SisuID authentication API supports the OpenID Connect protocol
- The Service Provider (Relying Party) should request that a client (client_id and client_secret) be registered in the SisuID Sandbox environment (https://auth.sandbox.sisuid.com). The client_secret must be kept server-side and is only ever sent to the token endpoint.
- Authorization endpoint URL is: https://auth.sandbox.sisuid.com/oxauth/restv1/authorize
- Token endpoint URL is: https://auth.sandbox.sisuid.com/oxauth/restv1/token
- Userinfo endpoint URL is: https://auth.sandbox.sisuid.com/oxauth/restv1/userinfo
- The following scope value should be used: openid profile linked_ids
SisuID will be integrated with the Service Provider as an external authentication method. The type of the authentication method will be set to OIDC. SSN or SisuUUID information returned by SisuID in the ID Token claims will be used to map to existing users in the Service Provider's local user directory.
1. The end-user initiates the flow by accessing a protected resource in the Web App.
2. The Web App notices that the user has not authenticated and constructs a redirection URL to the Service Provider's local access management endpoint.
3. The end-user's web browser sends an HTTP GET request to the Service Provider's access management endpoint with entityId uniquely identifying the Web App and scope indicating that the access management endpoint should return the user information of the authenticated user.
4. Since it is assumed that the SisuID external authentication method is being used, the access management endpoint constructs a redirection URL to the SisuID authorization endpoint.
5. The end-user's browser sends an HTTP GET request to the SisuID authorization endpoint with the following parameters:
   - client_id uniquely identifying the Web App.
   - acr_values indicating that the mobileauth authentication method is used.
   - scope (openid profile linked_ids) indicating that an OpenID Connect ID token is to be returned and that it must contain the user attributes of the basic profile and the linked government-issued IDs.
   - redirect_uri pointing to the Service Provider's redirection endpoint. It must exactly match a redirect URI registered for the client.
   - state, an unguessable value bound to the browser session, which SisuID returns unchanged so that the redirection endpoint can reject responses it did not initiate.
6. SisuID authenticates the end-user and redirects back to the Service Provider redirection endpoint with the code and state parameters.
7. The end-user's browser sends an HTTP GET request to the Service Provider redirect URI. The Service Provider checks that the returned state matches the one stored in the browser session before using the code.
8. The Service Provider resolves the access token and ID token associated with the provided authorization code by making a back-channel call to the SisuID token endpoint, authenticating with its client_id and client_secret.
9. SisuID returns the tokens; the id_token contains the Social Security Number (SSN) or SisuUUID of the authenticated user in a claim. Before that claim is used, the Service Provider validates the ID token as required by OpenID Connect: signature, issuer, audience (its own client_id) and expiry, plus the nonce if one was sent.
10. The Service Provider uses its user directory mapping to perform a lookup in its internal user repository to determine whether an existing user is found with the given SSN or SisuUUID. If no user is found, an error is returned to the Web App; no local account is created from the claim.
11. If a user is found, a new local authentication session is created for that user.
12. Finally, after successful authentication, the end-user's browser is redirected to the Web App ACS URL which was provided in step 3. The final steps of the flow are omitted from this document.
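The Relying Party side of steps 5 to 11 above, as an added example for this page; it is not SisuID's or the Service Provider's own code. Everything not stated on the page is an assumption: the claim carrying the SSN/SisuUUID is named by SUBJECT_CLAIM (set to "sub" here), the ID token iss value is taken to be the sandbox host, and the token is HS256-signed with a shared test key so the example runs offline. A real integration verifies the RS256 signature against the provider's published JWKS and sends the token request over HTTPS; here the token response is simulated, so the example shows the checks the Service Provider must perform (state, signature, alg, iss, aud, exp, nonce, directory lookup) rather than the network calls.

```python
"""Relying Party side of the SisuID authorization code flow (added example,
not SisuID's own code). Assumed, not from the page: SUBJECT_CLAIM, ISSUER,
and HS256 with a shared test key in place of RS256/JWKS verification."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_URL = "https://auth.sandbox.sisuid.com/oxauth/restv1/authorize"
TOKEN_URL = "https://auth.sandbox.sisuid.com/oxauth/restv1/token"
ISSUER = "https://auth.sandbox.sisuid.com"  # assumed iss value
SCOPE = "openid profile linked_ids"
ACR_VALUES = "mobileauth"
SUBJECT_CLAIM = "sub"  # assumed name of the SSN/SisuUUID claim


def build_authorization_request(client_id, redirect_uri):
    """Step 5: authorization URL plus the state/nonce the RP keeps in its session."""
    session = {"state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32)}
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": SCOPE, "acr_values": ACR_VALUES, **session}
    return AUTH_URL + "?" + urlencode(params), session


def parse_callback(callback_url, session):
    """Steps 6-7: accept the code only if state matches the session that started the flow."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise PermissionError("provider error: " + query["error"][0])
    if query.get("state", [None])[0] != session["state"]:
        raise PermissionError("state mismatch: response not bound to this session")
    return query["code"][0]


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Step 8: form body for the back-channel POST to the token endpoint (not sent here)."""
    return TOKEN_URL, {"grant_type": "authorization_code", "code": code,
                       "redirect_uri": redirect_uri, "client_id": client_id,
                       "client_secret": client_secret}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims, key: bytes) -> str:
    """Stand-in for the provider: HS256 JWT over the claims (test helper only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token, key: bytes, client_id, session, now=None):
    """Step 9: alg, signature, iss, aud, exp and nonce are checked before any claim is trusted."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")  # never accept 'none' or an alg you did not configure
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != client_id:
        raise PermissionError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise PermissionError("expired")
    if claims.get("nonce") != session["nonce"]:
        raise PermissionError("nonce mismatch: token not issued for this login")
    return claims


def map_user(claims, directory):
    """Steps 10-11: look up the SSN/SisuUUID locally; no match is an error, never a new account."""
    user = directory.get(claims.get(SUBJECT_CLAIM))
    if user is None:
        raise LookupError("no local user for the identifier in the ID token")
    return user


def run_demo(now=1_700_000_000):
    """Whole flow against a constructed directory and a constructed (simulated) token response."""
    directory = {"9c6f1a2e-demo-uuid": {"username": "alice"}}  # constructed local user directory
    url, session = build_authorization_request("web-app-client", "https://sp.example/cb")
    code = parse_callback("https://sp.example/cb?code=demo-code&state=" + session["state"], session)
    _, form = build_token_request(code, "web-app-client", "client-secret", "https://sp.example/cb")
    key = b"shared-test-key"  # simulated token endpoint: the provider signs the claims with this key
    token = sign_id_token({"iss": ISSUER, "aud": "web-app-client", "exp": now + 300,
                           "nonce": session["nonce"], SUBJECT_CLAIM: "9c6f1a2e-demo-uuid"}, key)
    claims = verify_id_token(token, key, form["client_id"], session, now=now)
    return map_user(claims, directory)
```

The state and nonce values are generated per login and stored server-side in the browser session; state ties the redirect back to that session and nonce ties the ID token to it, so a code or token captured from another session is rejected before the SSN/SisuUUID lookup ever runs.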