How SSO with OpenID Connect works

The following table describes the authorization code flow, implicit flow, and hybrid flow available to OpenID Connect applications that use the CyberArk OpenID Connect custom application template. OpenID Connect is an identity layer on top of the OAuth 2.0 protocol. Application users are authenticated by CyberArk Identity, which provides an ID Token as part of the assertion that validates the identity of a particular user.

| Step | OpenID Connect authentication step (Authorization code flow) | OpenID Connect authentication step (Implicit flow) | OpenID Connect authentication step (Hybrid flow) |
|---|---|---|---|
| 1 | User accesses an application. | User accesses an application. | User accesses an application. |
| 2 | The application/relying party (RP) prepares an authentication request containing the desired request parameters and sends it to the CyberArk Identity. The response_type requested is code. | The application/relying party (RP) prepares an authentication request containing the desired request parameters and sends it to the CyberArk Identity. The response_type requested is id_token or id_token token. The response_mode requested is form_post. | The application/relying party (RP) prepares an authentication request containing the desired request parameters and sends it to the CyberArk Identity. The response_type requested is code id_token, code token, or code id_token token. The response_mode requested is form_post. |
| 3 | The CyberArk Identity verifies the user's identity in Active Directory or other user stores, and authenticates the user. | The CyberArk Identity verifies the user's identity in Active Directory or other user stores, and authenticates the user. | The CyberArk Identity verifies the user's identity in Active Directory or other user stores, and authenticates the user. |
| 4 | The CyberArk Identity sends the user back to the application with an authorization code. | The CyberArk Identity sends the user back to the application with an ID Token (id_token or id_token token) and an Access Token (token). | The CyberArk Identity sends the user back to the application with an authorization code (code id_token, code token, or code id_token token) and an Access Token (token). |
| 5 | The application sends the code to the Token Endpoint to receive an Access Token and ID Token in the response. | The application uses the ID Token to authorize the user. At this point the application/RP can access the UserInfo endpoint for claims. | The application sends the code to the Token Endpoint to receive an Access Token and ID Token in the response. |
| 6 | The application uses the ID Token or Refresh Token to authorize the user. At this point the application/RP can access the UserInfo endpoint for claims. | | The application uses the ID Token or Refresh Token to authorize the user. At this point the application/RP can access the UserInfo endpoint for claims. |

The prompt parameter with a value of login or none is supported. For example: OIDCAuthRequestParams prompt=none or OIDCAuthRequestParams prompt=login
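As an added example that is not part of the CyberArk documentation, the relying-party side of the authorization code flow above (steps 2, 4 and 6) in Python, including the prompt values just described. The tenant URL, client_id and redirect_uri are placeholders, and token signing is simplified to HS256 with a shared secret so the example runs offline; a production RP verifies the provider's RS256 signature against its published JWKS.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://tenant.example.com"        # placeholder for the CyberArk Identity tenant URL
CLIENT_ID = "example-client-id"              # placeholder
REDIRECT_URI = "https://app.example.com/cb"  # placeholder

def build_auth_request(authz_endpoint, prompt=None):
    """Step 2: state ties the callback to this browser session; nonce ties the ID Token to this request."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid profile", "state": state, "nonce": nonce}
    if prompt in ("login", "none"):  # the two prompt values the page lists
        params["prompt"] = prompt
    return authz_endpoint + "?" + urlencode(params), state, nonce

def parse_callback(redirect_url, expected_state):
    """Step 4: refuse any callback whose state is missing or differs from the stored one."""
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "error" in q:
        raise ValueError("provider error: " + q["error"][0])
    return q["code"][0]  # exchanged at the Token Endpoint in step 5

def _b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64u(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def hs256_token(claims, key):
    """Mint an HS256 token; stands in for the ID Token the Token Endpoint returns in step 5."""
    h = _b64u(b'{"alg":"HS256","typ":"JWT"}'); p = _b64u(json.dumps(claims).encode())
    return f"{h}.{p}." + _b64u(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())

def validate_id_token(id_token, key, expected_nonce, now=None):
    """Step 6: verify alg, signature, iss, aud, exp and nonce before trusting any claim."""
    h, p, sig = id_token.split(".")
    if json.loads(_unb64u(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm (e.g. alg=none)
    mac = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64u(sig)):
        raise ValueError("bad signature")
    c = json.loads(_unb64u(p))
    aud = c.get("aud"); aud = aud if isinstance(aud, list) else [aud]
    if c.get("iss") != ISSUER: raise ValueError("wrong issuer")
    if CLIENT_ID not in aud: raise ValueError("wrong audience")
    if c.get("exp", 0) <= (now or time.time()): raise ValueError("expired")
    if c.get("nonce") != expected_nonce: raise ValueError("nonce mismatch")
    return c
```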

See http://openid.net/specs/openid-connect-core-1_0.html for details.