OAuth/OpenID Connect SSO

Prerequisites

  1. Log in to the service provider, the custom application for which you want to configure OpenID Connect, using administrator credentials.
  2. Get the authorization redirect or callback URL(s) from the service provider.

Steps to configure OAuth/OpenID Connect-based SSO for custom applications

  1. Log in to Identity360 as an Admin or Super Admin.
  2. Navigate to Applications → Application Integration and click Create New Application.
  3. In the Manage Applications menu, click Custom Application.
  4. In the General Settings tab, enter the Application Name and Domain Name and upload the icons for the application if available.
  5. Select SSO under the Choose Capabilities section to enable SSO for the custom application and click Continue.
  6. Select the OAuth/OpenID Connect in the Method option and choose the supported SSO flow.
  7. Note: the two supported flows work as follows.

    SP-initiated SSO

    • A user tries to log in to an application. The application sends an authorization request to Identity360. The user is redirected to the Identity360 login page.
    • The user enters their login credentials here. After successful verification, an authorization code is sent to the application from Identity360.
    • The application sends the authorization code back to Identity360 to receive the ID token. This token contains the user details required to complete the login process.
    • After verifying Identity360's signature on the ID token, the application retrieves the user details from it.
    • Finally, after the successful verification of user details on the application's end, the user is logged in to the application.

    IdP-initiated SSO

    • A user logs in to Identity360 successfully. They go to the Applications tab and select the desired application.
    • In this case, Identity360 sends an ID token to the application directly.
    • After verifying Identity360's signature on the ID token, the application retrieves the user details from it.
    • After the successful verification of user details on the application's end, the user is logged in to the application.
  8. If you select SP-Initiated flow:

    In the Login Redirect URL field, enter all the available authorization redirect or callback URLs obtained from your service provider. (See step 2 of the prerequisites.) The URLs can be found on the service provider's OAuth/OIDC SSO configuration page.

  9. If you select IdP-Initiated flow:

    • The IdP Login Initiate URL is used to send the id_token from the identity provider to the service provider. Once this URL is configured, users will be able to log in to the service provider by selecting that particular application in the Applications tab in Identity360.
    • In the Login Redirect URL field, enter all the available authorization redirect or callback URLs obtained from your service provider. (See step 2 of the prerequisites.) The URLs can be found on the service provider's OAuth/OIDC SSO configuration page.
  10. From the Client Authentication drop-down, select an option based on your application type:
    • Server-based applications: choose the method your application requires: Client Secret (which covers the Basic, Post, and JWT methods by default) or Private Key JWT. If you choose Private Key JWT, Identity360 needs the relying party's JWKS URL to obtain the public key with which it verifies the signature. Additionally, you can enable PKCE (Proof Key for Code Exchange) for enhanced security, if your application supports it.

      Note: Choosing None for server-based applications disables client authentication, which may allow unauthorized use of your users' authorization codes.

    • Client-only applications: because these applications cannot securely store a client secret, set Client Authentication to None; PKCE (Proof Key for Code Exchange) is then enforced so that the token exchange remains secure.
  11. Choose the Key Algorithm as HS256, RS256, RS384, or RS512, depending on the algorithm used by the relying party for the Access Token or id_token signature.
  12. Set the Access Token Validity. This field defaults to 3,600 seconds (one hour) and defines how long an access token issued by the identity provider remains valid for use by the service provider. Adjust this duration as needed.
  13. Enable the Allow Refresh Token check box to permit the service provider to obtain new access tokens without needing the user to re-authenticate each time.
  14. Click Save.

    Note: By default, the response type is set to include the authorization code, access token, and ID token. To modify this configuration, contact support.
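The SP-initiated flow from step 7 together with the PKCE option from step 10 and the HS256 key algorithm from step 11, worked through as an added example; this is not code from this page or from Identity360. It plays both sides locally so it runs offline: the application builds the authorization request with a nonce and an S256 code challenge, the simulated identity provider checks the PKCE verifier before issuing an HS256-signed ID token, and the application then verifies the token's algorithm, signature, issuer, audience, expiry and nonce before trusting any claim in it. The issuer URL, authorize path, client ID, client secret, redirect URI and claim values are constructed placeholders, and the signing function stands in for Identity360 minting the token.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Constructed placeholders (assumptions): not real Identity360 endpoints or credentials.
ISSUER = "https://identity360.example/oidc"
CLIENT_ID = "custom-app-client-id"
CLIENT_SECRET = b"constructed-shared-secret-for-hs256-demo"
REDIRECT_URI = "https://app.example/oauth/callback"


def b64url(data: bytes) -> str:
    """JWT-style base64url encoding without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_pkce_pair():
    """Client side of PKCE: a random verifier and its S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def pkce_matches(verifier: str, stored_challenge: str) -> bool:
    """IdP side of PKCE: the verifier sent to the token endpoint must hash to the stored challenge."""
    expected = b64url(hashlib.sha256(verifier.encode()).digest())
    return hmac.compare_digest(expected, stored_challenge)


def build_authorization_request(state: str, nonce: str, challenge: str) -> str:
    """The request the application redirects the browser to (first bullet of the SP-initiated flow)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/authorize?" + urlencode(params)  # authorize path is an assumption


def sign_id_token_hs256(claims: dict, secret: bytes) -> str:
    """Stand-in for the IdP minting an ID token; with HS256 the key is the shared client secret."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"


def verify_id_token(token: str, secret: bytes, expected_nonce: str, now=None) -> dict:
    """Relying-party check: pinned alg, signature, issuer, audience, expiry and nonce, in that order."""
    now = time.time() if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if not exactly three parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose its own algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("wrong audience")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:  # binds the token to this login attempt
        raise ValueError("nonce mismatch")
    return claims


def run_sp_initiated_flow(now: float = 1_700_000_000.0) -> dict:
    """Walk the SP-initiated flow end to end, playing both sides locally."""
    state, nonce = b64url(secrets.token_bytes(16)), b64url(secrets.token_bytes(16))
    verifier, challenge = make_pkce_pair()
    auth_url = build_authorization_request(state, nonce, challenge)  # browser is sent here; state is checked on return
    # Simulated Identity360: authenticates the user and returns a code bound to the challenge.
    issued = {"code": secrets.token_urlsafe(24), "challenge": challenge, "nonce": nonce, "url": auth_url}
    # The application presents code + verifier at the token endpoint; the IdP checks PKCE first.
    if not pkce_matches(verifier, issued["challenge"]):
        raise ValueError("PKCE verification failed")
    token = sign_id_token_hs256(
        {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID, "nonce": issued["nonce"],
         "iat": now, "exp": now + 3600, "email": "user@example.com"},  # constructed claims
        CLIENT_SECRET,
    )
    return verify_id_token(token, CLIENT_SECRET, nonce, now=now)


if __name__ == "__main__":
    print(run_sp_initiated_flow())
```

The order of checks in verify_id_token is deliberate: the algorithm is pinned to what was configured in step 11 rather than read from the token, the signature is checked before any claim is parsed, and the issuer, audience, expiry and nonce are all confirmed before the user details are handed to the login logic. The Access Token Validity from step 12 (3,600 seconds) is what the exp claim in the simulated token mirrors.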

Copyright © 2024, ZOHO Corp. All Rights Reserved.