OpenID Connect

SWITCH edu-ID supports OpenID Connect which can be conveniently used for the following use cases:

Confidential clients:

  • Server-based web applications

Public clients:

  • Browser-based web applications
  • Mobile apps
  • Native applications

The OpenID Connect protocol is provided by the same Shibboleth IdP instance that also supports SAML. This means that much of the functionality known from edu-ID with SAML is also available under OpenID Connect. Features common to OIDC and SAML:

  • Both protocols use the same underlying user accounts and attribute information.
  • A user encounters the same login user interface.
  • A user gets the same user consent.
  • Both protocols support 2-step authentication.

However, there are also some differences: some attribute names (claims) differ, and client registration requires additional OIDC-specific information; for the time being, registration is performed manually.

It is planned to continuously extend the functionality of the OIDC service. Please contact the edu-ID Team to make suggestions for new features.

Service Registration

First, check the getting started page to make sure that you want to register an OIDC client and that you are entitled to do so.

To register a relying party (a service), send an email to SWITCH edu-ID support with the following information:

  1. the client type: confidential or public client
  2. the client ID: a unique client ID, which is a string without spaces that starts with the name of the home organization responsible for the RP.
    Example: unidemo-student-registration
  3. one or more valid redirect URIs:
    Example: ["https://unidemo.ch/studreg","http://localhost/dev/studreg"]
  4. the sector identifier URI: To be able to generate the pairwise identifier, the sector identifier URI is needed. Note that only the domain part of the sector identifier is used for the pairwise key generation. It must be protected by TLS and use a valid certificate. This URI may be equal to one of the redirect URIs.
    Example: https://studreg.unidemo.ch
  5. confidential clients only: the public key for client registration in JWK format. Supported signing algorithms are ES256 and RS256, with a minimum key length of 3072 bits (this applies to RSA keys; ES256 uses a fixed-size P-256 key).
    Example:
    {
        "kty": "EC",
        "use": "sig",
        "crv": "P-256",
        "x": "G4gRG9lIiwiaWF0r...",
        "y": "rOYGhNG1EGyf9XN6...",
        "alg": "ES256"
    }
  6. list of required scopes: (for data protection reasons only scopes that are really justified will be released to RPs)
    Example: profile, email, swissEduIDBase
  7. setup for test, production or both?

Please note that public clients MUST use PKCE. For confidential clients, the use of PKCE is recommended.

By default, you will get access to the openid scope and you can obtain an id token with it. Please include any additional scopes you require, which will be served from the userinfo endpoint. We will then register the service for you.

IdP Configuration

OIDC IdP configuration and endpoints:

Production:
https://login.eduid.ch/.well-known/openid-configuration

Notes:

  • for security reasons, secret-based client authentication methods are not supported in the production environment. Use public key client authentication instead.
  • implicit and hybrid flows are not supported. Use the authorization code flow instead.
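The following is an added illustration of the RP-side pieces described above (authorization code flow with PKCE, exact-match redirect URIs, an https-only sector identifier); it is not SWITCH's own code. The discovery dictionary and the idp.example.org endpoint are constructed placeholders standing in for what the real openid-configuration document returns.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse

# Constructed stand-in for the fields an RP reads from the discovery document
# (the real one is fetched from the .well-known URL in the IdP Configuration section).
DISCOVERY = {
    "issuer": "https://idp.example.org",
    "authorization_endpoint": "https://idp.example.org/authorize",
    "code_challenge_methods_supported": ["S256"],
}

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_pkce() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars from the unreserved alphabet
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge

def verify_pkce(verifier: str, challenge: str) -> bool:
    """The check the token endpoint performs when the code is redeemed."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)

def sector_identifier_host(uri: str) -> str:
    """The sector identifier must be an https URL; only its host feeds the pairwise sub."""
    parsed = urlparse(uri)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError("sector identifier URI must be an https URL with a host")
    return parsed.hostname

def build_authorization_url(client_id, redirect_uri, registered_redirects,
                            scopes, challenge, state, nonce) -> str:
    """Authorization code request; implicit and hybrid flows are not offered."""
    if redirect_uri not in registered_redirects:  # exact string match, no prefix matching
        raise ValueError("redirect_uri is not one of the registered redirect URIs")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # openid is granted by default; others must be registered
        "state": state,             # bind the response to this browser session
        "nonce": nonce,             # bind the ID token to this request
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{DISCOVERY['authorization_endpoint']}?{urlencode(params)}"
```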
