Add an OIDC Relying Party
Cloud Access Service (CAS) can act as the authorization server for a generic OpenID Connect (OIDC) relying party application. OIDC manages primary authentication, and CAS manages additional authentication.
Before you begin
You must be a Super Admin in the Cloud Administration Console.
Know which access policy to use for additional authentication.
Step 1: Enter Basic Information
In the Cloud Administration Console, click Authentication Clients > Relying Parties > Add a Relying Party.
In the Relying Party Catalog, click Add corresponding to Generic OIDC.
In the Basic Information tab, enter a name and description (optional) for the OIDC application.
Click Next Step.
Step 2: Configure Authentication Management
In the Authentication tab, do the following:
If you want CAS to manage only additional authentication, select Relying Party manages primary authentication, and RSA manages additional authentication.
If you want CAS to manage both primary and additional authentication, select RSA manages all authentication.
Primary authentication (for example, password) is the initial identifying information of the user that is requesting access to the application.
If CAS is managing primary authentication, in the Primary Authentication Method drop-down list, select the authentication method to use.
Note: If you select FIDO, users cannot complete registration when authenticating for the first time with a FIDO authenticator as a primary authentication method. Make sure that users first complete registration by accessing an application or My Page that requires FIDO as additional authentication. Users can then use FIDO as primary authentication for this application.
If the Relying Party manages primary authentication, and RSA manages additional authentication, in the 1.0 Access Policy for Additional Authentication drop-down list, select the 1.0 access policy to apply to requests from OIDC.
If RSA manages all authentication, in the 2.0 Access Policy for Authentication drop-down list, select the 2.0 access policy to apply to requests from OIDC. For information about access policies, refer to the "Access Policies 1.0 and 2.0" section on the Access Policies page.
Click Next Step.
Step 3: Enter the Connection Profile
Specify the connection information for CAS as the provider and the OIDC application as the relying party.
In the Redirect URL field, provide one or more redirect URLs that the Relying Party can send in the request and to which the response is redirected. If the URL provided in the request does not match a URL provided in the Redirect URL field, the request is rejected.
In the Client ID field, provide the unique ID that identifies the configuration in both CAS and OIDC. If you change this ID after you copy the metadata to OIDC, update the custom control with the change.
In the Client Authentication Method drop-down list, select an authentication method.
Click Generate corresponding to the Client Secret field.
Select the scope by typing the name. The available scopes will be auto-populated. You can select multiple scopes.
Select the claim by typing the name. The available claims will be auto-populated. You can select multiple claims. To configure claims and scopes, see Manage OIDC Claims and Scopes.
Click Save and Finish.
(Optional) To publish this configuration and immediately activate it, click Publish Changes.
You must publish the configuration before the relying party can make use of the metadata.
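The following added example (not RSA code and not part of the original article) sketches the Step 3 redirect URL check from the provider's side, so you can see why a request is rejected when its redirect URL differs from the registered one even slightly. It assumes the simple string comparison that OpenID Connect Core specifies for redirect_uri; the endpoint, client ID, URLs and function names are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholders standing in for the values entered in Step 3.
AUTHORIZE = "https://idp.example.com/authorize"  # hypothetical endpoint
REGISTERED = {
    "client_id": "example-rp-client",
    "redirect_urls": {"https://app.example.com/oidc/callback"},
}

def build_request(client_id, redirect_uri, scope="openid profile"):
    """Build the authorization request a relying party would send."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": scope})
    return f"{AUTHORIZE}?{query}"

def check_request(url, registration=REGISTERED):
    """Return (accepted, reason) for an authorization request URL."""
    params = parse_qs(urlsplit(url).query)
    # A missing or repeated parameter is ambiguous, so refuse it.
    for name in ("client_id", "redirect_uri", "scope"):
        if len(params.get(name, [])) != 1:
            return False, f"missing or repeated {name}"
    if params["client_id"][0] != registration["client_id"]:
        return False, "unknown client_id"
    # Exact string comparison: no prefix, case-folding or normalisation.
    if params["redirect_uri"][0] not in registration["redirect_urls"]:
        return False, "redirect_uri not registered"
    if "openid" not in params["scope"][0].split():
        return False, "openid scope missing"
    return True, "ok"

if __name__ == "__main__":
    cid = REGISTERED["client_id"]
    for uri in ("https://app.example.com/oidc/callback",
                "https://app.example.com/oidc/callback/",   # trailing slash
                "http://app.example.com/oidc/callback",     # scheme differs
                "https://APP.example.com/oidc/callback"):   # host case differs
        print(uri, "->", check_request(build_request(cid, uri)))
```

Register each redirect URL exactly as the application sends it, including scheme, host case, path and any trailing slash.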