worteks
/
lemonldap-ng
mirror of https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
3
0
Fork 0
Code Issues Projects Releases Wiki Activity
LemonLDAP::NG Web SSO
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11325 Commits
107 Branches
123 Tags
109 MiB
 
 
 
 
 
Tag: Branch: Tree: da2ca7fdea
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'da2ca7fdea'
${ noResults }
lemonldap-ng/doc/sources/admin/authopenidconnect.rst

248 lines
7.3 KiB
Raw Blame History

OpenID Connect
==============
============== ===== ========
Authentication Users Password
============== ===== ========
✔ ✔
============== ===== ========
Presentation
------------
.. note::
OpenID Connect is a protocol based on REST, OAuth 2.0 and JOSE
stacks. It is described here: http://openid.net/connect/.
LL::NG can act as an OpenID Connect Relying Party (RP) towards multiple
OpenID Connect Providers (OP). It will get the user identity through an
ID Token, and grab user attributes through UserInfo endpoint.
As an RP, LL::NG supports a lot of OpenID Connect features:
- Authorization Code flow
- Automatic download of JWKS
- JWT signature verification
- Access Token Hash verification
- ID Token validation
- Get UserInfo as JSON or as JWT
- Logout on EndSession end point
You can use this authentication module to link your LL::NG server to any
OpenID Connect Provider. Here are some examples, witch their specific
documentation:
.. toctree::
:hidden:
authopenidconnect_google
authopenidconnect_franceconnect
=============== ==================
Google France Connect
=============== ==================
|google| |franceconnect|
=============== ==================
.. |google| image:: applications/google_logo.png
:target: authopenidconnect_google.html
.. |franceconnect| image:: applications/franceconnect_logo.png
:target: authopenidconnect_franceconnect.html
.. attention::
OpenID-Connect specification is not finished for logout
propagation. So logout initiated by relaying-party will be forward to
OpenID-Connect provider but logout initiated by the provider (or another
RP) will not be propagated. LLNG will implement this when spec will be
published.
Configuration
-------------
OpenID Connect Service
~~~~~~~~~~~~~~~~~~~~~~
See :doc:`OpenIDConnect service<openidconnectservice>` configuration
chapter.
Authentication and UserDB
~~~~~~~~~~~~~~~~~~~~~~~~~
In ``General Parameters`` > ``Authentication modules``, set:
- **Authentication module**: OpenID Connect
- **Users module**: OpenID Connect
.. tip::
As passwords will not be managed by LL::NG, you can disable
:ref:`menu password module<portalmenu-menu-modules>`.
.. attention::
Browser implementations of formAction directive are
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
does). Administrators may have to modify formAction value with wildcard
likes \*.
In Manager, go in :
``General Parameters`` > ``Advanced Parameters`` > ``Security`` >
``Content Security Policy`` > ``Form destination``
Then in ``General Parameters`` > ``Authentication modules`` >
``OpenID Connect parameters``, you can set:
- **Authentication level**: level of authentication to associate to
this module
- **Callback GET parameter**: name of GET parameter used to intercept
callback (default: openidconnectcallback)
- **State session timeout**: duration of a state session (used to keep
state information between authentication request and authentication
response) in seconds (default: 600)
Register LL::NG to an OpenID Connect Provider
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To register LL::NG, you will need to give some information like
application name or logo.
You will be asked to provide a *Redirect URI* for LemonLDAP::NG, which is constructed by appending the ``openidcallback=1`` parameter to the Portal URL.
For example:
- https://auth.example.com/?openidcallback=1
.. attention::
If you use the :doc:`choice backend<authchoice>`,
you need to set SameSite cookie value to "Lax" or "None".
See :doc:`SSO cookie parameters<ssocookie>`
After registration, the OP must give you a client ID and a client
secret, that will be used to configure the OP in LL::NG.
Declare the OpenID Connect Provider in LL::NG
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In the Manager, select node ``OpenID Connect Providers`` and click on
``Add OpenID Connect Provider``. Give a technical name (no spaces, no
special characters), like "sample-op";
You can then access to the configuration of this OP.
Metadata
^^^^^^^^
The OP should publish its metadata in a JSON file (see for example
`Google
metadata <https://accounts.google.com/.well-known/openid-configuration>`__).
Copy the content of this file in the textarea.
Portal discovery document can be found here:
https://#portal#/.well-known/openid-configuration
If no metadata is available, you need to write them in the textarea.
Mandatory fields are:
- issuer
- authorization_endpoint
- token_endpoint
- userinfo_endpoint
You can also define:
- jwks_uri
- endsession_endpoint
Example template:
.. code-block:: javascript
{
"issuer": "https://auth.example.com/",
"authorization_endpoint": "https://auth.example.com/oauth2/authorize",
"token_endpoint": "https://auth.example.com/oauth2/token",
"userinfo_endpoint": "https://auth.example.com/oauth2/userinfo",
"end_session_endpoint":"https://auth.example.com/oauth2/logout"
}
JWKS data
^^^^^^^^^
JWKS is a JSON file containing public keys. LL::NG can grab them
automatically if jwks_uri is defined in metadata. Else you can paste the
content of the JSON file in the textarea.
.. tip::
If the OpenID Connect provider only uses symmetric encryption,
JWKS data is not useful.
Exported attributes
^^^^^^^^^^^^^^^^^^^
Define here the mapping between the LL::NG session content and the
fields provided in UserInfo response. The fields are defined in `OpenID
Connect
standard <http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims>`__,
and depends on the scope requested by LL::NG (see options in next
chapter).
.. include:: openidconnectclaims.rst
So you can define for example:
- cn => name
- sn => family_name
- mail => email
- uid => sub
Options
^^^^^^^
- **Configuration**:
- **Configuration endpoint**: URL of OP configuration endpoint
- **JWKS data timeout**: After this time, LL::NG will do a request
to get a fresh version of JWKS data. Set to 0 to disable it.
- **Client ID**: Client ID given by OP
- **Client secret**: Client secret given by OP
- **Store ID token**: Allows one to store the ID token (JWT) inside
user session. Do not enable it unless you need to replay this token
on an application, or if you need the id_token_hint parameter when
using logout.
- **Protocol**:
- **Scope**: Value of scope parameter (example: openid profile). The
``openid`` scope is mandatory.
- **Display**: Value of display parameter (example: page)
- **Prompt**: Value of prompt parameter (example: consent)
- **Max age**: Value of max_age parameter (example: 3600)
- **UI locales**: Value of ui_locales parameter (example: en-GB en
fr-FR fr)
- **ACR values**: Value acr_values parameters (example: loa-1)
- **Token endpoint authentication method**: Choice between
``client_secret_post`` and ``client_secret_basic``
- **Check JWT signature**: Set to 0 to disable JWT signature
checking
- **ID Token max age**: If defined, LL::NG will check the date of ID
token and refuse it if it is too old
- **Use Nonce**: If enabled, a nonce will be sent, and verified from
the ID Token
- **Display**:
- **Display name**: Name of the application
- **Logo**: Logo of the application
- **Order**: Number to sort buttons