OIDC as Identity Provider

What is OIDC?

OpenID Connect (OIDC) is a secure, standardized protocol for authentication between platforms and applications. A Client application delegates authentication to an Identity Provider, which authenticates the user and returns user info that the Client application can then use. It is a common way to implement Single Sign-On (SSO).

The benefit of this protocol is the separation of concerns: secure authentication with a username, password and possibly multi-factor authentication remains the responsibility of the Identity Provider, which also serves as the single source of truth for user info when there are multiple Client applications.

A well-known example of an Identity Provider is Microsoft Azure. A Crossmarx application can also be set up as an Identity Provider.

Setting up a Crossmarx application as an OIDC Identity Provider

To use your application as an OIDC Identity Provider, first contact Crossmarx to have this feature activated.

In Backstage you can add a Social Login Setting. From the main menu it is found under: Definition -> Configuration (for all branches) -> Social login settings.

The configuration should be as follows:

  • Type: "OIDC server".
  • Label: the name of this specific OIDC server setting.
  • Client id: a unique id for the OIDC Client application that you expect to use this Identity Provider.
  • Secret key: a unique secret that is used together with the client id to set up secure communication with the OIDC Client application.
  • Allowed redirect URIs: the Identity Provider receives a URI to redirect the user to after authentication. Beware: this must be exactly the URI the Client sends, as it is compared as an exact match. If your Client application is a Crossmarx application, this URI is your application's protocol and domain name followed by "/engine/oidc/login", for example "https://{domain}/engine/oidc/login".
  • Claims (optional): the keys of custom information exchanged between the Identity Provider and the Client.
  • Claims mapping (optional): the script that maps the custom data onto the claim keys.

Your Crossmarx application now functions as an Identity Provider. All users in the user account system of this application can now be authenticated using OIDC. Currently it is not possible to restrict OIDC authentication to specific user groups. Please contact Crossmarx if you want to discuss the development of this functionality.

The various endpoints for your OIDC Client applications will be:

Authorize endpoint: https://{domain}/engine/oidc/authorize
Token endpoint: https://{domain}/engine/oidc/token
JWKS endpoint: https://{domain}/engine/oidc/certs
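
As an added example, not Crossmarx code and not taken from this page, the following Python shows what an OIDC Client talking to these endpoints has to do: build the authorize request with a state and nonce, compare the redirect URI as an exact string, prepare the back-channel token request, select the signing key from the JWKS document by key id, verify the ID token's RS256 signature, and validate the token's claims including any custom claim keys agreed with the Identity Provider. The domain, client id, issuer value and the use of HTTP Basic client authentication at the token endpoint are assumptions; the RSA verification is written in plain Python only so the example runs without dependencies.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode


def endpoints(domain):
    """Endpoint layout from the page; {domain} is the Identity Provider's host (assumed)."""
    base = f"https://{domain}/engine/oidc"
    return {"authorize": f"{base}/authorize", "token": f"{base}/token", "jwks": f"{base}/certs"}

def b64url_encode(data):
    """Unpadded base64url as used in JWTs and JWKs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def redirect_uri_allowed(requested, allowed):
    """Exact string match only. Prefix or substring matching would accept an
    attacker-chosen path or query string, which is why the page insists on the exact URI."""
    return requested in allowed

def build_authorize_url(domain, client_id, redirect_uri, state, nonce):
    """Step 1: the URL the browser is sent to (authorization code flow)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,  # ties the callback to this browser session (CSRF protection)
        "nonce": nonce,  # must come back inside the ID token (replay protection)
    }
    return endpoints(domain)["authorize"] + "?" + urlencode(params)

def token_request(domain, client_id, client_secret, code, redirect_uri):
    """Step 2: the back-channel POST to the token endpoint. The secret is sent as
    HTTP Basic credentials (assumption: client_secret_basic is accepted)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "url": endpoints(domain)["token"],
        "headers": {"Authorization": f"Basic {creds}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "authorization_code", "code": code,
                           "redirect_uri": redirect_uri}),
    }

def pick_jwk(jwks, kid):
    """Step 3a: select the RSA key from the JWKS document by the token header's kid."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("kty") == "RSA":
            return key
    return None

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(digest, k):
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 DigestInfo||digest, exactly k bytes."""
    t = SHA256_DIGESTINFO + digest
    if k < len(t) + 11:
        raise ValueError("modulus too short for RS256")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_rs256(token, jwk):
    """Step 3b: check the ID token's RS256 signature against the JWK's public (n, e).
    Plain-Python RSA verification to keep the example dependency-free; a production
    Client would use a maintained JOSE library instead."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "RS256":  # never accept "none" or an HMAC alg here
        return False
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    s = int.from_bytes(b64url_decode(sig_b64), "big")
    if s >= n:
        return False
    k = (n.bit_length() + 7) // 8
    em = pow(s, e, n).to_bytes(k, "big")
    digest = hashlib.sha256(f"{header_b64}.{payload_b64}".encode("ascii")).digest()
    return hmac.compare_digest(em, emsa_pkcs1_v15(digest, k))

def validate_id_token_claims(claims, issuer, client_id, nonce, now, required=()):
    """Step 3c: checks every Client must make even after the signature verifies.
    Returns a list of problems; an empty list means the token is acceptable."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        problems.append("aud")
    if claims.get("nonce") != nonce:
        problems.append("nonce")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("exp")
    # Custom claim keys agreed with the Identity Provider must match exactly.
    problems.extend(f"missing:{key}" for key in required if key not in claims)
    return problems
```

The flow is: redirect the browser to build_authorize_url(), store state and nonce in the session, on the callback check the returned state and that the redirect URI was accepted exactly, POST token_request() from the server, fetch the JWKS endpoint, pick_jwk() by the kid in the ID token header, verify_rs256(), and only then trust the claims that validate_id_token_claims() accepts. The `now` argument is passed in explicitly so the expiry check is testable; a real Client passes the current time.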

Claims

Claims can be used to exchange custom information between the Identity Provider and the Client. The set of claims has to be coordinated with the Client.

When you use a Crossmarx application as an Identity Provider, you define the claim keys in the field "Claims". To map the custom data you want to send onto those keys, write a script in the field "Claims mapping".

It is important that the claim keys are exactly the same on both the Identity Provider and the Client side.