Until self-registration is supported, take the following steps to connect a service to the SCZ using OpenID Connect (OIDC).
Send us the OIDC metadata from your .well-known endpoint so we can enter it into our system manually. Contact us about your intention to connect via OIDC; to configure the connection on our end we need an SP name, an SP description and the URL of your well-known endpoint. For reference, this is what that looks like:
Upon completion, we will send you a secret to be used on your end. You can find our .well-known endpoints at https://proxy.pilot.scz.lab.surf.nl/.well-known/openid-configuration.
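Before handing over or relying on discovery metadata, it is worth checking that the document is well-formed and actually belongs to the issuer you expect. The script below is an added example, not part of the SCZ documentation or the COmanage project: it validates a discovery document against the issuer URL (the issuer value must match the URL the document was fetched from, per OIDC Discovery), checks that the endpoints needed for the authorization code flow are present and served over HTTPS, and flags risky advertisements such as the "none" signing algorithm. The SAMPLE_METADATA dictionary is constructed for offline use; its endpoint paths and scope list (including eduperson_entitlement) are assumptions, not the real SCZ configuration.

```python
"""Validate an OpenID Connect discovery document before registering a service.

Added example, not part of the SCZ documentation. It checks the properties a
relying party should verify in the metadata it receives or fetches from a
provider's .well-known/openid-configuration endpoint.
"""
import json
from urllib.parse import urlparse
from urllib.request import urlopen

# Issuer URL taken from the page (the SCZ pilot proxy).
SCZ_ISSUER = "https://proxy.pilot.scz.lab.surf.nl"

# Fields a discovery document must carry for the authorization code flow.
REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

# Constructed sample metadata modelled on a typical discovery document.
# Endpoint paths and scopes are illustrative assumptions, not SCZ's real values.
SAMPLE_METADATA = {
    "issuer": SCZ_ISSUER,
    "authorization_endpoint": SCZ_ISSUER + "/authorize",
    "token_endpoint": SCZ_ISSUER + "/token",
    "userinfo_endpoint": SCZ_ISSUER + "/userinfo",
    "jwks_uri": SCZ_ISSUER + "/jwks",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile", "email", "eduperson_entitlement"],
}


def validate_discovery(metadata: dict, expected_issuer: str,
                       required_scopes=("openid",)) -> list:
    """Return a list of problems found; an empty list means the document is acceptable."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in metadata:
            problems.append(f"missing required field: {field}")

    # The issuer must match the location the document was retrieved from exactly;
    # a mismatch means the document does not belong to the provider we expect.
    issuer = metadata.get("issuer", "")
    if issuer != expected_issuer.rstrip("/"):
        problems.append(f"issuer mismatch: {issuer!r} != {expected_issuer!r}")

    # Tokens and keys must only ever travel over TLS.
    for field in ("authorization_endpoint", "token_endpoint",
                  "jwks_uri", "userinfo_endpoint"):
        url = metadata.get(field)
        if url and urlparse(url).scheme != "https":
            problems.append(f"{field} is not served over https: {url}")

    # Unsigned ID tokens would let anyone forge an identity assertion.
    if "none" in metadata.get("id_token_signing_alg_values_supported", []):
        problems.append("provider advertises the 'none' signing algorithm for ID tokens")

    if "code" not in metadata.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not supported")

    # scopes_supported is optional; only check it when the provider publishes it.
    scopes = set(metadata.get("scopes_supported", []))
    for scope in required_scopes:
        if scopes and scope not in scopes:
            problems.append(f"required scope not advertised: {scope}")
    return problems


def fetch_discovery(issuer: str, timeout: float = 10.0) -> dict:
    """Fetch the live document from the issuer's .well-known endpoint (needs network access)."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline run against the constructed sample; use fetch_discovery(SCZ_ISSUER) for a live check.
    issues = validate_discovery(SAMPLE_METADATA, SCZ_ISSUER,
                                required_scopes=("openid", "eduperson_entitlement"))
    print("OK" if not issues else "\n".join(issues))
```

For a live check, replace SAMPLE_METADATA with the result of fetch_discovery(SCZ_ISSUER); the issuer comparison is what protects you from registering against a document that was served from somewhere other than the provider it claims to describe.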
Configure the service in COmanage
A CO is needed in COmanage, so if there isn't any yet, we will need to create it and invite someone from your side to be admin of the CO.
As CO admin, you need to connect your service to the CO in SCZ COmanage. Log in to the SCZ and go to your CO. Choose Configuration/Services/Add service. Fill out the form as shown below (with your SP data):
Name, Description and Service URL are text fields; Service Group can't be empty (choose CO:member:all to give all members of the CO access to the SP).
In the Entitlement URI field, enter the OIDC client ID; this is currently kind of a hack, and a proper solution is on the COmanage roadmap.
Configure provisioning in COmanage
Now a Zone Provisioner needs to be configured in COmanage. This writes information about groups, people and services to the database the SCZ consults during authentication. To do this, go to Configuration/Provisioning Targets in your CO in the SCZ and add a new provisioner with the following settings (insert your SP data where appropriate):
After this is saved, the provisioning itself still has to be run: click "Reprovision all" in the Provisioning Targets screen of COmanage.
Please note: changes to services do not automatically trigger a new provisioning run. Every time a Service is added or changed, you need to run "Reprovision all" manually so that existing persons are updated where necessary.
OIDC - explicitly ask for attributes