VIP Policy Configuration

About OIDC
Your organization can use VIP as the OIDC server (the OpenID Provider) that authenticates the second factor during registration and authentication. To configure your OIDC client app to use VIP as the OIDC server, enable OIDC in VIP Manager and then add the OIDC client. Once you add the OIDC client app, VIP displays the information that you need to integrate VIP as the OIDC server into your OIDC client app. VIP also provides an ID Token certificate that you upload to your OIDC client so that the client can verify the signature on the ID Token JWT that VIP returns after successful authentication.

Refer to the documentation provided with your OIDC client app software for instructions on configuring your OIDC client app and integrating VIP as the OIDC server.

To set your OIDC server settings:

Select Policies in the navigation bar at the top of the page.

Select the OIDC tab.

If not already enabled, click Yes next to Enable OIDC.

Click the Add App button to add the OIDC app to VIP Manager.

You are prompted to complete the following settings:

App Name: Enter a unique name that identifies the OIDC client app to VIP. For convenience, use the same name that you gave the app when you configured the OIDC client. Use only A - Z, a - z, 0 - 9 and spaces; do not use any special characters.

Redirect URL: Enter the URL to which VIP redirects the user after authentication completes (whether it succeeded or failed). When authentication fails, VIP appends the error code and error description to the redirect URL.

The Redirect URL field accepts multiple comma-separated URLs. Register only the exact URLs that your OIDC client actually uses: in OIDC, the registered redirect URL is the allowlist that keeps the authentication response from being delivered to a URL an attacker controls, so do not add placeholder, staging, or loosely specified entries to a production app.

Skew Time (seconds): Enter the number of seconds that VIP subtracts from the current time when it checks timestamps, to absorb the difference between the system clocks of the host running the OIDC client and the host running the OIDC server (VIP). Keep this value as small as your clock synchronization allows (tens of seconds, not minutes): every second of skew widens the window in which a stale token is still accepted.

ID Token Hint Certificate: The OIDC client sends identity information to VIP in a signed JWT, the ID Token Hint. The client signs the ID Token Hint with the private key that corresponds to the ID Token Hint certificate; you upload that certificate to VIP Manager so that VIP can verify the signature on the ID Token Hint JWT. Only the certificate is uploaded; the private key stays on the OIDC client. The ID Token Hint certificate must be a single certificate file in .pem format.

If you create multiple OIDC apps in VIP Manager, you can use the same certificate or upload different certificates for each app (or a combination of the same and different certificates). However, the certificate that you upload in VIP Manager for each OIDC app must match the certificate that you provide to the matching OIDC client.

ID Token Encryption Certificate (optional): The ID Token is a security token that carries claims about the authentication of the user. If you upload an ID Token Encryption certificate, VIP encrypts the ID Token to the public key in that certificate, so only the holder of the matching private key, your OIDC client, can decrypt it. Leave the field empty if your client does not support encrypted ID Tokens.

You can use the same certificate for both the ID Token Hint Certificate and the ID Token Encryption Certificate, or you can upload different certificates for each purpose (or a combination of the same and different certificates). However, the ID Token Encryption certificate that you upload in VIP Manager for each OIDC app must correspond to the private key that the matching OIDC client uses to decrypt the ID Token; otherwise the client cannot read the ID Token that VIP returns.

The ID Token Encryption certificate must be a single certificate file in .pem format.


Once you have added the app, VIP generates an ID Token Signature / ID Token Hint Encryption Key certificate and displays the information that you need to integrate VIP as the OIDC server into your OIDC client app.

The Client ID and Client Secret are obscured by default. Click Show next to these fields to view them (they are also visible in Edit mode). Click Copy to add these values to your clipboard. Treat the Client Secret like a password: store it in the OIDC client's secret store, never in source control, tickets, or browser-side configuration.

Click Download to obtain the ID Token Signature / ID Token Hint Encryption Key certificate. You need to provide this certificate to your OIDC client app.


After adding the app, you can edit or remove the app. To edit the app, click Edit. You can only change the following values:

App Name

Redirect URL

Skew Time (seconds)

Upload a new ID Token Hint Certificate

Upload a new ID Token Encryption Certificate


To remove the app, click Remove App.

Renewing your ID Token Signature / ID Token Hint Encryption Key certificate

Your OIDC apps share the same ID Token Signature / ID Token Hint Encryption Key certificate. It is a different certificate from the ID Token Hint certificate and the ID Token Encryption certificate that you uploaded to VIP Manager when you created the OIDC app. This certificate expires periodically (typically after 6 months); the expiry date is also visible in the certificate itself, so you can monitor it with your own certificate-expiry checks. You receive email notifications at intervals before the certificate expires. To avoid service interruption, click Renew to renew the certificate before it expires. The Download link is immediately updated to provide the latest certificate.

Important: Renewing the OIDC ID Token Signature / ID Token Hint Encryption Key certificate causes OIDC authentication to fail until you provide the new certificate to your OIDC client apps. Symantec recommends that you temporarily disable ID Token verification before you renew the certificate and re-enable ID Token verification once the certificate is replaced in your OIDC apps. While verification is disabled, the client accepts any ID Token regardless of who signed it, so keep that window as short as possible, perform the renewal at a quiet time, and re-enable verification as soon as the new certificate is in place. If your OIDC client can trust more than one signing certificate at a time, add the new certificate alongside the old one before you click Renew; then verification never has to be switched off.
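The following is an added example, not VIP's or Symantec's code, that illustrates two points from this page in working Go: how a signed JWT such as the ID Token Hint is verified against an uploaded certificate with a Skew Time tolerance applied to its exp and iat claims, and how a client that trusts a list of certificates can accept tokens signed with either the old or the new certificate during a renewal instead of disabling verification. It assumes RS256 signatures (the page does not state which algorithm VIP uses), a hypothetical three-claim payload, and self-signed certificates generated in memory as stand-ins for the single-certificate .pem files; CertMatchesKey is the check a practitioner runs before uploading a certificate to confirm it belongs to the key the client signs with.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is a minimal ID Token / ID Token Hint claim set (hypothetical field set).
type Claims struct {
	Sub string `json:"sub"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewCert self-signs a certificate for priv; it stands in for the .pem file you would upload.
func NewCert(priv *rsa.PrivateKey, lifetime time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Minute),
		NotAfter: time.Now().Add(lifetime), KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CertMatchesKey is the pre-upload check: the certificate must carry the public
// half of the key the OIDC client actually signs with.
func CertMatchesKey(cert *x509.Certificate, priv *rsa.PrivateKey) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	return ok && pub.Equal(&priv.PublicKey)
}

// SignJWT builds an RS256 JWT: base64url(header).base64url(claims).base64url(sig).
func SignJWT(priv *rsa.PrivateKey, c Claims) (string, error) {
	body, _ := json.Marshal(c)
	input := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyJWT accepts the token when any trusted certificate verifies the RS256 signature
// (old and new certificates can overlap during renewal) and exp/iat hold once skew
// seconds of clock drift are allowed, which is what the Skew Time setting is for.
func VerifyJWT(token string, trusted []*x509.Certificate, now time.Time, skew int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	hb, errH := base64.RawURLEncoding.DecodeString(parts[0])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	var hdr struct{ Alg string `json:"alg"` }
	if errH != nil || errS != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New(`bad header or signature encoding, or alg is not RS256 (never accept "none")`)
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	verified := false
	for _, cert := range trusted {
		pub, ok := cert.PublicKey.(*rsa.PublicKey)
		verified = verified || (ok && rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil)
	}
	if !verified {
		return nil, errors.New("signature matches no trusted certificate")
	}
	var c Claims
	if cb, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(cb, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if t := now.Unix(); c.Exp+skew < t || c.Iat-skew > t {
		return nil, errors.New("exp/iat fall outside the allowed skew window")
	}
	return &c, nil
}

func main() {
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	oldCert, _ := NewCert(oldKey, 180*24*time.Hour)
	newCert, _ := NewCert(newKey, 180*24*time.Hour)
	now := time.Now() // iat 20 s ahead simulates the signer's clock running ahead of the verifier's
	tok, _ := SignJWT(newKey, Claims{Sub: "alice", Iat: now.Unix() + 20, Exp: now.Unix() + 300})
	_, errOld := VerifyJWT(tok, []*x509.Certificate{oldCert}, now, 30)
	_, errBoth := VerifyJWT(tok, []*x509.Certificate{oldCert, newCert}, now, 30)
	fmt.Println("old cert only:", errOld, "| old+new:", errBoth, "| cert/key match:", CertMatchesKey(newCert, newKey))
}
```

Running main shows the token signed with the new key failing against the old certificate alone and succeeding once both certificates are trusted, which is the overlap that lets a client survive a Renew without switching verification off. The alg check rejects "none" and HMAC algorithms outright; a verifier that honours whatever alg the token names can be tricked into treating the public certificate as an HMAC secret.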