OpenID Connect Certification Configurations for Basic Profile with WSO2 Identity Server.

Hasini Witharana
Identity Beyond Borders
Aug 8, 2017

OpenID Connect Providers (OPs) can get OIDC certified by passing the five conformance profiles provided by the OpenID Foundation. [1]

The five profiles are as follows.

1. Basic

2. Implicit

3. Hybrid

4. Config

5. Dynamic

For each profile, there are test cases provided by the test suite. This test suite is created by the OpenID Foundation so that OPs can check whether their implementation conforms to the OIDC specifications.

This blog will give you an idea of the configuration and initial steps needed to run the basic profile against WSO2 Identity Server (WSO2 IS). For any other OP you can use the same configuration, but some configuration values will change according to the implementation.

Here are the steps for the basic profile configuration.

1. Expose Identity Server over a public IP.

To run the test client we need to make the Identity Server publicly accessible. First get a public IP address or domain name and configure IS to work with that public IP or domain.

If you are configuring IS on a remote machine, knowing how to work with ssh and scp will help.

Go through [2] and [3] for more about ssh and scp.

2. Take the WUM updated pack for WSO2 IS.

WUM is a tool that can be used to update WSO2 products with the latest bug fixes. You can find all the details about WUM in this blog.

3. Change the configurations in the IS carbon.xml.

For this you should go to repository -> conf. You can open the carbon.xml file using an editor, for example: vim carbon.xml.

Then change the values of “HostName” and “MgtHostName”. Here, change localhost to the public IP address or the domain name.

carbon.xml file

4. Create a new OIDC test instance.

Now you have to create a test instance to run the test suite. To create a test instance, use this link.

UI to create a new test instance or use a previously created test instance.

Press the New button and it will present a form like this to fill in. Provide the information as below. Since we are testing the basic profile, there is no need to enable WebFinger, Dynamic Provider Information Discovery or Dynamic Client Registration. For the basic profile, run the test for response_type code.

After you press the Create button you will be redirected to a page that contains all the configurations. We have to do all the configuration manually because we didn’t select any of the OP’s discovery features.

5. Add a new service provider (SP).

You will be given a redirect_uri after the creation of the test instance. This will be used when creating the service provider in IS.

redirect_url for the test instance

Create a new SP in WSO2 IS. Then, in the Inbound Authentication Configuration of the SP, select OAuth/OpenID Connect Configuration and provide that redirect_uri as the SP’s callback URL.

Then you will get a client_id and client_secret for that SP. Add those details to the test configuration.

6. Claim configuration in IS.

You have to add claim configurations for the SP. For that, first go to Registry -> Browse in the IS management console.

Registry in IS Management Console

Then go to system -> config -> identity -> oidc.

path to oidc properties.

There you can find the parameters for each OIDC scope. Here, change the value for the address scope to “address.value”.

OIDC Claims

Then go to Claims and map the OIDC claims to WSO2 claims. You have to map every value mentioned in the registry to a WSO2 claim.

Claim mapping for birthday parameter in OIDC with wso2 dob

Then go to the WSO2 claims and make each mapped claim visible to the user.

Set Supported by Default to true in the mapped WSO2 claims

Then add those mapped WSO2 claims to the SP’s required claims.

After that you can add a user and fill in the required attributes from the User Profile UI.

7. Configuring parameters in the test client.

You have to fill in the test configuration manually as below.

Then you will get the tests for the basic profile; run all of them and see which pass and which fail.

Tests for Basic profile
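Because discovery is disabled, every value in step 7 is typed by hand, and a single mismatch between carbon.xml (step 3), the SP callback URL (step 5) and the test-client endpoints is the usual reason the first run fails. The following added example (not code from the original post or from WSO2) is a small consistency check that parses a constructed carbon.xml fragment and compares it with the values entered in the test client; the hostnames, endpoint paths, redirect_uri and client credentials are constructed placeholders, and the checks assume IS is served over HTTPS on the carbon.xml HostName.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed carbon.xml fragment (a real file has many more elements).
CARBON_XML = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
    <HostName>is.example.org</HostName>
    <MgtHostName>is.example.org</MgtHostName>
</Server>"""

# Constructed values of the kind typed into the test client (step 7).
TEST_CLIENT_CONFIG = {
    "authorization_endpoint": "https://is.example.org:9443/oauth2/authorize",
    "token_endpoint": "https://is.example.org:9443/oauth2/token",
    "userinfo_endpoint": "https://is.example.org:9443/oauth2/userinfo",
    "jwks_uri": "https://is.example.org:9443/oauth2/jwks",
    "redirect_uri": "https://op.certification.example/test/callback",
    "client_id": "CLIENT_ID_FROM_IS",          # placeholder
    "client_secret": "CLIENT_SECRET_FROM_IS",  # placeholder
}
# Callback URL registered on the SP in IS (step 5); must equal redirect_uri.
SP_CALLBACK_URL = "https://op.certification.example/test/callback"
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")

def carbon_hostnames(xml_text):
    """Return (HostName, MgtHostName) from a carbon.xml document."""
    ns = {"c": "http://wso2.org/projects/carbon/carbon.xml"}
    root = ET.fromstring(xml_text)
    return (root.findtext("c:HostName", namespaces=ns),
            root.findtext("c:MgtHostName", namespaces=ns))

def check_config(xml_text, cfg, sp_callback):
    """Return a list of problems; an empty list means the setup is consistent."""
    problems = []
    host, mgt_host = carbon_hostnames(xml_text)
    for label, value in (("HostName", host), ("MgtHostName", mgt_host)):
        if value in (None, "", "localhost", "127.0.0.1"):
            problems.append(f"carbon.xml {label} still points at localhost")
    for key in ENDPOINT_KEYS:
        u = urlparse(cfg.get(key, ""))
        if u.scheme != "https":
            problems.append(f"{key} must use https")
        if u.hostname != host:
            problems.append(f"{key} host {u.hostname!r} differs from HostName {host!r}")
    if cfg.get("redirect_uri") != sp_callback:
        problems.append("redirect_uri differs from the SP callback URL registered in IS")
    for key in ("client_id", "client_secret"):
        if not cfg.get(key):
            problems.append(f"{key} is empty; copy it from the SP's OAuth/OIDC configuration")
    return problems
```

Run check_config on your own carbon.xml text and the values you intend to enter before starting the tests; each reported problem names the step whose value needs correcting.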

These are the basic steps you need to follow in order to run the test suite successfully. For more information on OIDC certification, go through this link.

Hope this helps when setting up the OIDC test suite for the first time.

[1] http://openid.net/certification/

[2] https://mediatemple.net/community/products/dv/204403684/connecting-via-ssh-to-your-server

[3] http://www.hypexr.org/linux_scp_help.php


PhD Candidate @ University of Florida. Security Research Intern @ Intel. Software Engineer @ WSO2.