dani/lemonldap-ng
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
0d47bd9d20
lemonldap-ng/doc/pages/documentation/1.9/authopenidconnect.html
Clément Oudot 1b3063f271 Move documentation from 2.0 to 1.9
2015-12-18 09:46:34 +00:00

286 lines
12 KiB
HTML
Raw Blame History

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />
</head>
<body>
<div class="dokuwiki export">
<h1 class="sectionedit1" id="openid_connect">OpenID Connect</h1>
<div class="level1">
<div class="table sectionedit2"><table class="inline">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Authentication </th><th class="col1 centeralign"> Users </th><th class="col2 centeralign"> Password </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"></td><td class="col1 centeralign"></td><td class="col2"> </td>
</tr>
</table></div>
<!-- EDIT2 TABLE [31-94] -->
</div>
<!-- EDIT1 SECTION "OpenID Connect" [1-95] -->
<h2 class="sectionedit3" id="presentation">Presentation</h2>
<div class="level2">
<p>
<p><div class="noteclassic">OpenID Connect is a protocol based on REST, OAuth 2.0 and JOSE stacks. It is described here: <a href="http://openid.net/connect/" class="urlextern" title="http://openid.net/connect/" rel="nofollow">http://openid.net/connect/</a>.
</div></p>
</p>
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> can act as an OpenID Connect Relying Party (RP) towards multiple OpenID Connect Providers (OP). It will get the user identity trough an ID Token, and grab user attributes trough UserInfo endpoint.
</p>
<p>
As an RP, <abbr title="LemonLDAP::NG">LL::NG</abbr> supports a lot of OpenID Connect features:
</p>
<ul>
<li class="level1"><div class="li"> Authorization Code flow</div>
</li>
<li class="level1"><div class="li"> Automatic download of JWKS</div>
</li>
<li class="level1"><div class="li"> JWT signature verification</div>
</li>
<li class="level1"><div class="li"> Access Token Hash verification</div>
</li>
<li class="level1"><div class="li"> ID Token validation</div>
</li>
<li class="level1"><div class="li"> Get UserInfo as JSON or as JWT</div>
</li>
<li class="level1"><div class="li"> Logout on EndSession end point</div>
</li>
</ul>
</div>
<!-- EDIT3 SECTION "Presentation" [96-745] -->
<h2 class="sectionedit4" id="configuration">Configuration</h2>
<div class="level2">
</div>
<!-- EDIT4 SECTION "Configuration" [746-772] -->
<h3 class="sectionedit5" id="openid_connect_service">OpenID Connect Service</h3>
<div class="level3">
<p>
See <a href="../../documentation/1.9/openidconnectservice.html" class="wikilink1" title="documentation:1.9:openidconnectservice">OpenIDConnect service</a> configuration chapter.
</p>
</div>
<!-- EDIT5 SECTION "OpenID Connect Service" [773-881] -->
<h3 class="sectionedit6" id="authentication_and_userdb">Authentication and UserDB</h3>
<div class="level3">
<p>
In <code>General Parameters</code> &gt; <code>Authentication modules</code>, set:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Authentication module</strong>: OpenID Connect</div>
</li>
<li class="level1"><div class="li"> <strong>Users module</strong>: OpenID Connect</div>
</li>
</ul>
<p>
<p><div class="notetip">As passwords will not be managed by <abbr title="LemonLDAP::NG">LL::NG</abbr>, you can disable <a href="../../documentation/1.9/portalmenu.html#menu_modules" class="wikilink1" title="documentation:1.9:portalmenu">menu password module</a>.
</div></p>
</p>
<p>
Then in <code>General Parameters</code> &gt; <code>Authentication modules</code> &gt; <code>OpenID Connect parameters</code>, you can set:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Authentication level</strong>: level of authentication to associate to this module</div>
</li>
<li class="level1"><div class="li"> <strong>Callback GET parameter</strong>: name of GET parameter used to intercept callback (default: openidconnectcallback)</div>
</li>
<li class="level1"><div class="li"> <strong>State session timeout</strong>: duration of a state session (used to keep state information between autentication request and authentication response) in seconds (default: 600)</div>
</li>
</ul>
</div>
<!-- EDIT6 SECTION "Authentication and UserDB" [882-1672] -->
<h3 class="sectionedit7" id="register_llng_to_an_openid_connect_provider">Register LL::NG to an OpenID Connect Provider</h3>
<div class="level3">
<p>
To register <abbr title="LemonLDAP::NG">LL::NG</abbr>, you will need to give some information like application name or logo. One of mandatory information is the redirect <abbr title="Uniform Resource Locator">URL</abbr> (one or many).
</p>
<p>
To know this information, just take the portal <abbr title="Uniform Resource Locator">URL</abbr> and the Callback GET parameter, for example:
</p>
<ul>
<li class="level1"><div class="li"> <a href="http://auth.example.com/?openidcallback=1" class="urlextern" title="http://auth.example.com/?openidcallback=1" rel="nofollow">http://auth.example.com/?openidcallback=1</a></div>
</li>
<li class="level1"><div class="li"> <a href="http://auth.example.com/index.pl?openidcallback=1" class="urlextern" title="http://auth.example.com/index.pl?openidcallback=1" rel="nofollow">http://auth.example.com/index.pl?openidcallback=1</a></div>
</li>
<li class="level1"><div class="li"> <a href="http://auth.example.com/?lmAuth=oidc&amp;openidcallback=1" class="urlextern" title="http://auth.example.com/?lmAuth=oidc&amp;openidcallback=1" rel="nofollow">http://auth.example.com/?lmAuth=oidc&amp;openidcallback=1</a></div>
</li>
</ul>
<p>
<p><div class="noteimportant">If you use the <a href="../../documentation/1.9/authchoice.html" class="wikilink1" title="documentation:1.9:authchoice">choice backend</a>, you need to add the choice parameter in redirect <abbr title="Uniform Resource Locator">URL</abbr>
</div></p>
</p>
<p>
After registration, the OP must give you a client ID and a client secret, that will be used to configure the OP in <abbr title="LemonLDAP::NG">LL::NG</abbr>.
</p>
</div>
<!-- EDIT7 SECTION "Register LL::NG to an OpenID Connect Provider" [1673-2387] -->
<h3 class="sectionedit8" id="declare_the_openid_connect_provider_in_llng">Declare the OpenID Connect Provider in LL::NG</h3>
<div class="level3">
<p>
In the Manager, select node <code>OpenID Connect Providers</code> and click on <code>Add OpenID Connect Provider</code>. Give a technical name (no spaces, no special characters), like “sample-op”;
</p>
<p>
You can then access to the configuration of this OP.
</p>
</div>
<h4 id="metadata">Metadata</h4>
<div class="level4">
<p>
The OP should publish its metadata in a JSON file (see for example <a href="https://accounts.google.com/.well-known/openid-configuration[Google metadata" class="urlextern" title="https://accounts.google.com/.well-known/openid-configuration[Google metadata" rel="nofollow">https://accounts.google.com/.well-known/openid-configuration[Google metadata</a>). Copy the content of this file in the textarea.
</p>
<p>
If no metadata is available, you need to write them in the textarea. Mandatory fields are:
</p>
<ul>
<li class="level1"><div class="li"> issuer</div>
</li>
<li class="level1"><div class="li"> authorization_endpoint</div>
</li>
<li class="level1"><div class="li"> token_endpoint</div>
</li>
<li class="level1"><div class="li"> userinfo_endpoint</div>
</li>
</ul>
<p>
You can also define:
</p>
<ul>
<li class="level1"><div class="li"> jwks_uri</div>
</li>
<li class="level1"><div class="li"> endsession_endpoint</div>
</li>
</ul>
</div>
<h4 id="jwks_data">JWKS data</h4>
<div class="level4">
<p>
JWKS is a JSON file containing public keys. <abbr title="LemonLDAP::NG">LL::NG</abbr> can grab them automatically if jwks_uri is defined in metadata. Else you can paste the content of the JSON file in the textarea.
</p>
<p>
<p><div class="notetip">If the OpenID Connect provider only uses symmetric encryption, JWKS data is not useful.
</div></p>
</p>
</div>
<h4 id="exported_attributes">Exported attributes</h4>
<div class="level4">
<p>
Define here the mapping between the <abbr title="LemonLDAP::NG">LL::NG</abbr> session content and the fields provided in UserInfo response. The fields are defined in OpenID Connect standards, and depends on the scope requested by <abbr title="LemonLDAP::NG">LL::NG</abbr> (see options in next chapter).
</p>
<p>
<p><div class="notetip">See <a href="http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims" class="urlextern" title="http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims" rel="nofollow">http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims</a> to know the names of standards claims.
</div></p>
</p>
<p>
So you can define for example:
</p>
<ul>
<li class="level1"><div class="li"> cn ⇒ name</div>
</li>
<li class="level1"><div class="li"> sn ⇒ family_name</div>
</li>
<li class="level1"><div class="li"> mail ⇒ email</div>
</li>
<li class="level1"><div class="li"> uid ⇒ sub</div>
</li>
</ul>
</div>
<h4 id="options">Options</h4>
<div class="level4">
<ul>
<li class="level1"><div class="li"> <strong>Configuration</strong>:</div>
<ul>
<li class="level2"><div class="li"> <strong>Configuration endpoint</strong>: <abbr title="Uniform Resource Locator">URL</abbr> of OP configuration endpoint</div>
</li>
<li class="level2"><div class="li"> <strong>JWKS data timeout</strong>: After this time, <abbr title="LemonLDAP::NG">LL::NG</abbr> will do a request to get a fresh version of JWKS data. Set to 0 to disable it.</div>
</li>
<li class="level2"><div class="li"> <strong>Client ID</strong>: Client ID given by OP</div>
</li>
<li class="level2"><div class="li"> <strong>Client secret</strong>: Client secret given by OP</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> <strong>Protocol</strong>:</div>
<ul>
<li class="level2"><div class="li"> <strong>Scope</strong>: Value of scope parameter (example: openid profile). The <code>openid</code> scope is mandatory.</div>
</li>
<li class="level2"><div class="li"> <strong>Display</strong>: Value of display parameter (example: page)</div>
</li>
<li class="level2"><div class="li"> <strong>Prompt</strong>: Value of prompt parameter (example: consent)</div>
</li>
<li class="level2"><div class="li"> <strong>Max age</strong>: Value of max_age parameter (example: 3600)</div>
</li>
<li class="level2"><div class="li"> <strong>UI locales</strong>: Value of ui_locales parameter (example: en-<abbr title="Gigabyte">GB</abbr> en fr-FR fr)</div>
</li>
<li class="level2"><div class="li"> <strong>ACR values</strong>: Value acr_values parameters (example: loa-1)</div>
</li>
<li class="level2"><div class="li"> <strong>Token endpoint authentication method</strong>: Choice between <code>client_secret_post</code> and <code>client_secret_basic</code></div>
</li>
<li class="level2"><div class="li"> <strong>Check JWT signature</strong>: Set to 0 to disable JWT signature checking</div>
</li>
<li class="level2"><div class="li"> <strong>ID Token max age</strong>: If defined, <abbr title="LemonLDAP::NG">LL::NG</abbr> will check the date of ID token and refuse it if it is too old</div>
</li>
<li class="level2"><div class="li"> <strong>Use Nonce</strong>: If enabled, a nonce will be sent, and verified from the ID Token</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> <strong>Display</strong>:</div>
<ul>
<li class="level2"><div class="li"> <strong>Display name</strong>: Name of the application</div>
</li>
<li class="level2"><div class="li"> <strong>Logo</strong>: Logo of the application</div>
</li>
</ul>
</li>
</ul>
</div>
</div><!-- closes <div class="dokuwiki export">-->
Reference in New Issue View Git Blame Copy Permalink