Authorized Stanford users can register and manage OIDC clients via SPDB by clicking on "Manage OpenID RP configurations".
Before Registration
Stanford mailing list address
To register an OIDC relying party with SPDB, it is recommended that the user either use a Google Group mailing address or a Stanford mailing list address in the format @lists.stanford.edu. For Mailman, please visit Stanford Mailman tools. For Google Groups, please visit Google group and workgroup integration.
Stanford workgroup
When registering you will need to have a non-personal workgroup that will be associated with the OIDC relying party. If you are not sure or do not have a workgroup, please visit Stanford Workgroup or consult UIT.
Client Registration
OpenID Connect
Stanford's OpenID Connect (OIDC) endpoint:
- Issuer: https://login.stanford.edu
- Discovery: https://login.stanford.edu/.well-known/openid-configuration
Relevant endpoints
- Authorization: https://login.stanford.edu/idp/profile/oidc/authorize
- Token: https://login.stanford.edu/idp/profile/oidc/token
- User Info: https://login.stanford.edu/idp/profile/oidc/userinfo
- Logout: https://login.stanford.edu/idp/profile/oidc/end-session
- JSON Web Key Set (JWKS): https://login.stanford.edu/idp/profile/oidc/keyset
Scopes
- Please configure your client to request only the scope(s) it requires.
- Do not assume users will consent to all claims.
Common scopes:
- openid: provides an immutable identifier of the authenticated user
- email: provides the user's uid@stanford.edu (or eduPersonPrincipalName)
- profile: includes the given name, family name and display name of the authenticated user
- edupersonentitlement: only needed if you intend to use workgroup release
For details on the scopes, please see scopes and claims.
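As an added example (not code from SPDB or Stanford), the following builds an authorization request against the authorization endpoint listed above, requesting only the openid and email scopes, and verifies the state parameter on the callback. The client id and redirect URI are hypothetical placeholders; real values come from the SPDB registration.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Stanford OIDC issuer and authorization endpoint as listed on this page.
ISSUER = "https://login.stanford.edu"
AUTHORIZE_ENDPOINT = ISSUER + "/idp/profile/oidc/authorize"

# Hypothetical client values; obtain the real ones from your SPDB registration.
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.edu/callback"


def pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method (RFC 7636)."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorization_url(scopes, state, nonce, code_challenge):
    """Build the authorization-code request, asking only for the scopes needed."""
    if "openid" not in scopes:
        raise ValueError("OIDC requires the 'openid' scope")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,            # binds the callback to this browser session
        "nonce": nonce,            # must later match the nonce claim in the ID token
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def check_callback(callback_url, expected_state):
    """Reject callbacks whose state does not match; return the authorization code."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale session")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorization_url(["openid", "email"], state, nonce, challenge))
```

The code returned by check_callback is then exchanged at the token endpoint together with the code_verifier, and the ID token's nonce claim is compared against the stored nonce.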
Client-id and secrets
- Once the relying party has been successfully created, the user can proceed to create the client secret.
- The secret will expire after one year. An RP with an expired secret will not work.