Entrust IDaaS

The Curity Identity Server can be integrated with Entrust IDaaS (formerly IntelliTrust). This can be done using the Entrust IDaaS authenticator, allowing users to login with the authentication credentials available to them in their instance of IDaaS. The way in which this integration is achieved is shown in Fig. 64:

Fig. 64 Overview of Entrust IDaaS integration

This diagram shows the end user being redirected to the Curity Identity Server from a service provider application in their user agent, typically a browser (1). This service provider may be a SAML service provider, OAuth client or OpenID Connect Relying Party. Whatever kind of provider it is, the user is then redirected to Entrust IDaaS (2), either directly or after selecting Entrust IDaaS as one of the authentication methods exposed to them by the Curity Authentication Server. The user authenticates at Entrust IDaaS, e.g., by entering their username, password and a PIN generated by the Entrust IdentityGuard Soft Token app (3). When this is done, the user is redirected back to the Curity Authentication Server (4) with an authorization code that represents the user's login and consent. At this point, the Entrust IDaaS authenticator redeems this code for identity data and, if additional scopes were requested beyond the openid scope, the user info endpoint of Entrust IDaaS is called (5). In either case, whatever identity data is obtained is returned to the service provider application (6). In this way, the authenticator acts as a _relay_ or _proxy_ between Entrust IDaaS and a downstream client application.

Creating an App in Entrust

As described in the Entrust IDaaS documentation, you can create a generic OIDC and OAuth Web application that can be used to authenticate Entrust IDaaS users to your instance of Curity. To do this, follow these steps in the Entrust IDaaS administrative console:

  1. From the dashboard, click Applications or click the menu button and select Resources and then Applications.

    Fig. 65 Creating an OpenID Connect application for the Curity Identity Server in Entrust IDaaS

  2. Click the + button in the top left corner of the Applications List page.

  3. In the OpenID Connect and OAuth Cloud Integrations section, select Generic Web Application.

  4. On the General step of the Add Generic Web Application wizard, enter a name (e.g., Curity Identity Server). Optionally, add a description and upload a logo.

  5. On the Setup step of the wizard, take note of the Client ID and Client Secret. These will be needed in steps 6 and 7 of the next section, respectively.

  6. If you change the Token / Revocation Endpoint Client Authentication Method from its default to Client Secret Post, you will need to ensure that the Curity authenticator configuration set in step 9 of the next section is also changed accordingly.

  7. If you want to pass through from Curity OAuth clients to Entrust IDaaS transparently, uncheck Require Consent.

  8. Ensure that Authorization Code is the only grant type selected (which is the default).

  9. Ensure that Authorization Code PKCE Code Challenge Method is set to S256 (the default). No other option is supported.

  10. Check the Include Authentication Time checkbox.

  11. Click Add and enter the redirect URI in the Login Redirect URI(s) multi-select widget. This can be obtained from the Info toolbar button of the Entrust IDaaS authenticator after creating it in the next section. It will be of the form https://<host>:<port>/<authenticate_endpoint>/<authenticator_id>/callback.

    Fig. 66 Obtaining the redirect URI needed by Entrust IDaaS in the authenticator’s info pane

  12. Check any scopes from the Supported Scopes that should be used. Note that these will have to be added in step 8 of the next section.

  13. Select a Subject ID Attribute. It is recommended to use Unique User ID.

Note

The Entrust IDaaS authenticator handles any signing settings for ID tokens and user info, so the defaults should be OK.

Creating a new Authenticator

The general process for setting up an Entrust IDaaS authenticator is the same as other types of authenticators. The easiest way to configure a new Entrust authenticator is using the admin UI. The configuration for this can be downloaded as XML or CLI commands later. In the admin UI, setting up an Entrust IDaaS authenticator can be achieved by following these steps:

  1. Go to the Authenticators page of the authentication profile wherein the authenticator instance should be created.

  2. Click the New Authenticator button.

  3. Enter a name (e.g., entrust1). This name needs to match the URI component in the callback URI set in the Entrust app. See Fig. 66 above for one way in which to obtain this.

  4. For the type, pick the Entrust option and click Next.

  5. On the next page, you can define all of the standard authenticator configuration options, such as any previous authenticator that should run, the resulting ACR, transformers that should be executed, etc. At the top of the configuration page, the Entrust-IDaaS-specific options can be found. This is shown in Fig. 67.

    Fig. 67 Overview of the Entrust IDaaS authenticator settings in the admin UI

  6. In the Client ID text field, enter the Client ID from the Entrust IDaaS client application.

  7. Also enter the matching Client Secret.

  8. If you wish to request additional scopes from Entrust IDaaS, enter each one in the Additional Scopes multi-select widget (e.g., address or profile).

  9. If you wish to request additional claims beyond the ones that will be returned based on the requested scopes, enter each one in the Additional Claims multi-select widget (e.g., groups or authenticators).

  10. The Authentication Method should match the configuration for the client in Entrust IDaaS. The default is basic authentication.

  11. If Relay Prompt is configured and an OAuth client sends a prompt to the Curity OAuth server, then this parameter will be forwarded upstream to Entrust IDaaS.

  12. In the Issuer or Environment and Name dropdown select and configure one of the following:

    1. Select environment-and-name, then choose the environment where your Entrust IDaaS instance is hosted. In this case, the instance name also has to be configured.

    2. Select issuer, then configure the Entrust IDaaS OpenID Connect issuer URL.

  13. To rely only on the SSO session stored in Entrust IDaaS, do the following:

    1. Click Advanced to expand the advanced settings.

    2. In the SSO Expiration Time text field, enter 0.

Note

If you need to contact the Entrust IDaaS web services via a proxy, then you should also configure the optional HTTP client. Such an HTTP client can be created as described in the HTTP Clients section of this guide. Once complete, select this HTTP client from the HTTP Client dropdown list.

After configuring all the required settings, the changes can be committed and the new Entrust IDaaS authenticator can be used by any service provider or OAuth client that is allowed to use it.
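As an added illustration of the relay flow from the overview and of the settings that must agree between the two sections above (the callback URI form, the S256-only PKCE method, the client authentication method, additional scopes, Relay Prompt and the user info call), the following Python builds the OpenID Connect messages that the authenticator exchanges with Entrust IDaaS. It is example code written for this page, not the Curity Identity Server's implementation; all hostnames, client credentials and codes are constructed placeholders, and the messages are built but not sent.

```python
import base64
import hashlib
import secrets
from urllib.parse import quote

def build_redirect_uri(host, port, authenticate_endpoint, authenticator_id):
    """Login Redirect URI the Entrust app must allow for an authenticator with this name."""
    return f"https://{host}:{port}/{authenticate_endpoint.strip('/')}/{authenticator_id}/callback"

def pkce_pair(verifier=None):
    """RFC 7636 S256 pair: challenge = BASE64URL(SHA-256(verifier)) without '=' padding."""
    verifier = verifier or secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def authorization_params(client_id, redirect_uri, challenge, additional_scopes=(),
                         relay_prompt=False, prompt=None):
    """Query parameters for the redirect to Entrust IDaaS (step 2); openid is always requested."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(["openid", *additional_scopes]),
        "code_challenge": challenge,
        "code_challenge_method": "S256",  # the only method the authenticator supports
        "state": secrets.token_urlsafe(16),
    }
    if relay_prompt and prompt:  # the downstream client's prompt is forwarded upstream
        params["prompt"] = prompt
    return params

def token_request(client_id, client_secret, code, redirect_uri, verifier, auth_method="basic"):
    """Headers and form body for redeeming the code (step 5); auth_method must match the Entrust app."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "code_verifier": verifier}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_method == "basic":
        # RFC 6749 section 2.3.1: form-encode id and secret before base64
        raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(raw.encode()).decode()
    elif auth_method == "client_secret_post":
        body.update(client_id=client_id, client_secret=client_secret)
    else:
        raise ValueError(f"unsupported client authentication method: {auth_method}")
    return headers, body

def userinfo_call_needed(scope):
    """The user info endpoint is only called when scopes beyond openid were requested."""
    return bool(set(scope.split()) - {"openid"})
```

A mismatch between the Entrust app's client authentication method and the authenticator's Authentication Method shows up here as a token request that carries the credentials in the wrong place.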