Who is this article for? Ideagen Smartforms Admins configuring Auth Methods within Smartforms Middleware.
Smartforms Middleware supports OpenID Connect.
Configuring it to use an OpenID Provider can be achieved by adding an auth method of type OpenID Connect. When doing so, a number of fields can be filled in to configure the connection with your OpenID Connect Provider. These fields are described below the screenshot, which shows all possible advanced configuration settings:
Edit Provider Information
The fields in this section can typically be found on the OpenID Provider's Provider Metadata
document (aka Discovery document). Fields marked with a * are required.
- Discovery Endpoint - The HTTPS URL of the OpenID Provider's Provider Metadata document (aka Discovery document). See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig. This is the fastest way to configure the OpenID Provider's information. Filling in this field and clicking the "Configure Provider" button will auto-fill all other Provider Information fields described below.
- Issuer* - The OpenID Provider's Issuer Identifier. An HTTPS URL. See https://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier
- Authorization Endpoint* - The OpenID Provider's HTTPS authorization endpoint. See https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint
- Token Endpoint* - The OpenID Provider's HTTPS token endpoint. See https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
- UserInfo Endpoint* - The OpenID Provider's HTTPS user info endpoint. See https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
- Introspection Endpoint - The OpenID Provider's introspection endpoint. Some OpenID Providers may not support this endpoint. See https://tools.ietf.org/html/rfc7662#section-2
- JWKS Endpoint - A URL returning the OpenID Provider's JSON Web Key Set (JWKS), if any. This endpoint can typically be found as the "jwks_uri" value of the provider's Provider Metadata document (aka Discovery document). See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
- Signature Validation Keys - Cryptographic keys provided by the OpenID Provider for the purpose of verifying JSON Web Token (JWT) signatures. Not to be confused with Decryption Keys under Advanced Settings (see Decryption Keys below). These keys will be displayed in JSON Web Key (JWK) format. See https://tools.ietf.org/html/rfc7517
- Manage Signature Validation Keys Automatically - Let Smartforms Middleware automatically update Signature Validation Keys from the JWKS Endpoint. This is the easiest way to keep Signature Validation Keys up to date. JWKS Endpoint is required when using this option. Disable this option if your OpenID Provider has used some other method to share keys with you. If you disable this option, you can configure Signature Validation Keys manually using the provided buttons. Make sure to enter keys in JSON Web Key (JWK) format. See https://tools.ietf.org/html/rfc7517
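The following is an added Python example (not Smartforms code, and not taken from this article) showing what the "Configure Provider" step has to do with a Discovery document: map its members onto the Provider Information fields above, insist on HTTPS for every endpoint, and check that the document's issuer matches the URL it was fetched from (the Discovery specification requires the two to be identical, which stops a misconfigured or substituted document from silently pointing the client at a different provider). It also splits a JWKS into keys suitable for Signature Validation Keys versus keys that belong under Decryption Keys, the distinction the article warns about. The discovery document, URL, JWKS and key IDs are constructed placeholders, not a real provider's values.

```python
import json
from urllib.parse import urlsplit

# Constructed sample Provider Metadata (Discovery) document and the URL it was
# notionally fetched from. Placeholder hostnames, not a real provider.
SAMPLE_DISCOVERY_URL = "https://idp.example.test/.well-known/openid-configuration"
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/oauth2/authorize",
    "token_endpoint": "https://idp.example.test/oauth2/token",
    "userinfo_endpoint": "https://idp.example.test/oauth2/userinfo",
    "jwks_uri": "https://idp.example.test/oauth2/keys",
})

# Constructed sample JWKS with one signature key and one encryption key.
# The modulus values are placeholder text, not real key material.
SAMPLE_JWKS = json.dumps({
    "keys": [
        {"kty": "RSA", "use": "sig", "kid": "sig-2024", "alg": "RS256",
         "n": "placeholder-modulus", "e": "AQAB"},
        {"kty": "RSA", "use": "enc", "kid": "enc-2024", "alg": "RSA-OAEP",
         "n": "placeholder-modulus", "e": "AQAB"},
    ]
})

# Discovery member name -> Smartforms Provider Information field name.
FIELD_MAP = {
    "issuer": "Issuer",
    "authorization_endpoint": "Authorization Endpoint",
    "token_endpoint": "Token Endpoint",
    "userinfo_endpoint": "UserInfo Endpoint",
    "introspection_endpoint": "Introspection Endpoint",
    "jwks_uri": "JWKS Endpoint",
}
# Fields marked * in the article.
REQUIRED = {"Issuer", "Authorization Endpoint", "Token Endpoint", "UserInfo Endpoint"}


def _is_https(url):
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def provider_fields_from_discovery(discovery_url, discovery_json):
    """Return (fields, problems).

    fields maps each Provider Information field to the value found in the
    discovery document. problems lists anything that should block saving:
    a missing required value, a non-HTTPS endpoint, or an issuer that does not
    match the discovery URL the document came from.
    """
    doc = json.loads(discovery_json)
    fields, problems = {}, []
    for member, field in FIELD_MAP.items():
        value = doc.get(member)
        if value is None:
            if field in REQUIRED:
                problems.append(f"required field '{field}' missing from discovery document")
            continue
        if not _is_https(value):
            problems.append(f"'{field}' is not an HTTPS URL: {value}")
        fields[field] = value

    issuer = fields.get("Issuer")
    if issuer is not None:
        # Discovery URL is the issuer with /.well-known/openid-configuration
        # appended to its path; the document's issuer must match exactly.
        expected = issuer.rstrip("/") + "/.well-known/openid-configuration"
        if discovery_url != expected:
            problems.append(f"issuer '{issuer}' does not match discovery URL '{discovery_url}'")
    return fields, problems


def split_jwks(jwks_json):
    """Split a JWKS into (signature_keys, other_keys).

    Only keys marked use=sig, or unmarked keys whose key_ops allow 'verify',
    are candidates for Signature Validation Keys. Keys marked use=enc are
    not signature keys and must not be entered there.
    """
    sig, other = [], []
    for key in json.loads(jwks_json).get("keys", []):
        use, ops = key.get("use"), key.get("key_ops")
        if use == "sig" or (use is None and (ops is None or "verify" in ops)):
            sig.append(key)
        else:
            other.append(key)
    return sig, other


if __name__ == "__main__":
    fields, problems = provider_fields_from_discovery(SAMPLE_DISCOVERY_URL, SAMPLE_DISCOVERY_DOC)
    print(json.dumps(fields, indent=2), problems)
    sig, other = split_jwks(SAMPLE_JWKS)
    print("signature keys:", [k["kid"] for k in sig], "other keys:", [k["kid"] for k in other])
```

In practice the middleware would fetch the document and JWKS over TLS from the Discovery Endpoint and the JWKS Endpoint respectively; the example takes the JSON as strings so it runs offline.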
Edit Client Information
- Client ID - The OpenID Connect client_id you obtained from your OpenID Provider. Your provider should have provided this as part of registering as a client application. See https://tools.ietf.org/html/rfc6749#section-2.2
- Additional auth request scopes - Use this to add additional OAuth scopes that clients and designers should request as part of the OpenID Connect authentication request. You should coordinate with your OpenID Provider to determine which scopes to request. See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
- Additional auth request query params - Use this to add additional query string parameters that clients and designers should include in the OpenID Connect authentication request. You would do this if your OpenID Provider accepts a nonstandard authentication request parameter. See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
- Additional token request params - Use this to add additional form body parameters that clients and designers should include in the OpenID Connect token request. You would usually do this if your OpenID Provider accepts a nonstandard token request parameter. See https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
- Require UserInfo response to be signed? - Should Smartforms Middleware reject UserInfo responses that are not signed by the OpenID Provider? This is recommended. You should coordinate with your OpenID Provider to determine whether they support signed UserInfo responses. See https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
- Require UserInfo responses to be encrypted? - Should Smartforms Middleware reject UserInfo responses that are not encrypted by the OpenID Provider? You should coordinate with your OpenID Provider to determine whether they support encrypted UserInfo responses. Use of this option requires configuring one or more Decryption Keys. See https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
- Require UserInfo responses to have a valid audience? - Should Smartforms Middleware reject UserInfo responses that have a missing or invalid audience ("aud") claim? This is recommended. You would usually only disable this if for some reason your OpenID Provider doesn't support the "aud" claim. See https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
- Require UserInfo responses to have a valid issuer? - Should Smartforms Middleware reject UserInfo responses that have a missing or invalid issuer ("iss") claim? This is recommended. You would usually only disable this if for some reason your OpenID Provider doesn't support the "iss" claim. See https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
- Decryption Keys - Cryptographic keys for decrypting encrypted JSON Web Tokens (JWTs). Specify keys in JSON Web Key (JWK) format. See https://tools.ietf.org/html/rfc7517. You would typically exchange these keys with your OpenID Provider as part of registering as a client application. If using asymmetric encryption, you would normally generate these keys yourself using a service like https://mkjwk.org/ (or the associated command line tool at https://github.com/mitreid-connect/json-web-key-generator to avoid trusting a remote service), then share the public key(s) with your OpenID Provider and enter the private key(s) here.
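As an added example (not Smartforms code and not from this article), the Python below shows what the two "valid audience" and "valid issuer" options above amount to once a signed UserInfo JWT has been verified against the Signature Validation Keys (and decrypted with the Decryption Keys, if encrypted): the "iss" claim must equal the configured Issuer, the "aud" claim, which may be a string or a list, must contain the configured Client ID, and, per the OpenID Connect Core UserInfo rules, the "sub" claim must match the "sub" from the ID Token regardless of either option. Signature verification itself is assumed to have already happened; the claims, issuer, client_id and subject values are constructed placeholders.

```python
import json

# Constructed sample values. These are placeholders, not a real deployment.
SAMPLE_ISSUER = "https://idp.example.test"          # configured Issuer field
SAMPLE_CLIENT_ID = "smartforms-client-placeholder"  # configured Client ID field
SAMPLE_ID_TOKEN_SUB = "user-7f3a"                   # sub from the verified ID Token

# Claims of a UserInfo JWT whose signature is assumed already verified.
SAMPLE_USERINFO_CLAIMS = json.dumps({
    "iss": "https://idp.example.test",
    "aud": ["smartforms-client-placeholder", "another-client"],
    "sub": "user-7f3a",
    "email": "user@example.test",
})


def check_userinfo_claims(claims_json, issuer, client_id, id_token_sub,
                          require_aud=True, require_iss=True):
    """Apply the UserInfo claim policies and return a list of rejection reasons.

    An empty list means the response is accepted. require_aud / require_iss
    mirror the two Smartforms options; the sub check is always applied because
    a UserInfo response describing a different subject must never be used.
    """
    claims = json.loads(claims_json)
    reasons = []

    if require_iss and claims.get("iss") != issuer:
        reasons.append(f"iss {claims.get('iss')!r} does not match configured Issuer")

    if require_aud:
        aud = claims.get("aud")
        # "aud" is a single string or an array of strings; normalise to a list.
        audiences = aud if isinstance(aud, list) else ([aud] if aud is not None else [])
        if client_id not in audiences:
            reasons.append(f"aud {aud!r} does not contain the configured Client ID")

    if claims.get("sub") != id_token_sub:
        reasons.append("sub does not match the ID Token sub")

    return reasons


if __name__ == "__main__":
    print(check_userinfo_claims(SAMPLE_USERINFO_CLAIMS, SAMPLE_ISSUER,
                                SAMPLE_CLIENT_ID, SAMPLE_ID_TOKEN_SUB))
```

Disabling either option only removes the corresponding check; the subject comparison stays in place, which is why a provider that omits "aud" or "iss" can still be used without accepting a UserInfo response issued for somebody else.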
Default Groups
- Default Groups for New User - When a user logs in to Smartforms for the first time using this OpenID Provider, they will initially be assigned to the groups specified under "Allowed." This group assignment can then be changed manually through Ideagen Smartforms Middleware at a later time.