Onboarding OpenID Connect

Prerequisites

To enable OpenID Connect API authentication support, provide the following information to Qualys Support:

  • IdP Name: The name of the Identity Provider (IdP) being configured. Any custom name can be used. Example: TestNameforIDP Qualys Internal
    This parameter is optional for onboarding with OIDC.
  • Entity ID: The unique identifier for the customer’s IdP. Typically, this is a URN or URL that serves as the IdP’s primary identifier during OIDC communications. Example: https://example.com/idp
    This parameter is mandatory for setting up password-less authentication using OIDC.
  • Certificates/JWKS URL: Public signing certificates are required to verify the authenticity of SAML responses. The certificate must be in X.509 format (usually in .pem or .cer files). Up to 5 certificates can be provided. When you provide multiple certificates, specify which certificates are to be used for the OIDC configuration.

    We use the JWKS URL to retrieve the certificate and KID pair. These details are necessary to set up OIDC for your subscription.
  • Audience and Issuer Values or JWT Token: The audience and issuer values are required to set up IdP-initiated password-less API authentication. You can either provide these values to us directly or share the JWT token. We can use the JWT token to fetch the audience and issuer values and then use them to configure certificates for password-less authentication.
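
To provide the audience and issuer values directly, they can be read from a token's payload, and the KID from its header. The following is an added example, not Qualys code: the function names and the sample token are constructed for illustration, and the script only decodes the token without verifying its signature.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_segment(obj: dict) -> str:
    # Helper used only to build the constructed sample token below.
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def onboarding_values(token: str) -> dict:
    """Return issuer, audience(s), KID and alg from a JWT. No signature check."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError(f"segment is not base64url-encoded JSON: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("header and payload must be JSON objects")
    if "iss" not in claims or "aud" not in claims:
        raise ValueError("token is missing the iss or aud claim")
    aud = claims["aud"]
    # RFC 7519 allows aud to be a single string or an array of strings.
    audiences = [aud] if isinstance(aud, str) else list(aud)
    return {"issuer": claims["iss"], "audiences": audiences,
            "kid": header.get("kid"), "alg": header.get("alg")}


# Constructed sample token (placeholder signature), not issued by a real IdP.
SAMPLE_TOKEN = ".".join([
    encode_segment({"alg": "RS256", "kid": "sample-key-1", "typ": "JWT"}),
    encode_segment({"iss": "https://example.com/idp",
                    "aud": "sample-audience", "sub": "api-client"}),
    "c2lnbmF0dXJl",
])

if __name__ == "__main__":
    print(json.dumps(onboarding_values(SAMPLE_TOKEN), indent=2))
```

The KID printed here should match a key published at the JWKS URL supplied for onboarding.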

Onboarding Steps

To start using OpenID Connect API authentication, the following onboarding process must be completed:

  1. Contact Qualys Support to request OpenID Connect API authentication activation for your subscription.
  2. Qualys Support requests the necessary technical information to enable OIDC. See the Prerequisites for details.
  3. Once we receive the required technical information, we will enable OpenID Connect API authentication support.

Authentication Workflow using OIDC

Once OIDC authentication is activated for your account, you can use password-less authentication for the Qualys API through an Identity Provider (IdP). The basic authentication workflow with OIDC is as follows.

  1. Use the Authentication API to generate the JSON Web Token (JWT Token) for API access.
  2. Use this JWT token in the API requests. Qualys verifies whether the correct JWT token is provided.
  3. Upon successful verification, you are allowed to access the Qualys APIs.