Setting up the OIDC Definition API
Before you begin
To configure an API protection definition to be OIDC OP conformant and Financial-grade API (FAPI) compliant, ensure that both the OIDC Compliant and the FAPI Compliant flags are checked. See OIDC Definition and WebSEAL OAuth Config.
Follow the guidelines below and the configuration steps in this topic to be fully conformant:
- For both FAPI and OIDC:
  - Ensure that the OIDC well-known endpoint is configured. See OpenID Connect Discovery.
- For FAPI only:
  - Ensure that each client has a certificate and that the public portion of that certificate is added to the rt_profile or signing SSL database (required for Request JWT validation). The same client certificate can be added to the pdsrv or webseal SSL database for mTLS. See Configuring FAPI Client.
  - FAPI requires the algorithm used for signing the Request JWT to be ES256 (ECDSA with P-256 and SHA-256). Ensure that the certificate used for JWT validation carries a key that supports this algorithm, otherwise the definition is not FAPI compliant.
  - Update the Discovery Endpoint. Add the following parameters to metadata.json:
    "claims_supported": ["realmName","preferred_username","given_name","uid","upn","groupIds","employee_id","name","tenantId","mobile_number","department","job_title","family_name","email","acr"],
    "tls_client_certificate_bound_access_tokens": <%var supported = true;templateContext.response.body.write(supported);%>
    The second value is a template expression that renders as the JSON boolean true in the served discovery document.
  - Set require-mpa = yes in the [session] stanza of the WebSEAL configuration file. This ensures that HTTP headers are not accepted as session keys or authentication tokens unless they are received through a multiplexing proxy agent (MPA). For FAPI, this is used to bind each token and the client certificate information into one unique session without any form of session caching.
  - Set the Point of Contact to Access Manager Credential.
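The discovery changes above are easy to get subtly wrong: the template expression must render as the JSON boolean true, not the string "true" or the literal template text, and every claim in the list must actually be advertised. The following Node.js checker, an added example that is not part of this documentation or of the product, audits the raw body of the well-known endpoint for exactly those points. The endpoint names, the sample documents and the request_object_signing_alg_values_supported check are assumptions for illustration.

```javascript
// Added example (not IBM code): audit a served OIDC discovery document for the
// FAPI settings added to metadata.json above. Sample documents are constructed.
const REQUIRED_CLAIMS = [
  'realmName', 'preferred_username', 'given_name', 'uid', 'upn', 'groupIds',
  'employee_id', 'name', 'tenantId', 'mobile_number', 'department',
  'job_title', 'family_name', 'email', 'acr',
];
// Assumed minimum set of endpoints a relying party needs from the OP.
const REQUIRED_ENDPOINTS = ['issuer', 'authorization_endpoint', 'token_endpoint', 'jwks_uri'];

// Parse the raw body of /.well-known/openid-configuration. An unrendered,
// unquoted template expression makes the body invalid JSON and is caught here.
function parseDiscovery(body) {
  try {
    return { doc: JSON.parse(body), error: null };
  } catch (e) {
    return { doc: null, error: `discovery body is not JSON: ${e.message}` };
  }
}

// Check a parsed discovery document and return every problem found.
function checkDiscovery(doc) {
  const errors = [];
  for (const k of REQUIRED_ENDPOINTS) {
    if (typeof doc[k] !== 'string' || !doc[k]) errors.push(`${k} missing`);
  }
  // Must be the boolean true: a quoted template or the string "true" is a misconfiguration.
  const bound = doc.tls_client_certificate_bound_access_tokens;
  if (bound !== true) {
    errors.push(typeof bound === 'string' && bound.includes('<%')
      ? 'tls_client_certificate_bound_access_tokens: template expression was not rendered'
      : `tls_client_certificate_bound_access_tokens must be boolean true, got ${JSON.stringify(bound)}`);
  }
  const claims = Array.isArray(doc.claims_supported) ? doc.claims_supported : [];
  const missing = REQUIRED_CLAIMS.filter((c) => !claims.includes(c));
  if (missing.length) errors.push(`claims_supported missing: ${missing.join(', ')}`);
  // Assumed extra check: if request-object algorithms are advertised, ES256 must be among them.
  const algs = doc.request_object_signing_alg_values_supported;
  if (Array.isArray(algs) && !algs.includes('ES256')) errors.push('ES256 not advertised for request objects');
  return { ok: errors.length === 0, errors };
}

function auditDiscoveryBody(body) {
  const { doc, error } = parseDiscovery(body);
  return error ? { ok: false, errors: [error] } : checkDiscovery(doc);
}

// Constructed samples: a correctly rendered document and two common mistakes.
const GOOD_DISCOVERY = JSON.stringify({
  issuer: 'https://op.example.com',
  authorization_endpoint: 'https://op.example.com/authorize',
  token_endpoint: 'https://op.example.com/token',
  jwks_uri: 'https://op.example.com/jwks',
  claims_supported: REQUIRED_CLAIMS,
  tls_client_certificate_bound_access_tokens: true,
  request_object_signing_alg_values_supported: ['ES256', 'PS256'],
});
const STRING_BOOL_DISCOVERY = GOOD_DISCOVERY.replace(
  '"tls_client_certificate_bound_access_tokens":true',
  '"tls_client_certificate_bound_access_tokens":"true"');
const UNRENDERED_DISCOVERY = GOOD_DISCOVERY.replace(
  '"tls_client_certificate_bound_access_tokens":true',
  '"tls_client_certificate_bound_access_tokens":"<%var supported = true;templateContext.response.body.write(supported);%>"');

for (const body of [GOOD_DISCOVERY, STRING_BOOL_DISCOVERY, UNRENDERED_DISCOVERY]) {
  console.log(JSON.stringify(auditDiscoveryBody(body)));
}
```

Run it against the real endpoint by fetching the body with curl and passing it to auditDiscoveryBody; the string-versus-boolean distinction matters because a relying party that checks `=== true` will treat "true" as not supported.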
About this task
Note: OIDC compliance is a prerequisite for FAPI compliance. The following conformance settings are configured when the OIDC Compliant or FAPI Compliant flag is checked.
More information on the functions these settings perform can be found in OpenID Connect Provider Conformance and FAPI Conformance.
The following are configured when the OIDC Compliant flag is checked in the API Protection Definition:
- OIDC Conformance (OIDC definition)
  - Access Policy – max_age and prompt=none
  - Mapping Rule – authenticationTime
  - Mapping Rule – produce_userinfo_jwt
  - Mapping Rule – redirect_uri
  - Mapping Rule – nonce
  - Mapping Rule – assert_no_code_reuse
  - STS Chain – Userinfo as JWT
  - STS Chain – Request JWT (a module for the mapping rule that validates the Request Object is added by default; that code runs only if the FAPI flag is turned on in the definition)
  - STS Chain – Client Authentication
- FAPI Conformance
  The following items are configured when the FAPI Compliant flag is checked in the WebSEAL OAuth and OpenID Connect Provider Configuration and in the API Protection Definition, respectively.
  WebSEAL – OAuth and OpenID Connect Provider Configuration (FAPI Compliant flag):
  - Authentication Mechanism – FAPI Cert Authentication with FAPI_CertEAI.js (available by default in Verify Identity Access 10)
  - WebSEAL Config – Configure FAPI Cert EAI
  - WebSEAL Config – Configure HTTP Transformation for Sample Resource Endpoint
  - Access Policy – isam_oauth_unauth ACL on the junction /sps/auth
  OpenID Connect and API Protection (FAPI Compliant flag):
  - Mapping Rule – s_hash
  - Mapping Rule – Disallow response_type code
  - Mapping Rule – Disallow state in request parameter
  - STS Chain – Request JWT (with a module for the mapping rule that triggers FAPI_ValidateJWT.js; this code runs only if the FAPI flag is turned on in the definition)
  - Access Policy – check for Request JWT in Auth Request
  - FAPI Definition Configuration
Procedure
- OIDC Definition
  - In the appliance dashboard, select .
  - In the Definitions tab, check the OIDC Compliant and FAPI Compliant check-boxes.
- WebSEAL OAuth Config
  - In the appliance dashboard, select .
  - Select a reverse proxy instance.
  - Navigate to .
  - In the Main tab, check the FAPI Compliant check-box.