Integration with an OIDC identity provider gives your users single sign-on access to:
- Aporeto control plane
- Aporeto web interface
- Enforcer hosts via secure shell (SSH)
- Applications protected by Aporeto
Aporeto uses the OIDC authorization code flow with a confidential client, as described in the OIDC 1.0 specification.
You can use scopes to request basic information about the user from the identity provider. If the user consents to the requested scopes, the identity provider returns the information to Aporeto as claims in an ID token. The claims in the ID token allow you to control which users can gain access.
All identity providers should support the following list of scopes and claims.
profilescope requests the following claims:
addressscope requests the
phonescope requests the following claims:
Each identity provider supports additional scopes and claims. Refer to the documentation of the identity provider to learn more. Request only scopes that return claims as string or array values. Aporeto ignores integer, float, and boolean claim values.
The OIDC sequence requires a browser and is not suitable for authenticating applications.
Configuring an integration with an OIDC identity provider varies by resource. Refer to the section that corresponds to your use case.