Setup Identity as an OIDC Provider

Arc XP Identity has integrated the OpenID Connect protocol (OIDC) so clients can build a sign-in flow for any OIDC provider. As part of this work, ArcXP Identity can now become an OIDC provider, which allows sharing user accounts between several organizations or sites. Learn more about it on How to use Arc XP identity as IDP.

We will guide this documentation under the following scenario: The organization STAGING_QA wants to use the user accounts that already exist on “STAGING_DEV”. That means STAGING_DEV becomes in the OIDC Provider, and STAGING_QA needs to configure STAGING_DEV as the OIDC client.

1. Configuring Arc as an identity provider

   In STAGING_DEV or any organization with Arc XP Identity enabled that you want to use as an identity provider, you will need to create an OIDC Provider config. For this go into the settings tab, then OIDC providers.

   

   Click Add provider button to configure a new identity.

   

   Fill out the form.

   • ClientId: The OIDC client ID associated with this configuration. Clients are free to choose any name that is URL safe.
   • Name: A name which is only used to refer to the configuration within CSR Admin
   • Secret: The password used by the client’s backend application when calling Arc’s token API.

   Also, click on Add URI button to add Regular expression used for validating a return URI.

   Once satisfied with the configurations, click Add button to save.

2. Configuring newly created Arc OIDC Identity Provider as an OIDC client

   In STAGING_QA or in an organization that you want to use identity provider set up in another organization, you will need to create the OIDC client.

   See OIDC section on Configure third-party authetication providers, Facebook, Google, Apple, and OIDC to set up OIDC client.

   Note

   If you set up Arc XP Identity as the OIDC Provider, let’s provide the values you will need to introduce on the client side:

   • name: Name assigned to the configurtion.
   • publickey: The public key created on Arc XP. This info can be grabbed by calling https://[org]-[site]-[env].api.arc-cdn.net/identity/public/v2/oidc/provider/{id}/.well-known/jwks.json
   • secret: The secret to be used by the client.
   • redirectURI: Page URI where the end-user should be redirected after a successful login on the provider side (i.e. After successful login on Arc XP Identity).
   • authorizationEndpoint: Page URI where the end-user will ask for login using the Arc XP credentials (e.g. https://[org]-[site]-[env].web.arc-cdn.net/account/login/).
   • tokenEndpoint: endpoint used for the token exchange process (e.g. https://[org]-[site]-[env].api.arc-cdn.net/identity/public/v2/oidc/provider/token).
   • jwksEndpoint: endpoint from which the public provider keys can be downloaded (e.g. https://[org]-[site]-[env].api.arc-cdn.net/identity/public/v2/oidc/provider/{id}/.well-known/jwks.json)

   Follow through on Set up Identity as an OIDC Provider using sdks to finish setting up the Identity as an OIDC provider.