Configure OpenID Connect for a SaaS application

Configure OpenID Connect parameters for a custom SaaS application. Add a SaaS application that uses the OpenID Connect protocol. This process allows Enterprise Application Access (EAA) to act as an OpenID provider or the identity provider (IdP) that authenticates the user to the SaaS application.

Log in to Enterprise Center.
In the Enterprise Center navigation menu, select Application Access > Applications > Applications.
Click Add application (+).
In Type select New SaaS App and type name and description for your application.
In Protocol select OpenID Connect 1.0, and click Add Application.
In the application Settings configure the following:
1. To add an application icon, click Add Icon and select an icon, or upload a new image. Click Assign.
2. If you want to organize the application in a category on the EAA Login Portal, select a category. Otherwise, leave the selected category as Uncategorized.
3. If you want to hide the application from the EAA Login Portal select Hide from Login Portal.
4. In Application URL enter the URL of the application.
Select Authentication and configure the following:
1. Enable Authentication.
2. In Identity provider select an Akamai identity provider.
3. Click Assign Directory and select a directory.
  The directory appears in Assigned Directories.
Select OpenID and configure the following:
1. In OpenID Provider Info copy the Discovery URL.
  If your application does not automatically fetch metadata, you can copy or download this file from Enterprise Application Access.
  To view or download the metadata file click View or Download.
📘
In the application enter this URL as the provider URL or upload the metadata file. If the application does not allow you to enter the URL or upload the metadata file, you may need to configure the application with the individual elements that are defined in the file.
In the Relying Party Settings do the following:
1. Copy Client ID.
2. Copy Client Secret to a secure location.
3. If you need to rotate the secret, click Rotate client secret. Copy the secret to a secure location and update the application with the new secret.
4. Enter this information into the application (relying party).
5. In Redirect URI enter the redirect or callback URL from your application. This field is required. Click Add More to enter more URIs.
6. If you use an implicit authentication flow for OpenID Connect select Implicit Grant.
7. To configure JavaScript origins for an implicit authentication flow in Javascript Origins enter the URL or URLs of the origin that serves the JavaScripts responsible for sending cross-origin resource sharing (CORS) requests to token or user info endpoints.
8. If you want to disable the logout that is initiated by the identity provider disable Front channel logout session required.
9. If the front channel logout session setting is enabled in Front channel logout-URI(s) enter a URI or URL to support this feature.
  Click Add More to enter more URIs.
  The scheme, protocol, and port of the front channel URI have to match one of the configured redirect URIs.
10. To configure post logout redirect URI(s) enter the URI where the OpenID provider sends logout responses to logout requests.
11. To enable proof key for code exchange (PKCE) select PKCE.
12. Enable Include claims in id_token.
  To view or download the metadata for the client click View or Download.
To add a claim, in Claims do the following:
1. Click (+).
2. Select Scope.
  If you select Custom Scope enter a value.
Select Claim Name based on the scope you selected or specified.
If you select Custom enter a name.
Select a Value.
If you select Custom Script or Fixed Value enter data in the field.
To add more scopes, repeat above steps.
Click Save.
Deploy the application.

Configure OpenID Connect for an access application

Configure the OpenID Connect parameters for an access application. When you use OpenID Connect 1.0 (OIDC) as the application-facing authentication mechanism for an Enterprise Application Access (EAA) access application, you need to select it in the application's advanced settings. You then go to the client application and enter the EAA application OIDC settings. In OIDC terminology, the access application is the relying party (RP) or client application. This procedure describes how to create an EAA access application that supports OpenID connect protocol. This process allows Enterprise Application Access to act as an OpenID provider or the identity provider that authenticates the user to an access application that uses OIDC as the authentication mechanism. Enterprise Application Access provides an option to download the client metadata in JSON format so that it may be uploaded to the client application. You may also manually enter the information into the client application.

Log in to Enterprise Center.
In the Enterprise Center navigation menu, select Application Access > Applications > Applications.
Click Add Application (+).
In Type select New Access app and type a name and description for your application.
Click Add Application.
Configure the application settings in Settings, Connectors, Authentication, Access, and Services.
Follow procedure to configure access parameters for an application.
In Advanced > Application-facing Authentication Mechanism, select OpenID Connect 1.0.
Click Save.
The OpenID tab appears.
In OpenID configure the following:
1. In OpenID Provider Info copy Discovery URL.
  If your application does not automatically fetch metadata, you can copy or download this file.
  To view or download the metadata file click View or Download.
📘
In the application enter this URL as the provider URL or upload the metadata file. If the application does not allow you to enter the URL or upload the metadata file, you may need to configure the application with the individual elements that are defined in the file.
In Relying Party Settings do the following:
1. Copy Client ID and Client Secret to a secure location.
2. If you need to rotate the secret click Rotate client secret. Copy the secret to a secure location and update the application with the new secret.
  Enter this information into the application (relying party).
3. In Redirect URI enter the redirect or callback URL from your application.
  Click Add More to enter more URIs.
4. If you use an implicit authentication flow for OpenID Connect select Implicit Grant.
5. To configure JavaScript origins for an implicit authentication flow, in Javascript Origins enter the URL or URLs of the origin that serve the JavaScripts responsible for sending cross-origin resource sharing (CORS) requests to token or user info endpoints.
6. If you want to disable the logout that is initiated by the identity provider disable Front channel logout session required.
7. If the front channel logout session setting is enabled, in Front channel logout-URI(s) enter a URI or URL to support this feature.
  Click Add More to enter more URIs. The scheme, protocol, and port of the front channel URI must match one of the configured redirect URIs.
8. To configure post logout redirect URI(s) enter the URI where the OpenID provider sends logout responses to logout requests.
9. To enable proof key for code exchange (PKCE) select PKCE.
10. Enable Include claims in id_token.
  To view or download the metadata for the client click View or Download.
To add a claim, in Claims click (+) and configure the following:
1. Select Scope.
  If you select Custom Scope enter a value.
2. Select a Claim Name based on the scope you selected.
  If you select Custom enter a name.
3. Select a Value.
  If you select Custom Script or Fixed Value enter your data.
  To add more scopes, repeat above steps.
Click Save.
Deploy the application.