Can NAM Trust an External OIDC or OAuth Provider?

Is it possible for Access Manager to leverage an external OIDC or OAuth token provider to grant access to protected resources?

Here is the scenario, I have a "legacy" Access Manager environment with lots of typical proxied and protected resources, pretty much all protected with classic/standard Username/Password form auth.

Now this site is developing new applications in Azure and using Azure AD as their Identity Provider going forward.

What they'd like to do is use the Azure IdP for all auth and then allow users to access the "legacy" NAM resources without requiring them to authenticate a second time against NAM (we can match up the users and I can use password fetch for identity injection and form fill).  

Ideally, they want to do this with OIDC or OAuth.  I know I can do this with SAML (or at least I'm pretty sure I can), but I don't see any way to do this scenario with OIDC or OAuth.  It seems NAM can only act as the token provider for OIDC or OAuth, not as a consumer.  Is that true? Or am I missing something here?  Is there a way to implement this scenario with either OIDC or OAuth?

Matt


    Hi Matt!

    Unfortunately, you are right. AM cannot use an external IDP over OAuth/OIDC, at least not directly.

    Currently there is a social authentication class that is behind the scenes probably doing what we need (at least this is my impression looking at the Itsme provider), but the AM team needs to add a "standard" OIDC provider where we can configure our own OAuth/OIDC endpoints, scopes, client ID/secret, ...

    We have been asking for this functionality for quite some time (there is also a quite old idea, "Proper OAuth/OpenID Connect federation features"), and I am really hoping this will be available quite soon, because with some of our customers the government identity providers have already deprecated SAML and are completely disabling SAML support in January 2024.

    But if you urgently need this to be working, there are some other possibilities to achieve this:

    • Use the Web authentication method in AA, although I have not found a way to automatically provision/match users like we are used to doing in AM - not so useful, and it costs additional money
    • Code your own custom authentication class
    • Use additional component between external IDP and AM, like we are. That component acts as an OIDC to SAML bridge which is able to convert OIDC messages from external IDP to SAML messages that are understandable by AM.

    Kind regards,

    Sebastijan



    Thanks for confirming Sebastijan.  I was hoping I was wrong! I did vote for that idea, but I see it is 3 years old now so I doubt it's being implemented.  Very disappointing, but I'm becoming more used to that lately with these products :( .

    We actually did see the Social class and got excited for a moment, but after looking it appeared, as you state, that it is all hidden behind the covers and there is no way to configure a generic OIDC provider.  It looks like the "Itsme" provider does allow for all those configurations (endpoints, etc.).  Do you think that can be used generically?  How hard would it be to build a custom class to work with the social class?  I saw an OpenID class too, but I realized that is something quite old and not what I thought it was.

    The need is indeed urgent, but none of your options are very attractive. Buying AA is out of the question, I think (this is basically the start of the end of NAM at this customer).  Not sure I could or would want to build a custom class, and adding a 3rd-party component to bridge the gap is, I think, a non-starter too.

    We could do SAML, Azure B2C does support it, but from what I'm told, there are other authentication issues with Azure if both OIDC and SAML are used (I don't know what they are, something about multiple authentications being required then).  But it seems SAML is our only short-term solution.  I was not aware that some providers are already deprecating SAML!  That seems a bit premature to me, as I think OIDC and OAuth have plenty of foibles too.

    Matt


    Maybe, but just maybe, you can leverage the Advanced Authentication integration for this? This is also an OAuth integration.