VIP Policy Configuration
About OIDC
Your organization can use VIP as the OIDC server to authenticate the second factor during registration and authentication. To configure your OIDC client app to use VIP as the OIDC server, enable OIDC in VIP Manager and then add the OIDC client. After you add the OIDC client app, VIP displays the information that you need to integrate VIP as the OIDC server into your OIDC client app. VIP also provides an ID Token certificate that you upload to your OIDC client to verify the signature of the ID Token Jar returned by VIP after successful authentication.
Refer to the documentation provided with your OIDC client app software for instructions on configuring your OIDC client app and integrating VIP as the OIDC server.
To set your OIDC server settings:
1. Select Policies in the navigation bar at the top of the page.
2. Select the OIDC tab.
3. If not already enabled, click Yes next to Enable OIDC.
4. Click the Add App button to add the OIDC app to VIP Manager.
Once you have added the app, VIP displays the information that you need to integrate VIP as the OIDC server into your OIDC client app.
The Client ID and Client Secret are obscured by default. Click Show next to these fields to view them (they are also visible in Edit mode). Click Copy to add these values to your clipboard.
Click Download to obtain the ID Token Signature / ID Token Hint Encryption Key certificate. You need to provide this certificate to your OIDC client app.
After adding the app, you can edit or remove the app. To edit the app, click Edit. You can only change the following values:
- App Name
- Redirect URL
- Skew Time (seconds)
- Upload a new ID Token Hint Certificate
- Upload a new ID Token Encryption Certificate
To remove the app, click Remove App.
Your OIDC apps share the same ID Token Signature / ID Token Hint Encryption Key certificate. This certificate expires periodically (typically after 6 months). You receive email notifications at intervals before the certificate expires. To avoid service interruption, click Renew to renew the certificate before it expires. The Download link is immediately updated to provide the latest certificate.
Important: Renewing the OIDC ID Token Signature/ID Token Hint Encryption certificate causes OIDC authentication to fail until you provide the new certificate to your OIDC client apps. Symantec recommends that you temporarily disable ID Token verification before you renew the certificate and then continue ID Token verification once the certificate is replaced in your OIDC apps.
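The check below is an added example, not part of Symantec's documentation or tooling. It reports how close a downloaded ID Token certificate is to expiry and whether the copy configured in an OIDC client app still matches the latest download after a renewal. The file arguments, the status words and the self-signed stand-in certificate are assumptions made for illustration, and the openssl command-line tool is required.

```sh
#!/bin/sh
# Added example, not Symantec code. File names and thresholds are assumptions.

# cert_status CERT_PEM WARN_DAYS -> prints UNREADABLE, EXPIRED, RENEW_SOON or OK
cert_status() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo UNREADABLE; return 0; }
    # -checkend N exits 0 only if the certificate is still valid N seconds from now
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        echo RENEW_SOON
    else
        echo OK
    fi
}

# cert_fingerprint CERT_PEM -> SHA-256 fingerprint, empty if the file is unreadable
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# check_client LATEST_PEM DEPLOYED_PEM WARN_DAYS
# LATEST_PEM: certificate just downloaded from VIP Manager.
# DEPLOYED_PEM: copy currently configured in the OIDC client app.
check_client() {
    latest=$(cert_fingerprint "$1"); deployed=$(cert_fingerprint "$2")
    if [ -z "$latest" ] || [ -z "$deployed" ]; then
        echo UNREADABLE
    elif [ "$latest" != "$deployed" ]; then
        echo STALE_CLIENT_CERT   # client still holds a certificate other than the latest download
    else
        cert_status "$1" "$3"
    fi
}

# make_constructed_cert OUT_PEM DAYS: self-signed stand-in for the VIP certificate,
# constructed only so the checks can be tried offline.
make_constructed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=constructed-vip-oidc" >/dev/null 2>&1
    rm -f "$1.key"
}

# Run the comparison when called with LATEST_PEM DEPLOYED_PEM WARN_DAYS.
if [ "$#" -eq 3 ]; then check_client "$@"; fi
```

A STALE_CLIENT_CERT result after clicking Renew identifies a client app that has not yet received the new certificate.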
