Integrating with IDaaS for Single Sign-On Using Custom ID Token
# Scenario Description
This scenario applies when a third-party platform authenticates users with its own login method and then, by generating a custom ID Token, lets those users sign in without a password to application systems already integrated with IDaaS.
In this scenario:
- The third-party platform acts as the OIDC OP (OpenID Provider), generating the user's ID Token information.
- The IDaaS platform acts as the OIDC RP (Relying Party), verifying the signature and matching the current user identity information. If signature verification and user matching are successful, single sign-on proceeds to the target application system integrated with the IDaaS platform.
# Single Sign-On Process
The user first logs into portal application A, then accesses application B through portal application A to achieve single sign-on.

- IDaaS Single Sign-On Address: refer to Third-party Platform Calls IDaaS Single Sign-On Interface.
- Application B Address: the `redirect_to` parameter in Third-party Platform Calls IDaaS Single Sign-On Interface.
- Only unidirectional SSO is supported, i.e., Application A -> SSO Application B; Application B -> Application A cannot be achieved.
- This solution is a custom protocol, not an international standard protocol. The application party / third party must secure its own implementation to avoid security risks arising from its own issues.
# Integration Steps
# Configure OIDC Authentication Source in IDaaS Enterprise Center
Log in to the IDaaS Enterprise Center and create an OIDC authentication source.


| Configuration Name | Remarks |
| --- | --- |
| Authentication Method | Select "Authentication Source Initiates Authentication" |
| Public Key Format | Supports four formats: based on JWK URL, PEM format public key, JSON format public key, certificate format public key |
| Public Key | Different public key formats correspond to different content. Can be generated according to the Reference Examples |
| Signature Algorithm | Fixed as "RS256" |
| Audience | The `aud` parameter in the generated id_token |
| Callback Address | The callback address used to receive the id_token returned by the authentication source. Automatically generated after addition |
| Associated Source Attribute | The attribute key existing in the parsed id_token, defaults to `sub` |
| Associated User Attribute | The unique attribute of the IDaaS platform user |
# Third-Party Platform Generating ID Token
For the generation method, refer to the example code in the Reference Examples section below.
HEADER Section
- Parameter Example

```json
{ "kid": "14a0b7d31d5d284c549f9e3565fb136a", "alg": "RS256" }
```

- Parameter Description

| Parameter Name | Required | Description |
| --- | --- | --- |
| kid | Yes | Key ID used for verifying the identity token signature |
| alg | Yes | Signature algorithm |

PAYLOAD Section
- Parameter Example

```json
{ "iss": "https://xxx.com", "aud": "https://{your_domain}", "exp": 1655779413, "jti": "B6P99VAWZQZBGNa4avp29s", "iat": 1655779293, "nbf": 1655779173, "sub": "subject" }
```

- Parameter Description

| Parameter Name | Required | Description |
| --- | --- | --- |
| iss | Yes | Token issuer, the unique identifier of the party providing authentication information, URI format, usually the application's domain name |
| aud | Yes | Token audience, consistent with the Audience configured in the OIDC identity provider |
| exp | Yes | Token expiration time, timestamp (milliseconds) |
| iat | Yes | Token issuance time, timestamp (milliseconds) |
| sub | Yes | Token subject, user unique identifier |
| jti | No | Token ID |
# Third-Party Platform Calls IDaaS Single Sign-On Interface
Initiate authentication based on the OIDC authentication source, and call the OIDC callback address provided by IDaaS to complete authentication.
Request Description

- Request URL: https://{your_domain}/api/v1/openid/id_token/{idpId}
- Request Method: GET

Request Parameters

| Parameter Name | Name | Required | Type | Example |
| --- | --- | --- | --- | --- |
| id_token | ID Token | Required | String | |
| redirect_to | Redirect Address | Optional | String | The access URL of the target application system to be accessed. If the parameter is empty, it defaults to redirecting to the IDaaS User Center. You can configure a whitelist for this address. |

Request Example

```
https://{your_domain}/api/v1/openid/id_token/202208231445-0FE9-93C4AFCDA?id_token=eyJhbGciOiJJ9.eyJzdWIiOiJ6aG91eGNoIiwiaWQiOiIyMDIyMTIyMDE1zIjdlIZmFiMDVkNTg3YyJ9.bfCdG5PcttXzoEA8kuOf81SrQ&redirect_to=https://demo.com
```

Response Example

```
HTTP Status: 302 REDIRECT [https://demo.com]
```
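One way to enforce the whitelist mentioned for `redirect_to`, as an added Go example rather than IDaaS's own implementation: the allow-list is a set of `scheme://host` origins (an assumption of this example), and any value that is not an absolute https URL matching one of them exactly is refused before the 302 is issued. An empty value is passed through because the interface description says it falls back to the IDaaS User Center.

```go
package main

import (
	"net/url"
	"strings"
)

// AllowedRedirect decides whether a redirect_to value may be used as the 302 target. The policy is an
// assumption for this example, not IDaaS's own rule: the value must be an absolute https URL with no
// userinfo, and its scheme://host (port included) must exactly match an entry in the allow-list.
func AllowedRedirect(redirectTo string, allowedOrigins []string) bool {
	if redirectTo == "" { // empty falls back to the IDaaS User Center, so there is nothing to validate
		return true
	}
	// Browsers treat "\" like "/" in http(s) URLs while Go's parser does not; refuse it so both
	// sides agree on where the host component ends.
	if strings.Contains(redirectTo, `\`) {
		return false
	}
	u, err := url.Parse(redirectTo)
	if err != nil || u.Scheme != "https" || u.Host == "" || u.User != nil {
		return false
	}
	origin := "https://" + strings.ToLower(u.Host)
	for _, allowed := range allowedOrigins {
		if strings.ToLower(allowed) == origin {
			return true
		}
	}
	return false
}
```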
# Reference Examples
# Generate Public and Private Keys
Generate PEM format public and private keys online. You can refer to: https://apiked.com/rsa
Taking a JSON format public key as the example, generate a key for the RS256 algorithm as follows.
Third-party dependency packages:
```xml
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcpkix-jdk15on</artifactId>
    <version>1.50</version> <!-- Use the latest version -->
</dependency>
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk15on</artifactId>
    <version>1.50</version> <!-- Use the latest version -->
</dependency>
<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>nimbus-jose-jwt</artifactId>
    <version>8.19</version> <!-- Use the latest version -->
</dependency>
```
The example code is as follows:
```java
import java.util.UUID;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;

/**
 * Generate keys
 */
public static RSAKey generatorKeys() throws Exception {
    // The kid is carried in the id_token header so that the verifier can select this key
    String kid = UUID.randomUUID().toString().replaceAll("-", "");
    RSAKey key = new RSAKeyGenerator(2048)
            .keyUse(KeyUse.SIGNATURE)
            .algorithm(new Algorithm("RS256"))
            .keyID(kid)
            .generate();
    // The full JWK contains the private parameters and must stay on the third-party platform
    System.out.println("Private key in JSON format, not provided externally: " + key.toJSONString());
    // Only the public JWK is handed to IDaaS as the authentication source's Public Key
    System.out.println("Public key in JSON format that can be provided externally: " + key.toPublicJWK().toJSONString());
    return key;
}
```
# Generate User ID Token
The following example generates an id_token from the user's unique identifier:
Third-party dependencies:
```xml
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcpkix-jdk15on</artifactId>
    <version>1.50</version> <!-- Use the latest version -->
</dependency>
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk15on</artifactId>
    <version>1.50</version> <!-- Use the latest version -->
</dependency>
<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>nimbus-jose-jwt</artifactId>
    <version>8.19</version> <!-- Use the latest version -->
</dependency>
```
Example code:
```java
import java.util.Date;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

/**
 * Generate user id_token
 */
public static String buildIdToken() throws Exception {
    /**
     * 1. Create the signer from the key
     */
    // JSON format: the argument to parse is the private key in JSON format generated in the previous
    // step (the one that is not provided externally)
    RSAKey rsaKey = (RSAKey) JWK.parse("{\"p\":\"yuaog5...nNgWLVg\",\"dp\":\"nhr2nPFE...LMP28KylCs0GdE\",\"alg\":\"RS256\",\"dq\":\"xdW66Lr10...6HZXFk\",\"n\":\"oGVHTUb9amuG...J8SAfBV7c49W0lSw\"}");
    RSASSASigner rsassaSigner = new RSASSASigner(rsaKey);
    /**
     * 2. Build the header
     */
    // alg is RS256 and kid is the key ID of the signing key, so IDaaS can pick the matching public key
    JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(rsaKey.getKeyID()).build();
    /**
     * 3. Build the payload
     */
    JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
            // aud is required and must match the Audience configured in the IDaaS authentication source
            .audience("http://{your_domain}")
            // iss is required, must be in URI format, the third-party application's domain
            .issuer("http://xxx.com")
            // sub is required; according to the platform configuration, sub is the user's unique identifier
            .subject("zhangsan")
            // iat is required, token issuance time
            .issueTime(new Date())
            // exp, token expiration time (5 minutes from now)
            .expirationTime(new Date(System.currentTimeMillis() + (1000 * 60 * 5)))
            // Custom attributes, optional
            .claim("mobile", "18310773289")
            .build();
    /**
     * 4. Sign
     */
    SignedJWT signedJWT = new SignedJWT(header, claimsSet);
    signedJWT.sign(rsassaSigner);
    /**
     * 5. Generate id_token (compact serialization: header.payload.signature)
     */
    String id_token = signedJWT.serialize();
    System.out.println("id_token is: " + id_token);
    return id_token;
}
```
