# OpenID Connect

If your service supports OpenID Connect, you can connect it to the Identity Broker. Firstly, familiarise yourself with the OpenID Connect protocol. The Signicat Identity Broker supports the Authorisation Code flow.

Configure your service to use the Authorisation Code flow by setting the correct value for the response_type parameter when calling the Signicat Identity Broker authorisation endpoint. Use “code” for Authorisation Code.

Before a connection can be established between your service and the Identity Broker, Signicat needs to know the following credentials of your service:

  • client_id and client_secret parameters (the client_secret is only needed for the Authorisation Code Grant flow). Contact Signicat for instructions on how to define these.
  • redirect_url, a URL on your service to which the response will be sent.

As soon as the minimum information as described above is defined on your side, send it to Technical Support to start enabling the connection.

Signicat will provide the credentials of the Signicat Identity Broker containing all the endpoints required, together with the certificates that your service should use for checking the signed JWTs. Configure it in your service.

Contact the supplier of your service if you need additional help in configuring OpenID Connect connections on your service. Contact Technical Support if you need to troubleshoot your connection.

# Connection settings

Use our form to configure the connection from scratch.

# Configuration fields

  • Name: Name of the connection (required).
  • Include only when scoped checkbox: The broker provides scoped IdP functionality.
  • Response URL: Already set. Contains the URL where the broker will receive the response from the IdP.
  • Client ID: Unique identifier of the client (required).
  • Client Secret: A uniquely generated string used for client authentication (required).
  • Issuer: Should be a URL (required).
  • Authentication endpoint: (required)
  • Token endpoint: (required)
  • Select an authentication method: (required)
  • End session endpoint: Redirect to the end-session endpoint with the relevant parameters to log out the end-user.
  • JWK set endpoint: (required)
  • Select an algorithm: (required)
  • Select a scope: In the scope we allow sending requested attributes, IdP scoping or additional parameters. The OpenID configuration contains a list of supported scopes.
  • Select a Level of Assurance: You can choose from Level 1, 2, 2+, 3 and 4 from the dropdown menu (required). Read Level of Assurance Contracts for more information.
  • Select attribute filter: Select an attribute filter (see Attribute Filters for more information).
  • Response attribute mappings: The user can choose to customise the names of the attributes received in the response body. You can provide none or multiple name-to-name mappings.

# URL Configuration

Use an issuer URL to configure most of the connection.

# Configuration fields

  • Name: Name of the connection (required).
  • Include only when scoped checkbox: The broker provides scoped IdP functionality.
  • Response URL: Already set. Contains the URL where the broker will receive the response from the IdP.
  • Client ID: Unique identifier of the client (required).
  • Client Secret: A uniquely generated string used for client authentication (required).
  • Issuer: Should be a URL (required).
  • Select a scope: In the scope we allow sending requested attributes, IdP scoping or additional parameters. The OpenID configuration contains a list of supported scopes.
  • Select a Level of Assurance: You can choose from Level 1, 2, 2+, 3 and 4 from the dropdown menu (required). Read Level of Assurance Contracts for more information.
  • Select attribute filter: Select an attribute filter (see Attribute Filters for more information).
  • Response attribute mappings: The user can choose to customise the names of the attributes received in the response body. You can provide none or multiple name-to-name mappings.

Last updated: 9/20/23, 12:13:17 PM UTC