In this article we describe how to integrate Red Hat SSO (RH-SSO) with FranceConnect.

1) What is the FranceConnect IDP

FranceConnect (https://franceconnect.gouv.fr/) is the French government identity provider, with more than 20 million accounts.
You can log in to it with credentials such as your National Insurance Number or postal address …

FranceConnect is the IDP; a Service Provider accesses it through its OpenID Connect interface.

2) Register your service with FranceConnect

You must register your service with FranceConnect.
In return you obtain a client_id and a client_secret for your service.

3) FranceConnect Endpoints

FranceConnect endpoints are described at https://partenaires.franceconnect.gouv.fr/fournisseur-service

Authorization:
Token: https://fcp.integ01.dev-franceconnect.fr/api/v1/token
UserInfo:
Logout: https://fcp.integ01.dev-franceconnect.fr/api/v1/logout

4) FranceConnect supported scopes and claims

They are listed in the partner documentation linked above; the ones used in this integration are covered in section 7.

5) Creating a dummy test user to test the FranceConnect IDP

FranceConnect lets you create a dummy test user to exercise the service.
The URL to create this dummy test user is:
https://fip1.integ01.dev-franceconnect.fr/user/create

A dummy user with username/password user1_test_fc/password has been created.

The following profile information was also provided:
First Name: user1
Last Name: user1
Email: user1@foo.com

6) Configuring FranceConnect as an OpenID Connect IDP for RH-SSO

Using FranceConnect as an OpenID Connect identity provider means that authentication is delegated to FranceConnect: users log in with their FranceConnect credentials.

To configure this in RH-SSO, the following was done:
1. create a new realm test_franceconnect
2. add an Identity Provider of type OpenID Connect

3. Fill in the following fields:
Display Name: France Connect
Authorization URL:
Token URL: https://fcp.integ01.dev-franceconnect.fr/api/v1/token
Logout URL:
Backchannel Logout: https://fcp.integ01.dev-franceconnect.fr/api/v1/logout
First Login Flow: Direct Grant

User Info URL:
Client ID: <client-id>
Client Secret: <client-secret>

Issuer: https://fcp.integ01.dev-franceconnect.fr

Default Scopes: openid profile email
Prompt:
Validate Signatures: OFF

Note that Validate Signatures is OFF because FranceConnect does not publish a JWKS (JSON Web Key Set) from which RH-SSO could fetch a key to verify the ID token signature. The consequence is that RH-SSO accepts the ID token without checking its signature. This is tolerable only because RH-SSO obtains the token itself from the FranceConnect token endpoint over TLS on the back channel (authorization code flow), never from the browser; the setting must not be carried over to an IDP that does publish keys.

7) RH-SSO Identity Provider Mappers

Select the Identity Provider "France Connect" and the "Mappers" tab.

Mappers let RH-SSO import into the RH-SSO user the attributes that FranceConnect returns for the scopes requested in the authentication request.

Here the scopes profile and email have been requested.
profile is in fact an alias for the following claims: given_name, family_name, preferred_username, birthdate and gender.
So, with the scopes specified, the following attributes are available: given_name, family_name, preferred_username, birthdate, gender and email.

A mapper specifies which claim is imported and the name of the user attribute it is stored in.

For example, the first name attribute mapper is defined as follows:
Name: firstName_mapper
Mapper Type: attribute_mapper
Claim: given_name
User Attribute Name: First Name
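The configuration of sections 6 and 7 can be scripted instead of clicked through. The following Python script is an added example (not code from the article, JANUA or Red Hat): it builds the identity-provider and mapper representations used by the RH-SSO admin REST API and posts them to a realm. It assumes an RH-SSO reachable at base_url with the /auth context path seen in the article's URLs, an admin account in the master realm, and the FranceConnect authorization and userinfo URLs taken from the partner documentation (passed in as parameters, since the article leaves them blank). It goes beyond the article's single firstName_mapper by creating one mapper per claim listed in section 7, and uses RH-SSO's default "first broker login" flow.

```python
"""Scripted RH-SSO setup of the FranceConnect identity provider and its mappers
(added example; not code from the article, JANUA or Red Hat)."""
import json
import urllib.parse
import urllib.request

FC_BASE = "https://fcp.integ01.dev-franceconnect.fr"

# FranceConnect claim -> RH-SSO user attribute. firstName, lastName and email are the
# built-in user properties the admin console labels First Name, Last Name, Email;
# birthdate and gender land in custom attributes of the same name.
CLAIM_TO_ATTRIBUTE = {
    "given_name": "firstName",
    "family_name": "lastName",
    "email": "email",
    "birthdate": "birthdate",
    "gender": "gender",
}


def franceconnect_idp(client_id, client_secret, authorization_url, user_info_url,
                      alias="franceconnect"):
    """IdentityProviderRepresentation mirroring the section 6 fields.
    authorization_url and user_info_url come from the partner documentation."""
    return {
        "alias": alias,
        "displayName": "France Connect",
        "providerId": "oidc",
        "enabled": True,
        "firstBrokerLoginFlowAlias": "first broker login",
        "config": {
            "authorizationUrl": authorization_url,
            "tokenUrl": FC_BASE + "/api/v1/token",
            "userInfoUrl": user_info_url,
            "logoutUrl": FC_BASE + "/api/v1/logout",
            "backchannelSupported": "true",
            "issuer": FC_BASE,
            "clientId": client_id,
            "clientSecret": client_secret,
            "defaultScope": "openid profile email",
            # FranceConnect publishes no JWKS, so RH-SSO cannot verify the ID token
            # signature (section 6); the token still arrives over the TLS back channel.
            "validateSignature": "false",
            "useJwksUrl": "false",
        },
    }


def attribute_mappers(alias):
    """One Attribute Importer mapper per claim, like the article's firstName_mapper."""
    return [
        {
            "name": attr + "_mapper",
            "identityProviderAlias": alias,
            "identityProviderMapper": "oidc-user-attribute-idp-mapper",
            "config": {"claim": claim, "user.attribute": attr},
        }
        for claim, attr in CLAIM_TO_ATTRIBUTE.items()
    ]


def admin_token(base_url, username, password):
    """Password grant against the master realm with the built-in admin-cli client."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(
        base_url + "/auth/realms/master/protocol/openid-connect/token", data=form)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _post_json(url, token, body):
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 201 Created on success


def install(base_url, realm, token, idp):
    """Create the identity provider, then its mappers, in an existing realm."""
    admin = "%s/auth/admin/realms/%s" % (base_url, realm)
    _post_json(admin + "/identity-provider/instances", token, idp)
    mappers_url = "%s/identity-provider/instances/%s/mappers" % (admin, idp["alias"])
    for mapper in attribute_mappers(idp["alias"]):
        _post_json(mappers_url, token, mapper)


if __name__ == "__main__":
    # Placeholders: replace with the values from your FranceConnect registration
    # and the admin account of your RH-SSO instance.
    idp = franceconnect_idp("<client-id>", "<client-secret>",
                            "<franceconnect-authorization-url>",
                            "<franceconnect-userinfo-url>")
    print(json.dumps(idp, indent=2))  # review before pushing
    # token = admin_token("https://sso.example.com", "admin", "<admin-password>")
    # install("https://sso.example.com", "test_franceconnect", token, idp)
```

The realm itself must already exist; the script only adds the provider and mappers to it. Keep the client_secret out of version control and out of the printed review output when you adapt this.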

8) Test

Browse to https://sso-janua.app.itix.fr/auth/realms/test_france_connect/account
It redirects to the login page of the France Connect realm within RH-SSO.

When you first click on FranceConnect, the login fails with a message indicating that a parameter is missing:

invalid params : mandatory params missing

This is because the authorization URL RH-SSO forwards to FranceConnect does not carry a nonce, which FranceConnect treats as a mandatory parameter.

It is possible to take exactly the same expanded URL, append a nonce such as nonce=1234 and paste it into a browser.
The nonce exists to bind the returned ID token to this particular login and to defeat replay, so in production it has to be a fresh random value generated by the broker for each request; a fixed value such as 1234 is acceptable only for this manual test.

With this URL you are presented with the FranceConnect login screen, where you can pick any provider from the list.

Just pick one of them and enter the dummy user credentials created earlier (user1_test_fc/password); you are then connected to the RH-SSO user dashboard, which shows:

First Name: user1
Last Name: user1
Email: user1@foo.com
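The missing-nonce failure in this test and the "Validate Signatures: OFF" setting of section 6 concern the same thing: how the ID token gets bound to a login and checked. The following Python is an added example (not code from the article or FranceConnect) showing what a correct client does: generate a random state and nonce per request, detect an authorization URL that lacks a mandatory parameter, repair it with a random nonce rather than a fixed one, and verify the returned ID token's signature and its iss, aud, exp and nonce claims. The endpoint URLs, client_id, client_secret and the sample token are constructed placeholders; the HS256-with-client_secret signature is an assumption suggested by the absence of a published JWKS and must be checked against the FranceConnect partner documentation.

```python
"""Correct nonce/state handling for a FranceConnect login and offline ID token
verification (added example; not code from the article or FranceConnect)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Authorization-code parameters every request needs; FranceConnect rejects a
# request without nonce with "invalid params : mandatory params missing".
MANDATORY_PARAMS = ("response_type", "client_id", "redirect_uri", "scope", "state", "nonce")


def new_login_request(authorize_endpoint, client_id, redirect_uri,
                      scope="openid profile email"):
    """Return (url, state, nonce): state guards the callback against CSRF, nonce
    binds the ID token to this login. Both are fresh, unguessable values."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope,
              "state": state, "nonce": nonce}
    return authorize_endpoint + "?" + urlencode(params), state, nonce


def missing_params(url):
    """Mandatory parameters absent from an authorization URL (the check that
    would have caught the broker's missing nonce before FranceConnect did)."""
    query = parse_qs(urlsplit(url).query)
    return [p for p in MANDATORY_PARAMS if p not in query]


def add_nonce(url, nonce=None):
    """The article's manual fix (appending nonce=1234), but with a random value.
    Returns (url, nonce) so the caller can check the nonce claim afterwards."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if "nonce" in query:
        return url, query["nonce"][0]
    nonce = nonce or secrets.token_urlsafe(32)
    query["nonce"] = [nonce]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True))), nonce


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_id_token(id_token, client_secret, client_id, issuer, expected_nonce, now=None):
    """Verify signature, iss, aud, exp and nonce of an ID token. Assumes HS256
    keyed with client_secret (suggested by the absence of a published JWKS;
    confirm against the FranceConnect partner documentation)."""
    try:
        header_b64, payload_b64, sig_b64 = id_token.split(".")
    except ValueError:
        raise ValueError("malformed ID token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never trust the token's own choice of alg
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode()
    expected = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token is not bound to this login")
    return claims


def make_id_token(claims, client_secret):
    """Constructed test data: an HS256 token shaped like a token endpoint response."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), (header + "." + payload).encode(),
                   hashlib.sha256).digest()
    return header + "." + payload + "." + _b64url_encode(sig)


if __name__ == "__main__":
    # Placeholders, not real FranceConnect or RH-SSO values.
    url, state, nonce = new_login_request("https://fc.example/authorize", "<client-id>",
                                          "https://sso.example/auth/realms/test_franceconnect/broker/franceconnect/endpoint")
    broken = url.replace("&nonce=" + nonce, "")  # what the broker sent: no nonce
    print("missing:", missing_params(broken))    # ['nonce']
    fixed, nonce2 = add_nonce(broken)
    token = make_id_token({"iss": "https://fc.example", "aud": "<client-id>", "sub": "user1",
                           "exp": int(time.time()) + 60, "nonce": nonce2}, "<client-secret>")
    print(verify_id_token(token, "<client-secret>", "<client-id>", "https://fc.example", nonce2)["sub"])
```

The alg check is deliberate: an unsigned or RS256-labelled token must be rejected outright rather than interpreted according to its own header. With Validate Signatures OFF, RH-SSO performs none of the signature step above, which is why the back-channel TLS connection to the token endpoint is the only thing protecting the token's integrity in the article's setup.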

Olivier Rivat

Senior Software Engineer with over 25 years of experience in software development, support and consulting in Identity and Access Management solutions.
Specialised in IAM (security, access control, identity management) and open source integration, and founded in 2004 by an IAM industry veteran, JANUA offers high value-added products and services to businesses and governments with a concern for identity management and open source components.
JANUA provides better security, builds relationships, and enables new cloud, mobile, and IoT offerings from any device or connected thing.