Add an OIDC Application

You can configure your own connection between an OIDC-enabled web application (relying party) and RSA (the identity provider, or IdP). After you complete this procedure, the application is added to My Applications and is available for single sign-on (SSO) after the next publish operation.

Before you begin 

  • You must be a Super Admin for the Cloud Access Service (CAS) to perform this task.
  • Contact your SaaS application provider to learn about their OIDC policies and how much time they need to enable the OIDC configuration. Plan your timetable accordingly.
  • At least one identity router and one identity source must be configured and connected to CAS.

Procedure 

  1. In the Cloud Administration Console, click Applications > Application Catalog.

    The Application Catalog appears.
  2. Click Create From Template.

  3. Next to OIDC, click Select.

  4. On the Basic Information page, complete these fields.
    1. In the Name field, enter a name for the application.

    2. (Optional) In the Description field, enter a description for the application.

    3. Click Next Step.

  5. On the Authentication page, select a 2.0 policy for authentication.

    Note:  If you are currently using a 1.0 policy, you need to migrate to a 2.0 policy before modifying the application configuration. The 2.0 policies provide the capability to configure both Primary and Step-up Authentication options within the same access policy.

    1. Select the Allow user to request access to this application checkbox to enable users to request access to the application through My Page > Applications > App Catalog tab.

      Note:  When the Allow user to request access to this application checkbox is selected, an App Catalog group is automatically created. The group name matches the application name. Additionally, users who are not eligible for this application policy can view the application in the App Catalog tab.

    2. Click Next Step.
    The Connection Profile page of the wizard appears.
  6. On the Connection Profile page, complete these fields.
    1. In the Connection URL field, enter the URL for the OIDC application. This field is required.

    2. The Authorization Server Issuer URL field is read-only and displays the CAS URL of your organization.

    3. In the Redirect URL field, enter the redirect URL(s). You can enter multiple URLs. The maximum allowed length for URLs is 4000 characters.

    4. In the Client ID field, provide a unique ID that identifies this configuration in both CAS and the OIDC relying party. This field is required.

    5. In the Client Authentication Method drop-down list, select an authentication method.

    6. Click Generate next to the Client Secret field, or enter the client secret value.

    7. In the Scopes field, select a scope by typing its name. Matching scopes are suggested as you type. You can select multiple scopes.

    8. In the Claims field, select a claim by typing its name. Matching claims are suggested as you type. You can select multiple claims.
      To configure claims and scopes, see Manage OIDC Claims and Scopes.

    9. Enable the Require user consent for disclosure of private information setting if you want users to provide consent for private data disclosure to the relying party for additional claims.
      RSA My Page provides self-service consent management through the Privacy Settings page, allowing users to directly control their consent preferences related to data sharing.

    10. Click Next Step.
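The Connection Profile fields above are exactly the values the relying party needs to run the authorization-code flow against CAS. The following script is an added example, not RSA's code and not code from any particular application; it shows how a relying party uses those values: it enforces an exact match against the registered Redirect URL list, builds the authorization request (with state, nonce and PKCE), and authenticates the code exchange with either client_secret_basic or client_secret_post, the two standard OIDC methods assumed here for the Client Authentication Method drop-down (the page does not list which methods the console offers). The issuer, endpoint paths, redirect URLs, client ID and secret are constructed placeholders.

```python
"""Relying-party (RP) side of the Connection Profile configured in step 6.

Added example, not RSA's code. Every URL, ID and secret below is a
constructed placeholder; the authorization and token endpoint paths are
assumed to have been read from the issuer's discovery document.
"""
import base64
import hashlib
import secrets
from urllib.parse import quote, urlencode

# Constructed values standing in for the Connection Profile fields.
ISSUER = "https://tenant.example-cas.invalid"            # Authorization Server Issuer URL
AUTHORIZATION_ENDPOINT = ISSUER + "/oauth2/authorize"    # assumed, normally taken from discovery
TOKEN_ENDPOINT = ISSUER + "/oauth2/token"                # assumed, normally taken from discovery
REGISTERED_REDIRECTS = (                                 # Redirect URL field (several allowed)
    "https://app.example.invalid/oidc/callback",
    "https://app.example.invalid/oidc/callback-admin",
)
CLIENT_ID = "payroll-portal"                             # Client ID field
CLIENT_SECRET = "constructed-secret-not-a-real-one"      # Client Secret field
SCOPES = ("openid", "profile", "email")                  # Scopes field


def redirect_uri_is_registered(uri):
    """Exact string comparison against the registered list. Prefix or
    substring matching would let an unregistered path receive the
    authorization code, so the RP never relaxes this check."""
    return uri in REGISTERED_REDIRECTS


def new_pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = secrets.token_urlsafe(48)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorization_url(redirect_uri, state, nonce, code_challenge):
    """Authorization request URL the RP redirects the browser to."""
    if not redirect_uri_is_registered(redirect_uri):
        raise ValueError("redirect_uri is not in the registered Redirect URL list")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": " ".join(SCOPES),
        "state": state,                  # binds the callback to this browser session
        "nonce": nonce,                  # echoed in the ID token; detects replay
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def build_token_request(auth_method, code, redirect_uri, code_verifier):
    """Endpoint, headers and form body for the code exchange, authenticated
    with the method chosen in the Client Authentication Method drop-down."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,    # must repeat the value used in the authorization request
        "code_verifier": code_verifier,
    }
    if auth_method == "client_secret_basic":
        # RFC 6749 section 2.3.1: form-encode id and secret, then HTTP Basic.
        raw = quote(CLIENT_ID, safe="") + ":" + quote(CLIENT_SECRET, safe="")
        headers["Authorization"] = "Basic " + base64.b64encode(raw.encode("ascii")).decode("ascii")
    elif auth_method == "client_secret_post":
        body["client_id"] = CLIENT_ID
        body["client_secret"] = CLIENT_SECRET
    else:
        raise ValueError("unsupported client authentication method: " + auth_method)
    return TOKEN_ENDPOINT, headers, body


def callback_is_valid(returned_state, expected_state):
    """Reject callbacks whose state does not match the session's stored value."""
    return secrets.compare_digest(returned_state, expected_state)


if __name__ == "__main__":
    verifier, challenge = new_pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorization_url(REGISTERED_REDIRECTS[0], state, nonce, challenge))
    _, hdrs, form = build_token_request("client_secret_basic", "CONSTRUCTED-CODE",
                                        REGISTERED_REDIRECTS[0], verifier)
    print(hdrs["Authorization"], sorted(form))
```

In a real deployment the endpoint URLs come from the issuer's discovery document rather than from hard-coded paths, and the client secret generated in the console lives only on the relying party's server side; the browser only ever sees the authorization URL and the state value.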

  7. On the Portal Display page, configure how the application will appear in the application portal.
    1. (Optional) To hide the application in the application portal, clear the Display in Portal check box. When unselected, the application is not visible in the application portal, but users can still access the application by going directly to the protected URL.
      For information about how this setting interacts with the Disabled setting on the Basic Information page of the wizard, see Application Availability and Visibility.
    2. Select the Application Icon to represent the application in the portal. Use the default icon or click Change Icon to upload a different image.
      The image file must be in JPG or PNG format, and no larger than 50 KB. The recommended size is 75x75 pixels.
    3. In the Application Tooltip field, enter text that appears briefly when the cursor pauses over the application icon in the application portal.
    4. The Portal URL field is read-only and displays the URL for the home page of the application.
  8. On the Fulfillment page, select whether users will access the application with or without an approval workflow, and define the application configuration type. (For more information on the Fulfillment feature, see Lifecycle Management (Fulfillment Setting) in the Cloud Administration Console).

    Note:   The Fulfillment service to provision user access requests for applications or services is disabled by default.

  9. Enable the Fulfillment setting to select the Approver Type and set the proper configuration type for the OIDC application.

    1. Select one of the following Approver Types:

      • None: This option grants application access directly to users.
      • Manager: This option requires the assigned manager, retrieved from the Identity Source, to accept the request via My Page > My Action Items before users are granted access to the OIDC application.

      • Application Owner: This option requires the assigned application owner, retrieved from the Basic Information page, to accept the request via My Page > My Action Items before users are granted access to the OIDC application.

      • Manager & Application Owner: This option requires both the assigned manager and the application owner to accept the request via My Page > My Action Items before users are granted access to the OIDC application.

    2. (Optional) Select the Send Email to Requesters and Approvers checkbox to notify approvers and requesters by email when a request is submitted. Approvers can then view and either approve or decline the request, and requesters are notified of its current status.

    3. Select the appropriate configuration type from the Fulfillment Configuration Type drop-down list:

      Note:  Administrators need to ensure that all necessary configuration information is readily available before proceeding.

      Option: LDAP

      • Identity Source: Select one of the previously configured identity sources from the list.

      • Fulfillment Group Name: Enter the name of the fulfillment group in the selected identity source. For example, to reference a group named "Developers" in the IT organizational unit within the domain company.org, use the following format:

         cn=Developers,ou=IT,dc=company.org

      Note:  You can select the same identity source and assign a different fulfillment group name each time.

      Option: SCIM Endpoint

      • Base URI: Enter the Base URI obtained from the service provider.

      • API Key: Enter the API key obtained from the service provider.

      • Group Object ID (Optional): Enter the Group Object ID obtained from the service provider.

      Note:  If you cannot reach the SCIM Endpoint application, contact RSA Support to approve the application.

      Option: Entra ID

      • Client ID: Enter the Client ID obtained from the service provider.

      • Client Secret: Enter the Client Secret obtained from the service provider.

      • Tenant ID: Enter the Tenant ID obtained from the service provider.

      • Group Object ID: Enter the Group Object ID obtained from the service provider.

  10. (Optional) Enable OAuth 2.0 if you are using OAuth 2.0 for the SCIM Endpoint.

    1. In the OAuth 2.0 URL field, enter the OAuth 2.0 URL obtained from the service provider.

    2. In the Client ID field, enter the Client ID obtained from the service provider.

    3. In the Client Secret field, enter the Client Secret obtained from the service provider.

  11. Select Enable Delete Actions to allow managers and application owners to manage account deletion actions in My Page. You can choose from the following options:

    Note:  When you select LDAP as the configuration type, Remove from group is the only action available for account removal.

    • Delete account: Deletes the user account entirely from the SCIM or Entra ID application.

    • Remove from group: Removes the user account from the fulfillment groups defined in the application's fulfillment configuration.

    Note:  If the same group is used in the fulfillment configuration of multiple applications, removing a user from that group will also revoke their access to any other applications that share the group.

  12. Select Allow enabling/disabling user account access to applications to allow managers and application owners to enable or disable user accounts on the SCIM or Entra ID application.

    Note:  Disabling or enabling a user in the identity source affects access to all applications that use the same identity source.

  13. (Optional) Enable Application Roles to define roles and set conditions, providing users with attribute-based access to the application.

    Note:  If a user does not match any of the configured roles, they can still request access to the application. In such cases, they will receive the default access level specified in the fulfillment configuration completed during the earlier steps.

    (Optional) Select the Allow approvers to add users to roles or groups checkbox to enable approvers to assign or unassign users to specific roles or groups via My Page.

  14. In the Role Name field, enter the role name that appears on My Page for the approver to add users. You can either click the plus (+) icon to add additional roles, or click the minus (-) to remove roles.

    Managers and application owners can submit a Modify User Role request from My Page, and these changes follow the same approval workflow defined in the Fulfillment settings.

  15. In the Additional Group field, enter the group name that appears on My Page for the approver to add users. You can either click the plus (+) icon to add additional groups, or click the minus (-) icon to remove additional groups.

  16. In the drop-down list, select whether users must meet any or all of the criteria defined for the role. You can select one of the following options:

    • Any: This option grants access to users whose profile matches any of the set criteria.

    • All: This option grants access only to users whose profile matches all of the set criteria.

  17. To set the User Attribute, click the Add button. In the User Selection dialog box, do the following:

    1. Select the User Attribute from the drop-down list.

    2. Select the Operation from the drop-down list.

    3. Enter the Value based on your operation selection.

    4. Click Save.

    Note:  If this role assigns users based on identity source attributes, ensure that the identity source is properly configured to select those attributes and synchronize them with CAS.
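Steps 13 to 17 define attribute-based role assignment: each role carries a set of (attribute, operation, value) criteria, an Any/All match mode, and a fallback to the default fulfillment access when no role matches. The following model is an added example, not RSA's code; it evaluates such roles against user profiles. The operation names (equals, contains, starts with), the attribute names and the sample users are constructed assumptions rather than values from the console, and an attribute missing from the profile (one never synchronized from the identity source) is treated as a non-match, which is the failure the note above warns about.

```python
"""Evaluate Application Roles (steps 13 to 17) against a user profile.

Added example, not RSA's code. The Any/All match modes and the
default-access fallback follow the procedure text; the operation set,
attribute names and sample users below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    """One row of the User Selection dialog: attribute, operation, value."""
    attribute: str
    operation: str
    value: str


@dataclass(frozen=True)
class Role:
    """A role from the Role Name field with its criteria and match mode."""
    name: str
    match: str          # "Any" or "All", as in the drop-down of step 16
    conditions: tuple   # tuple of Condition


# Assumed operation set; the console's actual list is not given on the page.
OPERATIONS = {
    "equals": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected in actual,
    "starts with": lambda actual, expected: actual.startswith(expected),
}


def condition_matches(cond, profile):
    """An attribute that was never synchronized from the identity source
    (see the note on step 17) is absent from the profile and matches nothing."""
    actual = profile.get(cond.attribute)
    if actual is None:
        return False
    return OPERATIONS[cond.operation](str(actual), cond.value)


def role_matches(role, profile):
    """Any: at least one criterion matches. All: every criterion matches."""
    if role.match not in ("Any", "All"):
        raise ValueError("match must be Any or All")
    results = [condition_matches(c, profile) for c in role.conditions]
    if not results:              # a role with no criteria selects nobody
        return False
    return any(results) if role.match == "Any" else all(results)


def resolve_access(roles, profile, default_access):
    """Names of the roles the user qualifies for, or the fulfillment default
    when none matches (the user may still request access, per the note)."""
    matched = [r.name for r in roles if role_matches(r, profile)]
    return matched if matched else [default_access]


# Constructed roles and user profiles.
ROLES = (
    Role("Finance Admin", "All", (
        Condition("department", "equals", "Finance"),
        Condition("title", "contains", "Manager"),
    )),
    Role("EMEA Staff", "Any", (
        Condition("country", "equals", "DE"),
        Condition("country", "equals", "FR"),
    )),
)
USERS = {
    "alice": {"department": "Finance", "title": "Senior Manager", "country": "DE"},
    "bob": {"department": "Finance", "title": "Analyst", "country": "US"},
    "carol": {"department": "Engineering", "country": "FR"},   # title never synchronized
}

if __name__ == "__main__":
    for name, profile in USERS.items():
        print(name, resolve_access(ROLES, profile, "default access"))
```

The `profile.get` returning `None` is where an incompletely configured identity source shows up in practice: the role silently never matches, and the user lands on the default access level instead of the intended role, so checking the synchronized attribute list is the first thing to verify when a role assignment looks wrong.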

  18. Click Save and Finish.

  19. (Optional) To publish this configuration and immediately activate it, click Publish Changes.