...
Name | Datatype | Mandatory | Example | Description
---|---|---|---|---
Token specification | Drop Down | ✅ | oidc | Choose any of the supported token specifications.
Client identificator | String | ✅ | webshop_android | Each client must be uniquely identified. Provide a value that you will also use in the client's configuration later on. Choose either something self-explanatory or a random value if you want to hide the purpose of the client as a security measure.
Name | String | ✅ | Android Webshop Application | Identifies your client in a readable way in the system.
Logout URI | URL | | https://www.webshop.com/logout | If the client does not provide a logout URL, the user will be redirected to this URL after a logout.
Redirect Uri (Regex) * | REGEX Pattern | ✅ | regex:^https:\/\/webshop\.ch$ | The client will provide a URL to which the user will be redirected after a successful authentication. It is good practice to test those URLs against a pattern to ensure that the user can only be redirected to previously configured URLs. This significantly increases the security of the system.
Scope | Multi Value | | profile email | A list of scopes that the client can request. If the client requests a scope that is not part of this configuration, it will not be able to perform an authentication.
Default level of authentication entry | Drop Down | ✅ | Default | Select a default level of authentication entry that will be used to determine the authentication flow for the user.
...
Name | Datatype | Mandatory | Example | Description
---|---|---|---|---
Require Consent | Checkbox | ✅ | false | Defines whether or not the user needs to give consent when accessing this client.
Allow remember me | Checkbox | ✅ | false | Whether or not the user is presented with the option to select "remember me", which persists a cookie in the client's browser for any subsequent logins.
Enable local authentication | Checkbox | ✅ | true | Defines if local logins are allowed. If set to false, only external logins are available to the user.
URI | string | | https://www.coreone.ch | The URL of the client / application.
Email verification redirect uri | REGEX Pattern | | regex:^https:\/\/webshop\.ch$ | If any external systems use URLs to verify the mail address of authenticating users, the redirect URI provided in the link will be tested against the configured pattern.
Post logout redirect URIs | REGEX Pattern | | regex:^https:\/\/webshop\.ch$ | The client will provide a URL to which the user will be redirected after logout. It is good practice to test those URLs against a pattern to ensure that the user can only be redirected to previously configured URLs. This significantly increases the security of the system.
Identity provider restrictions | REGEX Pattern | | regex:^https:\/\/swissid\.ch$ | Defines the list of external identity providers that are allowed.
Required Multi-Factor Authentication | Checkbox | ✅ | true | Whether or not MFA is required for the client.
Allow self-registration | Checkbox | ✅ | true | Whether or not self-registration is allowed for this client.
Activation disabled | Checkbox | ✅ | true | If the activation process is enabled in the system, you can disable it for a specific client.
Show in self-service | Checkbox | ✅ | true | Whether or not the client should be listed in the user self-service portal.
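The redirect URI, post-logout redirect URI and scope settings in the two tables above are all checks that the authorization server performs on values the client sends. The following is an added example (not CoreOne code, and not its data model) of how such a check is typically implemented: a hypothetical `ClientConfig` holds the configured `regex:` patterns and scope list, and an `/authorize` request is accepted only if `redirect_uri` fully matches one configured pattern and every requested scope is configured. The sample client values are the ones from the tables. One point the example makes that the table does not: matching with `fullmatch` instead of a substring search means a pattern written without `^`/`$` anchors still cannot be satisfied by a longer foreign host such as `https://webshop.ch.example.net`.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set

# Hypothetical in-memory representation of the client settings from the tables;
# not the product's own data model. Pattern strings keep the "regex:" prefix
# used in the examples.
@dataclass
class ClientConfig:
    client_id: str
    redirect_uri_patterns: List[str]
    allowed_scopes: Set[str]
    post_logout_uri_patterns: List[str] = field(default_factory=list)


def _compile(pattern: str) -> "re.Pattern":
    """Strip the 'regex:' prefix and compile the remaining expression."""
    if pattern.startswith("regex:"):
        pattern = pattern[len("regex:"):]
    return re.compile(pattern)


def _matches_any(patterns: List[str], value: str) -> bool:
    """fullmatch() rather than search(): the whole URI must satisfy the pattern,
    so an unanchored pattern cannot be satisfied by a substring of a longer URI."""
    return any(_compile(p).fullmatch(value) is not None for p in patterns)


def redirect_uri_allowed(client: ClientConfig, redirect_uri: str) -> bool:
    return _matches_any(client.redirect_uri_patterns, redirect_uri)


def post_logout_uri_allowed(client: ClientConfig, uri: str) -> bool:
    return _matches_any(client.post_logout_uri_patterns, uri)


def scopes_allowed(client: ClientConfig, scope_param: str) -> bool:
    """The space-separated scope parameter must be a non-empty subset of the
    client's configured scopes; one unknown scope fails the whole request."""
    requested = set(scope_param.split())
    return bool(requested) and requested <= client.allowed_scopes


def validate_authorization_request(client: ClientConfig, params: dict) -> List[str]:
    """Return the problems found in an /authorize request; an empty list means
    accepted. A rejected redirect_uri is reported to the user agent directly,
    never by redirecting to it."""
    errors = []
    if params.get("client_id") != client.client_id:
        errors.append("unknown client_id")
    if not redirect_uri_allowed(client, params.get("redirect_uri", "")):
        errors.append("redirect_uri does not match a configured pattern")
    if not scopes_allowed(client, params.get("scope", "")):
        errors.append("scope contains values not configured for this client")
    return errors


# Constructed sample client built from the example values in the tables.
WEBSHOP = ClientConfig(
    client_id="webshop_android",
    redirect_uri_patterns=[r"regex:^https:\/\/webshop\.ch$"],
    allowed_scopes={"openid", "profile", "email"},
    post_logout_uri_patterns=[r"regex:^https:\/\/webshop\.ch$"],
)

if __name__ == "__main__":
    good = {"client_id": "webshop_android", "redirect_uri": "https://webshop.ch",
            "scope": "openid profile"}
    bad = {"client_id": "webshop_android",
           "redirect_uri": "https://webshop.ch.example.net", "scope": "openid admin"}
    print(validate_authorization_request(WEBSHOP, good))
    print(validate_authorization_request(WEBSHOP, bad))
```

Because the example pattern ends in `$` with no trailing slash, `https://webshop.ch/` is rejected as well; write the pattern exactly as the client will send the URI, or allow the variants explicitly.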
OpenID Connect
Those options are only available if the token specification oidc was selected.
Name | Datatype | Mandatory | Example | Description
---|---|---|---|---
Allowed Cross-Origin Resource Sharing origins | string | | http://www.externalorigin.com | A collection of origins that will be used in the CORS policy.
Require client secret | Checkbox | ✅ | true | Whether or not the client needs a secret to request a token.
Require PKCE | Checkbox | ✅ | true | Whether clients using an authorization code based grant type must send a proof key.
Allow plain text PKCE | Checkbox | ✅ | false | Whether clients using PKCE can use a plain text code challenge.
Allow access token via browser | Checkbox | ✅ | false | Whether this client is allowed to receive access tokens via the browser.
Allow offline access | Checkbox | ✅ | false | Specifies whether this client can request refresh tokens (by requesting the
Flow | Multi Select | ✅ | authorization code | One of the following grant types according to the OIDC and OAuth 2 specifications.
Secret | Password | | 🔑 * * * * * * * | The secret that will be shared with the client.
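"Require PKCE" and "Allow plain text PKCE" together decide which `code_challenge` a client may send. The following is an added example (not CoreOne code) of the server-side logic behind those two checkboxes, written against RFC 7636: a hypothetical `PkcePolicy` mirrors the two settings, `check_authorize_pkce` applies them at the authorization endpoint, and `verify_code_verifier` recomputes the challenge from the `code_verifier` presented at the token endpoint. The detail worth knowing when "Allow plain text PKCE" is false: RFC 7636 says a request with no `code_challenge_method` means `plain`, so that case has to be rejected too, not just an explicit `plain`.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Hypothetical mirror of the two OIDC client settings; not the product's own data model.
@dataclass
class PkcePolicy:
    require_pkce: bool = True
    allow_plain_text_pkce: bool = False


def _b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier() -> str:
    """Client side: 32 random bytes give 43 unreserved characters, inside
    the 43..128 range RFC 7636 allows for a code_verifier."""
    return _b64url(secrets.token_bytes(32))


def compute_code_challenge(code_verifier: str, method: str) -> str:
    """S256: base64url(SHA-256(verifier)); plain: the verifier itself."""
    if method == "S256":
        return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    if method == "plain":
        return code_verifier
    raise ValueError("unsupported code_challenge_method: %s" % method)


def check_authorize_pkce(policy: PkcePolicy, code_challenge: Optional[str],
                         code_challenge_method: Optional[str]) -> Optional[str]:
    """Authorization-endpoint policy check. Returns an error string or None.
    A missing code_challenge_method defaults to 'plain' per RFC 7636, which is
    exactly what 'Allow plain text PKCE = false' must reject."""
    if code_challenge is None:
        return "code_challenge required" if policy.require_pkce else None
    method = code_challenge_method or "plain"
    if method not in ("S256", "plain"):
        return "unsupported code_challenge_method"
    if method == "plain" and not policy.allow_plain_text_pkce:
        return "plain code_challenge_method not allowed"
    return None


def verify_code_verifier(stored_challenge: str, stored_method: str,
                         code_verifier: str) -> bool:
    """Token-endpoint check: recompute the challenge from the presented verifier
    and compare it in constant time with the one stored with the authorization code."""
    if not (43 <= len(code_verifier) <= 128):
        return False
    expected = compute_code_challenge(code_verifier, stored_method)
    return secrets.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    policy = PkcePolicy(require_pkce=True, allow_plain_text_pkce=False)
    verifier = generate_code_verifier()
    challenge = compute_code_challenge(verifier, "S256")
    print(check_authorize_pkce(policy, challenge, "S256"))   # None: accepted
    print(check_authorize_pkce(policy, verifier, None))      # rejected as plain
    print(verify_code_verifier(challenge, "S256", verifier)) # True
```

The S256 computation can be checked against the test vector in RFC 7636 Appendix B: verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` yields challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`.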
Relying party
Those options are only available if the token specification ws-fed was selected.
Name | Datatype | Mandatory | Example | Description
---|---|---|---|---
Signature algorithm | Drop Down | ✅ | Sha256 | Any signature algorithm that is installed on the server.
Digest algorithm | Drop Down | ✅ | Sha256 | Any digest algorithm that is installed on the server.
Saml name identifier format | Drop Down | ✅ | Email Address | The format of the SAML name identifier.
Token type | Drop Down | ✅ | Saml 2.0 | The format of the token. Either
Service
Those options are only available if the token specification saml2p was selected.
Name | Datatype | Mandatory | Example | Description
---|---|---|---|---
Require Saml Request Destination | Checkbox | ✅ | true |
Sign assertions | Checkbox | ✅ | true |
Signing certificate type | Drop Down | ✅ | Windows store | The format of the certificate. It can either be hosted in the
Signing certificate | Certificate | ✅ | MyCert | See above.
Encrypt assertions | Checkbox | ✅ | true |
Encryption certificate type | Drop Down | ✅ | | The format of the certificate. It can either be hosted in the
Encryption certificate | Certificate | ✅ | | See above.