Go in Manager and click on OpenID Connect Service
node.
Set the issuer identifier, which should be the portal URL.
For example: http://auth.example.com
Name of different OpenID Connect endpoints. You can keep the default values unless you have a specific need to change them.
You can associate here an authentication context to an authentication level.
It is recommended to use a separate sessions storage for OpenID Connect sessions, else they will stored in the main sessions storage.
OpenID Connect specification let the possibility to rotate keys to improve security. LL::NG provide a script to do this, that should be put in a cronjob.
The script is /usr/share/lemonldap-ng/bin/rotateOidcKeys
. It can be run for example each week:
5 5 * * 6 www-data /usr/share/lemonldap-ng/bin/rotateOidcKeys
LL::NG implements the change notification as defined here: http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification
A changed
state will be sent if the user is disconnected from LL::NG portal (or has destroyed its SSO cookie). Else the unchanged
state will be returned.
httpOnly
option should be set to 0
).