# Add login with an OpenID Connect identity provider

You can add standard OpenID Connect (OIDC) login to your applications using an external OIDC identity provider (IdP), so that users can log in to your applications while their accounts stay with the external identity provider.

Follow this guide to register an OIDC IdP in Asgardeo and add it to the login flow of your application.

# Register Asgardeo in the IdP

You need to register an OpenID Connect application with the external identity provider. Follow the identity provider's documentation for how to register an OIDC application.

Use the following URL as the callback URL (redirect URI) of the application. The IdP only redirects to URIs registered for the application, so the value must match exactly:

```
https://api.asgardeo.io/t/<organization_name>/commonauth
```

Once you register an application, you will receive the following:

  • client_id (also known as app_id or application_id)
  • client_secret (also known as app_secret)

Check the documentation of the OIDC identity provider and get the following endpoints:

  • Authorization Endpoint URL
  • Token Endpoint URL
  • User Info endpoint (optional)
  • Logout endpoint (optional)

# Register the OIDC IdP

Now, let's register the OIDC IdP in Asgardeo.

  1. On the Asgardeo Console, click Connections.

  2. Click Create Connection and select Standard-Based IdP.

  3. Provide a unique identity provider name, select OpenID Connect, and click Next.

  4. Enter the following details of the external OIDC identity provider and click Next:

    | Parameter | Description |
    |---|---|
    | Client ID | The client ID obtained from the external identity provider. |
    | Client secret | The client secret obtained from the external identity provider. |
    | Authorization endpoint URL | The authorization endpoint of the external identity provider. |
    | Token endpoint URL | The token endpoint of the external identity provider. |
  5. (Optional) Provide the mode of certificate configuration.

    You can either configure a JWKS endpoint or upload a certificate of the external party. This is the key material Asgardeo uses to validate the signature of the ID tokens (JWTs) issued by the external identity provider.

    • JWKS endpoint: The JWKS endpoint of the external identity provider. Prefer this option where the IdP offers one, because it follows the IdP's signing-key rotation without a manual certificate update.
    • Use PEM certificate: Upload or paste the public certificate of the external identity provider. The certificate must be in PEM format (a text file that begins with `-----BEGIN CERTIFICATE-----`).

      A `.crt` or `.cer` file may be either PEM text or binary DER; a `.der` file is always DER. Convert to PEM with OpenSSL as follows.

      Convert CRT to PEM (if the file is binary DER rather than text, add `-inform der`):

      ```
      openssl x509 -in cert.crt -out cert.pem
      ```

      Convert CER to PEM (same note as above):

      ```
      openssl x509 -in cert.cer -out cert.pem
      ```

      Convert DER to PEM (`-inform der` is required, otherwise OpenSSL fails with "unable to load certificate"):

      ```
      openssl x509 -inform der -in cert.der -out cert.pem
      ```
  6. Click Finish to complete the registration.

Once the OIDC identity provider is created, you can configure additional OIDC settings from the Settings tab.

By default, Asgardeo requests only the openid scope from the external identity provider. If you need more attributes from the external identity provider (for example email or profile claims, or a groups claim for the group mapping described below), configure the additional scopes from the Settings tab.

# Enable the OIDC IdP for login

Before you begin

You need to register an application with Asgardeo. You can register your own application or use one of the sample applications provided.

  1. On the Asgardeo Console, go to Applications.

  2. Select your application, go to its Login Flow tab and add the OIDC identity provider using your preferred editor:

    Recommendations

    Asgardeo recommends adding your social and enterprise connections to the first authentication step as they are used for identifying the user.

    Using the Classic Editor

    To add OIDC identity provider login using the classic editor:

    1. If you haven't already defined a sign-in flow, click Start with Default configuration to get started.

    2. Click Add Authentication on the step, select your OIDC identity provider, and click Add.

    Using the Visual Editor

    To add OIDC identity provider login using the Visual Editor:

    1. Switch to the Visual Editor tab. By default, the Username & Password login flow is already placed on the Visual Editor's workspace.

    2. Click on + Add Sign In Option to add a new authenticator to the same step and select your OIDC identity provider connection.

  3. Click Update to save your changes.

# How it works

To provide this login capability, Asgardeo uses the standard OpenID Connect authorization code flow underneath. For an application, the flow works as follows:

  1. The user selects the OIDC connection on the Asgardeo login page. Asgardeo redirects the browser to the external IdP's authorization endpoint with `response_type=code`, the client ID, the `/commonauth` callback URL, the `openid` scope (plus any scopes configured in the Settings tab), and `state` and `nonce` values.
  2. The user authenticates at the external IdP, which redirects the browser back to the callback URL with a one-time authorization code and the same `state`.
  3. Asgardeo exchanges the code at the token endpoint, authenticating with the client ID and client secret, and receives an ID token (and optionally an access token).
  4. Asgardeo validates the ID token (signature against the JWKS endpoint or uploaded certificate, issuer, audience, expiry and nonce), optionally calls the UserInfo endpoint for further attributes, maps the claims to Asgardeo attributes, and completes the login to the application.

(Diagram: Add OIDC enterprise login in Asgardeo)
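The exchange described above, as an added example that is not part of this page or Asgardeo's code. The relying-party functions model the role Asgardeo plays toward the external IdP (redirect with state and nonce, callback at `/commonauth`, code exchange, ID token validation); the `idp_*` functions stand in for the external provider so the flow runs offline. The ID token is signed with HS256 using the client secret, which OIDC Core permits; a provider signing with RS256 would be validated against the JWKS endpoint or PEM certificate configured in step 5 instead. The client ID, secret, issuer URL and organization name `myorg` are all assumed values, not ones issued by any real provider.

```python
"""Authorization-code flow between a relying party (RP) and an OIDC IdP, modelled
end to end with standard-library code only. Added example, not Asgardeo's code.
CLIENT_ID, CLIENT_SECRET, ISSUER and the organization name are constructed values.
The IdP side (idp_*) is simulated so the exchange runs offline."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID = "example-client-id"            # constructed; would come from the IdP registration
CLIENT_SECRET = "example-client-secret"    # constructed
ISSUER = "https://idp.example.com"         # constructed issuer identifier
AUTHZ_ENDPOINT = ISSUER + "/authorize"
CALLBACK = "https://api.asgardeo.io/t/myorg/commonauth"   # <organization_name>=myorg, assumed

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# ---- RP side: the role Asgardeo plays toward the external IdP ----
def build_authorization_request():
    """Redirect the browser to the IdP. state ties the callback to this browser session
    (CSRF defence); nonce ties the ID token to this request (replay defence)."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": CALLBACK,
              "scope": "openid", "state": state, "nonce": nonce}
    return AUTHZ_ENDPOINT + "?" + urlencode(params), {"state": state, "nonce": nonce}

def handle_callback(callback_url, session):
    """The IdP redirects to /commonauth?code=...&state=...; reject a state mismatch
    before the code is used at all."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: possible CSRF or stale session")
    return q["code"][0]

def validate_id_token(id_token, session, now=None):
    """Checks required by OIDC Core 3.1.3.7: signature, iss, aud, exp and nonce."""
    now = int(time.time()) if now is None else now
    h, p, sig = id_token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")      # pin the algorithm; never trust alg blindly
    mac = hmac.new(CLIENT_SECRET.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch: replayed or foreign token")
    return claims

# ---- simulated external IdP ----
_ISSUED_CODES = {}   # code -> (nonce, subject); a real IdP keeps this server-side

def idp_authorize(authz_url, subject="alice"):
    """User authenticates at the IdP; it redirects back with a one-time code and the state."""
    q = parse_qs(urlparse(authz_url).query)
    if q["client_id"][0] != CLIENT_ID or q["redirect_uri"][0] != CALLBACK:
        raise ValueError("unknown client or unregistered redirect_uri")
    code = secrets.token_urlsafe(12)
    _ISSUED_CODES[code] = (q["nonce"][0], subject)
    return CALLBACK + "?" + urlencode({"code": code, "state": q["state"][0]})

def idp_token(code, client_id, client_secret, now=None):
    """Token endpoint: authenticate the client, consume the code once, mint an ID token."""
    if (client_id, client_secret) != (CLIENT_ID, CLIENT_SECRET):
        raise PermissionError("invalid_client")
    nonce, subject = _ISSUED_CODES.pop(code)    # single use: a replayed code raises KeyError
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
              "iat": now, "exp": now + 300, "nonce": nonce}
    h = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return {"id_token": f"{h}.{p}.{b64url(sig)}", "token_type": "Bearer"}

def run_flow(subject="alice"):
    """The whole exchange in order: redirect, callback, code exchange, token validation."""
    authz_url, session = build_authorization_request()
    code = handle_callback(idp_authorize(authz_url, subject), session)
    tokens = idp_token(code, CLIENT_ID, CLIENT_SECRET)
    return validate_id_token(tokens["id_token"], session)

if __name__ == "__main__":
    print(run_flow()["sub"])
```

Each of the checks in `handle_callback` and `validate_id_token` corresponds to something Asgardeo must get right with the values from steps 4 and 5: the `state` check stops a callback that was not started by this browser session, the `nonce` check stops a captured ID token from being replayed into another login, and the signature, `iss` and `aud` checks stop a token minted by a different issuer or for a different client from being accepted.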

# Map groups with Asgardeo

# Configure External Connection's Group attribute

Follow the steps below to map the groups attribute of your connection with Asgardeo:

  1. On the Asgardeo Console, go to Connections.
  2. Select your connection and go to its Attributes tab.
  3. Click Add Attribute Mapping to add a new attribute mapping.
  4. Enter the External IdP Attribute of the connection and map it to the Groups attribute of Asgardeo.
  5. Click Add Attribute Mapping and then click Save.
  6. Click Update to save the changes.

# Add groups to connections

Follow the steps below to add the groups from your connection to Asgardeo:

  1. On the Asgardeo Console, go to Connections.
  2. Select your connection and go to its Groups tab.
  3. Click New Group and enter the group name. Be sure to enter the exact group name that will be returned from the connection.
  4. Click Finish to add the group information.
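The two settings above, the attribute mapping and the list of registered group names, modelled as an added example. This is an illustrative model of the behaviour the steps describe, not Asgardeo's implementation: the normalisation of a string-valued claim and the case-sensitive exact match are assumptions, and the claim values are constructed.

```python
"""Model of how an external IdP's group claim is turned into Asgardeo groups.
Added example, not Asgardeo's code. Assumptions: the comparison with the names
registered on the Groups tab is an exact, case-sensitive string match, and a
string-valued claim may be a single name or a comma/space separated list."""

def extract_groups(idp_claims: dict, external_attribute: str) -> list:
    """Read the claim named in the attribute mapping (e.g. 'groups' or 'roles').
    Providers disagree on its shape: a JSON array, a single string, or a delimited
    string. Normalise every case to a list of names."""
    value = idp_claims.get(external_attribute)
    if value is None:
        return []
    if isinstance(value, str):
        return [g for g in value.replace(",", " ").split() if g]
    return [str(g) for g in value]

def map_groups(idp_claims: dict, external_attribute: str, registered_groups) -> tuple:
    """Return (matched, unmatched). Only names registered on the connection's Groups tab
    are recognised; 'admins' does not match a registered 'Admins', which is why the
    name must be entered exactly as the connection returns it."""
    registered = set(registered_groups)
    returned = extract_groups(idp_claims, external_attribute)
    matched = [g for g in returned if g in registered]
    unmatched = [g for g in returned if g not in registered]
    return matched, unmatched

if __name__ == "__main__":
    # constructed ID token claims; 'roles' is the external attribute mapped to Groups
    claims = {"sub": "alice", "roles": ["Developers", "admins"]}
    print(map_groups(claims, "roles", ["Developers", "Admins"]))
```

The `unmatched` list is the thing to log when users turn up without the access you expected: it shows the name the IdP actually sent, so the Groups tab entry can be corrected to match it exactly.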

# Delete a connection

Before you begin

If a connection has applications associated with it, you cannot delete it. Before deleting such a connection:

  1. Check the associated applications from the Connected Apps tab of the connection.
  2. Click an application that uses the connection; you are redirected to the Login Flow (Sign-in Method) tab of that application.
  3. Remove the connection from the login flow of the application and save the change.
  4. Repeat steps 2 and 3 for all listed applications.
  5. Proceed to delete the connection.

To delete a connection that does not have any applications using it:

  1. On the Asgardeo Console, go to Connections.

  2. Click Set up on the connection and go to the General tab.

  3. At the bottom of the page, in the Delete connection section, click the delete button.

    You cannot delete connections that are available by default.

  4. Select the confirmation checkbox and confirm your action.