RP Clients
RP Clients (Relying Party Clients) represent applications that trust Identity Broker as their OAuth2 / OpenID Connect or SAML 2.0 Identity Provider.
Every application that authenticates users through Identity Broker must be registered as an RP Client. This screen allows administrators to create, manage, rotate secrets, and monitor client usage.
RP Clients Overview

The RP Clients page provides:
- A searchable list of registered clients
- Client identifiers and redirect URIs
- Protocol configuration (OAuth2/OIDC, SAML)
- Security settings (OBO, Secret Management)
- Quick actions for lifecycle management
RP Client Configuration
Click Create Client or Edit an existing client to configure its settings.
1. General Settings
- Client Name: Human-friendly name of the application.
- Client ID: Unique identifier used during authentication flows.
- Client Secret: Used by confidential clients to authenticate with Identity Broker.
2. OAuth 2.0 / OIDC Settings
- Redirect URIs: Allowed callback URLs for authorization responses.
- Grant Types: Select allowed grants (Authorization Code, Refresh Token, Implicit, Client Credentials).
- On-Behalf-Of (OBO) Delegation:
  - Enable OBO: If checked, this client is allowed to perform token exchanges (RFC 8693) for downstream services.
  - Require Scope Downscoping: Ensures delegated tokens have equal or fewer permissions than the original user token.
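As an added example (not Identity Broker's own code), the following Python sketches both sides of an OBO exchange: the RFC 8693 form parameters a middle-tier client sends to the token endpoint, and the broker-side check that the Enable OBO and Require Scope Downscoping settings imply. The RPClient record shape, the error strings, and the sample scopes, token and audience are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# RFC 8693 registered identifiers for the token-exchange grant and token type.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


@dataclass
class RPClient:
    """Hypothetical shape of an RP Client record; only the OBO fields matter here."""
    client_id: str
    obo_enabled: bool
    require_downscoping: bool


class TokenExchangeError(Exception):
    """Carries the OAuth error code the broker would return to the client."""


def parse_scope(scope: str | None) -> set[str]:
    # OAuth scope is a space-separated list; None or "" means nothing was requested.
    return set(scope.split()) if scope else set()


def build_token_exchange_request(subject_token: str, scope: str, audience: str) -> dict[str, str]:
    """Form body a confidential middle-tier client (e.g. an API gateway) POSTs to the token endpoint."""
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "scope": scope,
        "audience": audience,
    }


def delegated_scope(client: RPClient, subject_scope: str, requested_scope: str | None) -> str:
    """Broker-side check: returns the scope the delegated token may carry, or raises."""
    if not client.obo_enabled:
        raise TokenExchangeError("unauthorized_client: OBO is not enabled for this client")
    subject = parse_scope(subject_scope)
    requested = parse_scope(requested_scope) or set(subject)  # default: inherit the user's scope
    escalated = requested - subject
    if escalated and client.require_downscoping:
        raise TokenExchangeError("invalid_scope: exceeds subject token: " + " ".join(sorted(escalated)))
    return " ".join(sorted(requested))


if __name__ == "__main__":
    gateway = RPClient("api-gateway", obo_enabled=True, require_downscoping=True)  # constructed
    req = build_token_exchange_request("<user access token>", "orders:read", "https://orders.example.internal")
    print(delegated_scope(gateway, "openid orders:read orders:write", req["scope"]))  # orders:read
```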
3. SAML 2.0 Settings
Identity Broker can act as a SAML 2.0 IdP for this client.
- SAML SP Entity ID: The unique identifier of the Service Provider.
- SAML ACS URL: The Assertion Consumer Service URL where SAML assertions are sent.
- NameID Format: Choose between Persistent, Email Address, or Transient.
- SAML Signature Algorithm: Choose the algorithm used to sign assertions (e.g., RSA-SHA256).
- SP Metadata: Download or upload SP metadata files for easy configuration.
Token & Session Lifetimes
Configure how long issued tokens and user sessions remain valid:
- Authorization Code Lifetime: Expiration for short-lived authorization codes.
- Access Token Lifetime: Duration for which an access token is valid (seconds).
- Refresh Token Lifetime: Maximum duration for a refresh token (seconds).
- Session Timeout: Inactivity timeout for the user's browser session.
Client Actions
View & Rotate Secret
- View Secret: Displays the current client secret.
- Rotate Secret: Generates a new secret and invalidates the old one immediately.
Protocol Metadata
- OIDC Discovery: Link to the .well-known/openid-configuration endpoint.
- SAML IdP Metadata: Download the IdP metadata XML for this specific client.
Best Practices
- Register one RP Client per application.
- Always use HTTPS redirect URIs in production.
- Enable OBO only for confidential middle-tier services (e.g., API Gateways).
- Rotate secrets regularly and monitor Last Used to detect abandoned integrations.
- For SAML integrations, prefer Persistent NameID to ensure user identity remains consistent even if their email changes.