Configuring Asgardeo as an External IDP using OIDC
Have you ever used a social login option such as Google sign-in, Facebook login or GitHub sign-in to log in to an application? If so, you already know how easy it is to sign in to an application with an existing account. In the same way, an external OpenID Connect (OIDC) identity provider can be used to add standard OpenID Connect login to your application. Users registered in that external identity provider (IdP) can then log in to your application with the accounts they already have there.
This blog focuses on how to configure Asgardeo as the external OIDC identity provider and then use it in your application's login flow.
Configure the external identity provider
Since we are configuring Asgardeo as our external IdP, you need an Asgardeo account. For this walkthrough, let's call the tenant "externalidp". You need to register an OIDC application in externalidp.
1. Log into the Asgardeo console.
2. Navigate to Develop -> Applications.
3. Click New Application and select Traditional Web Application.
4. Register the application, providing the required details. Give the app a unique name and select OpenID Connect as the protocol. The Authorized Redirect URL is the URL to which the authorization code is sent after authentication and to which the user is redirected after logout.
5. Once the application is registered, make a note of the following:
- Client ID — from the Protocol tab
- Client secret — from the Protocol tab
- Authorization endpoint URL — from the Info tab
- Token endpoint URL — from the Info tab
- JWKS endpoint URL — from the Info tab
6. Create a user by navigating to Manage -> Users (e.g. email@example.com).
Now it should be possible to add standard OIDC login to your application using the configured external IdP, and the user firstname.lastname@example.org should be able to log in.
To test the external IdP, I will be using a sample app provided by Asgardeo itself. So let's create a new tenant in Asgardeo (let's call it "myorg") and configure an application with standard OpenID Connect login.
Test the external identity provider
You have to create an OIDC IdP and an application in the tenant “myorg” to test the external IdP.
To create an OIDC IdP,
1. Navigate to Develop -> Connections.
2. Click Create Connection and select Standard-Based IdP.
3. Provide a unique name for the IdP, select OpenID Connect as the protocol and click Next.
4. Provide the Client ID, Client secret, Authorization endpoint URL and Token endpoint URL obtained from the external IdP configured above and click Next.
5. Provide the JWKS endpoint URL and click Finish.
NOTE: The Settings tab of the IdP shows the Authorized redirect URL of this connection. This URL must be registered on the external IdP, otherwise the external IdP will not accept authorization requests coming from the new application. Add it in the Protocol tab of the OIDC app created above (in the tenant "externalidp").
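To make the values collected above concrete, here is an added example (not code from Asgardeo or from the original post) that walks through what the "myorg" connection does with the Client ID, Client secret, Authorization endpoint URL, Token endpoint URL and JWKS endpoint URL copied from "externalidp": it builds the authorization request with state, nonce and PKCE, checks the callback that arrives on the Authorized redirect URL, prepares the back-channel token request, selects the signing key from a JWKS document by kid, and validates the ID token claims. All endpoint URLs, credentials and the JWKS content are constructed placeholders, and the signature check itself is left to a JOSE library, as noted in the code.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders standing in for the values copied from the externalidp console
# (Protocol tab and Info tab). These are not real endpoints or credentials.
EXTERNAL_IDP = {
    "issuer": "https://externalidp.example/oauth2/token",
    "authorization_endpoint": "https://externalidp.example/oauth2/authorize",
    "token_endpoint": "https://externalidp.example/oauth2/token",
    "jwks_uri": "https://externalidp.example/oauth2/jwks",
    "client_id": "PLACEHOLDER_CLIENT_ID",
    "client_secret": "PLACEHOLDER_CLIENT_SECRET",
}
# Placeholder for the Authorized redirect URL shown on the connection's Settings tab.
REDIRECT_URI = "https://myorg.example/commonauth"

def b64url(raw):
    """Base64url without padding, as PKCE and JOSE require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def start_login(cfg, redirect_uri):
    """Build the request to the Authorization endpoint URL. state ties the callback to
    this browser session, nonce ties the ID token to it, PKCE ties the code to us."""
    session = {
        "state": secrets.token_urlsafe(32),
        "nonce": secrets.token_urlsafe(32),
        "code_verifier": secrets.token_urlsafe(64),
    }
    challenge = b64url(hashlib.sha256(session["code_verifier"].encode()).digest())
    params = {
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return cfg["authorization_endpoint"] + "?" + urlencode(params), session

def handle_callback(callback_url, session):
    """Return the code from the redirect back to REDIRECT_URI; refuse a wrong state."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    if query.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: response not issued for this session")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]

def token_request(cfg, code, session, redirect_uri):
    """Headers and form body for the back-channel POST to the Token endpoint URL."""
    creds = (cfg["client_id"] + ":" + cfg["client_secret"]).encode()
    headers = {  # the client secret travels in a Basic header, never in a browser URL
        "Authorization": "Basic " + base64.b64encode(creds).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": session["code_verifier"],
    }
    return headers, body

def select_jwk(jwks, kid):
    """Pick the key named by the ID token's kid from the JWKS endpoint document."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("use", "sig") == "sig":
            return key  # an unknown kid is refused rather than falling back to any key
    raise ValueError("no signing key with kid %r in JWKS" % kid)

def validate_id_token_claims(claims, cfg, session, now=None):
    """OIDC Core 3.1.3.7 claim checks; run only after a JOSE library has verified
    the signature with the JWK from select_jwk (RSA math is not reimplemented here)."""
    now = time.time() if now is None else now
    if claims.get("iss") != cfg["issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if cfg["client_id"] not in aud:
        raise ValueError("ID token not issued for this client")
    if len(aud) > 1 and claims.get("azp") != cfg["client_id"]:
        raise ValueError("azp missing or wrong on a multi-audience token")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    if claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch: ID token not bound to this login")
    return True
```

The redirect URL registered in the NOTE above is the `redirect_uri` sent in `start_login` and repeated in `token_request`; the authorization server compares both against its registered list, which is why a missing or mistyped entry surfaces as a rejected login rather than a configuration warning.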
To enable the OIDC IdP in the application login flow,
1. Navigate to Develop -> Applications and create an application. You can refer to the documentation and configure any type of application depending on your requirements.
2. Navigate to the Sign-in Method tab and select "Start with default configuration".
3. Click "Add Authentication", select the OIDC IdP configured above, and click Add.
4. Finally, click Update.
Now you are done with all the configurations. Let’s see whether the external IdP is working as expected.
1. Access the application URL.
2. Select "Sign In With" the created IdP.
3. Sign in with the created user "email@example.com".
Congratulations! You have successfully configured Asgardeo as an external identity provider.
I hope this blog helped you understand how to configure Asgardeo as an external identity provider using OIDC. If you face any issues while doing the configuration, feel free to add them in the comments section.