Dynamically Register an OpenID Client

OpenID provides a protected endpoint with which OpenID clients can be dynamically registered.

A predefined OpenID client with administrative permissions authenticates and then sends registration requests to this endpoint to register and administer other clients.

A user with administrative permissions must be defined as the OpenID Client (referred to as the ‘OpenID administrator’ in this section). This user must also have an associated OpenID client (organization) configuration adapter.

Subsequently, as this OpenID administrator, you can register new OpenID clients via the OpenID register endpoint.

Create the OpenID Administrator for Dynamic Registration

Create an OpenID administrator configured with a valid logon authenticator and the required permissions that you will use to register OpenID clients.

  1. Log on to the ActivID Management Console as an ActivID Administrator and create an ActivID Appliance user with administrative privileges (for example, called OpenID_admin) in the System Users group.

  2. Select the Wallet tab and create a password for the user with the System Static Login authentication policy.

  3. Create the Permission Set used to register/unregister a client:

    1. Select the Access Administration tab and, under Access Control, select Permission Sets.

    2. Click Add.

    3. Enter a descriptive Name for the permission set (for example, OpenID Client Registration Permissions) and edit the Code if necessary.

    4. From the Permission Type drop-down list, select Predefined.

    5. From the Resource Type drop-down list, select Admin Group.

    6. Select the required permission(s) from the Individual Permissions list as illustrated above, and click Save.

  4. Assign the Permission Set to the System Users group:

    1. Select the Access Administration tab and, under User Organization, select Administration Groups.

    2. Click on the name of the System Users group.

    3. Select the Permissions tab, and then scroll down to Available to view the available permissions for the group.

    4. Click Assign for the OpenID permission set you created above to assign it to the group.

    5. Keep the default values (Any …) for policy, channel and resource, click Next and then OK.

    6. Click OK to apply the settings.

  5. Create an OpenID adapter with the same name as the "OpenID administrator":

    1. Select the Configuration tab and, under Environment, select Adapters.

    2. Click Add.

    3. Enter the main information for the adapter:

      • Name – mandatory (use the same name as the “OpenID administrator”)
      • Description – a user-friendly description of the adapter (optional).
      • Adapter Type – select Process to send notifications of operational events (such as user validations).
      • Adapter Category – select OpenID client (organization) configuration as the definition of the adapter.
    4. Enter the required parameter:

      • Valid redirect URIs for the client - mandatory
    5. If necessary, enter the optional parameters:

      For example, you can customize the expected channel and authentication policy for end users according to the user group configuration used by your application.

    6. The default values are defined in the /usr/local/activid/ActivID_AS/applications/resources/ap/samlidp.properties file:

      Parameter: hid_client_channel
        Description: Channel through which the client authenticates
        Default value: CH_DIRECT
        Property: OpenId.DEFAULT_RP_CLIENTCHANNEL

      Parameter: hid_client_pwd_policy
        Description: Password-based authentication policy to use to authenticate the client
        Default value: AT_SYSLOG
        Property: OpenId.DEFAULT_RP_CLIENTCREDAUTHPOL

      Parameter: hid_client_pki_policy
        Description: PKI-based authentication policy to use to authenticate the client
        Default value: AT_SYSPKI
        Property: OpenId.DEFAULT_RP_CLIENTPKIAUTHPOL

      Parameter: hid_client_credential_type
        Description: Credential type for the authentication type configured for OpenID client authentication, if that authentication type is configured with several credential types
        Default value: Not applicable
        Property: Not applicable
        Note: This parameter is not present by default, and does not have a default value or associated property.

      Parameter: hid_user_channel
        Description: Channel through which an end user of the client authenticates
        Default value: CH_TDSPROV
        Property: OpenId.DEFAULT_RP_USERCHANNEL

      Parameter: hid_user_authn_policy
        Description: Default authentication policy for the end user
        Default value: AT_TDSOOB
        Property: OpenId.DEFAULT_RP_USERPWDAUTHPOL

      Parameter: hid_sessiontransfer_type
        Description: Type of the transfer policy for the session's authorization code (see the default session transfer policies below)
        Default value: NUM001
        Property: OpenId.DEFAULT_RP_USERSESSIONTRANSFTYPE

      Parameter: hid_client_group
        Description: Default user group for the client
        Default value: USG_SYS
        Property: OpenId.DEFAULT_RP_USERPARENTGROUP

      Parameter: hid_client_authentication_constraints
        Description: Whitelist of IP addresses allowed to authenticate the OpenID client. The supported value is a comma-separated list, as a string, of individual IP addresses and/or IP ranges:
          • Individual IP – IPv4 or IPv6 (for example, 10.16.125.223)
          • IP range – defined by a CIDR block (for example, 10.16.124.0/32)
          The value can mix individual addresses and ranges, for example "10.16.125.223,10.16.124.0/32". If the parameter is not present or is undefined, no IP restriction is applied to OpenID client authentication.
        Default value: Not applicable
        Property: Not applicable
        Note: This parameter is not present by default, and does not have a default value or associated property.

      The default session transfer policies are:

      Policy name   Format         Expiry period   Length
      NUM001        Numeric        10 minutes      8 digits
      NUM002        Numeric        3 minutes       20 digits
      ALP001        Alphabetic     10 minutes      8 digits
      ALP002        Alphabetic     3 minutes       20 digits
      ANU001        Alphanumeric   10 minutes      8 digits
      ANU002        Alphanumeric   3 minutes       20 digits

  6. Click Save.

Dynamically Register a New OpenID Client

To dynamically register an OpenID client via the OpenID Connect API, the caller should:

  1. Call the OpenID token endpoint with the predefined OpenID administrator's credentials to obtain an access token.

  2. (Optional) Call the OpenID configuration endpoint to get the register endpoint URL.

  3. Send the OpenID client registration request to the OpenID register endpoint with the predefined OpenID administrator's access token to register an OpenID client with the required parameters (see Supported Parameters for OpenID Client Registration Requests).
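The three-step exchange above, together with a check of the hid_client_authentication_constraints whitelist format described for the adapter, as an added example that is not code from the ActivID documentation. The endpoint URLs, the grant type used to obtain the administrator's token (client_credentials with client_secret_post), and all sample values are assumptions.

```python
# Added example, not code from the ActivID documentation. Endpoint URLs, the
# grant type used for the administrator token and all sample values are assumed.
import ipaddress
import json
import urllib.parse
import urllib.request


def admin_token_request(token_url, client_id, client_secret):
    """Step 1: request the OpenID administrator's access token.
    Assumes the client_credentials grant with client_secret_post."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id, "client_secret": client_secret})
    return urllib.request.Request(token_url, data=form.encode(), method="POST",
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})


def registration_endpoint(discovery_json):
    """Step 2: read the register endpoint from the discovery document and
    refuse a non-TLS URL, since the administrator's bearer token goes to it."""
    url = json.loads(discovery_json).get("registration_endpoint", "")
    if not url.startswith("https://"):
        raise ValueError("discovery document lacks an https registration_endpoint")
    return url


def validate_ip_whitelist(value):
    """Check a hid_client_authentication_constraints value before sending it:
    comma-separated individual IPv4/IPv6 addresses or CIDR blocks. strict=True
    rejects malformed entries and CIDR blocks with host bits set."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if not entries:
        raise ValueError("whitelist is present but empty")
    for entry in entries:
        ipaddress.ip_network(entry, strict=True)  # raises ValueError on a bad entry
    return ",".join(entries)


def build_registration_request(register_url, token, redirect_uris, whitelist=""):
    """Step 3: registration request carrying the administrator's bearer token.
    The hid_client_* keys are the adapter parameters described above."""
    body = {"redirect_uris": redirect_uris,
            "token_endpoint_auth_method": "client_secret_post",  # appliance default
            "hid_client_channel": "CH_DIRECT"}
    if whitelist:
        body["hid_client_authentication_constraints"] = validate_ip_whitelist(whitelist)
    return urllib.request.Request(
        register_url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
```

Each function returns a prepared request; send it with urllib.request.urlopen and parse the JSON reply (the access token after step 1, the generated client id after step 3).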

A successful registration will:

  1. Create a user in the specified (or configured) user group with a generated client id.

  2. Create the corresponding credential based on the following parameters:

    • token_endpoint_auth_method – this parameter is optional. If not present, the default value is client_secret_post (the OpenID Connect Registration specification defines client_secret_basic as the default value, but client_secret_post is used as it is more secure).

    • hid_client_xxx_policy (hid_client_pwd_policy or hid_client_pki_policy)

  3. Create a password credential or a device (if required, such as for PKI credentials) and assign it to the user.

  4. Create the corresponding authentication record.

  5. Create an OpenID adapter.