Configure OpenID Connect for a SaaS application

Configure OpenID Connect parameters for a custom SaaS application. Add a SaaS application that uses the OpenID Connect protocol. This process allows Enterprise Application Access (EAA) to act as an OpenID provider or the identity provider (IdP) that authenticates the user to the SaaS application.

In the EAA Management Portal navigation menu, select Applications.
Click Add application and from Add Custom Apps, select SaaS app.
Enter a name and description for the application.
In Protocol, select OpenID Connect 1.0, and click Create App and Configure.
Complete the General settings:
1. To add an application icon, click Add and select from the provided icons or upload an icon.
2. If you want to organize the application in a category on the EAA Login Portal, select a category. Otherwise, leave the selected category as Uncategorized.
3. If you want to hide the application from the EAA Login Portal select Hide Application from Login Portal.
4. In Application URL enter the URL of the application.
5. Click Save and go to Authentication.
Complete the Authentication settings:
1. Click Assign identity provider, and in the dialog, select the Akamai identity provider.
2. Click Assign Directory and select a directory.
3. Click Save and go to OpenID settings.
4. In OpenID Provider Info copy the Discovery URL.
  If your application does not automatically fetch metadata, you can copy or download this file from Enterprise Application Access.
  To view or download the metadata file click View or Download.
📘
In the application enter this URL as the provider URL or upload the metadata file. If the application does not allow you to enter the URL or upload the metadata file, you may need to configure the application with the individual elements that are defined in the file.
In the Relying Party Settings do the following:
1. Copy Client ID.
2. Copy Client Secret to a secure location.
3. If you need to rotate the secret, click Rotate client secret. Copy the secret to a secure location and update the application with the new secret.
4. Enter this information into the application (relying party).
5. In Redirect URI enter the redirect or callback URL from your application. This field is required. Click Add More to enter more URIs.
6. If you use an implicit authentication flow for OpenID Connect select Implicit Grant.
7. To configure JavaScript origins for an implicit authentication flow in Javascript Origins enter the URL or URLs of the origin that serves the JavaScripts responsible for sending cross-origin resource sharing (CORS) requests to token or user info endpoints.
8. If you want to disable the logout that is initiated by the identity provider disable Front channel logout session required.
9. If the front channel logout session setting is enabled in Front channel logout-URI(s) enter a URI or URL to support this feature.
  Click Add More to enter more URIs.
  The scheme, protocol, and port of the front channel URI have to match one of the configured redirect URIs.
10. To configure post logout redirect URI(s) enter the URI where the OpenID provider sends logout responses to logout requests.
11. To enable proof key for code exchange (PKCE) select PKCE.
12. Enable Include claims in id_token.
  To view or download the metadata for the client click View or Download.
To add a claim, in Claims do the following:
1. Click Add More.
2. Select Scope.
  If you select Custom Scope enter a value.
Select Claim Name based on the scope you selected or specified.
If you select Custom, enter a name.
Select Value.
If you select Custom Script or Fixed Value enter data in the field.
To add more scopes, repeat the above steps.
Click Save and return to Deployment.
In the Deployment tab, click Deploy application.

Next, make sure that you configure the application (relying party) with the Discovery URL or the JSON metadata file information, and the client ID and secret.

Configure OpenID Connect for an access application

Configure the OpenID Connect parameters for an access application. When you use OpenID Connect 1.0 (OIDC) as the application-facing authentication mechanism for an Enterprise Application Access (EAA) access application, you need to select it in the application's advanced settings. You then go to the client application and enter the EAA application OIDC settings. In OIDC terminology, the access application is the relying party (RP) or client application. This procedure describes how to create an EAA access application that supports OpenID connect protocol. This process allows Enterprise Application Access to act as an OpenID provider or the identity provider that authenticates the user to an access application that uses OIDC as the authentication mechanism. Enterprise Application Access provides an option to download the client metadata in JSON format so that it may be uploaded to the client application. You may also manually enter the information into the client application.

In the EAA Management Portal navigation menu, select Applications > Settings > ADVANCED SETTINGS.
In the Application-facing Authentication Mechanism field, select OpenID Connect 1.0.
Click Save and go to OIDC Settings.
The OIDC tab appears.
In OpenID configure the following:
1. In OpenID Provider Info copy Discovery URL.
  If your application does not automatically fetch metadata, you can copy or download this file.
  To view or download the metadata file click View or Download.
📘
In the application enter this URL as the provider URL or upload the metadata file. If the application does not allow you to enter the URL or upload the metadata file, you may need to configure the application with the individual elements that are defined in the file.
In Relying Party Settings do the following:
1. Copy Client ID and Client Secret to a secure location.
2. If you need to rotate the secret click Rotate client secret. Copy the secret to a secure location and update the application with the new secret.
  Enter this information into the application (relying party).
3. In Redirect URI enter the redirect or callback URL from your application.
  Click Add More to enter more URIs.
4. If you use an implicit authentication flow for OpenID Connect select Implicit Grant.
5. To configure JavaScript origins for an implicit authentication flow, in Javascript Origins enter the URL or URLs of the origin that serve the JavaScripts responsible for sending cross-origin resource sharing (CORS) requests to token or user info endpoints.
6. If you want to disable the logout that is initiated by the identity provider disable Front channel logout session required.
7. If the front channel logout session setting is enabled, in Front channel logout-URI(s) enter a URI or URL to support this feature.
  Click Add More to enter more URIs. The scheme, protocol, and port of the front channel URI must match one of the configured redirect URIs.
8. To configure post logout redirect URI(s) enter the URI where the OpenID provider sends logout responses to logout requests.
9. To enable proof key for code exchange (PKCE) select PKCE.
10. Enable Include claims in id_token.
  To view or download the metadata for the client click View or Download.
To add a claim, in Claims click (+) and configure the following:
1. Select Scope.
  If you select Custom Scope enter a value.
2. Select a Claim Name based on the scope you selected.
  If you select Custom enter a name.
3. Select aValue.
  If you select Custom Script or Fixed Value enter your data.
  To add more scopes, repeat above steps.
Click Save and return to Deployment.
In the Deployment tab, click Deploy application.

Next, make sure that you configure the application (relying party) with the discovery URL or the JSON metadata file information, the client ID, and the secret.