
Identity as a Service:SSO Integration through OIDC

Last Updated: Feb 20, 2024

Identity as a Service (IDaaS) allows you to connect self-developed applications and implement single sign-on (SSO).

Self-developed applications must be connected by using the OpenID Connect (OIDC) authorization code flow. This simplifies the implementation for SSO and ensures application security. IDaaS is also easy to configure and set up.

Configurations in IDaaS

You only need to enter the address that processes SSO requests in the Redirect URIs parameter in IDaaS; for a basic configuration, keep the default values for all other parameters.

Basic configurations (required)

Parameter: Redirect URI
Description: The whitelist of redirect URIs. This parameter defines where the user lands after a successful logon or registration. Each redirect URI must be whitelisted.
Example: http://www.example.com/oidc/sso
         http://www.example.com/oidc/sso2

Parameter: Authorize
Description: For more information, see SSO overview.
Example: All Users

Advanced configurations (optional)

Parameter: scopes
Description: The identity information of a user that can be obtained from the UserInfo Endpoint. Supported scopes:
  • openid
  • email
  • phone
  • profile
Example: openid, email, profile

Parameter: access_token Validity Period
Description: An access token allows a user to call IDaaS API operations. Default value: 20 minutes. Minimum value: 5 minutes. Maximum value: 24 hours. After an access token expires, you must use a refresh token to refresh the session or log on again.
Example: 20 minutes

Parameter: id_token Validity Period
Description: An ID token is used to verify the identity of a user. The token is in the JSON Web Token (JWT) format, and the application verifies it by using a public key. After an ID token expires, you must use a refresh token to refresh the session or log on again. For more information about the format of an ID token, see Tokens in IDaaS.
Example: 10 hours

Parameter: refresh_token Validity Period
Description: A refresh token is used to obtain a new access token and ID token. After a refresh token expires, users must log on again.
Example: 30 days

Parameter: Change Lifetime for id_token
Description: You can extend the payload of the id_token with additional non-sensitive user fields. Note that any field added to the payload is visible to all users, so add only the fields you need.
Example: -

Parameter: SSO Implemented By
Description: OIDC allows applications to implement SSO. If you select IDaaS & Application, you must also specify the IDaaS Sign-In URL parameter.
Example: IDaaS & Application

Parameter: IDaaS Sign-In URL
Description: The URL of the application page that implements SSO. When this URL receives a logon request, the page immediately redirects to the authorization endpoint.
Example: http://www.example.com/oidc/login

Parameter: Signing Algorithm
Description: The asymmetric algorithm that is used to sign tokens. Only RSA-SHA256 is supported.
Example: SHA256

Parameter: Logout Redirect URIs
Description: The whitelist of redirect URIs to which users are sent back when they log out of IDaaS. An application can initiate a single logout (SLO) request that contains this parameter.
Example: http://www.example.com

Configurations in the application

With OIDC, the application completes logon authentication by calling a set of standardized, publicly reachable IDaaS API operations.

The following table describes these API operations.

Parameter: Issuer
Description: The issuer of the id_token. It is also the base URL of the following API operations.
Example: https://xxxxx.aliyunidaas.com.cn/oidc1

Parameter: Discovery Endpoint (Discovery)
Description: The endpoint that is used to obtain metadata such as the directory of endpoints, the supported authentication methods, and parameters. The metadata is public.
Example: https://xxxxx.aliyunidaas.com.cn/oidc1/.well-known/openid-configuration

Parameter: Authorization Endpoint (Authorization)
Description: The endpoint to which the application sends users to request SSO.
Example: https://xxxxx.aliyunidaas.com.cn/oidc/authorize

Parameter: Token Endpoint (Token)
Description: The endpoint that the application calls to exchange the authorization code it received for an access token.
Example: https://xxxxx.aliyunidaas.com.cn/oauth2/token

Parameter: Token Revocation Endpoint (Revocation)
Description: The endpoint that is used to revoke an issued token.
Example: https://xxxxx.aliyunidaas.com.cn/oauth2/revoke

Parameter: Public Key Endpoint (JWKS)
Description: The JSON Web Key Set (JWKS) endpoint that serves the public keys used to verify the ID token and complete SSO. The public key may be rotated.
Example: https://xxxxx.aliyunidaas.com.cn/oidc1/slo

Parameter: UserInfo Endpoint (Userinfo)
Description: The endpoint that is used to obtain basic user information by presenting an access token after logon.
Example: https://xxxxx.aliyunidaas.com.cn/oidc1/userinfo

Parameter: End Session Endpoint (SLO)
Description: The endpoint that is used to trigger single logout (SLO).
Example: -

For more information, see Implement SSO for self-developed applications.