...

When used together with Ceptor API Management, it is possible to specify which types of tokens are issued to specific Partners and Applications (see Managing Partners, Applications and Developers).

For configuration, see Federation - OAuth2 / OIDC - Tokens

Scopes

Scopes define which fields end up in which token. For example, if a client asks for a scope called "salary" when requesting a token, you control which attributes are then added to the ID token, the Access Token and the Userinfo response respectively.
This gives you fine-grained control over which data you expose under which conditions.

For configuration, see Federation - OAuth2 / OIDC - Scopes

Fields

Some attributes are themselves objects, such as the OpenID Connect "address" object. By configuring them here, you control which attributes are included in the object and where each piece of information inside it originates.

For configuration, see Federation - OAuth2 / OIDC - Fields
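To make the Scopes and Fields sections above concrete, here is an added worked example (not Ceptor's code, and not Ceptor's configuration format) of the policy a token issuer applies: a hypothetical scope table says which attribute goes into the ID token, the access token and the userinfo response; a hypothetical field definition composes the object-valued "address" claim from individual source attributes; and the user record is a constructed sample. Scopes the client did not request, or is not permitted to request, contribute nothing, so a sensitive attribute such as salary only appears where the policy explicitly places it.

```python
"""Scope-to-claim mapping for an OIDC token request (added illustration).

The structures below are hypothetical stand-ins for an issuer's scope and
field configuration; they are not Ceptor's own configuration or API.
"""
from typing import Dict, List, Set, Tuple

# Hypothetical scope policy: per scope, which attributes land in which token.
SCOPE_POLICY: Dict[str, Dict[str, List[str]]] = {
    "openid":  {"id_token": ["sub"],  "access_token": ["sub"], "userinfo": ["sub"]},
    "profile": {"id_token": ["name"], "access_token": [],      "userinfo": ["name", "groups"]},
    "address": {"id_token": [],       "access_token": [],      "userinfo": ["address"]},
    # Sensitive data: exposed only via userinfo, never embedded in a bearer token.
    "salary":  {"id_token": [],       "access_token": [],      "userinfo": ["salary"]},
}

# Hypothetical field definition: an object-valued claim built from source attributes.
FIELD_DEFINITIONS: Dict[str, Dict[str, str]] = {
    "address": {
        "street_address": "home_street",
        "locality": "home_city",
        "postal_code": "home_zip",
        "country": "home_country",
    },
}

# Constructed sample user record, as a user directory might return it.
SAMPLE_USER = {
    "sub": "u-1234",
    "name": "Jane Example",
    "groups": ["staff", "payroll-readers"],
    "salary": 12345,
    "home_street": "1 Example Street",
    "home_city": "Exampletown",
    "home_zip": "00000",
    "home_country": "XX",
}


def resolve_attribute(user: dict, attr: str):
    """Return a plain attribute, or compose an object-valued field from its sources."""
    if attr in FIELD_DEFINITIONS:
        return {
            sub_field: user[source]
            for sub_field, source in FIELD_DEFINITIONS[attr].items()
            if source in user
        }
    return user.get(attr)


def build_claims(user: dict, requested_scopes: List[str],
                 client_allowed_scopes: Set[str]) -> Tuple[List[str], Dict[str, dict]]:
    """Compute the claims for each token type from the granted scopes.

    Unknown scopes and scopes this client may not request are dropped; the
    granted list is returned alongside the claims so the client sees what it got.
    """
    granted = [s for s in requested_scopes
               if s in SCOPE_POLICY and s in client_allowed_scopes]
    if "openid" not in granted:
        raise ValueError("the openid scope is required for an OIDC token request")
    result: Dict[str, dict] = {"id_token": {}, "access_token": {}, "userinfo": {}}
    for scope in granted:
        for token_type, attrs in SCOPE_POLICY[scope].items():
            for attr in attrs:
                value = resolve_attribute(user, attr)
                if value is not None:
                    result[token_type][attr] = value
    return granted, result


if __name__ == "__main__":
    granted, claims = build_claims(
        SAMPLE_USER, ["openid", "profile", "address", "salary"], {"openid", "profile", "address"})
    print("granted:", granted)
    for token_type, payload in claims.items():
        print(token_type, payload)
```

Running it shows the salary attribute absent everywhere, because the client was not allowed the "salary" scope, while the composed address object appears only in the userinfo response, exactly as the policy table states.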

Identity Providers

When Ceptor authenticates users through foreign OpenID Connect Providers, you define those authentication providers here.
These Identity Providers are then used within the Ceptor Gateway; see Location - Authentication for information about how to configure the gateway to use these identity providers under specific conditions.

Ceptor has custom support for some identity providers that only approximately follow the OpenID Connect standard, such as LinkedIn and Facebook.

For configuration, see Federation - OAuth2 / OIDC - IdentityProviders

Clients / Partners

Depending on the configured plugin and on the overall Ceptor deployment, different options are available for configuring Clients or Partners.

...

Only one implementation can be active at a time; this is controlled by the OAuth2 Client Datastore class, which decides which implementation to use.
For configuration when using the property/configuration based datastore, see Federation - OAuth2 / OIDC - Clients/Partners
For configuration when using API Management / API Developer Portal and the SQL based datastore, see Managing Partners, Applications and Developers

SAML / WebSSO

Concepts

Ceptor can be configured to use SAML / WebSSO (Web Single Sign-On) to federate identity to or from third parties.

...

For each SAML Service Provider we issue SAML tokens to, we have complete control over which attributes we send to it.
Most attributes, e.g. userid, name and groups, can simply be configured, but scripts that tailor the SAML ticket completely to any purpose are also supported; using these scripts it is possible to change every part of the issued SAML login response ticket.

For configuration, see Federation - SAML / WebSSO - Service Providers

SAML Identity Provider

Ceptor can be configured to authenticate an end user by redirecting them to a third-party site that issues SAML tickets, which Ceptor then parses, validates and uses to authenticate the user, thereby trusting the third party to perform the authentication.

For each SAML Identity Provider we trust, a corresponding configuration of that identity provider, along with its SAML metadata or trusted certificates, is needed.

For configuration, see Federation - SAML / WebSSO - Identity Providers


Federation and Ceptor Gateway

...