
Step 2. Connect Your OIDC App to OneLogin

To connect your OpenID Connect-enabled app to OneLogin, you must:

  1. Create a OneLogin Custom Connector that is enabled for OpenID Connect
  2. Use this Custom Connector to add your OpenID Connect-enabled app to your company app catalog
  3. Configure your OpenID Connect-enabled App to use OneLogin for Authentication
  4. Give users access to the app in OneLogin

Prerequisites

  • Any OpenID-Connect-enabled app that uses the Implicit or Authentication (Basic) flow (The "Hybrid" flow is not yet supported by OneLogin, but it’s coming soon)

Create a Custom Connector for Your App

  1. Access OneLogin and go to Apps > Custom Connectors and click the New Connector button.

  2. Give the connector a name.

    This is not the name that will display in your OneLogin app catalog, but you should name it after your app name so that you can select it from among your custom connectors when you use it to add the app to your catalog.

  3. Select a Sign on Method of OpenID Connect.

    The page changes to display OpenID Connect fields.

  4. Enter the Redirect URI that your app uses as the callback entry point.

    This is where OneLogin sends the authentication response and ID token.

    Important! You must use a hostname: the OpenID spec does not allow localhost.

  5. (Optional) Enter the Login URL where your users go to sign in to the app.

    You only need to provide the login URL if you want users to be able to launch the app from their OneLogin portal. OpenID Connect enables service-provider-initiated (SP-initiated) SSO, but not identity-provider-initiated (IdP-initiated) SSO. By providing the login URL, you let OneLogin mimic an IdP-initiated SSO experience: the user is taken to the app’s login page, where the SP-initiated authentication flow is kicked off.

  6. Click Save.

Use the Custom Connector to Add Your App to Your Catalog

  1. On the Custom Connectors page, find the new custom connector and click Add App to Connector.

  2. On the Configuration tab, change the Display Name if you want (this is the name that will appear in the app catalog).

  3. Click Save to add the app to your catalog and display additional tabs.

Configure Your OIDC-enabled App to use OneLogin for Authentication

In this task, you provide your app with the OneLogin request URI that it will use to communicate with OneLogin, and you verify that the claims and scopes (which define the user attributes) supported by the app are supported in OneLogin’s OIDC implementation.

  1. Go to the SSO tab to get the OpenID Connect values that you must provide to your app to complete the connection with OneLogin.

  2. Copy the appropriate values from the SSO tab to your app.

    Client ID: Public key, issued by OneLogin. It must be recorded by your app, to be passed with each request for an access token.

    Client Secret: Private key, used by the client to exchange an authorization code for a JWT token. To generate the Client Secret, click Regenerate client secret. Do not hard-code this in apps that cannot keep a secret.

    Redirect URI: This is the URI that your app uses as the callback entry point. In other words, it is where OneLogin sends the authentication response and/or ID token. This is the value that you entered when you created the custom connector. It must use a hostname: the OpenID spec does not allow localhost.

    Request URI Example (Implicit Flow): The URI that your app must use to request the token in the Implicit Flow communication model, in which all tokens (identity and access tokens) are delivered through the browser front-channel. Copy this to your app if it uses the Implicit flow.

    Request URI Example (Authentication Flow): The URI that your app must use to request the token in the Authentication (or Basic) Flow communication model, in which the Client ID, Client Secret, and one-time-use code are passed on the back channel in return for access tokens. Copy this to your app if it uses the Authentication flow.

    Note. To see all of the data about the OneLogin configuration that you could possibly want, click the OpenID Provider Configuration Information link at the bottom of the page to launch the https://yoursubdomain.onelogin.com/oidc/.well-known/openid-configuration metadata endpoint. If your app supports self-discovery using provider metadata endpoints, this is where it can find all of the details of OneLogin’s OpenID Connect implementation for this connector, including supported claims, grant types, and JSON Web Key (JWK) signing and encryption information. For more information, see below.
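The following stand-alone Python shows how an app assembles the two Request URIs described above from the provider's discovery values, validates the callback it gets back, and prepares the back-channel code exchange that the Authentication flow relies on. This is an added example, not OneLogin's code: the endpoint hosts, client credentials and redirect URI are constructed placeholders, and the discovery subset mirrors the fields the SSO tab exposes.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed discovery subset; hosts and credentials below are placeholders.
DISCOVERY = {
    "issuer": "https://openid-connect.onelogin.com",
    "authorization_endpoint": "https://acme.onelogin.com/oidc/auth",
    "token_endpoint": "https://acme.onelogin.com/oidc/token",
    "response_types_supported": ["code", "id_token token", "id_token"],
    "token_endpoint_auth_methods_supported": "client_secret_basic",
}
CLIENT_ID = "example-client-id"          # placeholder: from the SSO tab
CLIENT_SECRET = "example-client-secret"  # placeholder: never ship in a public client
REDIRECT_URI = "https://app.example.com/oidc/callback"  # a hostname, not localhost


def new_session_state():
    """Per-login values the app stores server-side before redirecting the user.
    state binds the callback to this browser session (CSRF protection);
    nonce binds the ID token to this request (replay protection)."""
    return {"state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32)}


def build_request_uri(flow, session, scope="openid profile email"):
    """Assemble the Request URI for either flow from the discovery metadata.
    Implicit returns the tokens in the URL fragment; Authentication (code)
    returns a one-time code that is exchanged on the back channel."""
    response_type = {"implicit": "id_token token", "authentication": "code"}[flow]
    if response_type not in DISCOVERY["response_types_supported"]:
        raise ValueError(f"provider does not support response_type {response_type!r}")
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": response_type,
        "scope": scope,
        "state": session["state"],
        # nonce is required whenever an ID token comes straight from the
        # authorization endpoint (Implicit) and is good practice for the code flow.
        "nonce": session["nonce"],
    }
    return DISCOVERY["authorization_endpoint"] + "?" + urlencode(params)


def parse_callback(callback_url, session):
    """Validate the redirect back from the provider in the Authentication flow.
    A missing or mismatched state is rejected before the code is ever used."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError(query["error"][0])
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, session["state"]):
        raise PermissionError("state mismatch: callback is not bound to this session")
    return query["code"][0]


def build_token_request(code):
    """Back-channel exchange of the one-time code for tokens. The provider
    advertises client_secret_basic, so the credentials travel in an
    Authorization header and never in the URL."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})
    return {
        "method": "POST",
        "url": DISCOVERY["token_endpoint"],
        "headers": {"Authorization": f"Basic {basic}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": body,
    }
```

The redirect_uri sent to the token endpoint must be the same value that was used in the authorization request, which is why the example keeps it as one constant rather than reading it back from the callback URL.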

OneLogin’s OpenID Connect Implementation

To see the complete OneLogin OpenID Connect implementation for your app, you can view the .well-known (public metadata) JSON document by clicking the OpenID Provider Configuration Information link at the bottom of the SSO tab for your app connection in OneLogin.

You should inspect this document carefully to identify the particulars of the OneLogin implementation.

Note in particular the claims_supported and scopes_supported, which may differ from other OpenID Connect implementations.

Here is a sample .well-known document, followed by an explanation of the primary objects provided in the document:

{
  "authorization_endpoint": "https://acme.onelogin.com/oidc/auth",
  "claims_parameter_supported": false,
  "claims_supported": [
    "auth_time",
    "company",
    "custom_fields",
    "department",
    "email",
    "email",
    "family_name",
    "given_name",
    "iss",
    "locale_code",
    "name",
    "phone_number",
    "preferred_username",
    "sub",
    "title",
    "updated_at"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "issuer": "https://openid-connect.onelogin.com",
  "jwks_uri": "https://acme.onelogin.com/oidc/certs",
  "request_parameter_supported": false,
  "request_uri_parameter_supported": false,
  "response_modes_supported": [
    "form_post",
    "fragment",
    "query"
  ],
  "response_types_supported": [
    "code",
    "id_token token",
    "id_token"
  ],
  "scopes_supported": [
    "openid",
    "name",
    "profile",
    "email",
    "phone"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint": "https://acme.onelogin.com/oidc/token",
  "token_endpoint_auth_methods_supported": "client_secret_basic",
  "introspection_endpoint": "https://acme.onelogin.com/oidc/token/introspection",
  "revocation_endpoint": "https://acme.onelogin.com/oidc/token/revocation",
  "userinfo_endpoint": "https://acme.onelogin.com/oidc/me",
  "userinfo_signing_alg_values_supported": [],
  "token_introspection_endpoint": "https://acme.onelogin.com/oidc/token/introspection",
  "token_revocation_endpoint": "https://acme.onelogin.com/oidc/token/revocation",
  "claim_types_supported": [
    "normal"
  ]
}

The following objects are of particular interest:

authorization_endpoint: The OpenID provider server endpoint where the user is asked to authenticate and to grant the client app access to the user’s identity (ID token) and potentially other requested details, such as email and name (called UserInfo claims). This URL plus the client ID, redirect URI, response type, and so on, makes up the Request URI. We recommend that you use the prebuilt Request URI Example provided on the SSO tab in the OneLogin app editor.

claims_supported: The OpenID Connect claims (user attributes that the IdP can provide to the client app) supported by OneLogin.

grant_types_supported: The OAuth 2.0 grant types supported by OneLogin.

id_token_signing_alg_values_supported: The signing algorithms supported for ID tokens.

issuer: The base URL of the OneLogin OpenID Connect server.

jwks_uri: The URI of the JWK Set that contains the public keys used to verify the authenticity of the JWT tokens passed between OneLogin and the client app. Note that we cycle these public keys on a quarterly basis, and we therefore do not recommend that you cache them.

scopes_supported: The OpenID Connect scopes (request types) supported by OneLogin. For example, the scope openid indicates a request for OpenID authentication and an ID token. The scope profile indicates a request for user details, or claims.

token_endpoint: The token endpoint authenticates the client app, then lets it exchange the code received from the authorization endpoint for an ID token and access token.

introspection_endpoint: The token introspection endpoint enables the client to validate the JWT access token.

revocation_endpoint: The token revocation endpoint takes requests to revoke specified tokens when they are no longer needed.

userinfo_endpoint: The userinfo endpoint returns previously consented user profile information to the client app.

For more information about the JSON objects listed at the .well-known endpoint, see https://connect2id.com/products/server/docs/api/discovery.
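As an added example (not OneLogin's or the page's own code), the stand-alone Python below shows what a relying party does with the discovery values just described: it pins the ID token's alg to id_token_signing_alg_values_supported, selects the key by kid from what jwks_uri serves and refetches once when the kid is unknown (the key-rotation caveat above), verifies the RS256 signature, and checks iss against issuer, then aud, exp and nonce. The RSA primitives, the demo key pair, the discovery subset and the client ID are constructed for the example; a real client fetches the JWKS over HTTPS and uses a vetted crypto library rather than this minimal RS256.

```python
import base64
import hashlib
import hmac
import json
import random

# Stdlib-only RS256 so the example runs offline; the demo key pair generated at
# import time stands in for the key OneLogin serves at jwks_uri.
_DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")


def generate_rsa_keypair(bits=1024):
    """Returns (n, e, d). Fermat-tested primes and 1024 bits keep the demo fast;
    this is not a production key generator (use 2048+ bits and a real library)."""
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if all(pow(a, c - 1, c) == 1 for a in (2, 3, 5, 7, 11, 13)):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)


def _emsa_pkcs1_v15(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes (RFC 8017)."""
    t = _DIGESTINFO_SHA256 + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwk(kid, n, e):  # the public key in the JWK form that jwks_uri serves
    n_b64, e_b64 = (_b64url(i.to_bytes((i.bit_length() + 7) // 8, "big")) for i in (n, e))
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": n_b64, "e": e_b64}


def issue_id_token(claims, kid, n, d):
    """Provider side (stand-in for OneLogin): sign the claims as an RS256 JWT."""
    signing_input = ".".join(_b64url(json.dumps(x, separators=(",", ":")).encode())
                             for x in ({"alg": "RS256", "typ": "JWT", "kid": kid}, claims))
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(signing_input.encode(), k), "big")
    return signing_input + "." + _b64url(pow(em, d, n).to_bytes(k, "big"))


def verify_id_token(token, discovery, fetch_jwks, client_id, nonce, now):
    """Relying-party side: alg from discovery, key by kid, signature, then claims."""
    h64, p64, s64 = token.split(".")
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") not in discovery["id_token_signing_alg_values_supported"]:
        raise ValueError("unsupported alg %r" % header.get("alg"))
    for _ in range(2):  # second pass is the refetch after an unknown kid (key rotation)
        jwk = {k["kid"]: k for k in fetch_jwks()["keys"]}.get(header.get("kid"))
        if jwk:
            break
    else:
        raise ValueError("no signing key with kid %r" % header.get("kid"))
    n, e = (int.from_bytes(_b64url_decode(jwk[f]), "big") for f in ("n", "e"))
    k, sig = (n.bit_length() + 7) // 8, _b64url_decode(s64)
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") if len(sig) == k else b""
    if not hmac.compare_digest(em, _emsa_pkcs1_v15((h64 + "." + p64).encode(), k)):
        raise ValueError("ID token signature does not verify")
    claims = json.loads(_b64url_decode(p64))
    aud = claims.get("aud")
    if claims.get("iss") != discovery["issuer"]:
        raise ValueError("issuer mismatch")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("ID token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")), nonce):
        raise ValueError("nonce mismatch (possible replay)")
    return claims


# Constructed provider state mirroring the page's sample discovery document.
DISCOVERY = {"issuer": "https://openid-connect.onelogin.com",
             "id_token_signing_alg_values_supported": ["RS256"]}
DEMO_N, DEMO_E, DEMO_D = generate_rsa_keypair()
JWKS = {"keys": [make_jwk("demo-kid-1", DEMO_N, DEMO_E)]}  # what jwks_uri would serve
CLIENT_ID = "example-client-id"  # placeholder


def demo(now=1_700_000_000):
    """Round trip: the provider issues a token and the relying party verifies it."""
    nonce = "n-0S6_WzA2Mj"  # generated per login and kept server-side in practice
    token = issue_id_token({"iss": DISCOVERY["issuer"], "sub": "user-123", "aud": CLIENT_ID,
                            "iat": now, "exp": now + 300, "nonce": nonce},
                           "demo-kid-1", DEMO_N, DEMO_D)
    return verify_id_token(token, DISCOVERY, lambda: JWKS, CLIENT_ID, nonce, now)
```

The order matters: the accepted algorithm comes from the provider metadata, not from the token header, and the kid lookup refetches the key set once before failing, so a quarterly key roll shows up as one extra jwks_uri request rather than as a stale cached key rejecting every login.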

Give Users Access to Your App in OneLogin

To give your users access to your app in OneLogin, return to the app configuration page in OneLogin and go to the Access tab. Assign the OneLogin roles that should have access to the app and provide any app security policy that you want to apply.

For example you can attach a policy to the app to require multi-factor authentication.

You can also go to Users > All Users to add the app to individual user accounts.

