<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />
</head>
<body>
<div class="dokuwiki export">
<h1 class="sectionedit1" id="openid_connect_provider">OpenID Connect Provider</h1>
<div class="level1">
</div>
<!-- EDIT1 SECTION "OpenID Connect Provider" [1 - 39] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<div class="noteclassic">OpenID Connect is an identity layer built on REST, OAuth 2.0 and the JOSE (JWT/JWS/JWE/JWK) stack. It is described here: <a href="http://openid.net/connect/" class="urlextern" title="http://openid.net/connect/" rel="nofollow">http://openid.net/connect/</a>.
</div>
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> can act as an OpenID Connect Provider (OP). It answers OpenID Connect requests by asserting the user's identity (through the ID Token) and releasing user information (through the UserInfo endpoint).
</p>
<p>
As an OP, <abbr title="LemonLDAP::NG">LL::NG</abbr> supports many OpenID Connect features:
</p>
<ul>
<li class="level1"><div class="li">Authorization Code, Implicit and Hybrid flows</div>
</li>
<li class="level1"><div class="li">Publication of JSON metadata and JWKS data (Discovery)</div>
</li>
<li class="level1"><div class="li"><code>prompt</code>, <code>display</code>, <code>ui_locales</code>, <code>max_age</code> parameters</div>
</li>
<li class="level1"><div class="li">Extra claims definition</div>
</li>
<li class="level1"><div class="li">Authentication Context Class References (ACR)</div>
</li>
<li class="level1"><div class="li">Nonce</div>
</li>
<li class="level1"><div class="li">Dynamic registration</div>
</li>
<li class="level1"><div class="li">Access Token Hash (<code>at_hash</code>) generation</div>
</li>
<li class="level1"><div class="li">ID Token signature (HS256/HS384/HS512/RS256/RS384/RS512)</div>
</li>
<li class="level1"><div class="li">UserInfo endpoint, as JSON or as JWT</div>
</li>
<li class="level1"><div class="li">Request and Request <abbr title="Uniform Resource Identifier">URI</abbr></div>
</li>
<li class="level1"><div class="li">Session management</div>
</li>
</ul>
</div>
<!-- EDIT2 SECTION "Presentation" [40 - 922] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Configuration" [923 - 949] -->
<h3 class="sectionedit4" id="openid_connect_service">OpenID Connect Service</h3>
<div class="level3">
<p>
See the <a href="../../documentation/1.9/openidconnectservice.html" class="wikilink1" title="documentation:1.9:openidconnectservice">OpenID Connect service</a> configuration chapter.
</p>
</div>
<!-- EDIT4 SECTION "OpenID Connect Service" [950 - 1059] -->
<h3 class="sectionedit5" id="issuerdb">IssuerDB</h3>
<div class="level3">
<p>
Go to <code>General Parameters</code> » <code>Issuer modules</code> » <code>OpenID Connect</code> and configure:
</p>
<ul>
<li class="level1"><div class="li"><strong>Activation</strong>: set to <code>On</code>.</div>
</li>
<li class="level1"><div class="li"><strong>Path</strong>: keep <code>^/oauth2/</code> unless you need another path (in that case, adapt the Apache configuration accordingly).</div>
</li>
<li class="level1"><div class="li"><strong>Use rule</strong>: a rule that decides which users may use this module; set it to <code>1</code> to always allow.</div>
</li>
</ul>
<div class="notetip">
<p>
For example, to allow only users who authenticated with a strong authentication level:
</p>
<pre class="code">$authenticationLevel > 2</pre>
</div>
</div>
<!-- EDIT5 SECTION "IssuerDB" [1060 - 1545] -->
<h3 class="sectionedit6" id="configuration_of_llng_in_relying_party">Configuration of LL::NG in Relying Party</h3>
<div class="level3">
<p>
Each Relying Party has its own way of being configured. To ease client configuration, <abbr title="LemonLDAP::NG">LL::NG</abbr> publishes its OpenID Connect metadata (Discovery).
</p>
<p>
The metadata can be found at the standard “Well Known” <abbr title="Uniform Resource Locator">URL</abbr>: <a href="http://auth.example.com/.well-known/openid-configuration" class="urlextern" title="http://auth.example.com/.well-known/openid-configuration" rel="nofollow">http://auth.example.com/.well-known/openid-configuration</a>
</p>
<p>
Note that the example below uses plain <code>http://</code> URLs. OpenID Connect Discovery requires the <code>issuer</code> to be an <code>https</code> URL, and an RP compares the ID Token's <code>iss</code> claim against it byte for byte, so serve the portal over HTTPS in production and configure the RP with exactly the issuer value published here.
</p>
<p>
An example of its content:
</p>
<pre class="code file javascript">{
  "end_session_endpoint": "http://auth.example.com/oauth2/logout",
  "jwks_uri": "http://auth.example.com/oauth2/jwks",
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "token_endpoint": "http://auth.example.com/oauth2/token",
  "response_types_supported": [
    "code",
    "id_token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "userinfo_signing_alg_values_supported": [
    "none",
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512"
  ],
  "id_token_signing_alg_values_supported": [
    "none",
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512"
  ],
  "userinfo_endpoint": "http://auth.example.com/oauth2/userinfo",
  "request_uri_parameter_supported": "true",
  "acr_values_supported": [
    "loa-4",
    "loa-1",
    "loa-3",
    "loa-5",
    "loa-2"
  ],
  "request_parameter_supported": "true",
  "subject_types_supported": [
    "public"
  ],
  "issuer": "http://auth.example.com/",
  "grant_types_supported": [
    "authorization_code",
    "implicit",
    "hybrid"
  ],
  "authorization_endpoint": "http://auth.example.com/oauth2/authorize",
  "check_session_iframe": "http://auth.example.com/oauth2/checksession",
  "scopes_supported": [
    "openid",
    "profile",
    "email",
    "address",
    "phone"
  ],
  "require_request_uri_registration": "false",
  "registration_endpoint": "http://auth.example.com/oauth2/register"
}</pre>
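<p>
The following Python script is an added example; it is not part of this page nor of LemonLDAP::NG. It embeds a constructed copy of the discovery document above and runs the checks an RP should apply before trusting such a document: the issuer is pinned to the value the RP was configured with and must be <code>https</code>, the required fields are present, every endpoint lives on the issuer's host (a local policy, not a spec rule), RS256 is offered and <code>none</code> is flagged, and the three boolean fields that this document publishes as the strings <code>"true"</code>/<code>"false"</code> are reported as non-booleans. <code>check_discovery</code> and <code>hardened_copy</code> are names chosen for this example; the latter only constructs the passing case.
</p>

```python
import json
from urllib.parse import urlsplit

# Constructed copy of the discovery document shown above, embedded so the check runs
# offline; a real RP would GET <issuer>/.well-known/openid-configuration.
PAGE_DISCOVERY = json.loads("""{
  "issuer": "http://auth.example.com/",
  "authorization_endpoint": "http://auth.example.com/oauth2/authorize",
  "token_endpoint": "http://auth.example.com/oauth2/token",
  "userinfo_endpoint": "http://auth.example.com/oauth2/userinfo",
  "jwks_uri": "http://auth.example.com/oauth2/jwks",
  "end_session_endpoint": "http://auth.example.com/oauth2/logout",
  "check_session_iframe": "http://auth.example.com/oauth2/checksession",
  "registration_endpoint": "http://auth.example.com/oauth2/register",
  "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
  "response_types_supported": ["code", "id_token", "id_token token",
                               "code id_token", "code token", "code id_token token"],
  "grant_types_supported": ["authorization_code", "implicit", "hybrid"],
  "id_token_signing_alg_values_supported": ["none", "HS256", "HS384", "HS512",
                                            "RS256", "RS384", "RS512"],
  "userinfo_signing_alg_values_supported": ["none", "HS256", "HS384", "HS512",
                                            "RS256", "RS384", "RS512"],
  "subject_types_supported": ["public"],
  "scopes_supported": ["openid", "profile", "email", "address", "phone"],
  "acr_values_supported": ["loa-4", "loa-1", "loa-3", "loa-5", "loa-2"],
  "request_parameter_supported": "true",
  "request_uri_parameter_supported": "true",
  "require_request_uri_registration": "false"
}""")

# Fields Discovery 1.0 marks REQUIRED (jwks_uri is what lets the RP verify RS* signatures).
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri",
             "end_session_endpoint", "check_session_iframe", "registration_endpoint")
BOOLEANS = ("request_parameter_supported", "request_uri_parameter_supported",
            "require_request_uri_registration")


def check_discovery(doc, expected_issuer):
    """Return a list of findings; an empty list means the document passed.

    expected_issuer is the issuer configured in the RP: it is pinned here and the
    ID Token 'iss' claim must later equal it exactly.
    """
    findings = []
    for key in REQUIRED:
        if key not in doc:
            findings.append(f"missing required field {key}")
    issuer = doc.get("issuer")
    if issuer != expected_issuer:
        findings.append(f"issuer {issuer!r} != configured {expected_issuer!r}")
    parts = urlsplit(issuer or "")
    if parts.scheme != "https":
        findings.append("issuer is not https (Discovery 1.0 requires https)")
    if parts.query or parts.fragment:
        findings.append("issuer has a query or fragment component")
    # Policy check (not a spec rule): a tampered document pointing endpoints at another
    # host would redirect credentials and tokens there, so require the issuer's host.
    for key in ENDPOINTS:
        if key in doc and urlsplit(doc[key]).netloc != parts.netloc:
            findings.append(f"{key} is not on the issuer host")
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs:
        findings.append("RS256 not offered (Core requires OPs to support it)")
    if "none" in algs:
        findings.append("alg 'none' advertised: RP must reject unsigned ID Tokens")
    for key in BOOLEANS:
        if key in doc and not isinstance(doc[key], bool):
            findings.append(f"{key} is {doc[key]!r}, not a JSON boolean")
    return findings


def hardened_copy(doc):
    """Constructed https variant of the page's document, used only as the passing case."""
    fixed = json.loads(json.dumps(doc).replace("http://", "https://"))
    fixed["id_token_signing_alg_values_supported"] = ["RS256", "RS384", "RS512"]
    for key in BOOLEANS:
        fixed[key] = fixed[key] == "true"
    return fixed
```

<p>
Run against the document as published on this page, the check reports the non-https issuer, the advertised <code>none</code> algorithm and the three string-valued booleans; the hardened copy yields no findings. The string booleans matter in practice: a client library that tests <code>if doc["request_parameter_supported"]</code> treats the string <code>"false"</code> as true.
</p>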
</div>
<!-- EDIT6 SECTION "Configuration of LL::NG in Relying Party" [1546 - 3524] -->
<h3 class="sectionedit7" id="configuration_of_relying_party_in_llng">Configuration of Relying Party in LL::NG</h3>
<div class="level3">
<p>
Go to the Manager and click on <code>OpenID Connect Relying Parties</code>, then click on <code>Add OpenID Relying Party</code>. Give it a technical name (no spaces, no special characters), like “sample-rp”.
</p>
<p>
You can then access the configuration of this RP.
</p>
</div>
<h4 id="exported_attributes">Exported attributes</h4>
<div class="level4">
<p>
Here you map attribute names from the <abbr title="LemonLDAP::NG">LL::NG</abbr> session to OpenID Connect claims.
</p>
<div class="notetip">See <a href="http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims" class="urlextern" title="http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims" rel="nofollow">http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims</a> for the names of the standard claims.
</div>
<p>
So you can define, for example:
</p>
<ul>
<li class="level1"><div class="li">name ⇒ cn</div>
</li>
<li class="level1"><div class="li">family_name ⇒ sn</div>
</li>
<li class="level1"><div class="li">email ⇒ mail</div>
</li>
</ul>
<div class="noteimportant">The specific <code>sub</code> claim is not defined here but in the User attribute parameter (see below).
</div>
<p>
You can also define extra claims and link them to attributes (see below). Then you just have to define the mapping of these new attributes, for example:
</p>
<ul>
<li class="level1"><div class="li">birthplace ⇒ l</div>
</li>
<li class="level1"><div class="li">birthcountry ⇒ co</div>
</li>
</ul>
</div>
<h4 id="options">Options</h4>
<div class="level4">
<ul>
<li class="level1"><div class="li"><strong>Authentication</strong>:</div>
<ul>
<li class="level2"><div class="li"><strong>Client ID</strong>: Client ID for this RP</div>
</li>
<li class="level2"><div class="li"><strong>Client secret</strong>: Client secret for this RP (also used as the key for symmetric HS256/HS384/HS512 ID Token signatures, so it must be long, random and private to this RP)</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"><strong>Display</strong>:</div>
<ul>
<li class="level2"><div class="li"><strong>Display name</strong>: Name of the RP application</div>
</li>
<li class="level2"><div class="li"><strong>Logo</strong>: Logo of the RP application</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"><strong>User attribute</strong>: session field that will be used as the main identifier (<code>sub</code>)</div>
</li>
<li class="level1"><div class="li"><strong>ID Token signature algorithm</strong>: Select one of <code>none</code>, <code>HS256</code>, <code>HS384</code>, <code>HS512</code>, <code>RS256</code>, <code>RS384</code>, <code>RS512</code>. <code>none</code> produces unsigned ID Tokens that the RP cannot verify; prefer an RS* algorithm, which lets the RP check the signature against the published JWKS without sharing a secret.</div>
</li>
<li class="level1"><div class="li"><strong>ID Token expiration</strong>: Expiration time of ID Tokens</div>
</li>
<li class="level1"><div class="li"><strong>Access token expiration</strong>: Expiration time of Access Tokens</div>
</li>
<li class="level1"><div class="li"><strong>Redirection addresses</strong>: Space-separated list of redirect addresses allowed for this RP. OpenID Connect requires the <code>redirect_uri</code> of an authorization request to match one of these entries exactly (simple string comparison), so list complete URLs rather than prefixes.</div>
</li>
<li class="level1"><div class="li"><strong>Extra claims</strong>: Associate a scope with the extra claims it releases when the RP requests that scope, for example <code>birth</code> ⇒ <code>birthplace birthcountry</code></div>
</li>
</ul>
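<p>
The following Python example is added here and is not LL::NG code (LL::NG itself is written in Perl). It walks through the Exported attributes and Options above with constructed data: claims resolved through the claim ⇒ session-field mapping and the <code>birth</code> extra-claims scope, an HS256 ID Token keyed with the client secret and carrying <code>at_hash</code>, and the checks an RP must perform on that token (algorithm pinning, signature, <code>iss</code>, <code>aud</code>, <code>exp</code>, <code>nonce</code>, <code>at_hash</code>). <code>SESSION</code>, <code>EXPORTED_ATTRIBUTES</code>, <code>STANDARD_CLAIMS</code>, <code>rejection_reason</code> and the secret value are assumptions made for the example; the standard-scope table is a subset of the specification's.
</p>

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data (not LL::NG's own structures): one LL::NG session and the
# RP settings described above. The secret is a placeholder; a real one is long and random.
SESSION = {"uid": "dwho", "cn": "Doctor Who", "sn": "Who", "mail": "dwho@example.com",
           "l": "Gallifrey", "co": "Kasterborous"}
USER_ATTRIBUTE = "uid"                                            # becomes 'sub'
EXPORTED_ATTRIBUTES = {"name": "cn", "family_name": "sn", "email": "mail",
                       "birthplace": "l", "birthcountry": "co"}   # claim => session field
EXTRA_CLAIMS = {"birth": ["birthplace", "birthcountry"]}          # scope => claims
STANDARD_CLAIMS = {"profile": ["name", "family_name"], "email": ["email"]}  # spec subset
ISSUER = "https://auth.example.com/"
CLIENT_ID = "sample-rp"
CLIENT_SECRET = "replace-with-a-long-random-secret"


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def at_hash(access_token):
    """at_hash for a SHA-256 based alg: base64url of the left half of SHA-256(access_token)."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url(digest[:16])


def userinfo(session, scopes):
    """OP side: claims released for the requested scopes, resolved through the mapping."""
    claims = {"sub": session[USER_ATTRIBUTE]}
    for scope in scopes:
        for claim in STANDARD_CLAIMS.get(scope, []) + EXTRA_CLAIMS.get(scope, []):
            field = EXPORTED_ATTRIBUTES.get(claim)
            if field in session:
                claims[claim] = session[field]
    return claims


def issue_id_token(session, access_token, nonce, now, lifetime=3600):
    """OP side: mint an HS256 ID Token keyed with the client secret."""
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {"iss": ISSUER, "aud": CLIENT_ID, "sub": session[USER_ATTRIBUTE],
               "iat": now, "exp": now + lifetime, "nonce": nonce,
               "at_hash": at_hash(access_token)}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    sig = hmac.new(CLIENT_SECRET.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_id_token(token, access_token, expected_nonce, now):
    """RP side: ID Token validation (OIDC Core 3.1.3.7) for a symmetric token.

    Returns the payload, or raises ValueError naming the first failed check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm the RP registered for; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(CLIENT_SECRET.encode(), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p64))
    if payload.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = payload.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not issued to this client")
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise ValueError("token expired")
    if payload.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    # Binds the access token to this ID Token (token substitution defence in implicit/hybrid).
    if payload.get("at_hash") != at_hash(access_token):
        raise ValueError("at_hash mismatch")
    return payload


def rejection_reason(token, access_token, nonce, now):
    """The failed check's message, or None when the token verifies."""
    try:
        verify_id_token(token, access_token, nonce, now)
    except ValueError as exc:
        return str(exc)
    return None
```

<p>
The verifier rejects a token whose header was rewritten to <code>alg: none</code>, a token presented with a different access token (the <code>at_hash</code> check), a replayed token (the <code>nonce</code> check) and an expired one, in that order; <code>userinfo</code> only releases <code>birthplace</code> and <code>birthcountry</code> when the <code>birth</code> scope is requested, matching the Extra claims option above.
</p>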
</div>
</div> <!-- closes <div class="dokuwiki export"> -->