Overview
Ceptor supports Identity Federation with third parties using SAML or OpenID Connect, or by supplying various proprietary methods via custom Authentication plugins, such as ETicket.
These federations have existed for many years, configured via name/value pairs in the session controller's configuration.
See Microsoft ADFS Integration / WebSSO SAML and JWT / OpenID Connect for details.
As of Ceptor v6.4, these can instead be configured through an easily accessible GUI within Ceptor Console, which makes configuration simpler than the older method.
Configuration is now stored as JSON objects within the configuration, but for backwards compatibility reasons, the older approach using properties documented in the links above is still possible.
Note that if the session controller configuration contains a JSON object called federation_JSON_, then this JSON configuration is used and the older properties are ignored.
OAuth2 / JWT / OpenID Connect
Concepts
Ceptor's OpenID Connect related configuration consists of these elements:
- Tokens
- Scopes
- Fields
- Identity Providers
Tokens
A Token is a distinct, separate configuration for a JWT token: it covers how Ceptor issues that token, but also how it parses tokens received from others.
This approach makes it possible to issue different tokens with separate content to different parties.
When used together with Ceptor API Management, it is possible to specify which types of tokens are issued to specific Partners and Applications (see Managing Partners, Applications and Developers).
Scopes
Scopes are used to define which fields end up in which token - here you can specify that if a client asks for e.g. a scope called "salary" when requesting a token, then you control which attributes are added to the ID token, Access Token and Userinfo respectively.
This gives you fine grained control of which data you expose under which conditions.
Fields
Some attributes are themselves objects, such as the OpenID Connect "address" object - by configuring them here, you control which attributes are included, and from where the information within originates.
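The following is an added illustration, not Ceptor's own code or configuration format: a minimal model of how a scope definition decides which attributes land in the ID token, the access token and the userinfo response, and how a composite field such as "address" is assembled from its source attributes. All dictionary keys, scope names and session attributes below are constructed for the example.

```python
# Constructed model of Ceptor's Scopes and Fields concepts (not the real schema).
from typing import Dict, List, Set

# Per scope: which attributes each token type may carry (constructed policy).
SCOPES: Dict[str, Dict[str, List[str]]] = {
    "openid":  {"id_token": ["sub"], "access_token": ["sub"], "userinfo": ["sub"]},
    "profile": {"id_token": ["name"], "access_token": [], "userinfo": ["name", "given_name"]},
    "address": {"id_token": [], "access_token": [], "userinfo": ["address"]},
    "salary":  {"id_token": [], "access_token": ["salary_band"], "userinfo": ["salary", "salary_band"]},
}

# Composite field: claim name -> session attribute it is sourced from (constructed).
FIELDS: Dict[str, Dict[str, str]] = {
    "address": {"street_address": "home_street", "locality": "home_city", "country": "home_country"},
}

# Constructed sample user session.
SESSION: Dict[str, str] = {
    "sub": "u-123", "name": "Ann", "given_name": "Ann", "home_street": "1 Main St",
    "home_city": "Oslo", "home_country": "NO", "salary": "5000", "salary_band": "B",
}

def resolve_scopes(requested: List[str]) -> Dict[str, Set[str]]:
    """Union the attribute lists of every requested scope, per token type.
    An unknown scope is rejected instead of silently ignored."""
    unknown = [s for s in requested if s not in SCOPES]
    if unknown:
        raise ValueError(f"unknown scope(s): {unknown}")
    out: Dict[str, Set[str]] = {"id_token": set(), "access_token": set(), "userinfo": set()}
    for scope in requested:
        for token_type, attrs in SCOPES[scope].items():
            out[token_type].update(attrs)
    return out

def build_claims(attr_names: Set[str], session: Dict[str, str]) -> Dict[str, object]:
    """Copy only the allowed attributes out of the session; composite fields
    are built from their configured source attributes."""
    claims: Dict[str, object] = {}
    for name in sorted(attr_names):
        if name in FIELDS:
            claims[name] = {k: session[v] for k, v in FIELDS[name].items() if v in session}
        elif name in session:
            claims[name] = session[name]
    return claims

def issue(requested: List[str], session: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Return the claim set for each token type for one token request."""
    allowed = resolve_scopes(requested)
    return {t: build_claims(a, session) for t, a in allowed.items()}
```

Requesting "openid address" yields an ID token and access token carrying only "sub", while "address" appears only in userinfo; "salary" is never exposed unless that scope was requested.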
Identity Providers
When Ceptor authenticates users using foreign OpenID Connect Providers, you can define the authentication providers here.
These Identity Providers are then used within the Ceptor Gateway - see Location - Authentication for information about how to configure the gateway to use these identity providers under specific conditions.
Ceptor has custom support for some identity providers that almost, but not fully, follow the OpenID Connect standard, such as LinkedIn and Facebook.