Configure Identity Providers that use the OAuth 2.0 or OAuth 2.1 protocol (or the OpenID Connect protocol, which extends OAuth 2.0) to authenticate and authorize users.
TrustBuilder acts as the Service Provider (in OAuth terms the client, in OpenID Connect terms the Relying Party) when it sends an authentication request to the Identity Provider.
Configure a custom OAuth IDP
From the admin portal, go to Identity Providers tab > Custom OAUTH IDP.
The display name of the Identity Provider
If a known name is used (such as Facebook, Google, LinkedIn) the corresponding logo will automatically be provided.
The Identity Provider description
Select a workflow to execute after authentication completes. This workflow can be used, for instance, to provision the user in a user database.
Primary attribute that is used to identify the Subject
The URL where the IDP's metadata (discovery endpoint) can be retrieved.
OpenID Connect defines a discovery mechanism, called OpenID Connect Discovery, where an OpenID Provider publishes its metadata (issuer name, endpoint URLs, JWKS location, supported scopes and supported client authentication methods) at a well-known URL, typically the issuer URL followed by /.well-known/openid-configuration:
For TrustBuilder, the URL path is:
You can manage certificates from the Certificates configuration page. You can also add or import certificates from the Identity provider configuration.
Token Endpoint Method
There are 4 options to authenticate the Client (mind: the client, not the user!) at the token endpoint: Client Secret Basic (client_secret_basic: HTTP Basic authentication with the client secret), Client Secret Post (client_secret_post: the secret is sent in the request body), Client Secret JWT (client_secret_jwt: a short-lived JWT assertion HMAC-signed with the client secret, so the secret itself is never transmitted) and Private Key JWT (private_key_jwt: a JWT assertion signed with the client's private key). The IDP advertises the methods it accepts in the token_endpoint_auth_methods_supported entry of its discovery document (/.well-known/openid-configuration relative to the issuer), alongside its issuer name, key material and supported scopes.
Only visible when Token Endpoint Method is set to “Client Secret Basic” or “Client Secret Post”
Only visible when Token Endpoint Method is set to “Client Secret JWT” or “Private Key JWT”
JWT Private Key
Only visible when Token Endpoint Method is set to “Private Key JWT” (Client Secret JWT signs the assertion with the client secret, so no private key is needed for it)
Enables the choice between applying OAuth 2.0 and OAuth 2.1. OAuth 2.1 consolidates the OAuth 2.0 security best practices: PKCE is required for the authorization code flow, the implicit and resource-owner-password grants are removed, and redirect URIs must match exactly.
App Client ID
The "client_id" as registered at the IDP. Identifies TrustBuilder, the Service Provider, as the OAuth client.
URL of the authorization endpoint, where the user is redirected to obtain the Authorization Code.
URL of the token endpoint, where TrustBuilder exchanges the Authorization Code for the ID Token (and access token); this is the request to which the Token Endpoint Method applies.
Token introspection URL
When using the token exchange endpoint of IDHub, this URL will be used to validate the access token.
End Session Endpoint
URL where the user is redirected for single logout, to terminate the authenticated session at the IDP as well.
User Info Endpoint
URL where to request the User Info
The URL where the Identity Provider's JWKS (its public key set, used to verify the signatures on tokens and to encrypt requests to the IDP) can be found.
Used in OpenID Connect. The value filled in here must match the "iss" (issuer) claim of the id_token exactly. It is validated in the Authorization Code flow and the Hybrid flow, so it is highly recommended to provide this value; an id_token whose issuer cannot be validated results in an INVALID_GRANT.
This value is also used as the "aud" (audience) claim of the authentication request when that request is sent as a signed or encrypted JWT.
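The metadata URL, endpoint fields and Issuer field above fit together: the endpoint URLs on this page are exactly the keys of the discovery document, and the configured Issuer must be byte-identical both to the document's "issuer" entry and to the "iss" claim of every id_token. The following added example (not TrustBuilder's own code) shows those consistency checks over a constructed discovery document; the host idp.example.com, the client_id and all endpoint paths are sample values, and the "aud"/"exp" checks are the standard OpenID Connect Core id_token checks added alongside the issuer check this page describes.

```python
import json

# Constructed sample discovery document; not taken from any real identity provider.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/token",
  "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
  "introspection_endpoint": "https://idp.example.com/oauth2/introspect",
  "end_session_endpoint": "https://idp.example.com/oauth2/logout",
  "jwks_uri": "https://idp.example.com/oauth2/jwks",
  "scopes_supported": ["openid", "profile", "email"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"]
}""")

# Admin-portal labels (as on this page) mapped to the names used in discovery documents.
TOKEN_ENDPOINT_METHODS = {
    "Client Secret Basic": "client_secret_basic",
    "Client Secret Post": "client_secret_post",
    "Client Secret JWT": "client_secret_jwt",
    "Private Key JWT": "private_key_jwt",
}

# Discovery keys that populate the endpoint fields described on this page.
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "introspection_endpoint",
                 "end_session_endpoint", "userinfo_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """Well-known location of the metadata document for a given issuer (OIDC Discovery 1.0)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(doc: dict, configured_issuer: str, method_label: str) -> list:
    """Return a list of configuration problems; an empty list means the IDP config is consistent."""
    problems = []
    # The "issuer" in the document must be identical (no normalisation) to the configured
    # Issuer; it is the same value later matched against the id_token "iss" claim.
    if doc.get("issuer") != configured_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {configured_issuer!r}")
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if url is None:
            continue  # optional endpoints (e.g. no introspection) are simply left blank
        if not url.startswith("https://"):
            problems.append(f"{key} is not https: {url}")
    # Absent metadata means the default method, client_secret_basic.
    supported = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    method = TOKEN_ENDPOINT_METHODS[method_label]
    if method not in supported:
        problems.append(f"token endpoint method {method} not in {supported}")
    if "openid" not in doc.get("scopes_supported", ["openid"]):
        problems.append("IDP does not advertise the openid scope")
    return problems


def endpoints_from_discovery(doc: dict) -> dict:
    """Pick the endpoint URLs that fill the fields on this page; missing ones stay empty."""
    return {key: doc.get(key, "") for key in ENDPOINT_KEYS}


def check_id_token_claims(claims: dict, configured_issuer: str, client_id: str, now: int) -> list:
    """Issuer check from this page (INVALID_GRANT on mismatch) plus the standard aud/exp checks."""
    problems = []
    if claims.get("iss") != configured_issuer:
        problems.append("INVALID_GRANT: iss does not match the configured Issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        problems.append("aud does not contain our client_id")
    if claims.get("exp", 0) <= now:
        problems.append("id_token has expired")
    return problems


if __name__ == "__main__":
    print(discovery_url("https://idp.example.com"))
    print(validate_discovery(SAMPLE_DISCOVERY, "https://idp.example.com", "Client Secret Basic"))
    print(validate_discovery(SAMPLE_DISCOVERY, "https://idp.example.com/", "Client Secret Post"))
```

The second validate_discovery call shows the two most common misconfigurations at once: a trailing slash on the Issuer (which the IDP's "iss" claim will never carry) and a Token Endpoint Method the IDP does not advertise.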
Attribute Name for Subject
Defines which attribute in the authentication response (the id_token or the User Info JSON) describes the subject, because an Identity Provider does not necessarily expose the subject under the standard "sub" claim.
Define which scopes to include in the Authentication Request. For OpenID Connect the "openid" scope is required; without it the IDP will not issue an id_token.
Sign Authentication Request
When this is enabled, the Authentication Request to the IDP is sent as a JWT signed with the signing key certificate, so the IDP can verify that the request parameters were not tampered with in transit.
Encrypt Authentication Request
When this is enabled, the Authentication Request to the IDP is encrypted as a JWT (JWE) using the public encryption key of the IDP. This key is generally retrieved from the JWKS endpoint.
The following extra fields are displayed when this is enabled:
Request by Reference
Similar in spirit to the SAML artifact: instead of sending the (signed or encrypted) request object inline in the "request" parameter, TrustBuilder hosts it and passes only its location in the "request_uri" parameter; the IDP then fetches the request object from that URI. The claims themselves are still returned in the id_token (or via the User Info endpoint).
Provide the hostname and the port TrustBuilder uses to build the request URI at which it hosts the request object.
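The Token Endpoint Method, OAuth 2.1 (PKCE), Scopes, Sign Authentication Request and Request by Reference settings above all shape concrete HTTP messages. The following added example (not TrustBuilder's code) builds them from one constructed client registration: the token-endpoint request for three of the four client authentication methods (private_key_jwt has the same shape but signs with the JWT Private Key, which needs an asymmetric-signature library and is left out), a signed request object whose "aud" is the configured Issuer, and the authorization URL with that object passed by value or by reference. All hosts, the client_id, the client secret and the request URI base are sample values; HS256 with the client secret is used for the request object here because it is the one signing scheme the standard library provides, whereas the page's own setting signs with a certificate.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode

# Constructed client registration and endpoints (sample values, not a real deployment).
ISSUER = "https://idp.example.com"
AUTHZ_ENDPOINT = "https://idp.example.com/oauth2/authorize"
TOKEN_ENDPOINT = "https://idp.example.com/oauth2/token"
CLIENT_ID = "trustbuilder-sp"
CLIENT_SECRET = "constructed-secret-with-enough-entropy-for-HS256-0123456789"
REDIRECT_URI = "https://sp.example.org/oidc/callback"
REQUEST_URI_BASE = "https://sp.example.org:8443/oidc/request/"  # request URI host and port fields
HOSTED_REQUESTS = {}  # request objects the SP serves; the IDP fetches them by GET


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def hs256_jwt(claims: dict, secret: str) -> str:
    """Compact JWS with HMAC-SHA256 (RFC 7515/7518); the MAC key is the client secret."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"


def verify_hs256(token: str, secret: str) -> dict:
    """The IDP side: recompute the MAC and compare in constant time before trusting any claim."""
    header, payload, sig = token.split(".")
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(mac), sig):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge (RFC 7636); OAuth 2.1 makes PKCE mandatory for the code flow."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def token_request(method: str, code: str, verifier: str, now: int):
    """Headers and form body of the code exchange for three Token Endpoint Methods."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "code_verifier": verifier}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":     # RFC 6749 2.3.1: credentials in the Authorization header
        headers["Authorization"] = "Basic " + base64.b64encode(
            f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode("ascii")
    elif method == "client_secret_post":    # the secret travels in the form body
        body.update(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
    elif method == "client_secret_jwt":     # RFC 7523: short-lived signed assertion, secret not sent
        body.update(
            client_assertion_type="urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            client_assertion=hs256_jwt({"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": TOKEN_ENDPOINT,
                                        "jti": secrets.token_urlsafe(16), "iat": now,
                                        "exp": now + 60}, CLIENT_SECRET))
    else:
        raise ValueError(f"unsupported Token Endpoint Method: {method}")
    return headers, body


def signed_request_object(scopes, state, nonce, challenge, now) -> str:
    """Signed authentication request (OIDC Core section 6); "aud" is the configured Issuer."""
    return hs256_jwt({"iss": CLIENT_ID, "aud": ISSUER, "client_id": CLIENT_ID,
                      "response_type": "code", "redirect_uri": REDIRECT_URI,
                      "scope": " ".join(scopes), "state": state, "nonce": nonce,
                      "code_challenge": challenge, "code_challenge_method": "S256",
                      "iat": now, "exp": now + 300}, CLIENT_SECRET)


def authorization_url(request_jwt: str, by_reference: bool) -> str:
    """Pass the request object by value (request=) or by reference (request_uri=)."""
    params = {"client_id": CLIENT_ID, "response_type": "code", "scope": "openid"}
    if by_reference:
        ref = REQUEST_URI_BASE + secrets.token_urlsafe(24)  # unguessable, single-use location
        HOSTED_REQUESTS[ref] = request_jwt
        params["request_uri"] = ref
    else:
        params["request"] = request_jwt
    return AUTHZ_ENDPOINT + "?" + urlencode(params)
```

Note that client_id, response_type and scope=openid still appear as plain query parameters even when the full request travels inside the request object; OpenID Connect requires them so that the IDP can identify the client before it fetches or parses the JWT.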
Provide the hostname and the port to be used in the redirect URI
Redirect URI Alias
Defines where TrustBuilder will look for the user attributes when authenticating
Defines which authentication protocol is used: OAuth 2.0 or OpenID Connect.