Provision OIDC Service Client Credentials

Environment

PHP, AFS virtual host

Issue

How to Provision OIDC Service Client Credentials.

Resolution

  1. Navigate to "OIDC Provisioning and Management" in the Wolverine Web Services portal application to provision OIDC service client credentials for your site:

https://admin.webservices.umich.edu/oidcprov/

"OIDC Provisioning and Management" tool main page

 

  1. Select "Provision New OIDC Service Client"
  2. Fill out the required information:

Provision new OIDC service client page with the following required information: Site identifier, College or business division, MCommunity manager group, Shortcode, and Redirect URL(s)

Field Description
Site Identifier A short identifier (or "slug") for the site that makes sense to you.  It can be at most 20 characters and can only contain letters and numbers.
College or business division Select your college or business division name from the pull-down menu
MCommunity manager group Select the MCommunity group whose members will be able to make changes to the OIDC client from the pull-down menu
Shortcode A valid U-M shortcode must be specified but will never be charged for provisioning OIDC client credentials
Mcommunity groups for groups-based authentication Select the MCommunity group(s) to be used for group-based authentication
Redirect URL(s) Your application URL that the authorization server will redirect the user back to after the user is successfully authenticated

Some common Redirect URI(s) are as follows where FQDN (Fully Qualified Domain Name) is the URL for your site (ex. mysite.umich.edu):

PHP Application Standard Redirect URI
Drupal (OpenID Connect generic plugin) https://[FQDN]/openid-connect/generic
Drupal 7 (Wolverine Web Services plugin) https://[FQDN]/openid-connect/umichoidc
Drupal 9 (Wolverine Web Services plugin) https://[FQDN]/openid-connect/WWSUmich
WordPress https://[FQDN]/wp-admin/admin-ajax.php?action=openid-connect-authorize
  1. Fill in all entries and press "Submit"
  2. Upon successful creation of your site's OIDC service client credentials, you will return to the original URL and should see a table entry for the newly created credentials
  3. Select the new Client ID in the table to see further details (including the OIDC Secret).  You should copy the OIDC Client ID and OIDC Secret and use them in your web application's configuration in order to configure your web application to authenticate visitors using OIDC.  Please protect the OIDC Secret as you would protect a password -- anyone who learns can compromise your web application's authentication and private data.

Additional Information

Need additional information or assistance? Contact the ITS Service Center.

 

Print Article