OIDC Integration Use Cases

[Gayatri212]

Goal

• To integrate GE SSO with EC WebUI

Problem Statement

• Currently using EC Oauth2 for webUI authentication, however it requires more integration efforts to be compatible with GE SSO

Proposed Solution

• Integrate EC Oauth2 with GE specific SSO
• Create OIDC client
• Find endpoints for authorization and token along with domain
• Map EC WebUI DLs with specific scopes
• Modify UserDetail struct in EC Oauth2 to meet the user information from GE SSO

[Gayatri212]

@ayasuda2003 Following are the fields that we get from OIDC user info

• cn
• country
• employeetype
• firstname
• gehrbusinesssegment
• gehrindustrygroup
• geHRjobid
• gessoaltemail
• gessobusinessunit
• gessocompanyname
• gessojobfunction
• lastname
• location
• mail
• mobile
• phonenumber
• state
• street
• title
• gevdsGroupIDmemberOf

[ayasuda2OO3]

@ayasuda2003 Following are the fields that we get from OIDC user info

@Gayatri212 could you share a sample response of this call?

[Gayatri212]

POST https://fssfed.stage.ge.com/fss/as/token.oauth2? grant_type=refresh_token& refresh_token= G85kg-386h3Mbbfh9d& redirect_uri= https://testSite/authRedirect.jsp& client_id=test& client_secret=xyz123xyz123xxxxXXxxx

Response: { token_type: "Bearer" expires_in: 7199 refresh_token: "2nMV5WNXuH4RQGjEqTGXVvb2e6irsR7QkYUkceqKhq" access_token: "VmQGGROr9X6GJ4dGaL8Pn4RIJJTs" }

@ayasuda2003 this is the sample response of token.oauth2 call

[ayasuda2OO3]

thanks, I referred to the user info call under this endpoint /fss/idp/userinfo.openid. Please advise. @Gayatri212

[ayasuda2OO3]

thanks, I referred to the user info call under this endpoint /fss/idp/userinfo.openid. Please advise. @Gayatri212

Please disregard the question. I had it sorted out. The OIDC-like api does not appear to follow the standard. However, the field gevdsGroupIDmemberOf is required to convert to the local scopes, the type of this field fluctuates between string/array that it must be handled. Solution is in QA.

[ayasuda2OO3]

thanks, I referred to the user info call under this endpoint /fss/idp/userinfo.openid. Please advise. @Gayatri212

Please disregard the question. I had it sorted out. The OIDC-like api does not appear to follow the standard. However, the field gevdsGroupIDmemberOf is required to convert to the local scopes, the type of this field fluctuates between string/array that it must be handled. Solution is in QA.

Moreover, in the conf.yaml setting, the userId needs to be mapped to an OIDC identifier.

Reference: [1] the internal forum [2] Issue thread

[ayasuda2OO3]

In release #2737 @Gayatri212 please share feedback.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.