Authentication | Users | Password |
---|---|---|
✔ | ✔ |
LL::NG can act as an OpenID Connect Relying Party (RP) towards multiple OpenID Connect Providers (OP). It gets the user identity through an ID Token, and fetches user attributes through the UserInfo endpoint.
As an RP, LL::NG supports a lot of OpenID Connect features:
You can use this authentication module to link your LL::NG server to any OpenID Connect Provider. Here are some examples, with their specific documentation:
See OpenIDConnect service configuration chapter.
In General Parameters > Authentication modules, set:
In Manager, go in: General Parameters > Advanced Parameters > Security > Content Security Policy > Form destination
Then in General Parameters > Authentication modules > OpenID Connect parameters, you can set:
To register LL::NG, you will need to give some information such as the application name or logo. One mandatory piece of information is the redirect URL (one or many).
To find this information, take the portal URL and the Callback GET parameter, for example:
After registration, the OP must give you a client ID and a client secret, that will be used to configure the OP in LL::NG.
In the Manager, select the node OpenID Connect Providers and click on Add OpenID Connect Provider. Give a technical name (no spaces, no special characters), like “sample-op”.
You can then access the configuration of this OP.
The OP should publish its metadata in a JSON file (see for example Google metadata). Copy the content of this file into the textarea.
If no metadata is available, you need to write it in the textarea. Mandatory fields are:
You can also define:
Example template:
```json
{
  "issuer": "https://auth.example.com/",
  "authorization_endpoint": "https://auth.example.com/oauth2/authorize",
  "token_endpoint": "https://auth.example.com/oauth2/token",
  "userinfo_endpoint": "https://auth.example.com/oauth2/userinfo",
  "end_session_endpoint": "https://auth.example.com/oauth2/logout"
}
```
JWKS is a JSON file containing public keys. LL::NG can fetch them automatically if jwks_uri is defined in the metadata. Otherwise, paste the content of the JSON file in the textarea.
Define here the mapping between the LL::NG session content and the fields provided in the UserInfo response. The fields are defined in the OpenID Connect standard, and depend on the scope requested by LL::NG (see options in the next chapter).
Claim name | Type | Example of corresponding LDAP attribute |
---|---|---|
sub | string | uid |
name | string | cn |
given_name | string | givenName |
family_name | string | sn |
middle_name | string | |
nickname | string | |
preferred_username | string | displayName |
profile | string | labeledURI |
picture | string | |
website | string | |
email | string | |
email_verified | boolean | |
gender | string | |
birthdate | string | |
zoneinfo | string | |
locale | string | preferredLanguage |
phone_number | string | telephoneNumber |
phone_number_verified | boolean | |
updated_at | string | |
formatted | string | registeredAddress |
street_address | string | street |
locality | string | l |
region | string | st |
postal_code | string | postalCode |
country | string | co |
So you can define for example:
The openid scope is mandatory.
Client authentication at the token endpoint: client_secret_post and client_secret_basic.
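An added example in Python (not LL::NG code) that exercises the two pieces of configuration above: it checks a hand-written OP metadata block like the template, compares an ID Token issuer against the configured one with the exact string match the standard requires (so the trailing slash in the template matters), and applies the claim-to-attribute mapping from the table to a UserInfo response. The UserInfo document and the assumption that the address members arrive nested under the standard "address" claim are constructed for this example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample input: the OP metadata template shown above, and a
# constructed UserInfo response of the kind LL::NG fetches after login.
OP_METADATA = json.loads('''{ "issuer": "https://auth.example.com/",
  "authorization_endpoint": "https://auth.example.com/oauth2/authorize",
  "token_endpoint": "https://auth.example.com/oauth2/token",
  "userinfo_endpoint": "https://auth.example.com/oauth2/userinfo",
  "end_session_endpoint": "https://auth.example.com/oauth2/logout" }''')
USERINFO = {
    "sub": "jdoe", "name": "John Doe", "given_name": "John", "family_name": "Doe",
    "email": "jdoe@example.com", "email_verified": True, "locale": "fr-FR",
    "phone_number": "+33123456789", "picture": "https://auth.example.com/jdoe.png",
    "address": {"formatted": "1 rue Exemple, 75001 Paris", "street_address": "1 rue Exemple",
                "locality": "Paris", "postal_code": "75001", "country": "FR"},
}

ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")
# Session attribute names come from the table above; the address members are
# nested under the standard "address" claim in a real UserInfo response.
CLAIM_MAP = {"sub": "uid", "name": "cn", "given_name": "givenName",
             "family_name": "sn", "preferred_username": "displayName",
             "profile": "labeledURI", "locale": "preferredLanguage",
             "phone_number": "telephoneNumber"}
ADDRESS_MAP = {"formatted": "registeredAddress", "street_address": "street",
               "locality": "l", "region": "st", "postal_code": "postalCode",
               "country": "co"}

def check_op_metadata(md):
    """Return a list of problems found in a hand-written metadata block."""
    problems = [f"missing {k}" for k in ("issuer",) + ENDPOINTS if k not in md]
    for key in ("issuer",) + ENDPOINTS + ("end_session_endpoint", "jwks_uri"):
        url = md.get(key)
        if url is not None and urlsplit(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    return problems

def issuer_matches(id_token_iss, md):
    """Exact string comparison, no normalisation: a missing trailing slash fails."""
    return id_token_iss == md["issuer"]

def map_userinfo(userinfo):
    """Build session attributes from a UserInfo response; unmapped claims are dropped."""
    session = {dst: userinfo[src] for src, dst in CLAIM_MAP.items() if src in userinfo}
    address = userinfo.get("address") or {}
    session.update({dst: address[src] for src, dst in ADDRESS_MAP.items() if src in address})
    return session
```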