In this article we describe how to integrate Red Hat SSO (RH-SSO) with FranceConnect.
1) What is the FranceConnect IDP
FranceConnect (https://franceconnect.gouv.fr/) is the French government identity provider (IDP), with more than 20 million accounts.
You can log in to it with credentials such as your National Insurance Number, postal address, and so on.
FranceConnect is the IDP; a Service Provider reaches it through its OpenID Connect provider interface.
2) Register your service with FranceConnect
You must register your service with FranceConnect.
In return you obtain a client_id and a client_secret, which look like this:
Identifiant client : 444d6d69052a4395d4cf470778c83afb086d39448e7d17fca5d1353fea0184b3
Clé secrète : 5a146d6223a40b5be4633d5f698ff8dfcd7cba0f0a9116da5753d0e3bdab60be
3) FranceConnect endpoints
The FranceConnect endpoints are described at https://partenaires.franceconnect.gouv.fr/fournisseur-service
Authorization
Token
UserInfo
Logout
4) FranceConnect supported scopes and claims
They are as follows:
Main scopes (identité pivot):
- openid *: the user's technical identifier (sub) in OpenID Connect format is returned
- gender: the person's sex is returned
- birthdate: the person's date of birth is returned
- birthcountry: the person's country of birth is returned
- birthplace: the person's city of birth is returned
- given_name: the person's first names are returned
- family_name: the person's birth name is returned
- email: the person's e-mail address is returned
"Alias scopes":
- identite_pivot: groups the scopes given_name, family_name, preferred_username, birthdate, gender, birthplace and birthcountry
- profile: groups the scopes given_name, family_name, preferred_username, birthdate and gender
- birth: groups the scopes birthplace and birthcountry. Lets you retrieve the person's city and department of birth.
5) Creating a dummy test user to test the FranceConnect IDP
FranceConnect lets you create a dummy test user to test the service.
The URL to create this dummy test user is:
A dummy user with username user1_test_fc/password has been created.
The following information was also provided:
First Name : user1
Last Name: user1
Email: user1@foo.com
6) Configuring FranceConnect as an OpenID Connect IDP for RH-SSO
Using FranceConnect as an OpenID Connect identity provider means that authentication is done with FranceConnect credentials.
To configure this in RH-SSO, the following was done:
1. Create a new realm test_franceconnect
2. Select Identity Providers and add one of type OpenID Connect
3. Fill in the following fields:
Display Name: France Connect
Authorization URL:
Token URL:
Logout URL:
Backchannel Logout:
First Login Flow: Direct Grant
User Info URL:
Client ID: <client-id>
Client Secret: <client-secret>
Issuer: https://fcp.integ01.dev-franceconnect.fr
Default Scopes: openid profile email
Prompt
Validate Signatures: OFF
Note that Validate Signatures is always OFF, as FranceConnect does not provide a JWKS for signature verification. With this setting RH-SSO accepts the ID token's claims without checking who signed them, so the integrity of the exchange rests on the TLS connection to the token endpoint and on the client secret.
7) RH-SSO Identity Provider Mappers
Select the Identity Provider "France Connect", then the "Mappers" tab.
The mapper feature lets RH-SSO display the attributes returned by FranceConnect for the scopes sent in the request.
Here the scopes profile and email were specified.
profile is in fact an alias for the following list: given_name, family_name, preferred_username, birthdate and gender.
So, with the specified scopes, the following attributes are available: given_name, family_name, preferred_username, birthdate, gender and email.
A mapper specifies which claim is exposed and under which name.
For example, the first-name attribute mapper is configured as follows:
Name: firstName_mapper
Mapper Type: attribute_mapper
Claim: given_name
User Attribute Name: First Name
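The two pieces above fit together: the scopes sent in the request (section 4) decide which claims FranceConnect returns, and a mapper (section 7) only produces a user attribute if its claim is among them. The following added example, which is not code from the article or from RH-SSO, encodes the article's scope table and checks a list of mappers against the configured Default Scopes, reporting mappers whose claim can never arrive. The mapper tuples and the preferred_username basic scope (listed on the page only inside the alias groups) are assumptions.

```python
# Added example (not from the article): expand FranceConnect scope aliases into the
# claims they deliver, then check that every RH-SSO attribute mapper points at a claim
# the requested scopes actually return. Scope/claim table taken from the article.

# Claims returned by each basic FranceConnect scope (from the article's list).
# preferred_username is assumed to be a basic scope: the page names it only inside aliases.
BASIC_SCOPES = {
    "openid": {"sub"},
    "gender": {"gender"},
    "birthdate": {"birthdate"},
    "birthcountry": {"birthcountry"},
    "birthplace": {"birthplace"},
    "given_name": {"given_name"},
    "family_name": {"family_name"},
    "preferred_username": {"preferred_username"},
    "email": {"email"},
}

# Alias scopes group several basic scopes (from the article).
ALIAS_SCOPES = {
    "identite_pivot": {"given_name", "family_name", "preferred_username",
                       "birthdate", "gender", "birthplace", "birthcountry"},
    "profile": {"given_name", "family_name", "preferred_username", "birthdate", "gender"},
    "birth": {"birthplace", "birthcountry"},
}


def expand_scopes(requested):
    """Return the set of claims a space-separated scope string will deliver.

    Aliases are expanded first; an unknown scope is an error rather than silently ignored,
    because a typo in Default Scopes would otherwise just yield empty user attributes.
    """
    claims = set()
    for scope in requested.split():
        for basic in ALIAS_SCOPES.get(scope, {scope}):
            if basic not in BASIC_SCOPES:
                raise ValueError(f"unknown FranceConnect scope: {scope}")
            claims |= BASIC_SCOPES[basic]
    return claims


def check_mappers(default_scopes, mappers):
    """mappers: list of (name, claim, user_attribute) tuples (hypothetical shape, one per
    entry of the IdP 'Mappers' tab). Returns the mappers whose claim will never be present
    with the given Default Scopes, so the attribute would stay empty after first login."""
    available = expand_scopes(default_scopes)
    return [m for m in mappers if m[1] not in available]


if __name__ == "__main__":
    # The article's configuration: Default Scopes "openid profile email" and a
    # firstName_mapper on given_name; a birthplace mapper is added to show a miss.
    configured = [
        ("firstName_mapper", "given_name", "First Name"),
        ("birthPlace_mapper", "birthplace", "Birth Place"),  # constructed extra mapper
    ]
    print("claims available:", sorted(expand_scopes("openid profile email")))
    print("mappers that will never fire:", check_mappers("openid profile email", configured))
```

Run it as a pre-flight check whenever Default Scopes or the mapper list changes; a mapper flagged here needs either its claim's scope (or an alias containing it, such as identite_pivot) added to Default Scopes, or to be removed.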
8) Test
Log in to
It redirects to the login page of the France Connect realm within RH-SSO.
When you first click on FranceConnect, it fails, indicating that a parameter is missing:
invalid params : mandatory params missing
This is because the URL forwarded to FranceConnect does not carry a nonce, which FranceConnect treats as a mandatory parameter.
It is possible to take exactly the same expanded URL, add a nonce such as nonce=1234, and paste it into a browser:
; response_type=code& client_id=444d6d69052a4395d4cf470778c83afb086d39448e7d17fca5d1353fea0184b3& redirect_uri=https%3A%2F%2Fsso-janua.app.itix.fr%2Fauth%2Frealms%2Ftest_france_connect%2Fbroker%2Ftest-rh-fc%2Fendpoint& prompt=consent& nonce=1234
With this URL you are presented with the FranceConnect login screen, where you can pick any provider from the list.
Just pick one of them and enter the dummy user credentials created earlier (user1_test_fc/password); you will then be connected to the RH-SSO user dashboard, which presents the user with:
First Name : user1
Last Name: user1
Email: user1@foo.com
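The nonce that FranceConnect insists on is not just a formality: a relying party is expected to generate a fresh random value per authorization request and then check that the returned ID token carries the same value, which ties the token to that request and defeats replay. A fixed nonce=1234 is fine for the manual test above but not for an integration. The following added example, not code from the article or from RH-SSO, builds the authorization request with a random state and nonce, reproduces the "mandatory params missing" situation as a local check, and validates the claims that remain checkable when Validate Signatures is OFF as in section 6 (issuer, audience, expiry and nonce). The authorization endpoint path, the required-parameter list, and the locally constructed ID token are assumptions; the client_id, redirect_uri and issuer are the article's integration values.

```python
# Added example (not from the article): OIDC authorization request with state and nonce
# for FranceConnect, plus the ID-token claim checks a relying party does on the way back.
# The signature is NOT verified here, mirroring the article's "Validate Signatures: OFF".
import base64
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://fcp.integ01.dev-franceconnect.fr"                       # from the article
AUTHORIZE_URL = ISSUER + "/AUTHORIZATION_ENDPOINT_PATH"  # placeholder: path not given on the page
CLIENT_ID = "444d6d69052a4395d4cf470778c83afb086d39448e7d17fca5d1353fea0184b3"
REDIRECT_URI = ("https://sso-janua.app.itix.fr/auth/realms/test_france_connect"
                "/broker/test-rh-fc/endpoint")
# Assumed required set: nonce is the one the article shows missing; the others are the
# standard code-flow parameters. state binds the callback to the browser session.
REQUIRED_PARAMS = ("response_type", "client_id", "redirect_uri", "scope", "state", "nonce")


def build_authorization_request(scope="openid profile email"):
    """Return (url, state, nonce); state and nonce are random and must be stored
    server-side so the callback and the ID token can be checked against them."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "prompt": "consent",
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZE_URL + "?" + urlencode(params), state, nonce


def missing_mandatory_params(url):
    """Local pre-flight for the article's 'invalid params : mandatory params missing'
    (constructed check against REQUIRED_PARAMS, not FranceConnect's own validation)."""
    query = parse_qs(urlparse(url).query)
    return [p for p in REQUIRED_PARAMS if p not in query]


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def check_id_token(id_token, expected_nonce, now=None):
    """Validate iss, aud, exp and nonce of an ID token and return its payload.

    These checks still apply when signature validation is off; without them a token
    minted for another client, an expired one, or one replayed from an earlier login
    would be accepted. Raises ValueError on any failure.
    """
    try:
        _header, payload_b64, _signature = id_token.split(".")
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:  # covers bad split, bad base64 and bad JSON
        raise ValueError("malformed id_token") from exc
    now = time.time() if now is None else now
    if payload.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = payload.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not issued for this client")
    if payload.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    if not expected_nonce or payload.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: possible replay or mixed-up response")
    return payload


def make_sample_id_token(claims):
    """Constructed token for local tests only: real JWT layout, dummy signature."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64url_encode(b'dummy-signature')}"


if __name__ == "__main__":
    url, state, nonce = build_authorization_request()
    print("missing with nonce:", missing_mandatory_params(url))
    print("missing without nonce:", missing_mandatory_params(url.replace("&nonce=" + nonce, "")))
    token = make_sample_id_token({"iss": ISSUER, "aud": CLIENT_ID, "exp": int(time.time()) + 300,
                                  "nonce": nonce, "sub": "user1_test_fc"})
    print("accepted sub:", check_id_token(token, nonce)["sub"])
```

In RH-SSO the broker performs these request and token steps itself; the example shows what is expected of the relying-party side so the missing-nonce failure and the role of the nonce are understood, and the same claim checks are what remain when signature validation is disabled.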