This guide describes how to configure your site as an OIDC RP (OpenID Connect Relying Party) to authenticate users via a third-party OP (OpenID Connect Provider).
RP Flow Overview
Code Flow Diagram With Gigya as OpenID Connect Provider
The following steps are necessary to configure your site as an OIDC RP (Relying Party).
You will need the OP's OpenID Connect meta-data to complete configuration.
- Authorize Endpoint
- Token Endpoint
- UserInfo Endpoint
You will need the client_id and client_secret the OP has assigned to your RP.
You must supply the OP with the following Redirect URI for your RP. This must include the "?". For instructions on determining your Data Center, see Finding Your Data Center.
- us1.gigya.com - For the US data center.
- eu1 - For the European data center.
- au1 - For the Australian data center.
- ru1 - For the Russian data center.
- cn1 - For the Chinese data center.
If you are not sure of your site's data center, see Finding Your Data Center.
If your site is using a CNAME, the Redirect URI will be
If using a CNAME, your site must use SSL / HTTPS.
Navigate to the OIDC Login page of the Gigya Console.
Complete all the required fields.
- Provider Name - The name you will use to reference this OP (must be all alphanumeric lowercase characters and not include any spaces). This value cannot be changed once configured. If this provider is ever deleted from your configuration, all users associated with it will be lost.
- Client ID - The client_id you received from the OP.
- Client Secret - The client_secret you received from the OP.
- Authorization Endpoint - The authorize endpoint for the OP.
- Token Endpoint - The token endpoint for the OP.
- UserInfo Endpoint - The userinfo endpoint for the OP.
- Scopes - Additional standard scopes you are authorized to request from the OP.
- Custom Scopes - Any optional custom scopes that you are authorized to request from the OP (a space delimited case-sensitive list of additional scopes that are preconfigured on the OP).
- Issuer - The value entered here must match the value returned in the iss claim of the response from the OP. If these values do not match, validation will fail and users will not be able to log in.
- JSON Web Keys - The JSON Web Key object containing the keys for the OP. Gigya only supports RSA/RS256 keys. If the response cannot be validated using the supplied keys, login will fail. If the OP uses any algorithm other than RSA/RS256, you must leave this field blank.
Press Create to save the configuration.
To enable users to log into the OP you can add a Custom Buttons array to any Gigya RaaS Screen-Set.
To add a Custom Button to a screen-set, use the following format.
It is important to note that even though you may have custom buttons defined for multiple different OPs within the same screen-set, a user can only be connected to a single OP for the life of their account (or until the OP is deleted). This means that once a user logs in via any of the available OPs, they will only be able to use that OP in the future.
Once your OP is configured, you will see it listed in the OIDC Login tab of the Console, along with any other active OPs.
Your RP configuration is now complete.
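The Issuer and JSON Web Keys fields described above are the two settings most likely to make every login fail when they are wrong. The following is an added example, not part of the original guide and not Gigya code: a pre-flight check that compares a sample id_token from the OP against the values you plan to enter. It inspects the header and claims only and does not verify the signature. The function names, the sample token and the `op.example` issuer are constructed, and treating the issuer match as an exact string comparison is an assumption.

```python
import base64
import json

def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def preflight(id_token, configured_issuer, jwks=None):
    """Return a list of mismatches between an id_token and the RP settings.

    Header and claims are inspected only; the signature is NOT verified.
    """
    problems = []
    parts = id_token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS: expected 3 dot-separated segments"]
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    alg = header.get("alg")
    # Assumption: the Issuer is compared as an exact string, so a trailing
    # slash or a different scheme counts as a mismatch.
    if claims.get("iss") != configured_issuer:
        problems.append("iss %r != configured Issuer %r"
                        % (claims.get("iss"), configured_issuer))
    if alg != "RS256" and jwks:
        problems.append("alg is %r, not RS256: leave JSON Web Keys blank" % alg)
    if alg == "RS256" and jwks:
        keys = jwks.get("keys", [jwks])  # accept a JWK Set or a single JWK
        rsa = [k for k in keys if k.get("kty") == "RSA"]
        kid = header.get("kid")
        if not rsa:
            problems.append("JSON Web Keys contains no RSA key")
        elif kid is not None and all(k.get("kid") != kid for k in rsa):
            problems.append("no RSA key with kid %r in JSON Web Keys" % kid)
    return problems

def _fake_token(header, claims):
    """Build an UNSIGNED, constructed sample token (placeholder signature)."""
    enc = lambda o: base64.urlsafe_b64encode(
        json.dumps(o).encode()).rstrip(b"=").decode()
    return "%s.%s.c2ln" % (enc(header), enc(claims))

# Constructed sample data: issuer with a trailing slash, kid absent from the set.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "k1", "n": "placeholder", "e": "AQAB"}]}
SAMPLE_TOKEN = _fake_token({"alg": "RS256", "kid": "k2"},
                           {"iss": "https://op.example/", "sub": "u1"})

if __name__ == "__main__":
    for p in preflight(SAMPLE_TOKEN, "https://op.example", SAMPLE_JWKS):
        print("MISMATCH:", p)
```

An empty list means the token's iss, alg and kid are consistent with the planned settings; the signature still has to validate against the supplied keys at login time.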
Below you can download generic OpenID Connect buttons for the customButtons array object that conform to standard RaaS social login button size.
Supported Field Mapping
Gigya supports several automatic field mappings when connecting your Gigya RP to a 3rd party OP. These mappings are as follows:
Fields Mapped to the Profile Object
| Gigya Profile Field Name | 3rd Party OP Field Name |
|---|---|
| profile.Url | oidcUserInfo.profile (OR) oidcUserInfo.link |
| profile.city | oidcUserInfo.address (OR) oidcUserInfo.locality |
| profile.state | oidcUserInfo.address (OR) oidcUserInfo.region |
| profile.zip | oidcUserInfo.address (OR) oidcUserInfo.postalCode |
| profile.country | oidcUserInfo.address (OR) oidcUserInfo.country |
Fields Mapped to the oidcData Object
| Gigya oidcData Field Name | 3rd Party OP Field Name |
|---|---|
Custom field mapping is not currently supported.
The entire OpenID Connect specification can be found at http://openid.net/specs/openid-connect-core-1_0.html.