Custom application
This section describes how to set up a Custom Single Sign-On (SSO) application using OpenID Connect.
Prerequisites
- The Specops Domain Name Protection feature must be disabled, see Domain Name Protection.
Set up a Custom application
These are the main steps when setting up a Custom application.
- Configure a Group Policy Object
- Create a Single Sign-On application
Configure a Group Policy Object
Follow these steps only if you select Group Policy or Both as the policy mode when creating the Single Sign-On application.
- In the Group Policy Management Console, create a Group Policy Object (GPO).
- Link the GPO to a container that holds the users who should be able to access the organization's application.
- In the Gatekeeper Admin Tool, click Single Sign-on.
- Click Tag GPOs, select the GPO that should be available to use when configuring an OpenID Connect application in Specops Authentication, and click OK.
Create a Single Sign-On application
- Log in as admin to the Specops Authentication Web.
- Click Single Sign-On.
- Click Add new.
- Select Application Template: Custom.
- Select Application Protocol: OpenID Connect.
- Click Next.
- Under General Settings, type an application name and optionally a description for the application.
- If the relying party expects a signed JWT from the user info endpoint, select Sign user info. If not selected, the user info endpoint will return JSON.
- Under Redirect URLs, add the URLs that should be allowed as redirect targets during authentication and logout. These should be provided by the relying party. Adding them now is optional, but at least one URL is needed for authentication to work.
- In Standard Claim Mapping, optionally add the claims that should be sent to the relying party during authentication.
  - Claim: Select a name from the list of predefined names or select Custom... to enter a custom name.
  - AD Attribute or Custom Value: Select a value from the list of Active Directory attributes or select Custom... to enter a custom value. If an AD attribute is selected, the claim is populated from the user's attribute during authentication. If Custom is selected, a fixed value is used.
Warning
The "sub" claim must be mapped to an AD attribute that is immutable and uniquely identifies the user. Never map "sub" to, for example, the "mail" attribute, since that attribute is mutable and could allow a malicious user to gain access to another user's account. By default, the "sub" claim is mapped to "objectGUID".
- Click Next: Group Claim Mapping.
Note
The standard claims added in Standard Claim Mapping are always sent to the relying party. The group claims entered in Group Claim Mapping are additional claims added to the OIDC token for users who are members of the selected AD groups.
This configuration does not control which users can access the application. Access to the application is controlled through Policy Configuration which means that users in the selected groups must also be included in a policy to access the application.
- Under Add new group claims, optionally add claims for security groups. Enter the name of a group in Active Directory and click Add.
- Enter one or more claims and claim values for the group and click Save.
- Click Next: Policy Configuration.
Note
Policy Configuration determines which users the application policy applies to and which authentication rules are enforced for them. Only users included in a policy are allowed to access the application. Users who are not included in any policy will not have access.
- Select a Policy mode from the list.
- If you selected Group Policy or Both as policy mode, choose one or more GPOs from the Group Policy Objects list, and click Add.
- Click Edit Authentication Rules next to the added GPO. Configure your desired authentication rules and click Save.
- If you selected Cloud or Both as policy mode, click Configure and add the identity services that you want to include.
- Click I'm done.
- The Application Credentials page shows the credentials and URLs that may be needed when configuring Specops Authentication as an identity provider at the relying party.
- Copy the Current Client Secret value under Client Id and save it for later use. This is the client secret value that must be entered in the relying party configuration.
Important!
The Current Client Secret value is shown only once. After you leave this page, the value cannot be viewed or copied again.
- When finished, click Close.
For information on generating a new client secret or revoking an old one, see the next section.
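The Standard Claim Mapping and Group Claim Mapping behaviour described above, as an added example that is not Specops code: it builds the claim set for a user from a mapping configuration and rejects a "sub" mapping that does not point at an immutable, unique attribute. The attribute names, the sample user and the group names are constructed; treating objectGUID as the only immutable unique attribute is an assumption.

```python
# Added example, not Specops code: model of Standard + Group Claim Mapping with the
# "sub" check from the warning above. Sample user and attribute names are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: objectGUID (the page's default "sub" mapping) is the only attribute
# treated as immutable and unique. Mutable attributes such as mail are rejected for "sub".
IMMUTABLE_UNIQUE_ATTRS = {"objectGUID"}

@dataclass
class ClaimMapping:
    claim: str                          # predefined or custom claim name
    ad_attribute: Optional[str] = None  # populated from the user at authentication
    custom_value: Optional[str] = None  # fixed value sent for every user

def validate_mappings(mappings: List[ClaimMapping]) -> None:
    """Reject a 'sub' mapping that could let one user be confused with another."""
    for m in mappings:
        if m.claim == "sub" and m.ad_attribute not in IMMUTABLE_UNIQUE_ATTRS:
            raise ValueError(f"'sub' must map to one of {sorted(IMMUTABLE_UNIQUE_ATTRS)}, "
                             f"not {m.ad_attribute or m.custom_value!r}")

def build_claims(user: Dict, mappings: List[ClaimMapping],
                 group_claims: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Standard claims are always sent; group claims only for members of that AD group."""
    validate_mappings(mappings)
    claims: Dict[str, str] = {}
    for m in mappings:
        if m.ad_attribute is not None:
            claims[m.claim] = user["attributes"][m.ad_attribute]
        else:
            claims[m.claim] = m.custom_value
    for group, extra in group_claims.items():
        if group in user["memberOf"]:
            claims.update(extra)
    return claims

# Constructed sample user and configuration (GUID is a placeholder, not a real object).
ALICE = {"attributes": {"objectGUID": "11111111-2222-3333-4444-555555555555",
                        "mail": "alice@example.com", "displayName": "Alice"},
         "memberOf": ["Finance"]}
STANDARD = [ClaimMapping("sub", ad_attribute="objectGUID"),
            ClaimMapping("email", ad_attribute="mail"),
            ClaimMapping("tenant", custom_value="contoso")]
GROUPS = {"Finance": {"role": "finance-user"}, "Admins": {"role": "admin"}}
```

Note that membership in "Finance" only adds the group claim; whether Alice may sign in at all is decided by Policy Configuration, not by this mapping.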
Rotate and Revoke a Client Secret
Rotating creates a new Current Client Secret and keeps the previous secret temporarily available. Revoking removes the old client secret so it can no longer be used. Use these options to replace the current client secret or permanently revoke an old one.
- Click Credentials next to the OIDC application on the Configured Single Sign-On Applications page.
- On the Application Credentials page:
- Click Rotate secret to generate a new Current Client Secret. The previous current client secret becomes an old client secret. If an old secret already exists, it is replaced. Both secrets remain valid until the old client secret is revoked or replaced by another rotation.
- Click Revoke old secret to permanently remove the old client secret. After it is revoked, the old secret can no longer be used, and the new Current Client Secret remains active.
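The rotate and revoke semantics described above, modelled as an added example that is not Specops code: at most one old secret exists, rotation replaces it, and a presented secret is accepted only while it is the current secret or an unrevoked old secret. Secret generation and the constant-time comparison are this example's own choices, not a description of the product's internals.

```python
# Added example, not Specops code: a model of Current / old client secret handling
# following the rotate and revoke steps above.
import hmac
import secrets
from typing import Optional

class ClientCredentials:
    """Holds at most two valid secrets: the Current Client Secret and one old secret."""

    def __init__(self) -> None:
        self.current: str = secrets.token_urlsafe(32)
        self.old: Optional[str] = None

    def rotate(self) -> str:
        """Generate a new current secret. The previous current secret becomes the old
        secret, replacing any old secret that already existed. The returned value is
        the one shown once on the Application Credentials page."""
        self.old = self.current
        self.current = secrets.token_urlsafe(32)
        return self.current

    def revoke_old(self) -> None:
        """Permanently remove the old secret; the current secret stays active."""
        self.old = None

    def verify(self, presented: str) -> bool:
        """Accept the current secret or a still-unrevoked old secret.
        hmac.compare_digest avoids leaking match length through timing."""
        for candidate in (self.current, self.old):
            if candidate is not None and hmac.compare_digest(candidate, presented):
                return True
        return False
```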