Integration via OAuth 2.0

If your identity management system does not support OpenID Connect, the integration is possible via OAuth 2.0.

[Figure: ovc_oauth_overview.png, overview of the OAuth 2.0 integration]

The integration based on OAuth 2.0 is very similar to the integration based on OpenID Connect. This is a natural consequence of the fact that OAuth 2.0 is the foundation of the OpenID Connect standard.

The interactions between NVIDIA and your identity management system follow the authorization code grant flow specified in section 4.1 of RFC 6749.

Authorization Endpoint

The authorization endpoint of your identity management system must conform to the operations specified in sections 4.1.1 and 4.1.2 of RFC 6749.

Support for the state parameter is required.

OAuth 2.0 does not define any canonical way to indicate that the user should be prompted to re-authenticate, nor to pass hints about the user's identity. To fill these gaps, it is desirable that your identity management system supports the login_hint parameter and the prompt=login option specified in section 3.1.2.1 of OpenID Connect Core 1.0.

Token Endpoint

The token endpoint of your identity management system must conform to the operations specified in sections 4.1.3 and 4.1.4 of RFC 6749.

Support for client authentication using the Basic authentication scheme (preferred) or including the credentials in the request body is required. Refer to 2.3.1 of RFC 6749 for the corresponding definitions.

Access to the token endpoint cannot be restricted on a per-client source IP address basis. The NVIDIA identity federation system runs on AWS and uses dynamic IP addresses to call the token endpoint.

User Info Endpoint

Your identity management system must support an endpoint that returns information about the user in exchange for an access token. The endpoint must accept an access token presented with the Bearer authentication scheme specified in RFC 6750 and must return the user information as a JSON body.

The response body should include at least the following data:

User info                           Description
Subject identifier                  REQUIRED – Unique identifier assigned by your identity management system to the user
Username                            REQUIRED – Short name that identifies the account used to log in
Email address                       REQUIRED – Email address of the user
Email address verification status   RECOMMENDED – Whether the email address has been verified
Full name                           RECOMMENDED – Full name of the user

Note

NVIDIA can accommodate the use of any set of attribute names to identify the above data. If possible, alignment with the names of the corresponding standard OpenID Connect claims is recommended.

Access to the user info endpoint cannot be restricted on a per-client source IP address basis. The NVIDIA identity federation system runs on AWS and uses dynamic IP addresses to call the user info endpoint.
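The three exchanges described above, worked through as an added example that is not NVIDIA's code nor that of any identity provider: building the authorization request with the required state plus the login_hint and prompt=login hints, validating the callback, authenticating to the token endpoint with HTTP Basic, presenting the access token with the Bearer scheme, and mapping a provider-specific user info body onto the recommended OpenID Connect claim names. The endpoint URLs, client credentials and attribute names are constructed assumptions.

```python
import base64, json, secrets
from urllib.parse import quote, urlencode

# Constructed values for this example; a real integration uses your own endpoints and credentials.
AUTHZ_URL = "https://idp.example.com/authorize"
CLIENT_ID, CLIENT_SECRET = "client1", "secret1"
REDIRECT_URI = "https://federation.example.net/callback"
# Assumed provider-specific attribute names, keyed by the standard OIDC claim they carry.
ATTRIBUTE_MAP = {"sub": "userId", "preferred_username": "login", "email": "mail",
                 "email_verified": "mailVerified", "name": "displayName"}
REQUIRED_CLAIMS = ("sub", "preferred_username", "email")

def build_authorization_request(login_hint=None, force_login=False):
    """RFC 6749 4.1.1 request; state is mandatory, login_hint and prompt=login are OIDC Core 3.1.2.1 hints."""
    state = secrets.token_urlsafe(32)  # unguessable; the caller binds it to the user's session
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "state": state}
    if login_hint:
        params["login_hint"] = login_hint
    if force_login:
        params["prompt"] = "login"
    return state, AUTHZ_URL + "?" + urlencode(params)

def check_callback(expected_state, params):
    """RFC 6749 4.1.2 response: accept the code only when state matches the stored value."""
    if not secrets.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state mismatch: callback not bound to this session")
    return params["code"]

def build_token_request(code):
    """RFC 6749 4.1.3 request; client authentication via HTTP Basic as in RFC 6749 2.3.1."""
    creds = quote(CLIENT_ID, safe="") + ":" + quote(CLIENT_SECRET, safe="")
    headers = {"Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})
    return headers, body

def build_userinfo_request(access_token):
    """User info call: the access token is presented with the RFC 6750 Bearer scheme."""
    return {"Authorization": "Bearer " + access_token, "Accept": "application/json"}

def normalize_userinfo(body):
    """Map the provider's JSON body onto standard claim names; reject it if a REQUIRED field is absent."""
    data = json.loads(body)
    user = {claim: data[attr] for claim, attr in ATTRIBUTE_MAP.items() if attr in data}
    if any(claim not in user for claim in REQUIRED_CLAIMS):
        raise ValueError("user info response lacks a required attribute")
    return user
```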

Transport Layer Security

All the endpoints exposed by your identity management system must require the use of TLS and present a server certificate that chains to a certification authority recognized by all major web browsers (Chrome, Safari, Firefox). Use of self-signed certificates is not acceptable in any phase of the integration. The domain names used for the endpoints must be owned by your company.

Client Credentials

The client credentials are the same as those specified in the Integration via OpenID Connect > Client Credentials section.

Email Domains

The Email domains are the same as those specified in the Integration via OpenID Connect > Email Domains section.

Support for User Groups

The user group guidelines are the same as those specified in the Integration via OpenID Connect > Support for User Groups section. The option to return the list of groups in the identity token is not applicable because there is no identity token with OAuth 2.0.

Information to Be Provided to NVIDIA

The following table specifies the information that NVIDIA needs to set up the integration.

Info                                                            Comments
Full URL of the authorization endpoint                          Typically exposed at path /authorize.
Full URL of the token endpoint                                  Typically exposed at path /token.
Full URL of the user info endpoint and sample request/response  There is no standard definition of the user info endpoint in OAuth 2.0. The sample request/response is intended to help NVIDIA understand the usage supported by your identity management system.
Client credentials that NVIDIA can use for the integration      Refer to the Client Credentials section for more details.
List of email domains in use at your company                    Refer to the Email Domains section for more details.
Description of how NVIDIA can obtain user group memberships     Only if groups are used. Refer to the Support for User Groups section for more details.
Test account that NVIDIA can use to verify the integration      If possible, please provide the username and password of one test account.