External Identity Providers fo...
Register an external IdP
This section covers creating and registering an external IdP.

Create an OpenID client

Create an OpenID client application on your IdP. The OpenID client parameters below vary from provider to provider, but the VIP-specific values are always the same:

Redirect URIs: the location to which the browser is redirected after you complete authentication at the IdP. VIP has a single redirect URI per instance, in the format https://<VIP URL>/rest/api/v2/openid/authorize. For the UAT VirtuCrypt environment the URI is https://testvip.virtucrypt.com/rest/api/v2/openid/authorize; for the production VirtuCrypt environment it is https://vip.virtucrypt.com/rest/api/v2/openid/authorize. Register the value exactly as shown: IdPs compare redirect URIs byte for byte, so a different host, scheme or trailing slash causes the authorization request to be rejected.

Response type: code

Grant type: authorization code

Register the OpenID client with VIP

Perform the following steps to register the OpenID client with VIP.

1. Log in to your VirtuCrypt Intelligence Portal (VIP) account with a user ID that has the Administrator role.

2. In the left-hand menu, select Settings > Credentials.

3. Select [ Create Identity Provider ] in the main view. This opens the Create Identity Provider dialog.

   This dialog can also derive a user's authorization from the identity provider, through the Role Claim and Role Mapping fields:

   Role Claim: the claim that contains the list of roles to map to VIP roles. If blank, roles are not taken from the token returned by the authorization server; the identity receives the roles linked to the authenticated user in VIP instead.

   Role Mapping: after authentication, if a Role Claim is defined, the identity is granted every VIP role whose mapped custom role appears in the claim. This mapping determines which VIP role is associated with each IdP role.

4. Enter the appropriate details for the following client IdP settings.

   Client ID: the identifier your IdP assigned to the VIP client application when you created it. It is specific to that application and is sent in every authentication flow.

   Client Authentication Method: select one of the two client authentication methods VIP supports, Client Secret or Public Key/Private Key.

   Client Secret: a secret known only to the OIDC client application and the authorization server, generated by your identity provider. The client presents it when exchanging the authorization code for a token; it is how the authorization server confirms the client's authenticity. Note: if you select this method, a Client Secret field appears to the right of the Client Authentication Method drop-down for you to enter the secret. Treat it like a password: anyone who holds it can obtain tokens as the VIP client.

   Public Key/Private Key: an authentication method that uses a signed JSON Web Token (JWT) in place of a shared secret. Instead of sending a client secret, VIP signs a JWT with its own private key and sends that assertion to the IdP; the IdP verifies the signature with VIP's public key. The signature is asymmetric, so the private key never leaves VIP and no secret has to be copied into the IdP. Note: if you select this method, three buttons appear to the right of the Client Authentication Method drop-down that download the public key the IdP needs to verify those JWTs, in JWK, PEM and DER formats. Register that public key in the client configuration on your IdP.

   Discovery URI: the IdP's OpenID Connect discovery endpoint (conventionally https://<IdP>/.well-known/openid-configuration). It returns a JSON document (JSON syntax per RFC 8259, content per OpenID Connect Discovery 1.0) listing the authorization, token and JWKS endpoints and the scopes and signing algorithms the IdP supports, so the individual endpoints do not have to be entered by hand.

   Grant Type: select a grant type. OAuth grants, also called OAuth flows, are the methods by which a client obtains tokens for requests to a resource server.

   Authorization Code: in the OAuth authorization code grant, the authorization server returns a temporary authorization code to the client, which the client exchanges for a token at the token endpoint.

   Authorization Code with PKCE: the authorization code grant with Proof Key for Code Exchange (PKCE), an extension of the standard authorization code flow. The client sends a hashed code_challenge with the authorization request and the matching code_verifier when redeeming the code, so an intercepted code cannot be exchanged by anyone else. It is the secure substitute for the implicit flow in single-page applications (SPAs) and native applications.

   VIP Email Claim: when the authorization server returns a JWT, this claim supplies the VIP identity username. If blank, VIP uses preferred_username if present and otherwise falls back to email.

   Scopes: the scopes sent when initiating the authentication flow. openid and profile are appended to whatever you list; if blank, only openid and profile are sent. Many IdPs only include group or role claims in the token when a corresponding scope is requested, so add that scope here if your Role Claim is missing from the token.

   Source Claims from Access Token: if enabled, VIP reads its claims (the identity username and, if configured, the role claim) from the access token instead of the ID token. This only works when the IdP issues JWT access tokens that carry those claims; an opaque access token cannot be parsed.

   Role Claim: the claim that contains the list of roles to map to VIP roles. If blank, roles are not taken from the token returned by the authorization server; the identity receives the roles linked to the authenticated user in VIP instead.

   Custom Headers: customizes the header of the JWT that VIP sends to the IdP. A JWT header normally carries the token type and the cryptographic algorithm used to secure the token, and its purpose is to give the recipient what it needs to process and verify the token. The header is not encrypted and must not contain sensitive information; it is, however, covered by the signature, so neither the header nor the payload can be altered without invalidating the token.

   Role Mapping: after authentication, if a Role Claim is defined, the identity is granted every VIP role whose mapped custom role appears in the claim. This mapping determines which VIP role is associated with each IdP role.

5. Select [ Test ] to verify that the configuration is correct. If the test succeeds, a message states that the identity provider is valid. See Test Button Troubleshooting (docid: pgoky5darvt3g4pxkdwod) for how to resolve any errors you encounter here.

6. Select [ Create ] to save the settings and create the new IdP.
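The following is an added example, not VirtuCrypt's code, showing the client-side pieces of the procedure above: a PKCE verifier/challenge pair, the authorization request VIP's settings produce (response_type=code, the VIP redirect URI, the configured scopes with openid and profile appended), and the username and role derivation VIP applies to the returned token. The IdP endpoint, client ID, claim name groups, the role names and the sample ID-token payload are all constructed assumptions; the redirect URI is the UAT value from the page.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# UAT redirect URI from the page; the production instance uses vip.virtucrypt.com instead.
VIP_REDIRECT_URI = "https://testvip.virtucrypt.com/rest/api/v2/openid/authorize"
DEFAULT_SCOPES = ("openid", "profile")  # VIP appends these to whatever is configured

# Constructed sample ID-token payload (already signature-checked and decoded; not a real token).
SAMPLE_ID_TOKEN_CLAIMS = {
    "iss": "https://idp.example.com",        # assumed IdP issuer
    "sub": "7b1c9e2f",
    "preferred_username": "alice",
    "email": "alice@example.com",
    "groups": ["hsm-operators", "finance"],   # assumed role claim name and values
}


def pkce_challenge(verifier):
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Generate a fresh 43-character code_verifier and its S256 code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def verify_pkce(verifier, challenge):
    """What the authorization server does at the token endpoint: recompute and compare."""
    return secrets.compare_digest(pkce_challenge(verifier), challenge)


def build_scope_string(configured_scopes):
    """VIP's rule: configured scopes plus openid and profile, duplicates dropped, order kept."""
    scopes = []
    for scope in list(configured_scopes) + list(DEFAULT_SCOPES):
        if scope and scope not in scopes:
            scopes.append(scope)
    return " ".join(scopes)


def build_authorization_url(authorization_endpoint, client_id, configured_scopes, code_challenge, state):
    """Authorization request for the 'Authorization Code with PKCE' grant type."""
    params = {
        "response_type": "code",              # the response type VIP requires
        "client_id": client_id,
        "redirect_uri": VIP_REDIRECT_URI,     # must match the URI registered at the IdP byte for byte
        "scope": build_scope_string(configured_scopes),
        "state": state,                       # binds the callback to this request (CSRF protection)
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return authorization_endpoint + "?" + urlencode(params)


def derive_username(claims, email_claim=""):
    """VIP's documented order: the configured email claim, then preferred_username, then email."""
    if email_claim and claims.get(email_claim):
        return claims[email_claim]
    if claims.get("preferred_username"):
        return claims["preferred_username"]
    return claims.get("email")


def map_roles(claims, role_claim, role_mapping):
    """Apply Role Claim and Role Mapping.

    role_mapping is {idp_role: vip_role}.  With a blank role claim VIP ignores the token's roles and
    uses those linked to the VIP user, which this function signals by returning None.  Unmapped IdP
    roles are dropped rather than granted, so an unexpected group never turns into a VIP role.
    """
    if not role_claim:
        return None
    idp_roles = claims.get(role_claim, [])
    if isinstance(idp_roles, str):
        idp_roles = idp_roles.split()  # some IdPs emit a space-separated string (assumption)
    return sorted({role_mapping[r] for r in idp_roles if r in role_mapping})


def demo():
    """Run the whole client side once against the constructed sample token."""
    verifier, challenge = make_pkce_pair()
    url = build_authorization_url("https://idp.example.com/oauth2/authorize", "vip-client",
                                  ["groups"], challenge, secrets.token_urlsafe(16))
    username = derive_username(SAMPLE_ID_TOKEN_CLAIMS)          # blank email claim -> "alice"
    roles = map_roles(SAMPLE_ID_TOKEN_CLAIMS, "groups", {"hsm-operators": "Administrator"})
    return url, username, roles, verify_pkce(verifier, challenge)


if __name__ == "__main__":
    print(demo())
```

The verifier is kept on the client and sent only to the token endpoint, so a code captured from the redirect is useless on its own; the same property is why PKCE is the right choice for the public-client cases the page names. map_roles deliberately returns nothing for IdP roles that have no mapping entry, which is the safe default when an IdP starts emitting new groups.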