Test your external IDP

Generally, to test an external identity provider that you configured in the identity broker, you must log in to the OneWelcome Identity Provider console and select the tenant you are working on:

• Production-EU
• Production-US

For testing purposes, you can use OAuth tools as a test portal.

Set up the identity broker in Access

If an identity provider of the type identity broker exists, you can skip this step.

1. In the top-right of the OneWelcome Identity Platform console, select Applications > Access admin.

   

2. On the Access admin console, go to Configuration > Identity providers.

3. Click Add identity provider.

   

4. In the Type list, select Identity Broker.

5. Enter an Identifier and Name.

6. Select the Enabled check box, but leave the Default check box unchecked.

7. Click Save.

Set up a web client in Access

If you already set up a web client for testing, you can skip this step.

1. On the Access admin console, go to Configuration > Web clients.

   

2. Click Add Web client.

   

3. Enter a Name.

4. In the Credentials section, for the Client ID, click Generate and copy the value.

5. For the Authentication method, select Client secret (basic authentication).

6. For the Client secret, click Generate and copy the value.

7. In the OAuth settings section, for the Grant types, select Authorization code.

8. Enter this Redirect URL: https://oauth.tools/callback/code.

9. In the Scopes section, for the Default Scopes, select openid.

   

10. In the User registration section, for the Identity provider select the identity broker that you created.

11. In the User experience section, select the Skip Consent page check box.

12. Click Save, and then click Save again.

Set up your OAuth tools workspace

You can skip this step if you already set up a workspace in OAuth tools.

1. Go to OAuth tools.

2. Click New Workspace.

   

3. Enter a name and click Create Workspace.

   

4. On the Endpoints tab, enter this Metadata URL: https://<tenant-domain>/oauth/.well-known/openid-configuration, and click Discover.

   

   This fills all the required fields.

5. On the Clients tab, add a client.

   

6. Paste the Client ID and Client Secret that you generated when you set up a web client on the Access admin console.

7. Toggle the Code switch.

8. Close the Clients screen.

Add a flow in OAuth tools

1. On the OAuth tools page, next to Find flow, click the plus (+) sign.

   

2. In the Web and Mobile Flows section, click Code Flow.

   

3. In the Settings section, under Start with client ID, select the Client ID that you added.

   

4. Toggle the Use PKCE switch.

5. In the OpenID settings, set the acr value.

   To find the ACR value, go to the Identity Broker on the OneWelcome Identity Platform. On the Identity providers page, select the menu for the identity provider that you are testing, and then select View details. In the Variants section, copy the ACR value.

   

6. Click the big green Run button.

   If it's successful, you are redirected to the external IDP that you're testing.

   After you authenticate at the external IDP, you return to OAuth tools.

7. Click the Redeem code button. To make this easier next time, you can toggle the Auto-redeem code switch.

   If everything works, you receive an Access token (Token 1) and an ID token (Token 2).

   When you click Show decoded JWT for the ID token, you see all the attributes that were received from the external IDP.