OAuth/OpenID Connect SSO

Prerequisites

  1. Log in to the service provider, the custom application for which you want to configure OpenID Connect, using administrator credentials.
  2. Get the authorization redirect or callback URL(s) from the service provider.

Steps to configure OAuth/OpenID Connect-based SSO for custom applications

  1. Log in to Identity360 as an Admin or Super Admin.
  2. Navigate to Applications → Application Integration and click Create New Application.
  3. In the Manage Applications menu, click Custom Application.
  4. In the General Settings tab, enter the Application Name and Domain Name and upload the icons for the application if available.
  5. Select SSO under the Choose Capabilities section to enable SSO for the custom application and click Continue.
  6. Select OAuth/OpenID Connect as the Method and choose the supported SSO flow.

    Note:

    SP-initiated SSO

    • A user tries to log in to an application. The application sends an authorization request to Identity360, and the user is redirected to the Identity360 login page.
    • The user enters their login credentials there. After successful verification, Identity360 sends an authorization code to the application.
    • The application sends the authorization code back to Identity360 to receive the ID token. This token contains the user details required to complete the login process.
    • After verifying Identity360's signature on the ID token, the application retrieves the user details from it.
    • Finally, after the successful verification of user details on the application's end, the user is logged in to the application.

    IdP-initiated SSO

    • A user logs in to Identity360 successfully, goes to the Applications tab and selects the desired application.
    • In this case, Identity360 sends an ID token to the application directly.
    • After verifying Identity360's signature on the ID token, the application retrieves the user details from it.
    • After the successful verification of user details on the application's end, the user is logged in to the application.
  7. If you select the SP-Initiated flow:

    In the Login Redirect URL field, enter all the available authorization redirect or callback URLs obtained from your service provider (see step 2 of the prerequisites). The URLs can be found on the service provider's OAuth/OIDC SSO configuration page.

  8. If you select the IdP-Initiated flow:
    • The IdP Login Initiate URL is used to send the id_token from the identity provider to the service provider. Once this URL is configured, users can log in to the service provider by selecting that application in the Applications tab in Identity360.
    • In the Login Redirect URL field, enter all the available authorization redirect or callback URLs obtained from your service provider (see step 2 of the prerequisites). The URLs can be found on the service provider's OAuth/OIDC SSO configuration page.
  9. Under Response Type, choose one or more of Authorization code, Access Token, and ID Token.
  10. Tick the Allow Refresh Token check box to allow the service provider to obtain new access tokens without requiring the user to re-authenticate every time.
  11. The Access Token Validity field is set to 3,600 seconds by default. You can change this value if required.

    Note: Access Token Validity denotes the time limit for which the token sent by the identity provider remains usable by the service provider.

  12. Choose the Key Algorithm (HS256, RS256, RS384, or RS512) depending on the algorithm the service provider uses for the Access Token or id_token signature.
  13. From the Client Authentication Mode drop-down, choose the required modes.
  14. If you choose the Private Key JWT mode, Identity360 needs the JWKS URL from the service provider to obtain the public key, which is then used to verify the signature.
  15. Click Save.

Copyright © 2024, ZOHO Corp. All Rights Reserved.