OpenID Connect RP Setup

Description

This guide describes how to configure your site as an OIDC RP (OpenID Connect Relying Party) so that users can authenticate via a third-party OP (OpenID Connect Provider). Gigya takes the RP role: it redirects the user to the OP, receives the authorization code at its Redirect URI, exchanges it at the OP's token endpoint and validates the returned ID token before logging the user in.

RP Flow Overview

Code Flow Diagram With Gigya as OpenID Connect Provider

Setup Guide

The steps necessary for configuring your site as an OIDC RP (Relying Party).

First Steps

You will need the OP's OpenID Connect metadata to complete the configuration. OPs that support discovery publish it at <issuer>/.well-known/openid-configuration; otherwise request it from the OP directly. You need at least:

  • Authorize Endpoint
  • Token Endpoint
  • UserInfo Endpoint
  • Issuer (the value the OP places in the iss claim of its ID tokens)
  • The OP's JSON Web Key Set (JWKS) used to sign ID tokens

You will need the client_id and client_secret the OP has assigned to your RP.

You must supply the OP with the following Redirect URI for your RP. The trailing "?" is part of the URI and must be included exactly as shown. For instructions on determining your Data Center, see Finding Your Data Center.

https://socialize.<Data-Center>.gigya.com/socialize.finalizeOidcLogin?

If your site is using a CNAME alias, the Redirect URI will be

https://<Cname-Alias>/socialize.finalizeOidcLogin?

If using a CNAME, your site must be served over SSL / HTTPS.
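The Authorization Code Flow that the RP Flow Overview diagram depicts, driven end to end with the values gathered in First Steps (authorize and token endpoints, client_id/client_secret and the Redirect URI). This is an added example, not Gigya's code: the OP side is a stub so the exchange runs offline, and the hostnames, credentials, CNAME Redirect URI, user identifier and token contents are all constructed. A real OP signs ID tokens with RSA/RS256; the stub's keyed-hash "signature" and verify_stub_signature only stand in for that so the validation path can be exercised.

```python
import base64
import hashlib
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# OP metadata and RP credentials, as gathered in First Steps (all constructed)
ISSUER = "https://op.example.com"
AUTHORIZE_ENDPOINT = ISSUER + "/oauth2/authorize"
TOKEN_ENDPOINT = ISSUER + "/oauth2/token"
CLIENT_ID, CLIENT_SECRET = "rp-client-id", "rp-client-secret"
# Redirect URI of a CNAME-aliased RP; the trailing "?" is part of what the OP is given
REDIRECT_URI = "https://login.example-rp.com/socialize.finalizeOidcLogin?"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_token(header, claims, signature):
    """Assemble header.payload.signature (JWS compact serialization)."""
    return ".".join([b64url(json.dumps(header).encode()), b64url(json.dumps(claims).encode()), b64url(signature)])

# --- RP side ---------------------------------------------------------------
def begin_login(session, scopes=("openid", "profile", "email")):
    """Step 1: build the authorize URL; state and nonce are kept in the RP session."""
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": " ".join(scopes), "state": session["state"], "nonce": session["nonce"]}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)

def handle_callback(callback_url, session):
    """Step 3: the OP redirected back to the Redirect URI; state binds the response to this login."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != session.pop("state", None):
        raise ValueError("state mismatch: response is not bound to this login attempt")
    return query["code"][0]

def token_request(code):
    """Step 4: form body the RP POSTs to TOKEN_ENDPOINT, authenticating with client_id/client_secret."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}

def validate_id_token(id_token, session, verify_signature, now=None):
    """Step 5: the checks behind the console's Issuer and JSON Web Keys fields, plus aud/exp/nonce."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    if header.get("alg") != "RS256":
        raise ValueError("unsupported alg %r: only RS256 tokens can be validated" % header.get("alg"))
    if not verify_signature(header, (header_b64 + "." + payload_b64).encode(), b64url_decode(sig_b64)):
        raise ValueError("signature did not validate against the configured keys")
    if claims.get("iss") != ISSUER:
        raise ValueError("iss %r does not match the configured Issuer" % claims.get("iss"))
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not include this RP's client_id")
    if claims.get("exp", 0) <= (now or time.time()):
        raise ValueError("ID token has expired")
    if claims.get("nonce") != session.pop("nonce", None):
        raise ValueError("nonce mismatch: token was not issued for this login attempt")
    return claims

# --- Stub OP, so the flow runs offline --------------------------------------
# A real OP signs ID tokens with its RSA key (RS256). This stub "signs" with a keyed
# hash instead; verify_stub_signature stands in for RS256 verification against the
# JWKS key whose kid matches the token header.
STUB_KEY = b"stub-op-signing-key"
_issued_codes = {}

def stub_op_authorize(auth_url):
    """Stub step 2: authenticate the user, then redirect to the Redirect URI with a one-time code."""
    q = parse_qs(urlparse(auth_url).query)
    if q["client_id"][0] != CLIENT_ID or q["redirect_uri"][0] != REDIRECT_URI:
        raise ValueError("unknown client or unregistered redirect_uri")
    code = secrets.token_urlsafe(12)
    _issued_codes[code] = {"nonce": q["nonce"][0], "sub": "user-123"}
    # The registered Redirect URI already ends in "?", so the parameters are appended directly
    return q["redirect_uri"][0] + urlencode({"code": code, "state": q["state"][0]})

def stub_op_token(body):
    """Stub step 4: check client credentials, redeem the code once, return an ID token."""
    if body["client_id"] != CLIENT_ID or body["client_secret"] != CLIENT_SECRET:
        raise ValueError("client authentication failed")
    grant = _issued_codes.pop(body["code"])  # KeyError on replay: codes are single use
    now = int(time.time())
    header = {"alg": "RS256", "typ": "JWT", "kid": "stub-kid"}
    claims = {"iss": ISSUER, "sub": grant["sub"], "aud": CLIENT_ID, "nonce": grant["nonce"], "iat": now, "exp": now + 300}
    signing_input = encode_token(header, claims, b"").rsplit(".", 1)[0].encode()
    return {"id_token": encode_token(header, claims, hashlib.sha256(STUB_KEY + signing_input).digest()), "token_type": "Bearer"}

def verify_stub_signature(header, signing_input, signature):
    return hashlib.sha256(STUB_KEY + signing_input).digest() == signature

def run_flow():
    """Drive the code flow end to end and return the validated ID token claims."""
    session = {}
    callback_url = stub_op_authorize(begin_login(session))
    code = handle_callback(callback_url, session)
    tokens = stub_op_token(token_request(code))
    return validate_id_token(tokens["id_token"], session, verify_stub_signature)
```

The two checks that map directly onto console fields are the iss comparison (Issuer) and the alg/signature check (JSON Web Keys): a token from the wrong issuer, or one signed with anything other than RS256, is rejected before the user is logged in. The state and nonce checks are what tie the callback and the ID token to the browser session that started the login.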

Console Configuration

Navigate to the OIDC Login page of the Gigya Console.

Complete all the required fields.

  • Provider Name - The name you will use to reference this OP (lowercase alphanumeric characters only, no spaces). This value cannot be changed once configured. If this provider is ever deleted from your configuration, all users associated with it will be lost.
  • Client ID - The client_id you received from the OP.
  • Client Secret - The client_secret you received from the OP.
  • Authorization Endpoint - The authorize endpoint of the OP.
  • Token Endpoint - The token endpoint of the OP.
  • UserInfo Endpoint - The userinfo endpoint of the OP.
  • Scopes - Additional standard scopes you are authorized to request from the OP.
  • Custom Scopes - Any optional custom scopes that you are authorized to request from the OP (a space-delimited, case-sensitive list of additional scopes that are preconfigured on the OP).
  • Issuer - The value entered here must match the value returned in the iss claim of the OP's response. If these values do not match, validation will fail and users will not be able to log in.
  • JSON Web Keys - The JSON Web Key Set (JWKS) object containing the OP's signing keys. Gigya only supports RSA/RS256 keys. If the response cannot be validated using the supplied keys, login will fail. If the OP uses any algorithm other than RSA/RS256, you must leave this field blank.

Press Create to save the configuration.
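As an added example (not Gigya's or any OP's code), the following maps a constructed OP discovery document and JWKS onto the console fields above, applying the constraints those fields carry: a lowercase alphanumeric Provider Name, only scopes the OP advertises, an Issuer copied from the metadata so it will equal the iss claim, and a JSON Web Keys value reduced to RSA/RS256 signing keys or left blank when the OP offers none. The hostnames, key material and scope names are made up.

```python
import json
import re

# Constructed sample of an OP discovery document (what the OP would serve at
# <issuer>/.well-known/openid-configuration). Hostnames and values are made up.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://op.example.com",
    "authorization_endpoint": "https://op.example.com/oauth2/authorize",
    "token_endpoint": "https://op.example.com/oauth2/token",
    "userinfo_endpoint": "https://op.example.com/oauth2/userinfo",
    "jwks_uri": "https://op.example.com/oauth2/keys",
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
    "scopes_supported": ["openid", "profile", "email", "phone", "custom:loyalty"],
})

# Constructed sample JWKS: an RSA signing key (usable), an RSA encryption key and an
# EC signing key (neither usable for RS256 validation). Key material is a placeholder.
JWKS_DOC = json.dumps({"keys": [
    {"kty": "RSA", "kid": "rsa-sig-2024", "use": "sig", "alg": "RS256", "n": "placeholder", "e": "AQAB"},
    {"kty": "RSA", "kid": "rsa-enc-2024", "use": "enc", "alg": "RSA-OAEP", "n": "placeholder", "e": "AQAB"},
    {"kty": "EC", "kid": "ec-sig-2024", "use": "sig", "alg": "ES256", "crv": "P-256", "x": "placeholder", "y": "placeholder"},
]})
# Same OP but publishing only the EC key: nothing Gigya can validate RS256 with
EC_ONLY_JWKS_DOC = json.dumps({"keys": [json.loads(JWKS_DOC)["keys"][2]]})

STANDARD_SCOPES = {"profile", "email", "address", "phone"}  # "openid" itself is always requested
PROVIDER_NAME_RE = re.compile(r"^[a-z0-9]+$")  # lowercase alphanumeric, no spaces

def rs256_signing_keys(jwks):
    """Keep only keys usable for RS256 validation: RSA keys marked (or defaulting to) sig/RS256."""
    return [k for k in jwks.get("keys", [])
            if k.get("kty") == "RSA" and k.get("use", "sig") == "sig" and k.get("alg", "RS256") == "RS256"]

def build_console_config(discovery_json, jwks_json, client_id, client_secret, provider_name, requested_scopes):
    """Map OP metadata onto the console fields; raise on anything the console would reject or the OP does not offer."""
    if not PROVIDER_NAME_RE.match(provider_name):
        raise ValueError("Provider Name must be lowercase alphanumeric with no spaces")
    disc = json.loads(discovery_json)
    missing = [f for f in ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint") if f not in disc]
    if missing:
        raise ValueError("discovery document is missing: " + ", ".join(missing))
    offered = set(disc.get("scopes_supported", requested_scopes))
    refused = [s for s in requested_scopes if s not in offered]
    if refused:
        raise ValueError("OP does not advertise scopes: " + " ".join(refused))
    usable_keys = rs256_signing_keys(json.loads(jwks_json))
    # If the OP does not sign with RSA/RS256 there is nothing Gigya can validate with: leave the field blank
    rs256_offered = "RS256" in disc.get("id_token_signing_alg_values_supported", ["RS256"])
    return {
        "Provider Name": provider_name,
        "Client ID": client_id,
        "Client Secret": client_secret,
        "Authorization Endpoint": disc["authorization_endpoint"],
        "Token Endpoint": disc["token_endpoint"],
        "UserInfo Endpoint": disc["userinfo_endpoint"],
        "Scopes": sorted(s for s in requested_scopes if s in STANDARD_SCOPES),
        "Custom Scopes": " ".join(s for s in requested_scopes if s not in STANDARD_SCOPES and s != "openid"),
        "Issuer": disc["issuer"],  # must equal the iss claim in the OP's ID tokens
        "JSON Web Keys": {"keys": usable_keys} if (usable_keys and rs256_offered) else None,
    }
```

Pasting the OP's complete JWKS into the console works as long as at least one RSA signing key is present; filtering it as above makes the "leave blank if not RS256" rule explicit and keeps encryption-only or EC keys out of the field.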

Login Configuration

To enable users to log in via the OP, add a customButtons array to any Gigya RaaS Screen-Set.

To add a Custom Button to a screen-set, use the following format.

var customButtons = [
	{
		"type": "oidc",
		"providerName": "<the providerName of the OP>",
		"opName": "<the providerName of the OP>",
		"iconURL": "<The URL of the image to use for the button face.>",
		"logoURL": "", // Leave empty; logoURL is not valid for OIDC buttons
		"lastLoginIconURL": "<The URL of an image to use as the button face for users that previously used this option.>",
		"position": 1 // The position of this button in the Social Login widget. If not supplied, defaults to 1 and the order in which the buttons are defined in this array
	}
];
gigya.accounts.showScreenSet({"screenSet": "Default-RegistrationLogin", "customButtons": customButtons});

It is important to note that even though you may define custom buttons for several different OPs within the same screen-set, a user can only be connected to a single OP for the life of their account (or until that OP is deleted). Once a user has logged in via one of the available OPs, only that same OP can be used for that account in the future.

Once your OP is configured, you will see it listed in the OIDC Login tab of the Console, along with any other active OPs.

Your RP configuration is now complete.

Support Files

Below you can download generic OpenID Connect button images for use in the customButtons array; they conform to the standard RaaS social login button size.

Additional Information

The full OpenID Connect Core specification can be found at http://openid.net/specs/openid-connect-core-1_0.html.

OpenID Provider Setup

socialize.getSessionInfo REST
