IDP Initiated SSO with OIDC
Hello everyone,
We have a requirement to configure an OpenID Connect Authentication Service in 8.6 to work with IdP initiated sessions. In this case, User will be already logged into the Identity provider (IDP) and will then try to access Pega Application URL (Service Provider) from there.
Although the user is already authenticated in IDP, however our requirement is that Pega should still use the "Authorization code" grant flow where Pega would need to request the Authorzation code first from IDP and then continue the process.
Now my question is will the OOTB Open ID Authentication service work here? In other words, if I embed my application URL in IDP e.g https://myapplication/prweb/PRAuth/IDP, will it work the same way as if I hit this URL in a separate browser session?
Thanks
SB
JP Morgan
US
@SwaidB26IDP is nothing but token based auth.
when user enters pega the request will have the token. Your code needs to hit the IDP with this token or use the private key to authenticate the user. The token once decoded will be returning claims like the time for how long the token is valid , authorization with in the app and few other meta data. This info will help you to route the user to desired workflow.
Toyota Financial Services
AU
@abdulq95 thanks for your reply.
My query is not related to "Client Credential" grant flow that you have described but rather the "Authorization code" grant flow.
Ernst & Young LLP
MT
As per my understanding, the only difference between trying to open PRPC app url - from existing IDP/Auth server session, and from an incognito window is the authentication step.
Auth server authentication step will be skipped if you are logged in Auth server already.
Rest of the auth process - Auth token, Access token, ID token creation will happen regardless how you are accessing the PRPC app url.
Toyota Financial Services
AU
@Nirmalya.SenSharma Thanks for your reply.
We want the standard "Authorization code" grant flow to work here wherein Pega would still request an Authorization Code from IDP (since user is already authenticated in IDP, IDP might use the existing cookie information, will leave that up to IDP to decide).
Hopefully, the OOTB OIDC Auth service configuration would work in this scenario and we would not need to built a custom Auth service. We are planning to do a POC regardless but wanted to check if anyone has implemented this use case.
Thanks again for your reply.
Ernst & Young LLP
MT
That is my understanding as well, that OOTB OIDC auth service will work without any hitch.
But, if you find any issue in your POC, let us know that as well.
Thanks