This document discusses integrating single sign-on (SSO) using OpenID Connect with the TCBL SSO server. It provides an overview of the OpenID Connect authentication flow, steps for configuring a client application, and information on registering the application with the TCBL SSO server. Upcoming work at imec is also outlined, including migrating the Gluu server, improving the user experience for authentication and consent, and developing an app for users to manage their profile data. The presentation concludes with time for discussion.

1. TCBL
imec – TCBL Single Sign On (extra information)
Athens, June 21, 2017

2. Contents
 OpenID Connect: flow
 How to integrate by TCBL service / Associated Service Provider (ASP)
 Upcoming work at imec
 Time for discussion…

3. OpenID Connect: flow (1/3)
 Reference:
 http://openid.net/specs/openid-connect-core-1_0.html
 Abbreviations on next slide
 RP = Relying Party (the “client”; website of TCBL service or ASP)
 OP = OpenID Connect Provider (the TCBL SSO server)
 AuthN = Authentication (who are you?)
 AuthZ = Authorization (do you allow?)

4. OpenID Connect: flow (2/3)
1. AuthN Request
2. AuthN
3. AuthZ
4. AuthN Response (ID & Access tokens)
5. User Info Request (Access token)
6. User Info Response (name…)
RP OP
User
(client) (server)

5. OpenID Connect: flow (3/3)
 OpenID Connect defines three detailed flows to accomplish this
sequence:
 Authorization Code Flow (back end to back end, tokens not visible by
the user): recommended
 Implicit Flow (when back end to back end is not possible, e.g. in front
end applications, tokens visible by user)
 Hybrid Flow
 Described in detail at http://openid.net/specs/openid-connect-core-
1_0.html#CodeFlowSteps

6. How to integrate by TCBL service / ASP (1/5)
 1. Find software:
 Find a RP client software library, e.g.:
 at http://openid.net/developers/certified/
 at http://openid.net/developers/uncertified/
 Or find an OpenID Connect plugin for your platform, e.g.:
 for Drupal: https://www.drupal.org/project/openid_connect

7. How to integrate by TCBL service / ASP (2/5)
 2. Configure the client:
 Obtain info about the TCBL SSO server
 We’ve got two servers:
 For test/development: https://tcblsso2.ilabt.imec.be
 For production: https://tcblsso.ilabt.iminds.be
 Configuration details can be read at location /.well-known/openid-
configuration, e.g. for the test/development server:
 wget https://tcblsso2.ilabt.imec.be/.well-known/openid-configuration

8. How to integrate by TCBL service / ASP (3/5)
 As an example: extract from the wget output:
{
"issuer": "https://tcblsso2.ilabt.imec.be",
"authorization_endpoint": "https://tcblsso2.ilabt.imec.be/oxauth/seam/resource/restv1/oxauth/authorize",
"token_endpoint": "https://tcblsso2.ilabt.imec.be/oxauth/seam/resource/restv1/oxauth/token",
"userinfo_endpoint": "https://tcblsso2.ilabt.imec.be/oxauth/seam/resource/restv1/oxauth/userinfo",
"clientinfo_endpoint": "https://tcblsso2.ilabt.imec.be/oxauth/seam/resource/restv1/oxauth/clientinfo",
"check_session_iframe": "https://tcblsso2.ilabt.imec.be/oxauth/opiframe",
"end_session_endpoint": "https://tcblsso2.ilabt.imec.be/oxauth/seam/resource/restv1/oxauth/end_session",
"jwks_uri": "https://tcblsso2.ilabt.imec.be/oxauth/seam/resource/restv1/oxauth/jwks",
"registration_endpoint": "https://tcblsso2.ilabt.imec.be/oxauth/seam/resource/restv1/oxauth/register",
"validate_token_endpoint": "https://tcblsso2.ilabt.imec.be/oxauth/seam/resource/restv1/oxauth/validate",
"id_generation_endpoint": "https://tcblsso2.ilabt.imec.be/oxauth/seam/resource/restv1/id",
"introspection_endpoint": "https://tcblsso2.ilabt.imec.be/oxauth/seam/resource/restv1/introspection",
(…)
}

9. How to integrate by TCBL service / ASP (4/5)
 3. Register your application at the server:
 If the library / plugin supports dynamic client registration:
 Contact us to enable dynamic client registration temporarily
 Do the dynamic client registration exactly once, save your client ID
and client secret and notify us
 Else:
 Contact us for manual registration of your client
 We’ll provide the client ID and client secret

10. How to integrate by TCBL service / ASP (5/5)
 4. Apply guidelines in your app for uniform TCBL look and feel
 Use the “Login with TCBL” logo as the button to log in
 Let the authentication and consent user interface pages appear as a
replacement (redirect) of the current website contents (not in a
popup): in the authentication request, do not set parameter
display=‘popup’.

11. Upcoming work at imec (1/10)
 Migration from Gluu server 2.4.4 to 3.0.x
 2.4.4 is end of life in 2018…
 Develop
 Improve user experience during login (authentication and consent
user interface pages)
 Own app for users to manage the data they provide about themselves

12. Upcoming work at imec (2/10)
 Modified authentication
user interface page
email
password
Login
Learn more

13. Upcoming work at imec (3/10)
 Modified consent user interface
page
Nothing
Learn more
What information from
your user profile at
Login with TCBL do you
want to share with this
application?
Minimum
Extended
Under investigation

14. Upcoming work at imec (4/10)

15. Upcoming work at imec (5/10)
 Own app for users

16. Upcoming work at imec (6/10)
 Own app for users

17. Upcoming work at imec (7/10)
 Own app for users

18. Upcoming work at imec (8/10)
 Own app for users

19. Upcoming work at imec (9/10)
 Own app for users

20. Upcoming work at imec (10/10)
 Own app for users

21. Time for discussion…

22. TCBL
imec – TCBL Single Sign On (extra information)
Athens, June 21, 2017