
OpenID Connect Dynamic Register

Introduction

OpenID Connect allows a clear design suitable for both frontend and backend.

SAML has a clear design for the frontend, but the backend usage is harder, as the security in SAML cannot be placed at the transport layer. Instead, it must be placed at the document level. Additionally, it requires intensive use of cryptographic algorithms for signature and encryption.

That is why some applications put a SAML frontend protection in front of both the frontend and the backend, and rely on the session cookies generated by the frontend for backend access.

The problem arises when one service provider registers dynamically and needs to invoke some services from a SAML enabled application that does not support or implement WS-Security.

To solve it, Soffid Identity Provider allows other service providers to register dynamically.

Dynamic Register

The REST service /register does the job: it registers the client and returns the client identifier, the client secret and the registration access token needed to manage the registration afterwards.



Request

POST https://<YOUR_SERVER>:2443/register
Accept: application/json
Content-type: application/json
Authorization: Bearer <TOKEN>

{
    "application_type": "web",
    "redirect_uris":
        ["https://client.example.org/callback",
         "https://client.example.org/callback2"],
    "client_name": "My Example 7",
    "logo_uri": "https://client.example.org/logo.png",
    "subject_type": "pairwise",
    "token_endpoint_auth_method": "client_secret_basic",
    "jwks_uri": "https://client.example.org/my_public_keys.jwks",
    "userinfo_encrypted_response_alg": "RSA1_5",
    "userinfo_encrypted_response_enc": "A128CBC-HS256",
    "contacts": ["ve7jtb@example.org", "mary@example.org"],
    "request_uris":
        ["https://client.example.org/rf.txt#qpXaRLh_n93TTR9F252ValdatUQvQiJi5BDub2BeznA"]
}

Parameters
  • Authorization: contains the Bearer Token.

Response

The response contains the registered client data, including the client secret and the registration access token.

{
    "client_secret_expires_at": 0,
    "registration_client_uri": "https://iam-sync-tenantidp.soffidnet:2443/register?client_id=DR_7",
    "client_secret": "wBeH8G6hT2GRwr7jJ6HfX2lMJDGdwGi9M49SKF2MjHRGOtwZ",
    "redirect_uris": [
        "https://client.example.org/callback",
        "https://client.example.org/callback2"
    ],
    "registration_access_token": "NjYxODg1Ng.AFa8jQbltq+bocWQpT3okPvHXHrTM+HqXQC26Kz5mfAWfXWG",
    "client_name": "My Example 7",
    "client_id": "DR_7"
}

Request

Once the application has been registered, it can read its registration back from the registration_client_uri, using the registration access token it received:

GET https://<YOUR_SERVER>:2443/register?client_id=DR_7
Accept: application/json
Content-type: application/json
Authorization: token NjYxODg1Ng.AFa8jQbltq+bocWQpT3okPvHXHrTM+HqXQC26Kz5mfAWfXWG


As security measures, the impersonation profile must be enabled, and the source application must be entitled to use it against the target application.

Response

{
    "client_secret_expires_at": 0,
    "registration_client_uri": "https://iam-sync-tenantidp.soffidnet:2443/register?client_id=DR_7",
    "redirect_uris": [
        "https://client.example.org/callback",
        "https://client.example.org/callback2"
    ],
    "client_name": "My Example 7",
    "client_id": "DR_7"
}
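The two calls above, as an added client-side example that is not part of the original page or of Soffid's own code: it validates the /register response before the credentials are stored (all expected fields present, the registered redirect_uris exactly match what was requested, https only) and then builds the follow-up GET from registration_client_uri and the registration access token. The sample response is the one shown on this page, embedded inline.

```python
import json

# Constructed sample: the POST /register response shown on this page.
SAMPLE_RESPONSE = json.dumps({
    "client_secret_expires_at": 0,
    "registration_client_uri": "https://iam-sync-tenantidp.soffidnet:2443/register?client_id=DR_7",
    "client_secret": "wBeH8G6hT2GRwr7jJ6HfX2lMJDGdwGi9M49SKF2MjHRGOtwZ",
    "redirect_uris": ["https://client.example.org/callback",
                      "https://client.example.org/callback2"],
    "registration_access_token": "NjYxODg1Ng.AFa8jQbltq+bocWQpT3okPvHXHrTM+HqXQC26Kz5mfAWfXWG",
    "client_name": "My Example 7",
    "client_id": "DR_7",
})
REQUIRED = ("client_id", "client_secret", "registration_access_token",
            "registration_client_uri", "redirect_uris", "client_secret_expires_at")


def check_registration(response_body, requested_redirect_uris):
    """Validate a /register response and return the fields worth persisting.

    Raises ValueError if a field is missing, a redirect_uri is not https, or
    the IdP registered a different set of redirect_uris than was requested.
    """
    data = json.loads(response_body)
    missing = [f for f in REQUIRED if f not in data]
    if missing:
        raise ValueError("response lacks fields: " + ", ".join(missing))
    if sorted(data["redirect_uris"]) != sorted(requested_redirect_uris):
        raise ValueError("registered redirect_uris differ from the request")
    if any(not u.startswith("https://") for u in data["redirect_uris"]):
        raise ValueError("redirect_uris must be https")
    return {
        "client_id": data["client_id"],
        "client_secret": data["client_secret"],  # persist it, never log it
        "registration_access_token": data["registration_access_token"],
        "registration_client_uri": data["registration_client_uri"],
        # 0 means the secret never expires; otherwise it is a Unix timestamp
        "secret_never_expires": data["client_secret_expires_at"] == 0,
    }


def build_read_request(registration):
    """Build the follow-up GET that reads the registration back (the second
    request on this page), authenticated with the registration access token
    using the 'token' scheme exactly as the page shows it."""
    headers = {"Accept": "application/json",
               "Authorization": "token " + registration["registration_access_token"]}
    return "GET", registration["registration_client_uri"], headers
```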