In the Manager, click on the OpenID Connect Service node.
Set the issuer identifier, which should be the portal URL, for example: http://auth.example.com
Names of the different OpenID Connect endpoints. You can keep the default values unless you have a specific need to change them.
Here you can associate an authentication context with an authentication level.
It is recommended to use a separate sessions storage for OpenID Connect sessions; otherwise they will be stored in the main sessions storage.
If dynamic registration is enabled, you can configure the following options to define attributes and extra claims when a new relying party is registered through the /oauth2/register endpoint:
The OpenID Connect specification allows keys to be rotated to improve security. LL::NG provides a script to do this, which should be run from a cronjob.
The script is /usr/share/lemonldap-ng/bin/rotateOidcKeys. It can be run, for example, each week:
5 5 * * 6 www-data /usr/share/lemonldap-ng/bin/rotateOidcKeys
LL::NG implements the change notification as defined here: http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification
A "changed" state will be sent if the user is disconnected from the LL::NG portal (or has destroyed their SSO cookie). Otherwise the "unchanged" state will be returned.
(The httpOnly option should be set to 0.)