OIDC endpoint URLs

book

Article ID: 193287

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction

 

We're running a CA Access Gateway (SPS) and we'd like to know if it is
supported to call the OIDC endpoints for generated for OIDC clients
without the clientname part ?

  <authorizationserver_base_URL>/affwebservices/CASSO/oidc/sample_client/token
  <authorizationserver_base_URL>/affwebservices/CASSO/oidc/token

 

Environment

 

Policy Server 12.8SP3 on RedHat 7;

 

Resolution

 

From the documentation, some modification has been brought in 12.8SP3 :

  Manage Provider Metadata Feature

    From 12.8.02, CA Single Sign-on as an OpenID Connect Provider supports
    the Well-known Endpoint. To support the feature, client_name is
    appended to the URL format as shown here:

      Issuer URL: https://Access_Gateway_server:port/affwebservices/CASSO/oidc/client_name
      Endpoint URL: https:/Access_Gateway_server:port/affwebservices/CASSO/oidc/client_name/endpoint

    From 12.8.03, you can enable or disable the provider metadata feature
    using the new field Enable Well-known in Administrative UI. The status
    of this option manages whether Well-known endpoint is displayed when
    an OIDC Client is created, and it also determines the Issuer URL
    format

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/release-notes/new-features.html

and further :

Enable Well-known

  Specifies whether the provider metadata feature is enabled or
  disabled. The status of this option manages the provider metadata
  feature and thereby the Issuer URL format.

  Default: Disabled

  If Enable Well-known is selected, CA Single Sign-on performs the
  following actions when it creates a client:

    Displays the Provider Metadata endpoint in the following format in
    Administrative UI:

      https://Access_Gateway_server:port/affwebservices/CASSO/oidc/client_name/.well-known/openid-configuration

    Displays the other endpoints in the following format:

      https://Access_Gateway_server:port/affwebservices/CASSO/oidc/client_name/endpoint_name

    Displays the Issuer URL value in the following format in
    Administrative UI:

      https://Access_Gateway_server:port/affwebservices/CASSO/oidc/client_name

    (Runtime) Includes Issuer URL in the following format when the iss
    claim is sent in responses such as ID Token and signed UserInfo
    response:

      https://Access_Gateway_server:port/affwebservices/CASSO/oidc/client_name

  If Enable Well-known is not selected, CA Single Sign-on performs the
  following actions:

    Does not display the Provider Metadata endpoint in Administrative UI.

    Displays the other endpoints in the following format in Administrative
    UI:

      https://Access_Gateway_server:port/affwebservices/CASSO/oidc/endpoint_name

    Displays the Issuer URL value in the following format in
    Administrative UI:

      https://Access_Gateway_server:port

    (Runtime) Includes Issuer URL in the following format when the iss
    claim is sent in responses such as ID Token and signed UserInfo
    response:

      https://Access_Gateway_server:port

  Note: If you are using 12.8.02 and you are upgrading your
  environment to 12.8.03, your existing endpoints URLs may not
  continue to work in 12.8.03 once you upgrade. To avoid the issue,
  you must perform the steps related to OIDC objects upgrade in Policy
  Server upgrade and policy store upgrade topics. For more information
  about the steps required to upgrade OIDC objects, see the Policy
  Server and policy store upgrading sections in In-place Upgrade and
  Rolling Upgrade.

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/using/administrative-ui/openid-connect-provider-reference/clients-dialog.html

So, according to documentation, both ways are supported, depending of
the value of "Enable Well-known" functionality. You should note that
upgrade from 12.8SP2 to 12.8SP3 may break some urls.

From our Documentation, the sample_client is mentioned as "Sample"
only.

  Authentication Using Implicit Flow
  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/use-ca-single-sign-on-as-openid-connect-provider/authentication-using-implicit-flow.html

RFC doesn't precise anything neither about preceeding URI of /token :

  The OAuth 2.0 Authorization Framework
  https://tools.ietf.org/html/rfc6749

We strongly suggest you to use the clientname part in the URL as the
product has been designed for that sake, mainly when OpenID Discovery
is in use. The use of the URI without clientname is an old endpoints
naming for which you still can use, with limitation as per above.