How SSO with OpenID Connect works

The following table describes the authorization code flow, the implicit flow, and the hybrid flow available for OpenID Connect applications that use the CyberArk OpenID Connect custom application template. OpenID Connect is an identity layer on top of the OAuth 2.0 protocol. Application users are authenticated by the CyberArk Identity, which provides an ID Token and an Access Token as part of the assertion validating the identity of a particular user.

| Step | OpenID Connect authentication step (Authorization code flow) | OpenID Connect authentication step (Implicit flow) | OpenID Connect authentication step (Hybrid flow) |
|---|---|---|---|
| 1 | User accesses an application. | User accesses an application. | User accesses an application. |
| 2 | The application/relying party (RP) prepares an authentication request containing the desired request parameters and sends it to the CyberArk Identity. The response_type requested is code. | The application/relying party (RP) prepares an authentication request containing the desired request parameters and sends it to the CyberArk Identity. The response_type requested is id_token or id_token token. | The application/relying party (RP) prepares an authentication request containing the desired request parameters and sends it to the CyberArk Identity. The response_type requested is code id_token, code token, or code id_token token. |
| 3 | The CyberArk Identity verifies the user's identity in Active Directory or other user stores, and authenticates the user. | The CyberArk Identity verifies the user's identity in Active Directory or other user stores, and authenticates the user. | The CyberArk Identity verifies the user's identity in Active Directory or other user stores, and authenticates the user. |
| 4 | The CyberArk Identity sends the user back to the application with an authorization code. | The CyberArk Identity sends the user back to the application with an ID Token (id_token or id_token token) and an Access Token (token). | The CyberArk Identity sends the user back to the application with an authorization code (code id_token, code token, or code id_token token) and an Access Token (token). |
| 5 | The application sends the code to the Token Endpoint to receive an Access Token and ID Token in the response. | The application uses the ID Token to authenticate the user, and the Access Token to access protected resources. The Access Token can also be used to access the UserInfo endpoint for claims. | The application sends the code to the Token Endpoint to receive an Access Token and ID Token in the response. |
| 6 | The application uses the ID Token to authenticate the user, and the Access Token to access protected resources. The Access Token can also be used to access the UserInfo endpoint for claims. | | The application uses the ID Token to authenticate the user, and the Access Token to access protected resources. The Access Token can also be used to access the UserInfo endpoint for claims. |

The prompt parameter is supported with a value of login or none. For example: OIDCAuthRequestParams prompt=none or OIDCAuthRequestParams prompt=login.
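The relying-party side of the steps above, as an added example that is not part of the CyberArk documentation or product code: it builds the step 2 authentication request for any of the three response_type values named in the table (including the optional prompt parameter), parses the step 4 redirect from the query string (code flow) or the URL fragment (implicit and hybrid flows) while checking state, and then performs the step 5/6 ID Token validation (signature, iss, aud, exp, nonce) before trusting the identity it carries. The tenant URL, client_id and redirect_uri are placeholder assumptions. To keep the example runnable offline, the provider is stood in for by a constructed HS256-signed token; a real CyberArk Identity ID Token is verified against the tenant's published signing keys instead, so the signature check here illustrates the shape of the validation, not the production key handling.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical tenant and client registration values (assumptions, not from the page).
ISSUER = "https://tenant.example.com"
AUTHORIZE_ENDPOINT = ISSUER + "/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"

# response_type values named on the page, grouped by flow.
RESPONSE_TYPES = {
    "code": ("code",),
    "implicit": ("id_token", "id_token token"),
    "hybrid": ("code id_token", "code token", "code id_token token"),
}


def flow_for(response_type):
    for flow, values in RESPONSE_TYPES.items():
        if response_type in values:
            return flow
    raise ValueError(f"unsupported response_type: {response_type!r}")


def build_auth_request(response_type, state, nonce, prompt=None):
    """Step 2: the RP builds the authentication request it redirects the user to."""
    flow_for(response_type)  # reject anything outside the three flows
    params = {
        "response_type": response_type,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,  # ties the response to this browser session
        "nonce": nonce,  # echoed in the ID Token; required for implicit/hybrid, recommended for code
    }
    if prompt is not None:
        if prompt not in ("login", "none"):
            raise ValueError("only prompt=login and prompt=none are supported")
        params["prompt"] = prompt
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_auth_response(redirect_url, response_type, expected_state):
    """Step 4: code flow returns parameters in the query string; implicit and
    hybrid flows return them in the fragment. state must match before anything is used."""
    parsed = urlparse(redirect_url)
    raw = parsed.query if flow_for(response_type) == "code" else parsed.fragment
    params = {k: v[0] for k, v in parse_qs(raw).items()}
    if not params.get("state") or params["state"] != expected_state:
        raise ValueError("state mismatch: response does not belong to this session")
    return params


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def validate_id_token(id_token, key, expected_nonce, now=None):
    """Steps 5-6: check the ID Token before trusting the user identity it carries."""
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed ID token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the expected algorithm; never accept "none"
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("ID token signature does not verify")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: possible replay")
    return claims


def mint_test_id_token(key, claims):
    """Constructed stand-in for the provider's token issuance so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def demo_implicit_flow(key=b"constructed-test-key", now=1_700_000_000):
    """Walk the implicit flow end to end with a constructed provider response."""
    state, nonce = "state-123", "nonce-456"
    build_auth_request("id_token token", state, nonce, prompt="login")
    id_token = mint_test_id_token(key, {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1",
                                        "exp": now + 300, "nonce": nonce})
    # Constructed redirect: implicit flow delivers the tokens in the fragment.
    redirect = REDIRECT_URI + "#" + urlencode({"id_token": id_token, "token": "opaque-access-token",
                                               "token_type": "Bearer", "state": state})
    params = parse_auth_response(redirect, "id_token token", state)
    return validate_id_token(params["id_token"], key, nonce, now=now)
```

The code-flow variant differs only in that step 4 yields a code in the query string and the ID Token arrives from the Token Endpoint in step 5; the same validate_id_token checks apply to it.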

See http://openid.net/specs/openid-connect-core-1_0.html for details.