Manually Register an OpenID Client

An OpenID Client can be registered and configured manually using the ActivID Management Console.

  1. Register a user and define a valid credential for it, unless the user represents a “Public Client” (a public client does not authenticate with client credentials, so no credential is required):

    1. Log on to the ActivID Management Console as an ActivID Administrator and go to the Help Desk tab.

    2. Under Users, click Register User and follow the wizard’s instructions to register a user with a valid credential.

    In this example, the user spl-api is registered in the System Users Admin Group with a static password credential (using the System Static Login authentication policy).

  2. Create an OpenID Client Configuration adapter for this user:

    1. In the Configuration tab, under Environment, click Adapters.

    2. Click Add and create an OpenID client (organization) configuration adapter with the same name as the user (in this example, spl-api).

  3. Configure the adapter’s Parameters according to the OpenID client’s configuration. The important parameters are:

    • Code of the channel through which the client authenticates

    • Code of the password-based authentication policy to use to authenticate the client

    • Code of the PKI-based authentication policy to use to authenticate the client

    • Code of the channel through which an end-user of the client authenticates

    • Type of the session transfer code

    • Valid redirect URIs for the client (comma delimited)

    • Code of the default authentication policy for the end user

    For additional parameters, see OpenID client (organization) configuration.
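The "Valid redirect URIs" parameter is the one setting in this list that directly decides where authorization codes and tokens may be delivered, so it is worth seeing how a server should consume it. The following is an added example, not ActivID code and not a description of how ActivID itself matches redirect URIs: it parses a comma-delimited list in the adapter's format, rejects entries that are unusable as redirect URIs (relative URIs, wildcards, fragment components, plain http on non-loopback hosts, the last being a policy chosen for this example), and then validates an incoming redirect_uri by exact string comparison as RFC 6749 and the OAuth 2.0 Security Best Current Practice require. The URIs and the spl-api client values used are constructed for the example.

```python
"""Exact-match validation of an OpenID client's registered redirect URIs.

Added example (not ActivID code). Models the adapter's comma-delimited
"Valid redirect URIs for the client" value and checks incoming
redirect_uri values against it with exact string comparison.
"""
from typing import List, Optional
from urllib.parse import urlsplit

LOOPBACK_HOSTS = ("127.0.0.1", "::1", "localhost")


class RedirectUriConfigError(ValueError):
    """Raised when the registered list itself is unusable."""


def parse_redirect_uris(raw: str) -> List[str]:
    """Split the comma-delimited adapter value into registered URIs.

    Each entry is trimmed; it must be an absolute URI with a scheme and a
    host, must not contain a fragment (RFC 6749 section 3.1.2), must not
    contain a wildcard, and (policy chosen for this example) may use plain
    http only on a loopback host. Duplicates are dropped, order is kept.
    """
    uris: List[str] = []
    for entry in raw.split(","):
        uri = entry.strip()
        if not uri:
            continue
        if "*" in uri:
            raise RedirectUriConfigError(f"wildcards are not allowed: {uri}")
        parts = urlsplit(uri)
        if not parts.scheme or not parts.netloc:
            raise RedirectUriConfigError(f"not an absolute URI: {uri}")
        # urlsplit reports an empty fragment for a trailing "#", so check both.
        if parts.fragment or uri.endswith("#"):
            raise RedirectUriConfigError(f"fragment component not allowed: {uri}")
        if parts.scheme == "http" and parts.hostname not in LOOPBACK_HOSTS:
            raise RedirectUriConfigError(f"plain http only allowed on loopback: {uri}")
        if uri not in uris:
            uris.append(uri)
    if not uris:
        raise RedirectUriConfigError("no redirect URIs registered")
    return uris


def check_redirect_uri_config(raw: str) -> Optional[str]:
    """Return None if the adapter value is acceptable, else the problem found."""
    try:
        parse_redirect_uris(raw)
    except RedirectUriConfigError as exc:
        return str(exc)
    return None


def redirect_uri_allowed(requested: str, registered: List[str]) -> bool:
    """Exact string match only (RFC 3986 simple string comparison).

    Prefix, host-only or substring matching lets an attacker who controls a
    URI that merely resembles the registered one receive the authorization
    code. Loopback port flexibility (RFC 8252 section 7.3) is deliberately
    not applied here, so a different loopback port is rejected too.
    """
    return requested in registered


if __name__ == "__main__":
    # Constructed adapter value for the spl-api client of the example above.
    registered = parse_redirect_uris(
        "https://spl-api.example.com/oidc/callback, http://127.0.0.1:8080/callback"
    )
    candidates = [
        "https://spl-api.example.com/oidc/callback",            # exact: allowed
        "https://spl-api.example.com/oidc/callback/",           # trailing slash: rejected
        "https://spl-api.example.com/oidc/callback?next=x",     # extra query: rejected
        "https://spl-api.example.com.evil.test/oidc/callback",  # host suffix trick: rejected
        "http://127.0.0.1:9090/callback",                       # other loopback port: rejected
    ]
    for candidate in candidates:
        verdict = "allow " if redirect_uri_allowed(candidate, registered) else "reject"
        print(f"{verdict} {candidate}")
    print("config problem:", check_redirect_uri_config("https://spl-api.example.com/*"))
```

When entering the adapter value, keep each URI exactly as the client will send it in the authorization request (scheme, host, port, path and query byte for byte); any variation, including a trailing slash, is a different URI under exact matching.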

You can also configure the OpenID Client Configuration adapter for the following options. For each option, the adapter parameters involved are listed.

OpenID end-user claims and consent capture

  • Client scopes
  • Prompt end user for consent signature

For further information, see Enabling OpenID Connect Claims and Prompting User for Consent.

OpenID request object support

  • Client's signing certificate
  • Client's encryption certificate
  • UserInfo encrypted response algorithm
  • ID Token encrypted response algorithm

For further information, see Configuring Support for OpenID Connect Request Objects.

Domain Federation

  • Access Token Permitted audiences
  • End-user public roles filter
  • End-user Federation Id attribute type

For further information, see Configuring Security Domain Federation.

OpenID client’s type – public client or confidential client

  • Token Endpoint Authentication Method

For further information, see Configuring OpenID Connect Support of Public Clients.

Refresh Token support

  • Client scopes
  • Refresh Token validity

For further information, see Configuring Support for Refresh Tokens.

Format and signature of the ID Token in the CIBA response

  • Use legacy plain format in CIBA messages

Possible values:

  • true (default) - the ID Token in the CIBA response uses the legacy plain format and is not signed (nor signed and encrypted).
  • false - the ID Token in the CIBA response is signed (or signed and encrypted) and uses the updated format that complies with the CIBA specification.

Leave the parameter at true to keep the previous behavior; set it to false for clients that expect the specification-compliant, signed ID Token.

Note: If you dynamically register the client, the corresponding parameter is hid_ciba_callback_format_plain. For further information, see Supported Parameters for OpenID Client Registration Requests.

Optionally, you can also configure the OpenID client for ID Token encryption using the following parameters:

  • Client's encryption certificate
  • ID Token encrypted response algorithm