Integration with an OIDC identity provider gives your users single sign-on access to:
- Aporeto control plane
- Aporeto web interface
- Enforcer hosts via secure shell (SSH)
- Applications protected by Aporeto
Aporeto uses the OIDC authorization code flow with a confidential client, as described in the OIDC 1.0 specification.
You can use scopes to request basic information about the user from the identity provider. If the user consents to the requested scopes, the identity provider returns the information to Aporeto as claims in an ID token. The claims in the ID token allow you to control which users can gain access.
All OIDC identity providers should support the following scopes and the claims they request:
- profile scope requests the following claims:
- address scope requests the
- phone scope requests the following claims:
Many identity providers support additional scopes and claims. Refer to the identity provider's documentation to learn more about their specific scopes and claims.
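The checks a confidential client must perform on the ID token before trusting any of its claims (issuer, audience, expiry, nonce and signature), followed by a claim-based access rule of the kind the paragraph above describes, as an added example that is not Aporeto's code. The demo key, issuer URL, client ID, claim values and policy are constructed assumptions; a real provider signs tokens with an asymmetric key fetched from its JWKS endpoint rather than the shared HS256 key used here to keep the example offline.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. A real provider signs ID tokens with an asymmetric key
# (RS256/ES256) published at its JWKS endpoint; HS256 keeps this example offline.
DEMO_KEY = b"constructed-demo-key-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_demo_id_token(claims: dict) -> str:
    """Stand-in for the provider's token endpoint: returns a signed ID token."""
    header = _b64url(json.dumps({"alg": "HS256"}).encode())
    body = _b64url(json.dumps(claims).encode())
    mac = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(mac)}"

def validate_id_token(token: str, issuer: str, client_id: str, nonce: str, now: int):
    """ID token checks from OIDC Core 1.0 section 3.1.3.7. Returns (claims, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, body_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return None, "unexpected alg"  # never accept 'none' or an alg you did not pin
    signed = f"{header_b64}.{body_b64}".encode()
    expected = hmac.new(DEMO_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None, "bad signature"
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        return None, "issuer mismatch"
    aud = claims.get("aud")  # a string, or a list when the token has several audiences
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return None, "audience mismatch"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None, "expired"
    if claims.get("nonce") != nonce:  # binds the token to this login attempt
        return None, "nonce mismatch"
    return claims, "ok"

def is_allowed(claims: dict, policy: dict) -> bool:
    """Constructed access rule: each policy claim must be present with an allowed value."""
    return all(claims.get(key) in allowed for key, allowed in policy.items())
```

A user whose validated token lacks a claim named in the policy is denied, so a policy keyed on a claim the provider never returns fails closed rather than open.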
The OIDC flow requires a browser, so it is not suitable for authenticating applications.
Configuring an integration with an OIDC identity provider varies by resource. Refer to the section that corresponds to your use case.