3. Onboarding process
To use your application as a service provider with the ID Broker, you must provide a service that is configured for single sign-on with the ID Broker. The ID Broker must first register your service.
To start the registration process, contact the operator of the ID Broker at service-provider-admin@univention-id-broker.com. Your registration request has to include at least one redirect URL, the URL to which the user’s browser is redirected after successful authentication through OIDC.
The ID Broker operator will provide you with a client ID and client secret that the service can use to authenticate itself to the ID Broker.
3.1. Service and app requirements
Your app must support the OpenID Connect (OIDC) authentication protocol, more specifically the Authorization Code Flow. OIDC is an identity layer built on top of the OAuth 2.0 protocol.
In addition, the service provider app must use the Proof Key for Code Exchange (PKCE) extension. For security guidance on OIDC and OAuth 2.0, see OAuth 2.0 Security Best Current Practice.
3.2. Connect to ID Broker
The ID Broker publishes its OIDC metadata under the following well-known URIs:
For the staging environment: https://sso-broker.staging.univention-id-broker.com/auth/realms/ID-Broker/.well-known/openid-configuration
For the production environment: https://sso-broker.production.univention-id-broker.com/auth/realms/ID-Broker/.well-known/openid-configuration
The URI returns a JSON document listing the OIDC endpoints, the supported scopes and claims, the public keys used to sign the tokens, and other details. The service provider application can use this information to build its requests to the ID Broker (the OIDC server) and to validate the access_token.
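The following is an added example, not code from the ID Broker documentation or from Univention, that ties sections 3.1 and 3.2 together: it reads a discovery document of the shape described above, generates a PKCE code_verifier/code_challenge pair (S256 method, RFC 7636), builds the Authorization Code Flow request, and checks the redirect callback before the code is exchanged. The discovery JSON is a constructed minimal sample; the client ID, redirect URL and issuer host are placeholders, and the real metadata would be fetched over HTTPS from the well-known URIs listed above.

```python
"""Added example: OIDC Authorization Code Flow with PKCE against a discovery document.

Not part of the ID Broker documentation. Discovery JSON, client ID and redirect
URL below are constructed placeholders.
"""
import base64
import hashlib
import json
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample of a .well-known/openid-configuration response
# (only the fields this example uses; a real document has many more).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test/auth/realms/Example",
    "authorization_endpoint": "https://idp.example.test/auth/realms/Example/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.test/auth/realms/Example/protocol/openid-connect/token",
    "jwks_uri": "https://idp.example.test/auth/realms/Example/protocol/openid-connect/certs",
    "code_challenge_methods_supported": ["plain", "S256"],
    "scopes_supported": ["openid", "profile"],
})


def load_discovery(doc: str) -> dict:
    """Parse the discovery document and check the fields the flow relies on."""
    meta = json.loads(doc)
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in meta:
            raise ValueError(f"discovery document lacks {key}")
    # Refuse to proceed if the server does not advertise S256; the 'plain'
    # method leaks the verifier and defeats the purpose of PKCE.
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        raise ValueError("server does not advertise S256 code_challenge_method")
    return meta


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method.

    The verifier must be 43..128 unreserved URL characters; 32 random bytes
    base64url-encoded give exactly 43. A caller-supplied verifier is accepted
    so the RFC 7636 test vector can be reproduced.
    """
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_url(meta: dict, client_id: str, redirect_uri: str,
                            code_challenge: str, state: str, nonce: str) -> str:
    """Authorization request: response_type=code plus PKCE challenge, state and nonce."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,                 # bound to the browser session, checked on return
        "nonce": nonce,                 # must reappear in the ID token
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return meta["authorization_endpoint"] + "?" + urlencode(params)


def check_callback(redirect_url: str, expected_state: str) -> str:
    """Validate the redirect back to the service and return the authorization code.

    Rejects error responses and any mismatch of state, which would indicate a
    forged or replayed callback.
    """
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch on callback")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def token_request_body(client_id: str, client_secret: str, redirect_uri: str,
                       code: str, code_verifier: str) -> dict:
    """Form fields POSTed to token_endpoint. The server hashes code_verifier and
    compares it with the code_challenge it stored with the authorization code."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,   # issued by the ID Broker operator
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": code_verifier,
    }
```

The state and nonce values must be generated per login attempt (for example with `secrets.token_urlsafe()`) and stored server-side with the code_verifier, since the verifier is never sent in the authorization request. After the token response arrives, the access_token and ID token are validated against the keys published at jwks_uri, and the ID token's issuer, audience and nonce are compared with the values from the discovery document and the stored session.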
3.3. Information required by the operator
When you register your service, you need to submit the following information to the operator:
The service name.
When the Self-disclosure API is used: the IP addresses of the service, so that the operator can configure an appropriate firewall rule for the Self-disclosure API.