OIDC Provider Requirements

Configuration requirements for OIDC providers to work with Titania Delivery OIDC authentication.

Titania Delivery can be configured as an OIDC relying party (client) for most OIDC providers that conform to the relevant parts of the OIDC specifications. This topic describes special requirements and known limitations for setting up OIDC provider applications.

Refer to your OIDC provider's documentation for instructions on how to set up a new client application for your Titania Delivery site.

Note: Oberon Technologies cannot provide detailed technical support for setting up and configuring an application on a customer's OIDC provider.

Note: Oberon Technologies cannot guarantee client interoperability with all OIDC providers. Experience has shown that different software producers have implemented the OIDC and OAuth2 standards in slightly different ways that may be incompatible with Titania Delivery. The OIDC providers that are known to have been configured to work with Titania Delivery are:
  • Microsoft Azure AD
  • Salesforce
  • Microsoft ADFS

Note: The Titania Delivery OpenID framework may not work with Symantec SiteMinder v12.8 OpenID providers, due to an incompatibility in handling some values during the protocol exchange.

Note: Current customers who intend to use OIDC authorization should contact Titania Product Support (through their support portal) to arrange testing on a non-production Titania Delivery platform, to verify that their provider and configuration will work as expected. New customers who intend to use OIDC authentication should contact their project manager for support.

Specific requirements:

  • The OIDC provider must support the Authorization Code flow as described in Section 2.1.5.1 (End-User Grants Authorization) and in RFC 6749.

  • The issuer URL is key to all OIDC authentication processes, both for locating required resources and for validating message content. In particular, for a given {issuer-url}:

    • The provider must return a JSON metadata file from an HTTP request to the well-known endpoint at {issuer-url}/.well-known/openid-configuration. This file contains data needed to configure an OIDC relying party (client) to authenticate a user with the OIDC provider.
    • The provider metadata file must include an issuer property with a value that exactly matches {issuer-url}.
      Note: Some OIDC providers support non-OIDC-compliant applications by allowing non-matching issuer URLs in the provider metadata. Titania Delivery OIDC clients cannot be configured for providers that do not comply with this requirement.
    • If OIDC bearer tokens from this provider are going to be used, the iss property in the token must match {issuer-url}.

  • The OIDC application redirect URI list must include the URI https://[hostname]/login/oauth2/code, where [hostname] is the hostname of your Titania Delivery server platform.

    Note: OIDC providers use various names for the redirection URI, such as “Callback URLs” or “Authorized redirect URIs”.

  • The OIDC provider must support the “openid” scope and either the “email” or the “upn” scope.

    Note: This may require modifying the default configuration when setting up a client application.
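As an added example (not Titania Delivery's own code, and not tied to any particular provider), the following Python script applies the requirements above to a provider's discovery metadata offline before a client registration is attempted: it derives the well-known URL from an issuer URL, checks that the issuer property matches the configured issuer URL exactly (reporting the trailing-slash case separately, since that is the usual way a provider fails the exact-match rule), confirms that the Authorization Code flow and the required scopes are advertised, derives the redirect URI that must be registered, and reads the iss claim from a token. The issuer, hostname, metadata and token below are constructed sample values, not from a real provider.

```python
"""Offline preflight checks for an OIDC provider's discovery metadata.

Added example (not Titania Delivery code). It encodes the requirements
from this page: exact issuer match, Authorization Code flow, the "openid"
scope plus "email" or "upn", and the redirect URI to register.
"""
import base64
import json


def discovery_url(issuer_url):
    """Well-known metadata location for a given issuer URL."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def expected_redirect_uri(hostname):
    """Redirect URI that must be registered on the provider application."""
    return f"https://{hostname}/login/oauth2/code"


def check_provider_metadata(issuer_url, metadata):
    """Return a list of problems found; an empty list means all checks passed."""
    problems = []

    # 1. The issuer property must match the configured issuer URL exactly.
    issuer = metadata.get("issuer")
    if issuer != issuer_url:
        hint = ""
        if issuer and issuer.rstrip("/") == issuer_url.rstrip("/"):
            hint = " (differs only by a trailing slash; the match must be exact)"
        problems.append(f"issuer {issuer!r} does not match {issuer_url!r}{hint}")

    # 2. Endpoints the Authorization Code flow needs.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in metadata:
            problems.append(f"metadata is missing required property {key!r}")

    # 3. Authorization Code flow: response_type "code" must be advertised.
    #    grant_types_supported is optional and, when absent, defaults to
    #    authorization_code plus implicit, so only an explicit list is checked.
    if "code" not in metadata.get("response_types_supported", []):
        problems.append("provider does not advertise response_type 'code'")
    grant_types = metadata.get("grant_types_supported")
    if grant_types is not None and "authorization_code" not in grant_types:
        problems.append("provider does not advertise the authorization_code grant")

    # 4. Scopes: scopes_supported is only RECOMMENDED in the discovery spec,
    #    so its absence is reported as "unconfirmed" rather than as a failure.
    scopes = metadata.get("scopes_supported")
    if scopes is None:
        problems.append("scopes_supported absent; confirm 'openid' and 'email' or 'upn' manually")
    else:
        if "openid" not in scopes:
            problems.append("provider does not advertise the 'openid' scope")
        if not ({"email", "upn"} & set(scopes)):
            problems.append("provider advertises neither the 'email' nor the 'upn' scope")

    return problems


def _b64url_decode(segment):
    """Base64url decoding with the padding that JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_issuer(jwt):
    """Read the 'iss' claim from a JWT payload.

    This does NOT verify the signature; it is a configuration preflight only.
    Signature and audience validation are the job of the OIDC client library.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    payload = json.loads(_b64url_decode(parts[1]))
    return payload.get("iss")


def token_issuer_matches(jwt, issuer_url):
    """True when the token's iss claim equals the configured issuer URL exactly."""
    return token_issuer(jwt) == issuer_url


# Constructed sample metadata for a hypothetical provider (not a real IdP).
ISSUER = "https://idp.example.com"
GOOD_METADATA = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/oauth2/authorize",
    "token_endpoint": ISSUER + "/oauth2/token",
    "jwks_uri": ISSUER + "/oauth2/keys",
    "response_types_supported": ["code", "id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "scopes_supported": ["openid", "email", "profile"],
}
# The same provider with a trailing-slash issuer and no email/upn scope:
# the kind of non-compliance the requirements above rule out.
BAD_METADATA = dict(GOOD_METADATA, issuer=ISSUER + "/", scopes_supported=["openid", "profile"])


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_sample_token(iss):
    """Constructed JWT-shaped string for the iss check; the signature is a placeholder."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"iss": iss, "sub": "user-1", "aud": "client-id"}).encode())
    return f"{header}.{payload}.placeholder-signature"


if __name__ == "__main__":
    print("discovery document:", discovery_url(ISSUER))
    print("redirect URI to register:", expected_redirect_uri("delivery.example.com"))
    for name, md in (("good", GOOD_METADATA), ("bad", BAD_METADATA)):
        print(name, check_provider_metadata(ISSUER, md) or "OK")
    print("token iss matches:", token_issuer_matches(make_unsigned_sample_token(ISSUER), ISSUER))
```

Against a real provider, fetch the JSON from discovery_url() with any HTTP client and pass the parsed object to check_provider_metadata(); the script deliberately does no network access so it can be run anywhere. Note that the metadata cannot confirm which redirect URIs are registered on the provider application, so expected_redirect_uri() only tells you what to register, and token_issuer() reads the claim without validating the token, which the OIDC client library does during the real exchange.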

After the OIDC provider client application is configured, the Titania Delivery administrator will need the issuer URL, client ID, client secret, and any custom scopes required by the provider in order to complete the client registration process in Titania Delivery.