User mapping in OpenID Connect Relying Party

In this scenario my Relying Party (RP) not only wants to get information about a user but also needs to map a user to an internal user of the RP. Because of this I would like to map existing users of the Identity Provider (IdP) to users/groups in the RP. How can I achieve this with OpenID Connect (IdP and RP have a trust relationship; both are controlled by me)?

What are other options to solve this issue?

Dunken asked Nov 15 '17 10:11


1 Answer

There are two approaches I see here; one from the OpenID Connect point of view, and the other from user directory handling.

Id token claims

The OpenID Connect specification defines standard claims in an id token, and gives the freedom to define claims of our own. For example, if the RP cannot depend on the sub claim to identify and map the end user, one can introduce a custom claim in addition to the standard claims available.

ID Tokens MAY contain other Claims. Any Claims used that are not understood MUST be ignored

For example, you can define a claim rp_identifier in the id token which gives you the RP user id.

This will require some configuration of your IDP and also storing the required identifier in IDP storage.

Directory synchronization

Not sure how your user directories are set up. But if you are using an external IDP, you may want to synchronize your internal and external user directories. I am not an expert in this domain, but for your reference this article explains Azure Active Directory synchronization.

Although user synchronization is out of scope of OpenID Connect, many who are moving to OpenID Connect at some point have to map internal users to users in the IDP.

Kavindu Dodanduwa answered Oct 13 '22 14:10
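Both approaches from the answer above, worked through on the RP side, as an added example that is not part of the original question or answer. It assumes the IdP and RP share an HS256 secret (plausible here because both are under the same control; a production RP would normally verify RS256/ES256 signatures against the IdP's JWKS instead), that the custom claim is named rp_identifier as the answer proposes, and that the issuer, audience, user table and directory-sync table are constructed stand-ins. The RP first verifies the token (signature, pinned algorithm, issuer, audience, expiry), then maps to an internal user via the custom claim, falling back to a synchronised lookup keyed on the (iss, sub) pair, since sub is only unique within one issuer. Unknown claims are ignored as the specification requires, and an unmapped subject is refused rather than auto-provisioned.

```python
import base64
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"constructed-demo-secret-do-not-use"  # constructed shared HS256 key
ISSUER = "https://idp.example.test"                    # assumed IdP issuer URL
AUDIENCE = "rp-client-id"                              # assumed RP client_id

# Constructed RP user table: internal user id -> display name
RP_USERS = {"u-1001": "alice (internal)", "u-1002": "bob (internal)"}
# Constructed directory-sync table: (iss, sub) -> internal user id
SUBJECT_MAP = {(ISSUER, "idp-sub-777"): "u-1002"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Stand-in for the IdP: produce an HS256-signed id token (JWS compact form)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_id_token(token: str, secret: bytes = SHARED_SECRET, now=None) -> dict:
    """RP side: check signature, pinned alg, issuer, audience and expiry; return claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != AUDIENCE and not (isinstance(aud, list) and AUDIENCE in aud):
        raise ValueError("wrong audience")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims


def map_to_internal_user(claims: dict) -> str:
    """Approach 1: honour the custom rp_identifier claim the IdP was configured to issue.
    Approach 2: fall back to the synchronised (iss, sub) mapping.
    Claims the RP does not understand are simply ignored."""
    rp_id = claims.get("rp_identifier")
    if rp_id is not None:
        if rp_id not in RP_USERS:
            raise LookupError(f"rp_identifier {rp_id!r} is not a known internal user")
        return rp_id
    key = (claims["iss"], claims["sub"])  # sub is only unique per issuer
    if key in SUBJECT_MAP:
        return SUBJECT_MAP[key]
    raise LookupError(f"no internal user mapped for subject {key}")


if __name__ == "__main__":
    now = 1_700_000_000
    # Constructed token carrying the custom claim plus one claim the RP ignores
    t1 = mint_id_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "idp-sub-1",
                        "exp": now + 300, "rp_identifier": "u-1001", "unknown_claim": 1})
    # Constructed token without the custom claim, resolved via directory sync
    t2 = mint_id_token({"iss": ISSUER, "aud": [AUDIENCE, "other"], "sub": "idp-sub-777",
                        "exp": now + 300})
    for t in (t1, t2):
        uid = map_to_internal_user(verify_id_token(t, now=now))
        print(uid, "->", RP_USERS[uid])
```

The pinned `alg` check and the constant-time signature comparison are the parts worth keeping even if you swap in a JWT library: the RP must decide which algorithm and key it accepts, not the token. Keeping the fallback table keyed on (iss, sub) rather than sub alone matters once a second IdP is trusted.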