IBM Verify

  • 1.  Difference between two ways to create OIDC IdP

    Posted Mon January 11, 2021 05:03 AM
    I can create an OIDC/OAuth Identity Provider in 2 different ways in ISAM:
    Secure Federation -> Manage -> Federations -> Add -> Select OpenID Connect Relying Party
    Secure Federation -> Manage -> OpenID Connect and API Protections -> Creating Definition

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------


  • 2.  RE: Difference between two ways to create OIDC IdP

    Posted Mon January 11, 2021 05:20 AM
    Hi Joao,

    This is for creating an OIDC Relying Party:
    Secure Federation -> Manage -> Federations -> Add -> Select OpenID Connect Relying Party

    This is for creating an OAuth/OIDC Provider:
    Secure Federation -> Manage -> OpenID Connect and API Protections -> Creating Definition

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: Difference between two ways to create OIDC IdP

    Posted Mon January 11, 2021 06:38 AM
    Edited by Joao Goncalves Mon January 11, 2021 06:54 AM
    When you create an OIDC Relying Party, you can configure multiple Partners, which I believe are the relying parties.

    When I create a reverse proxy and associate it with the Federation (Reverse Proxy -> Manage -> AAC and Federation Configuration -> Federation Management), in fact I can only select the Relying Party with multiple Partners!

    Does it mean that the Relying Party junction is used by the Partners to validate the access token created by the Identity Provider?
    In other words, when I create a Relying Party Federation, am I in fact creating a set of services for the Partners to use for validating the Access Token?

    If this is true, why do I have the option of selecting the Role in SAML 2.0? I can choose from Identity Provider or Service Provider!


    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------



  • 4.  RE: Difference between two ways to create OIDC IdP

    Posted Tue January 12, 2021 04:20 AM
    Hi Joao,

    I think perhaps you have things backwards. When you create a "Relying Party" in Verify Access, you are setting up Verify Access as a Relying Party, i.e. as a system that will receive tokens from others (such as social sign-on providers).

    If you want to set up Verify Access so that it will generate tokens which can subsequently be checked for validity by others calling into a Verify Access introspection endpoint then you need to set up Verify Access as an OAuth/OIDC Provider.

    If you set up multiple Relying Party definitions in Verify Access then you must run the Reverse Proxy federation configuration wizard for each one (to set up ACLs for the definition-specific endpoints).

    If you set up Verify Access as an OIDC/OAuth Provider, you only need to run the Reverse Proxy OIDC/OAuth configuration wizard once, even if you set up multiple OIDC/OAuth Provider definitions. This is because the endpoints for OIDC/OAuth have common path roots, so that a single set of ACLs works for all definitions.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
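The two roles Jon contrasts above, as an added example that is not part of the thread and not IBM or Verify Access code: an OAuth/OIDC provider that mints opaque access tokens and answers RFC 7662 introspection, and a consumer that trusts a bearer token only after the provider confirms it. Everything runs in memory; the issuer URL, client IDs, secrets, user and scopes are constructed for illustration, and the `now` parameters exist only so the expiry behaviour can be shown deterministically.

```python
"""Added example (not from the thread or from IBM): provider-side token
issuance plus RFC 7662 introspection, and consumer-side validation."""
import hmac
import secrets
import time


class OAuthProvider:
    """Authorization-server side: mints opaque tokens, answers introspection."""

    def __init__(self, issuer, clients):
        self.issuer = issuer
        self.clients = clients      # client_id -> client_secret (constructed values)
        self._tokens = {}           # opaque token -> metadata held only by the issuer

    def issue_token(self, client_id, subject, scope, lifetime=300, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # opaque: holders cannot validate it locally
        self._tokens[token] = {
            "iss": self.issuer, "client_id": client_id, "sub": subject,
            "scope": scope, "iat": int(now), "exp": int(now) + lifetime,
        }
        return token

    def revoke(self, token):
        self._tokens.pop(token, None)

    def introspect(self, token, client_id, client_secret, now=None):
        """RFC 7662 endpoint: only authenticated clients may ask, and unknown,
        expired and revoked tokens all answer the same way ({"active": false})
        so the endpoint cannot be used as a token oracle."""
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            raise PermissionError("client authentication failed")
        now = time.time() if now is None else now
        meta = self._tokens.get(token)
        if meta is None or meta["exp"] <= now:
            return {"active": False}
        return {"active": True, **meta}


class ResourceServer:
    """Consumer side: accepts a bearer token only after the provider confirms
    it is active, came from the expected issuer, and carries the needed scope."""

    def __init__(self, provider, client_id, client_secret, expected_issuer):
        self.provider = provider
        self.client_id = client_id
        self.client_secret = client_secret
        self.expected_issuer = expected_issuer

    def authorize_request(self, bearer_token, required_scope, now=None):
        info = self.provider.introspect(
            bearer_token, self.client_id, self.client_secret, now=now)
        if not info.get("active"):
            return False, "token inactive"
        if info.get("iss") != self.expected_issuer:
            return False, "unexpected issuer"
        if required_scope not in info.get("scope", "").split():
            return False, "insufficient scope"
        return True, info["sub"]


def demo(now=1_700_000_000):
    """Walk one token through use, scope check, expiry and revocation."""
    idp = OAuthProvider("https://idp.example", {"api-gw": "gw-secret"})
    api = ResourceServer(idp, "api-gw", "gw-secret", "https://idp.example")
    tok = idp.issue_token("web-app", "alice", "openid profile read", now=now)
    results = {
        "valid": api.authorize_request(tok, "read", now=now + 60),
        "wrong_scope": api.authorize_request(tok, "write", now=now + 60),
        "expired": api.authorize_request(tok, "read", now=now + 600),
    }
    idp.revoke(tok)
    results["revoked"] = api.authorize_request(tok, "read", now=now + 60)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:12} -> {outcome}")
```

The point of the split is that nothing about the token itself is verifiable by the consumer; every decision goes back to the issuer, which is why a Verify Access deployment acting as a provider must expose its introspection endpoint (and protect it with client authentication), while a deployment acting as a relying party is on the other side of that call.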



  • 5.  RE: Difference between two ways to create OIDC IdP

    Posted Tue January 12, 2021 07:15 AM
    Edited by Joao Goncalves Tue January 12, 2021 07:20 AM
    Thanks.
    In https://www.ibm.com/support/knowledgecenter/SSPREK_10.0.0/com.ibm.isva.doc/config/concept/oidc_rp_auth_endpoints.htm, I can see an external application [ExAPP] can invoke the Relying Party using the kickoff endpoint to start the authentication process.

    If I understand it correctly, I believe at the end of the kickoff process the ExAPP will get the ID Token.
    After invoking the redirect endpoint it will retrieve the Access Token.

    I don't understand the relevance of the Point of Contact as stated in https://www.ibm.com/support/knowledgecenter/SSPREK_10.0.0/com.ibm.isva.doc/config/concept/oidc_rp_auth_iden_map.htm

    And since the Point of Contact is global, does it mean that, if Access Manager is used on one Point of Contact profile, all other Relying Parties must use the same profile?

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------
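The kickoff and redirect endpoints discussed in the post above, as an added example that is not part of the thread and not Verify Access's own implementation: a relying party in the OpenID Connect authorization-code flow, federated with a toy OpenID Provider. In this flow the kickoff endpoint only sends the browser to the provider with a fresh `state` and `nonce`; the redirect endpoint receives the authorization code, and the token response it redeems carries the ID token and the access token together. The issuer, client credentials, endpoint paths and user are constructed, and the ID token is an HS256 JWS keyed with the client secret, which OIDC Core allows for clients with a shared secret.

```python
"""Added example (not from the thread or from IBM): RP kickoff/redirect
endpoints with a toy OP, authorization-code flow, state + nonce checks."""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_hs256_sign(claims, key):
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def jws_hs256_verify(token, key):
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("ID token signature invalid")
    return json.loads(_unb64url(body))


class ToyOpenIDProvider:
    """External OP: /authorize hands the browser a one-time code, /token redeems it."""

    def __init__(self, issuer, client_id, client_secret):
        self.issuer, self.client_id, self.client_secret = issuer, client_id, client_secret
        self._codes = {}

    def authorize(self, query, logged_in_user):
        if query["client_id"] != self.client_id or query["response_type"] != "code":
            raise ValueError("bad authorization request")
        code = secrets.token_urlsafe(16)
        self._codes[code] = {"sub": logged_in_user, "nonce": query["nonce"],
                             "redirect_uri": query["redirect_uri"]}
        return query["redirect_uri"] + "?" + urlencode({"code": code, "state": query["state"]})

    def token(self, code, redirect_uri, client_id, client_secret, now):
        rec = self._codes.pop(code, None)             # codes are single use
        if rec is None or rec["redirect_uri"] != redirect_uri:
            raise ValueError("invalid code")
        if client_id != self.client_id or not hmac.compare_digest(client_secret, self.client_secret):
            raise ValueError("client authentication failed")
        id_token = jws_hs256_sign({"iss": self.issuer, "sub": rec["sub"], "aud": client_id,
                                   "nonce": rec["nonce"], "iat": now, "exp": now + 300},
                                  client_secret.encode())
        return {"token_type": "Bearer", "access_token": secrets.token_urlsafe(24),
                "id_token": id_token}


class RelyingParty:
    """RP side: kickoff starts the flow, redirect finishes it."""

    def __init__(self, op, client_id, client_secret, redirect_uri):
        self.op, self.client_id, self.client_secret = op, client_id, client_secret
        self.redirect_uri = redirect_uri
        self._sessions = {}   # browser session -> pending state/nonce

    def kickoff(self, session_id):
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self._sessions[session_id] = {"state": state, "nonce": nonce}
        return self.op.issuer + "/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id, "scope": "openid profile",
            "redirect_uri": self.redirect_uri, "state": state, "nonce": nonce})

    def redirect(self, session_id, callback_url, now):
        """Check state, redeem the code, verify the ID token; the ID token and
        the access token both arrive here in the same token response."""
        query = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        pending = self._sessions.pop(session_id, None)
        if pending is None or not hmac.compare_digest(query.get("state", ""), pending["state"]):
            raise ValueError("state mismatch (CSRF or replayed callback)")
        tokens = self.op.token(query["code"], self.redirect_uri,
                               self.client_id, self.client_secret, now)
        claims = jws_hs256_verify(tokens["id_token"], self.client_secret.encode())
        if claims["iss"] != self.op.issuer or claims["aud"] != self.client_id:
            raise ValueError("ID token not issued for this RP")
        if claims["nonce"] != pending["nonce"] or claims["exp"] <= now:
            raise ValueError("ID token replayed or expired")
        return {"sub": claims["sub"], "access_token": tokens["access_token"]}


def run_login(now=1_700_000_000, user="alice"):
    """Full round trip: kickoff -> OP authorize -> redirect; returns the result."""
    op = ToyOpenIDProvider("https://op.example", "isva-rp", "rp-secret")
    rp = RelyingParty(op, "isva-rp", "rp-secret", "https://rp.example/redirect")
    auth_url = rp.kickoff("browser-1")
    params = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
    callback = op.authorize(params, user)
    return rp.redirect("browser-1", callback, now)
```

The session-bound `state` and `nonce` are what tie the callback to the browser that started the kickoff; a redirect that arrives with a foreign or reused `state` is refused before any code is redeemed, and an ID token whose `nonce` does not match is refused even if its signature is good.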