Typos & Doc
parent
9550230dd4
commit
f66fcc9ee8
|
@ -256,6 +256,4 @@ Options
|
||||||
with ``verify_hostname => 0`` and ``SSL_verify_mode => 0``.
|
with ``verify_hostname => 0`` and ``SSL_verify_mode => 0``.
|
||||||
|
|
||||||
|
|
||||||
Go to:
|
Go to: ``General Parameters > Advanced Parameters > Security > SSL options for server requests``
|
||||||
|
|
||||||
``General Parameters > Advanced Parameters > Security > SSL options for server requests``
|
|
|
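Review bot: merging the two lines into ``Go to: ``General Parameters > Advanced Parameters > Security > SSL options for server requests```` is an improvement, but the unchanged context just above it, ``with ``verify_hostname => 0`` and ``SSL_verify_mode => 0``.``, describes switching off certificate and hostname verification for server-side requests without saying what that costs. Since this paragraph is being edited anyway, add a short ``.. warning::`` stating that these two settings disable TLS server authentication (any certificate, including a forged one, is accepted) and should be limited to test setups.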
@ -162,7 +162,7 @@ Exported attributes
|
||||||
|
|
||||||
.. warning::
|
.. warning::
|
||||||
|
|
||||||
By default, only `standard OpenID Connect claims <http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims>`__ are visible to applications. If you want to add non-standard attributes, you must create a new scope in the *Scope values content* section and make your application request it
|
By default, only `standard OpenID Connect claims <http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims>`__ are exposed to applications. If you want to add non-standard attributes, you must create a new scope in the *Scope values content* section and make your application request it.
|
||||||
|
|
||||||
For each OpenID Connect attribute you want to release to applications, you can define:
|
For each OpenID Connect attribute you want to release to applications, you can define:
|
||||||
|
|
||||||
|
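Review bot: ``exposed`` on the new line and ``release to applications`` two lines below describe the same thing with two different verbs; pick one (``released`` matches the bullet list that follows) so readers do not wonder whether exposure and release differ. The added full stop at the end of the sentence is correct.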
@ -281,8 +281,8 @@ Options
|
||||||
sharing consent screen (consent will be accepted by default).
|
sharing consent screen (consent will be accepted by default).
|
||||||
Bypassing the consent is **not** compliant with OpenID Connect
|
Bypassing the consent is **not** compliant with OpenID Connect
|
||||||
standard.
|
standard.
|
||||||
- **User attribute**: session field that will be used as main
|
- **User attribute**: Session field that will be used as main
|
||||||
identifier (``sub``)
|
identifier (``sub``). Default value is ``whatToTrace``.
|
||||||
- **Force claims to be returned in ID Token**: This options will
|
- **Force claims to be returned in ID Token**: This options will
|
||||||
make user attributes from the requested scope appear as ID Token
|
make user attributes from the requested scope appear as ID Token
|
||||||
claims.
|
claims.
|
||||||
|
|
|
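Review bot: the typo on the unchanged line ``- **Force claims to be returned in ID Token**: This options will`` (should read ``This option will``) is still present on the new side; since the commit is a typo fix, fold it in. The added ``Default value is ``whatToTrace``.`` is useful; consider also stating that whatever session field is chosen must be unique and stable per user, because relying parties key their accounts on ``sub`` and changing the field later silently turns existing users into new accounts on the client side.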
@ -35,13 +35,12 @@ values unless you have a specific need to change them.
|
||||||
Authentication context
|
Authentication context
|
||||||
~~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
You can associate here an authentication context to an authentication
|
You can associate here an authentication context to an authentication level.
|
||||||
level.
|
|
||||||
|
|
||||||
Security
|
Security
|
||||||
~~~~~~~~
|
~~~~~~~~
|
||||||
|
|
||||||
- **Keys** : define public/private key pair to do asymmetric signature. A JWKS
|
- **Keys**: Define public/private key pair to do asymmetric signature. A JWKS
|
||||||
``kid`` (Key ID) is automatically derived when generating new keys.
|
``kid`` (Key ID) is automatically derived when generating new keys.
|
||||||
- **Dynamic Registration**: Set to 1 to allow clients to register
|
- **Dynamic Registration**: Set to 1 to allow clients to register
|
||||||
themselves. This may be a security risk as this will create a new
|
themselves. This may be a security risk as this will create a new
|
||||||
|
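Review bot: ``- **Dynamic Registration**: Set to 1 to allow clients to register`` is left unchanged, yet it is the one bullet in this Security section with a real risk attached, and the sentence stops at ``this will create a new``; while the section is being cleaned up, name the consequence plainly (anyone able to reach the registration endpoint, shown below as ``/oauth2/register``, can create a relying party without an administrator) and say that the option should stay disabled unless that endpoint is otherwise protected. ``Set to 1`` also sits oddly next to the other bullets, which describe UI choices; ``Enable`` would match.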
@ -93,9 +92,8 @@ is registered through the ``/oauth2/register`` endpoint:
|
||||||
Key rotation script
|
Key rotation script
|
||||||
-------------------
|
-------------------
|
||||||
|
|
||||||
OpenID Connect specification let the possibility to rotate keys to
|
OpenID Connect specifications allow to rotate keys to improve security.
|
||||||
improve security. LL::NG provide a script to do this, that should be put
|
LL::NG provides a script to do this, that should be used in a cronjob.
|
||||||
in a cronjob.
|
|
||||||
|
|
||||||
The script is ``/usr/share/lemonldap-ng/bin/rotateOidcKeys``. It can be
|
The script is ``/usr/share/lemonldap-ng/bin/rotateOidcKeys``. It can be
|
||||||
run for example each week:
|
run for example each week:
|
||||||
|
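Review bot: ``OpenID Connect specifications allow to rotate keys to improve security.`` is still ungrammatical; use ``The OpenID Connect specification allows keys to be rotated``, and ``that should be used in a cronjob`` reads better as ``which should be run from a cronjob``. On substance, the section says nothing about tokens signed with the previous key: if the old key disappears from the JWKS endpoint at rotation, ID tokens issued just before it fail validation at relying parties that refresh their key set, so document whether the script keeps the previous key published for a grace period, or why a weekly rotation is safe given the token lifetimes.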
@ -107,7 +105,7 @@ run for example each week:
|
||||||
|
|
||||||
.. tip::
|
.. tip::
|
||||||
|
|
||||||
Set the correct Apache user, else generated configuration will
|
Set the correct Web server user, else generated configuration will
|
||||||
not be readable by LL::NG.
|
not be readable by LL::NG.
|
||||||
|
|
||||||
Session management
|
Session management
|
||||||
|
|
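Review bot: ``Set the correct Web server user`` is the right generalisation from ``Apache``, but the tip still does not say how to do it; since the script runs from cron, state the mechanism (install the cron entry in that user's crontab, or run the script with ``sudo -u <webserver-user>``), otherwise readers end up with a configuration owned by the wrong user that, as the next line says, LL::NG cannot read.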