Interconnect FoxIDs with OpenID Connect
A FoxIDs track can be connected to another FoxIDs track with OpenID Connect, so that end users are authenticated in the other track, or in an external Identity Provider (IdP) that the other track has configured as an up-party.
FoxIDs tracks can be interconnected in the same FoxIDs tenant or in different FoxIDs tenants. Interconnect can also be configured between FoxIDs tracks in different FoxIDs deployments.
The integration between two FoxIDs tracks supports OpenID Connect authentication (login), RP-initiated logout and front-channel logout. A session is established in each track when the user authenticates, and the session is invalidated on logout.
A sample integration to a parallel FoxIDs track is configured in the FoxIDs test-corp with the up-party name
You can test parallel FoxIDs login with the AspNetCoreOidcAuthorizationCodeSample sample application by clicking OIDC parallel FoxIDs Log in.
The following describes how to configure an OpenID Connect up-party in your FoxIDs track and trust a parallel FoxIDs track where an OpenID Connect down-party is configured. Your track acts as the relying party and the parallel track as the OpenID Provider, so your FoxIDs track trusts the parallel FoxIDs track to authenticate users.
1 - Start in your FoxIDs track by creating an OpenID Connect up-party client in FoxIDs Control Client
- Add the up-party name.
It is now possible to read the Redirect URL, Post logout redirect URL and Front channel logout URL. These three URLs are what the parallel track's down-party must be registered with in the next step.
2 - Then go to the parallel FoxIDs track and create the down-party client
The client is a confidential client using Authorization Code Flow and PKCE; the secret created in this step is what your up-party presents at the parallel track's token endpoint.
- Specify the client name as the down-party name.
- Select allowed up-parties, e.g. login or some other up-party.
- Select show advanced settings.
- Specify the redirect URI read in your up-party. The URI must match exactly; the parallel track rejects authorization requests whose redirect_uri is not registered.
- Specify the post logout redirect URI read in your up-party.
- Specify the front channel logout URI read in your up-party.
- Specify a secret (remember the secret for the next step).
- Remove the
- Remove or edit the scopes depending on your needs.
- Click create.
3 - Go back to your FoxIDs up-party client in FoxIDs Control Client
- Add the parallel FoxIDs track down-party client's authority.
By default the parallel track uses the login up-party to authenticate users with the
It is possible to select another up-party in the parallel track. E.g.
- Add the profile and email scopes (possibly other or more scopes).
- Add the parallel FoxIDs track down-party client's client secret.
- Add the claims which will be transferred from the up-party to the down-parties, e.g. email, email_verified, name, given_name, family_name, role and possibly the access_token claim to transfer the parallel FoxIDs track's access token. Claims not listed here are dropped, so list only what the down-parties in your track actually need.
- Click create.
That's it, you are done.
Your new up-party can now be selected as an allowed up-party in the down-parties in your track.
The down-parties in your track can read the claims from your up-party. It is possible to add the access_token claim to include the parallel FoxIDs track's access token as a claim in the issued access token.
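The three steps above wire two parties together: a confidential OpenID Connect down-party in the parallel track (the provider side) and an up-party in your track (the relying-party side) that holds the down-party's secret and a list of claims to pass on. The following is an added example, not FoxIDs code, that models that exchange in plain Python with the standard library only: Authorization Code Flow with PKCE S256, exact redirect_uri matching, single-use codes, state and nonce checks, the claim filter that decides what reaches your down-parties (including the optional access_token claim), and session invalidation on logout. Client name, secret, URLs, issuer and the user record are constructed sample values, and tokens are represented as plain dicts rather than the signed JWTs FoxIDs actually issues.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample configuration (hypothetical names and URLs, not from FoxIDs docs).
PARALLEL_CLIENT_ID = "parallel-oidc-client"       # down-party name created in step 2
PARALLEL_CLIENT_SECRET = "secret-from-step-2"     # secret specified in step 2, copied in step 3
UP_PARTY_REDIRECT_URI = "https://your-track.example/oidc/callback"
UP_PARTY_POST_LOGOUT_URI = "https://your-track.example/oidc/signout"
TRANSFERRED_CLAIMS = ["email", "email_verified", "name", "role", "access_token"]  # step 3 claim list


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class ParallelTrackDownParty:
    """Provider side: the confidential down-party client in the parallel track (step 2)."""

    def __init__(self, client_id, secret, redirect_uris, post_logout_uris):
        self.client_id, self.secret = client_id, secret
        self.redirect_uris, self.post_logout_uris = set(redirect_uris), set(post_logout_uris)
        self.codes = {}     # code -> (code_challenge, redirect_uri, nonce, session id)
        self.sessions = {}  # session id -> authenticated user claims

    def authorize(self, p, user):
        # redirect_uri must equal a registered URI exactly; no prefix or wildcard matching.
        if p["client_id"] != self.client_id or p["redirect_uri"] not in self.redirect_uris:
            raise PermissionError("unregistered client or redirect_uri")
        if p.get("code_challenge_method") != "S256":
            raise PermissionError("PKCE S256 required")
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = dict(user, sid=sid)  # session established on authentication
        code = secrets.token_urlsafe(24)
        self.codes[code] = (p["code_challenge"], p["redirect_uri"], p["nonce"], sid)
        return p["redirect_uri"] + "?" + urlencode({"code": code, "state": p["state"]})

    def token(self, client_id, client_secret, code, code_verifier, redirect_uri):
        if client_id != self.client_id or not hmac.compare_digest(client_secret, self.secret):
            raise PermissionError("bad client credentials")
        entry = self.codes.pop(code, None)  # authorization codes are single use
        if entry is None:
            raise PermissionError("unknown or reused code")
        challenge, bound_uri, nonce, sid = entry
        if bound_uri != redirect_uri or sid not in self.sessions:
            raise PermissionError("redirect_uri mismatch or session gone")
        if not hmac.compare_digest(b64url(hashlib.sha256(code_verifier.encode()).digest()), challenge):
            raise PermissionError("PKCE verification failed")
        claims = dict(self.sessions[sid], nonce=nonce, iss="https://parallel-track.example")
        return {"id_token": claims, "access_token": "at-" + secrets.token_urlsafe(8)}

    def end_session(self, sid, post_logout_redirect_uri):
        if post_logout_redirect_uri not in self.post_logout_uris:
            raise PermissionError("unregistered post logout redirect uri")
        self.sessions.pop(sid, None)  # session invalidated on logout


class YourTrackUpParty:
    """Relying-party side: the OpenID Connect up-party in your track (steps 1 and 3)."""

    def __init__(self, op, client_id, secret, transferred_claims):
        self.op, self.client_id, self.secret = op, client_id, secret
        self.transferred = set(transferred_claims)
        self.pending = {}  # state -> (code_verifier, nonce) for logins we started

    def start_login(self):
        verifier, state, nonce = (secrets.token_urlsafe(n) for n in (32, 16, 16))
        self.pending[state] = (verifier, nonce)
        return {"client_id": self.client_id, "redirect_uri": UP_PARTY_REDIRECT_URI,
                "response_type": "code", "scope": "openid profile email",
                "state": state, "nonce": nonce, "code_challenge_method": "S256",
                "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest())}

    def handle_callback(self, callback_url):
        q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        pending = self.pending.pop(q.get("state"), None)  # state must be one we issued
        if pending is None:
            raise PermissionError("unknown state")
        verifier, nonce = pending
        tokens = self.op.token(self.client_id, self.secret, q["code"], verifier, UP_PARTY_REDIRECT_URI)
        if tokens["id_token"].get("nonce") != nonce:
            raise PermissionError("nonce mismatch")
        # Only the configured claims are handed on to the down-parties in your track;
        # "access_token" transfers the parallel track's access token as a claim.
        out = {k: v for k, v in tokens["id_token"].items() if k in self.transferred}
        if "access_token" in self.transferred:
            out["access_token"] = tokens["access_token"]
        return out, tokens["id_token"]["sid"]


def demo():
    """Full login then logout; returns (claims seen by your track, session alive before, after)."""
    op = ParallelTrackDownParty(PARALLEL_CLIENT_ID, PARALLEL_CLIENT_SECRET,
                                [UP_PARTY_REDIRECT_URI], [UP_PARTY_POST_LOGOUT_URI])
    rp = YourTrackUpParty(op, PARALLEL_CLIENT_ID, PARALLEL_CLIENT_SECRET, TRANSFERRED_CLAIMS)
    user = {"sub": "u1", "email": "alice@example.com", "email_verified": True,
            "name": "Alice", "given_name": "Alice", "role": "admin"}  # constructed user record
    claims, sid = rp.handle_callback(op.authorize(rp.start_login(), user))
    alive_before = sid in op.sessions
    op.end_session(sid, UP_PARTY_POST_LOGOUT_URI)
    return claims, alive_before, sid in op.sessions


def rejects_unregistered_redirect():
    """An authorization request whose redirect_uri was not registered in step 2 is refused."""
    op = ParallelTrackDownParty(PARALLEL_CLIENT_ID, PARALLEL_CLIENT_SECRET, [UP_PARTY_REDIRECT_URI], [])
    rp = YourTrackUpParty(op, PARALLEL_CLIENT_ID, PARALLEL_CLIENT_SECRET, TRANSFERRED_CLAIMS)
    params = dict(rp.start_login(), redirect_uri="https://attacker.example/cb")
    try:
        op.authorize(params, {"sub": "u1"})
        return False
    except PermissionError:
        return True
```

Running `demo()` shows that given_name never reaches your track because it is not in the transferred claim list, while access_token does, and that the parallel track's session disappears on logout. The exact-match redirect_uri check in `rejects_unregistered_redirect()` is the reason step 2 asks you to copy the URLs verbatim from the up-party rather than type them.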