Menu
In this scenario my Relying Party (RP) not only wants to get information about a user but also needs to map a user to an internal user of the RP. Because of this I would like to map existing users of the Identity Provider (IdP) to users/groups in the RP. How can I achieve this with OpenID Connect (IdP and RP have a trust relationship; both are controlled by me)?
What are other options to solve this issue?
289
The OpenID Connect Federation 1.0 specification is being developed to enable large-scale federations to be deployed using OpenID Connect. It enables trust among federation participants to be established through signed statements made by federation operators and organizations about federation participants.
In SAML, the user is redirected from the Service Provider (SP) to the Identity Provider (IDP) for sign in. In OpenID Connect, the user is redirected from the Relying Party (RP) to the OpenID Provider (OP) for sign in. The SAML SP is always a website.
Google's OAuth 2.0 APIs can be used for both authentication and authorization. Google's OAuth 2.0 implementation for authentication conforms to the OpenID Connect specification and is OpenID certified. Thus, it can be used to provide SSO services for TalentLMS clients.
This specification defines the "SIOP DID Profile" (SIOP DID) that is a DID AuthN flavor to use OpenID Connect (OIDC) together with the strong decentralization, privacy and security guarantees of Decentralized Identifiers (DID) for everyone who wants to have a generic way to integrate Identity Wallets into their web ...
There are two approaches I see here; one from the OpenID Connect point of view, and the other from user directory handling.
Id token claims
OpenID Connect specification defines standard claims in an id token, and gives the freedom to define claims of our own. For example, if the RP cannot depend on sub claim to identify and map the end user, one can introduce a custom claim other than standard claims available.
ID Tokens MAY contain other Claims. Any Claims used that are not understood MUST be ignored
For example, you can define a claim rp_identifierin id token which gives you the RP user id.
This will require some configuration to your IDP and also storing required identifier in IDP storage.
Directory synchronization
Not sure how your user directories are set up. But if you are using an external IDP, you may want to synchronize your internal and external user directories. I am not an expert in this domain, but for your reference this article explains about Azure active directory synchronization.
Although the user synchronization is out of scope of OpenID Connect, many who are moving to OpenID Connect at some point have to map internal users to users in IDP provide.
112
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
