Advanced Identity Cloud as a Temenos identity provider

Estimated time to complete: 30 minutes.

This use case shows how Temenos can use Advanced Identity Cloud as an OpenID Provider (OP) to authenticate end users. Specifically, you set up Advanced Identity Cloud as an OAuth 2.0 identity service in Temenos Quantum Fabric.

Advanced Identity Cloud supports OAuth 2.0 and OpenID Connect (OIDC) natively, making it a good choice for integrating with Temenos and other standards-based applications.

Goals

After completing this use case, you’ll know how to do the following:

Configure Advanced Identity Cloud as an OIDC identity provider
Configure Temenos to use PingOne AIC as an OIDC identity provider

What you’ll do

Create an OIDC application for Temenos.
Configure a Temenos identity service to connect as the application to Advanced Identity Cloud.

Before you begin

Before you start, make sure you have:

A basic understanding of:
- The Advanced Identity Cloud admin console and Advanced Identity Cloud end-user UI
- OAuth 2.0
- OIDC
Completed the Create test users and roles use case
Access to your test Advanced Identity Cloud environment as an administrator
Access to a Temenos development environment as an administrator

Tasks

This use case requires the use of third-party services. Use your environment-specific details where necessary.

Task 1: Configure Advanced Identity Cloud as an OpenID Provider

Sign on to the Advanced Identity Cloud admin console as an administrator.
Go to apps Applications > add Custom Application > OIDC - OpenId Connect > Web.
On the Application Details page, add a web application with the following configuration and click Next:

Field Value

Name

temenos_oidc

Description

Temenos OIDC

Owners

App Owner
On the Web Settings page, add the following configuration, and then click Create Application:

Field Value

Client ID

temenos_oidc

Client Secret

Enter a password for the client. Remember the password because you need it to configure Temenos.

The Temenos OIDC client page opens.

Field	Value
Name	`temenos_oidc`
Description	`Temenos OIDC`
Owners	`App Owner`

Field	Value
Client ID	`temenos_oidc`
Client Secret	Enter a password for the client. Remember the password because you need it to configure Temenos.

On the Temenos OIDC client page, click the Sign On tab, add the following configuration and click Save:

Field Value

Field	Value
Sign-in URLs	`https://<accountID>.auth.konycloud.com/OAuth2/Callback` where <accountID> is the Temenos account ID.
Grant Types	`Authorization Code`
Scopes	`openid`, `profile`, `email`, `phone`

Sign-in URLs

https://<accountID>.auth.konycloud.com/OAuth2/Callback where <accountID> is the Temenos account ID.

Grant Types

Authorization Code

Scopes

openid, profile, email, phone

(Optional) Require Advanced Identity Cloud to ask for consent to share information during authorization flows.

Go to General Settings, click Show advanced settings, and select Authentication.

Clear Implied Consent.

Task 2: Add Advanced Identity Cloud as an OAuth 2.0 identity service in Temenos

These instructions include steps for a third-party product. We’ve verified them to the best of our ability, but third-party functionality and interfaces may change. Read the official Temenos documentation if you notice any differences.

Sign on to the Temenos development environment as an administrator.

Go to the Quantum Fabric identity service designer page, create a new identity service with the following configuration, and click Save:

Field Value

Field	Value
Name	`Advanced Identity Cloud`
Type of Identity	`OAuth 2.0`
Provider Details > Grant Type	`Authorization Code`
Provider Details > Authorize endpoint	`https://<tenant-env-fqdn>/am/oauth2/alpha/authorize`
Provider Details > Token endpoint	`https://<tenant-env-fqdn>/am/oauth2/alpha/access_token`
Provider Details > Scope	`openid`, `profile`, `email`, `phone`
Client Details > Client Assertion Type	`Basic authentication`
Client Details > Client ID	`temenos_oidc`
Client Details > Client Secret	The password for the `temenos_oidc` client you created in the previous task.
User Profile Endpoint Details > Profile Endpoint Type	`Profile in response of URL`
User Profile Endpoint Details > URL	`https://<tenant-env-fqdn>/am/oauth2/alpha/userinfo`
User Attribute Selectors > Federation ID	`_id`

Name

Advanced Identity Cloud

Type of Identity

OAuth 2.0

Provider Details > Grant Type

Authorization Code

Provider Details > Authorize endpoint

https://<tenant-env-fqdn>/am/oauth2/alpha/authorize

Provider Details > Token endpoint

https://<tenant-env-fqdn>/am/oauth2/alpha/access_token

Provider Details > Scope

openid, profile, email, phone

Client Details > Client Assertion Type

Basic authentication

Client Details > Client ID

temenos_oidc

Client Details > Client Secret

The password for the temenos_oidc client you created in the previous task.

User Profile Endpoint Details > Profile Endpoint Type

Profile in response of URL

User Profile Endpoint Details > URL

https://<tenant-env-fqdn>/am/oauth2/alpha/userinfo

User Attribute Selectors > Federation ID

_id

Use the Test Login feature to test the identity service.

Sign on as an Advanced Identity Cloud test user you created in the Create test users and roles use case.
When the service works as expected, publish the Fabric application.

Reference material

Find background information for the procedures in this use case in the following documentation:

Learn how to connect any OIDC relying party to PingOne AIC in Register a custom OIDC application.
Learn how to configure a Quantum Fabric OAuth 2.0 Identity Service in Temenos Quantum Fabric OAuth 2.0 Identity Service.

PingOne Advanced Identity Cloud