Generic OpenID Connect
Generic OpenID Connect (OIDC, an authentication layer on top of the OAuth 2.0 authorization framework) allows users to sign in to an Okta org using the credentials of their existing account at an OIDC Identity Provider (IdP). A generic OIDC IdP can be a third-party IdP that supports OIDC, such as Salesforce or Yahoo, or your own custom IdP. You can also configure federation between Okta orgs using OIDC as a replacement for SAML. If you want your users to sign in with an existing database of credentials and sync their accounts into Universal Directory from the external IdP, configure your Okta org to use a generic OIDC IdP.
Configuring a generic OIDC IdP allows you to use the following features:
- User Registration: Capture the Profile attributes from a generic OIDC IdP user and store those attributes in Okta's Universal Directory.
- User Authentication: After a user is registered, continue to use that generic OIDC IdP for user authentication, thus eliminating the need to store an additional username and password for that user.
- Profile Sync: If a user updates their profile, those changes can be reflected inside Okta the next time that they use the IdP to sign in.
- Support for Multiple Social Profiles: Multiple Social Profiles can all be linked to one Okta user.
- OAuth 2.0 Scope Configuration: Specify OAuth 2.0 scopes to fully control which attributes are linked to Okta.
For detailed information on usage and setup, see Generic OpenID Connect Identity Providers.
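The features listed above all turn on how the claims in the IdP's ID token are validated and mapped onto a user record. The following is an added illustration, not Okta's code or API: it assumes the token's signature has already been verified against the IdP's JWKS by a JWT library, then checks the issuer, audience, expiry and nonce, releases only the attributes covered by the scopes the org granted, and registers a new user, links an additional IdP identity to an existing user, or syncs the profile of an already-linked one. The issuer, client ID, directory structure and sample claims are constructed for the example.

```python
"""Claim handling behind a generic OIDC IdP integration (added example).

Assumes the ID token signature has already been verified; this code covers
claim validation, scope-based attribute release, and register/link/sync
against an in-memory stand-in for a user directory.
"""
import time
from dataclasses import dataclass, field

# Hypothetical trust configuration for one generic OIDC IdP (constructed values).
IDP_CONFIG = {
    "issuer": "https://idp.example.com",
    "client_id": "okta-client-123",
    "scopes": {"openid", "profile", "email"},  # scopes the org chose to request
}

# Standard claims grouped by the scope that releases them (OIDC Core, section 5.4).
SCOPE_CLAIMS = {
    "profile": {"name", "given_name", "family_name", "preferred_username", "picture"},
    "email": {"email", "email_verified"},
    "phone": {"phone_number", "phone_number_verified"},
    "address": {"address"},
}

# Constructed ID token payload, as it would look after signature verification.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.com",
    "sub": "248289761001",
    "aud": "okta-client-123",
    "exp": 4102444800,          # far-future expiry so the sample stays valid
    "iat": 1700000000,
    "nonce": "n-0S6_WzA2Mj",
    "name": "Jane Doe",
    "email": "jane@example.com",
    "email_verified": True,
    "phone_number": "+15555550100",  # must NOT be stored: 'phone' scope not granted
}


@dataclass
class User:
    login: str
    profile: dict = field(default_factory=dict)
    # (issuer, subject) pairs: several IdP/social identities can link to one user
    linked_idps: set = field(default_factory=set)


class OidcClaimError(ValueError):
    """Raised when an ID token's claims do not match this org's configuration."""


def validate_id_token_claims(claims, expected_nonce, now=None):
    """Reject tokens from the wrong issuer, for another client, expired, or replayed."""
    now = time.time() if now is None else now
    if claims.get("iss") != IDP_CONFIG["issuer"]:
        raise OidcClaimError("unexpected issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if IDP_CONFIG["client_id"] not in audiences:
        raise OidcClaimError("token not intended for this client")
    if claims.get("exp", 0) <= now:
        raise OidcClaimError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise OidcClaimError("nonce mismatch (possible replay)")
    if not claims.get("sub"):
        raise OidcClaimError("missing subject")
    return claims


def filter_profile_by_scopes(claims, granted_scopes):
    """Keep only the attributes released by scopes the org configured."""
    allowed = set()
    for scope in granted_scopes:
        allowed |= SCOPE_CLAIMS.get(scope, set())
    return {k: v for k, v in claims.items() if k in allowed}


def register_or_sync(directory, claims, granted_scopes):
    """Sync an already-linked user, link a second identity, or register a new user.

    `directory` maps login -> User and stands in for Universal Directory.
    Returns (user, action) where action is 'synced', 'linked' or 'registered'.
    """
    identity = (claims["iss"], claims["sub"])
    attrs = filter_profile_by_scopes(claims, granted_scopes)

    # 1) Identity already linked -> Profile Sync on each sign-in.
    for user in directory.values():
        if identity in user.linked_idps:
            user.profile.update(attrs)
            return user, "synced"

    # 2) Verified e-mail matches an existing login -> link another profile to that user.
    email = attrs.get("email")
    if email and attrs.get("email_verified") is True and email in directory:
        user = directory[email]
        user.linked_idps.add(identity)
        user.profile.update(attrs)
        return user, "linked"

    # 3) Otherwise -> User Registration with the released attributes.
    login = email or f"{claims['sub']}@{claims['iss']}"  # placeholder login if no e-mail is released
    user = User(login=login, profile=attrs, linked_idps={identity})
    directory[login] = user
    return user, "registered"
```

Only the verified-email path links identities automatically; an unverified `email` claim is stored as an attribute but never used to merge accounts, since that would let one IdP identity claim another user's login.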