OpenID Connect

Authentification	Utilisateurs	Mot-de-passe
✔	✔

Présentation

OpenID Connect is a protocol based on REST, OAuth 2.0 and JOSE stacks. It is described here: http://openid.net/connect/.

LL::NG can act as an OpenID Connect Relying Party (RP) towards multiple OpenID Connect Providers (OP). It will get the user identity trough an ID Token, and grab user attributes trough UserInfo endpoint.

As an RP, LL::NG supports a lot of OpenID Connect features:

Authorization Code flow
Automatic download of JWKS
JWT signature verification
Access Token Hash verification
ID Token validation
Get UserInfo as JSON or as JWT
Logout on EndSession end point

You can use this authentication module to link your LL::NG server to any OpenID Connect Provider. Here are some examples, witch their specific documentation:

Google	France Connect

Configuration

OpenID Connect Service

See OpenIDConnect service configuration chapter.

Authentification et base d'utilisateurs

Dans Paramètres généraux > Modules d'authentification, choisir :

Authentication module: OpenID Connect
Users module: OpenID Connect

Comme les mots-de-passe ne sernt pas gérés par LL::NG, il est possile de désactiver le module mots-de-passe du menu.

Then in General Parameters > Authentication modules > OpenID Connect parameters, you can set:

Authentication level: level of authentication to associate to this module
Callback GET parameter: name of GET parameter used to intercept callback (default: openidconnectcallback)
State session timeout: duration of a state session (used to keep state information between autentication request and authentication response) in seconds (default: 600)

Register LL::NG to an OpenID Connect Provider

To register LL::NG, you will need to give some information like application name or logo. One of mandatory information is the redirect URL (one or many).

To know this information, just take the portal URL and the Callback GET parameter, for example:

If you use the choice backend, you need to add the choice parameter in redirect URL

After registration, the OP must give you a client ID and a client secret, that will be used to configure the OP in LL::NG.

Declare the OpenID Connect Provider in LL::NG

In the Manager, select node OpenID Connect Providers and click on Add OpenID Connect Provider. Give a technical name (no spaces, no special characters), like “sample-op”;

You can then access to the configuration of this OP.

Métadata

The OP should publish its metadata in a JSON file (see for example Google metadata). Copy the content of this file in the textarea.

If no metadata is available, you need to write them in the textarea. Mandatory fields are:

issuer
authorization_endpoint
token_endpoint
userinfo_endpoint

You can also define:

jwks_uri
endsession_endpoint

Example template:

{
  "issuer": "https://auth.example.com/",
  "authorization_endpoint": "https://auth.example.com/oauth2/authorize",
  "token_endpoint": "https://auth.example.com/oauth2/token",
  "userinfo_endpoint": "https://auth.example.com/oauth2/userinfo",
  "end_session_endpoint":"https://auth.example.com/oauth2/logout"
}

JWKS data

JWKS is a JSON file containing public keys. LL::NG can grab them automatically if jwks_uri is defined in metadata. Else you can paste the content of the JSON file in the textarea.

If the OpenID Connect provider only uses symmetric encryption, JWKS data is not useful.

Attributs exportés

Define here the mapping between the LL::NG session content and the fields provided in UserInfo response. The fields are defined in OpenID Connect standard, and depends on the scope requested by LL::NG (see options in next chapter).

Claim name	Type	Example of corresponding LDAP attribute
sub	chaîne	uid
nom	chaîne	cn
given_name	chaîne	givenName
family_name	chaîne	sn
middle_name	chaîne
nickname	chaîne
preferred_username	chaîne	displayName
profile	chaîne	labeledURI
picture	chaîne
website	chaîne
email	chaîne	mail
email_verified	boolean
gender	chaîne
birthdate	chaîne
zoneinfo	chaîne
locale	chaîne	preferredLanguage
phone_number	chaîne	telephoneNumber
phone_number_verified	boolean
updated_at	chaîne
formatted	chaîne	registeredAddress
street_address	chaîne	street
locality	chaîne	l
region	chaîne	st
postal_code	chaîne	postalCode
country	chaîne	co

So you can define for example:

cn ⇒ name
sn ⇒ family_name
mail ⇒ email
uid ⇒ sub

Options

Configuration:
- Configuration endpoint: URL of OP configuration endpoint
- JWKS data timeout: After this time, LL::NG will do a request to get a fresh version of JWKS data. Set to 0 to disable it.
- Client ID: Client ID given by OP
- Client secret: Client secret given by OP
Protocol:
- Scope: Value of scope parameter (example: openid profile). The openid scope is mandatory.
- Display: Value of display parameter (example: page)
- Prompt: Value of prompt parameter (example: consent)
- Max age: Value of max_age parameter (example: 3600)
- UI locales: Value of ui_locales parameter (example: en-GB en fr-FR fr)
- ACR values: Value acr_values parameters (example: loa-1)
- Token endpoint authentication method: Choice between client_secret_post and client_secret_basic
- Check JWT signature: Set to 0 to disable JWT signature checking
- ID Token max age: If defined, LL::NG will check the date of ID token and refuse it if it is too old
- Use Nonce: If enabled, a nonce will be sent, and verified from the ID Token
Affichage :
- Display name: Name of the application
- Logo: Logo of the application