OpenID Connect

WISEflow supports authentication through OpenID Connect. This enables institutions to use well-known, secure SSO methods to authenticate users. 

OpenID Connect is a highly customisable way of authenticating users already known in WISEflow by mapping an institution user ID to a licence user ID in WISEflow. Mapping can be done to any unique user ID or email currently on the licence.

Usage

Users can authenticate through OpenID Connect from the institution login page when OpenID Connect has been enabled on the licence. Note that the logo and text depend on the exact configuration:

[Screenshot (2024-02-14 11.28.33): institution login page with the OpenID Connect login button]

If users are already logged in to the OpenID Connect instance, they will automatically be forwarded to WISEflow. If not, users are asked to log in using their own credentials:

[Screenshot (2024-02-14 11.37.14): login prompt of the OpenID Connect identity provider]

Configuration

The initial configuration is done by UNIwise and the institution in collaboration. It is possible to have more than one OpenID Connect instance on a licence.

Configuring an OpenID Connect instance requires the following from the institution:

  • Identity Provider (IdP) that supports the OAuth 2.0 protocol with the OpenID-Connect Authorization Code Flow
  • IdP metadata
    • Icon
    • Display name (Display name will be shown on the login button)
  • IdP client credentials
    • Client ID
    • Client secret
  • OpenID Connect discovery URL
  • One of the following security features:
    • PKCE
    • State
    • Nonce
  • ID Token claim
    • Path to Personal Identifier (PID)
    • Must be visible from the ID Token
  • Unique licence user data type in WISEflow that matches the PID

OpenID Connect Protocol Details

Discovery URL

The discovery URL is used to retrieve the IdP metadata. It is usually located at the root of the IdP domain (e.g. https://foo.bar/.well-known/openid-configuration). The discovery URL must be accessible from the WISEflow server.

Client Credentials

  • The client credentials are used to authenticate the WISEflow server with the IdP.
  • The client credentials must be shared securely.
  • The client credentials consist of a client ID and a client secret.

Flow Type

  • Only the OpenID-Connect Authorization Code Flow is supported by WISEflow.

Authentication Request Parameters

  Parameter              Description
  client_id              The client ID is used to identify the client.
  redirect_uri           The redirect URI is used to redirect the user back to WISEflow after authentication.
  response_type          The response type must be “code”.
  scope                  The scope must be “openid”.
  state                  state is used to prevent CSRF attacks.
  nonce                  nonce is used to prevent replay attacks.
  code_challenge         Used by PKCE to verify the code verifier.
  code_challenge_method  The code challenge method is S256.

PKCE

PKCE is used to prevent code interception attacks and is recommended but not required. WISEflow uses the S256 hashing algorithm to hash the code verifier.

  Parameter              Description
  code_challenge         The code challenge is a hashed value of the code verifier. The code challenge is used to verify the code verifier.
  code_challenge_method  The code challenge method is used to specify the hashing algorithm used to hash the code verifier. The code challenge method must be S256.
  code_verifier          The code verifier is a random string generated by the client. The code verifier is used to generate the code challenge.
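The authentication request parameters and the S256 PKCE challenge described in the two tables above, as an added Python example that is not part of WISEflow or this article. The authorization endpoint, client ID, redirect URI and the dotted syntax used for the PID claim path are assumptions; the S256 computation follows RFC 7636.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

def make_code_verifier() -> str:
    # RFC 7636 code_verifier: 43 unreserved chars from 32 random bytes, base64url, no padding
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")

def s256_challenge(code_verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorization_url(authorization_endpoint: str, client_id: str, redirect_uri: str,
                            state: str, nonce: str, code_verifier: str) -> str:
    # Parameters from the request table; authorization_endpoint comes from the discovery document (assumed)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "code_challenge": s256_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return f"{authorization_endpoint}?{urlencode(params)}"

def authorization_code_from_callback(callback_url: str, expected_state: str):
    # Hand back the code only if the state bound to this browser session matches (CSRF check);
    # the code_verifier is then sent to the token endpoint so the IdP can recompute the S256 challenge.
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if "error" in query or not secrets.compare_digest(state, expected_state):
        return None
    return query.get("code", [None])[0]

def personal_identifier(id_token_claims: dict, expected_nonce: str, pid_path: str):
    # Replay check on the nonce claim, then walk the configured PID path
    # (dotted path syntax is an assumption, e.g. "employee.pid" -> claims["employee"]["pid"])
    if id_token_claims.get("nonce") != expected_nonce:
        return None
    value = id_token_claims
    for key in pid_path.split("."):
        if not isinstance(value, dict) or key not in value:
            return None
        value = value[key]
    return value
```

The value returned by personal_identifier is what gets mapped to the unique licence user data type in WISEflow; a None result means the ID token should be rejected rather than mapped.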
