PingGateway 2024.9

Multiple OIDC providers

This page shows how to set up OpenID Connect (OIDC) login with two identity providers behind a single PingGateway route.

Client registrations for an AM identity provider and a PingOne Advanced Identity Cloud identity provider are declared in the heap. A Nascar page (a login page that lists the available providers) lets the user choose which identity provider to log in with.

  1. Set up AM as the first identity provider, as described in AM as OIDC provider.

  2. Set up PingOne Advanced Identity Cloud as a second identity provider, as described in PingOne Advanced Identity Cloud as an OpenID Connect provider.

  3. Add the following route to PingGateway, replacing the value of the amInstanceUrl property with the URL of your own tenant:

    • Linux: $HOME/.openig/config/routes/07-openid-nascar.json

    • Windows: %appdata%\OpenIG\config\routes\07-openid-nascar.json

    {
      "heap": [
        {
          "name": "SystemAndEnvSecretStore-1",
          "type": "SystemAndEnvSecretStore"
        },
        {
          "name": "AuthenticatedRegistrationHandler-1",
          "type": "Chain",
          "config": {
            "filters": [
              {
                "name": "ClientSecretBasicAuthenticationFilter-1",
                "type": "ClientSecretBasicAuthenticationFilter",
                "config": {
                  "clientId": "oidc_client",
                  "clientSecretId": "oidc.secret.id",
                  "secretsProvider": "SystemAndEnvSecretStore-1"
                }
              }
            ],
            "handler": "ForgeRockClientHandler"
          }
        },
        {
          "name": "openam",
          "type": "ClientRegistration",
          "config": {
            "clientId": "oidc_client",
            "issuer": {
              "name": "am_issuer",
              "type": "Issuer",
              "config": {
                "wellKnownEndpoint": "http://am.example.com:8088/openam/oauth2/.well-known/openid-configuration"
              }
            },
            "scopes": [
              "openid",
              "profile",
              "email"
            ],
            "authenticatedRegistrationHandler": "AuthenticatedRegistrationHandler-1"
          }
        },
        {
          "name": "idcloud",
          "type": "ClientRegistration",
          "config": {
            "clientId": "oidc_client",
            "issuer": {
              "name": "idc_issuer",
              "type": "Issuer",
              "config": {
                "wellKnownEndpoint": "&{amInstanceUrl}/oauth2/realms/alpha/.well-known/openid-configuration"
              }
            },
            "scopes": [
              "openid",
              "profile",
              "email"
            ],
            "authenticatedRegistrationHandler": "AuthenticatedRegistrationHandler-1"
          }
        },
        {
          "name": "NascarPage",
          "type": "StaticResponseHandler",
          "config": {
            "status": 200,
            "headers": {
              "Content-Type": [ "text/html; charset=UTF-8" ]
            },
            "entity": [
              "<html>",
              "  <body>",
              "    <p><a href='/home/id_token/login?registration=oidc_client&issuer=am_issuer&goto=${urlEncodeQueryParameterNameOrValue('https://ig.example.com:8443/home/id_token')}'>Access Management login</a></p>",
              "    <p><a href='/home/id_token/login?registration=oidc_client&issuer=idc_issuer&goto=${urlEncodeQueryParameterNameOrValue('https://ig.example.com:8443/home/id_token')}'>Identity Cloud login</a></p>",
              "  </body>",
              "</html>"
            ]
          }
        }
      ],
      "name": "07-openid-nascar",
      "baseURI": "http://app.example.com:8081",
      "condition": "${find(request.uri.path, '^/home/id_token')}",
      "properties": {
        "amInstanceUrl": "https://myTenant.forgeblocks.com/am"
      },
      "handler": {
        "type": "Chain",
        "config": {
          "filters": [
            {
              "type": "AuthorizationCodeOAuth2ClientFilter",
              "config": {
                "clientEndpoint": "/home/id_token",
                "failureHandler": {
                  "type": "StaticResponseHandler",
                  "config": {
                    "comment": "Trivial failure handler for debugging only",
                    "status": 500,
                    "headers": {
                      "Content-Type": [ "text/plain; charset=UTF-8" ]
                    },
                    "entity": "${contexts.oauth2Failure.error}: ${contexts.oauth2Failure.description}"
                  }
                },
                "loginHandler": "NascarPage",
                "registrations": [ "openam", "idcloud" ],
                "requireHttps": false,
                "cacheExpiration": "disabled"
              }
            }
          ],
          "handler": "ReverseProxyHandler"
        }
      }
    }

    Consider the differences with 07-openid.json:

    • The heap objects openam and idcloud define one client registration per identity provider. Both use the same clientId, oidc_client, so it is the issuer name (am_issuer or idc_issuer) in each login link that selects the provider.

    • The StaticResponseHandler NascarPage provides one login link per client registration, each carrying the registration, issuer, and a URL-encoded goto parameter that returns the user to the protected resource.

    • The AuthorizationCodeOAuth2ClientFilter lists both registrations and uses NascarPage as its loginHandler, so that users choose a client registration and therefore an identity provider.

    • As in 07-openid.json, the failureHandler is for debugging only and requireHttps is false because the sample application is served over plain HTTP. Use a proper failure handler and leave requireHttps at its default (true) in a production route.

  4. Test the setup:

    1. In your browser’s privacy or incognito mode, go to https://ig.example.com:8443/home/id_token.

      The Nascar page offers the choice of identity provider.

    2. Select a provider, log in with the following credentials, and allow the application to access user information:

      • AM: user demo, password Ch4ng31t.

      • PingOne Advanced Identity Cloud: user demo, password Ch4ng3!t.

      The home page of the sample application is displayed.
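The following Python script is an added example, not part of the PingGateway documentation or product: it reads a trimmed copy of the route above, checks that every registration named in the AuthorizationCodeOAuth2ClientFilter exists as a ClientRegistration in the heap and that the (clientId, issuer name) pairs are distinct, and then builds the Nascar login links in the format the page uses. The link format (`<clientEndpoint>/login?registration=<clientId>&issuer=<issuer name>&goto=<encoded URL>`), the use of urllib's quote as a stand-in for urlEncodeQueryParameterNameOrValue, and the GATEWAY_ORIGIN value are assumptions taken from the page; the embedded route JSON is a constructed, shortened copy of the one above.

```python
"""Added example (not PingGateway code): lint the 07-openid-nascar route and
build its Nascar login links from the declared ClientRegistrations."""
import json
from urllib.parse import quote, urlsplit, parse_qs

# Constructed, trimmed copy of the route on the page (heap objects and the
# AuthorizationCodeOAuth2ClientFilter settings only).
ROUTE_JSON = r'''
{
  "heap": [
    {"name": "openam", "type": "ClientRegistration",
     "config": {"clientId": "oidc_client",
                "issuer": {"name": "am_issuer", "type": "Issuer",
                           "config": {"wellKnownEndpoint":
                             "http://am.example.com:8088/openam/oauth2/.well-known/openid-configuration"}}}},
    {"name": "idcloud", "type": "ClientRegistration",
     "config": {"clientId": "oidc_client",
                "issuer": {"name": "idc_issuer", "type": "Issuer",
                           "config": {"wellKnownEndpoint":
                             "https://myTenant.forgeblocks.com/am/oauth2/realms/alpha/.well-known/openid-configuration"}}}}
  ],
  "handler": {"type": "Chain", "config": {"filters": [
    {"type": "AuthorizationCodeOAuth2ClientFilter",
     "config": {"clientEndpoint": "/home/id_token", "loginHandler": "NascarPage",
                "registrations": ["openam", "idcloud"], "requireHttps": false}}]}}
}
'''

# Assumed gateway origin, as used in the page's goto parameter.
GATEWAY_ORIGIN = "https://ig.example.com:8443"


def load_route():
    """Parse the constructed route JSON."""
    return json.loads(ROUTE_JSON)


def client_registrations(route):
    """Map each ClientRegistration heap object name to its (clientId, issuer name)."""
    regs = {}
    for obj in route.get("heap", []):
        if obj.get("type") == "ClientRegistration":
            cfg = obj["config"]
            regs[obj["name"]] = (cfg["clientId"], cfg["issuer"]["name"])
    return regs


def oauth2_filter(route):
    """Return the config of the AuthorizationCodeOAuth2ClientFilter in the handler chain."""
    for flt in route["handler"]["config"]["filters"]:
        if flt.get("type") == "AuthorizationCodeOAuth2ClientFilter":
            return flt["config"]
    raise ValueError("no AuthorizationCodeOAuth2ClientFilter in route")


def lint_route(route):
    """Return {'errors': [...], 'warnings': [...]}; empty errors means the route is consistent."""
    errors, warnings = [], []
    regs = client_registrations(route)
    flt = oauth2_filter(route)
    for name in flt.get("registrations", []):
        if name not in regs:
            errors.append(f"filter references unknown registration '{name}'")
    # Both registrations share clientId 'oidc_client', so the issuer name is the only
    # thing that distinguishes them in a login link: each pair must be unique.
    pairs = list(regs.values())
    if len(set(pairs)) != len(pairs):
        errors.append("duplicate (clientId, issuer) pair; login links cannot disambiguate")
    if flt.get("requireHttps") is False:
        warnings.append("requireHttps is false: fine for this HTTP sample, not for production")
    return {"errors": errors, "warnings": warnings}


def build_login_link(client_endpoint, client_id, issuer_name, goto):
    """Mirror the page's href; quote(goto, safe='') stands in for urlEncodeQueryParameterNameOrValue."""
    return (f"{client_endpoint}/login?registration={client_id}"
            f"&issuer={issuer_name}&goto={quote(goto, safe='')}")


def nascar_links(route, goto):
    """One login link per registration the filter is allowed to use, in filter order."""
    regs = client_registrations(route)
    flt = oauth2_filter(route)
    return [build_login_link(flt["clientEndpoint"], *regs[name], goto)
            for name in flt["registrations"]]


def parse_login_link(link):
    """Decode a login link back into its path, registration, issuer and goto."""
    parts = urlsplit(link)
    query = parse_qs(parts.query)
    return {"path": parts.path, "registration": query["registration"][0],
            "issuer": query["issuer"][0], "goto": query["goto"][0]}


if __name__ == "__main__":
    route = load_route()
    print(lint_route(route))
    for link in nascar_links(route, GATEWAY_ORIGIN + "/home/id_token"):
        print(link)
```

Running the script prints one warning (requireHttps) and no errors for the route as written; if a registration name in the filter's registrations list is misspelled, or two registrations end up with the same clientId and issuer name, lint_route reports it before you find out via the route's 500 failure handler.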