lemonldap-ng/doc/pages/documentation/1.9/openidconnectservice.html
2015-12-18 09:46:34 +00:00


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />
</head>
<body>
<div class="dokuwiki export">
<h1 class="sectionedit1" id="openid_connect_service_configuration">OpenID Connect service configuration</h1>
<div class="level1">
</div>
<!-- EDIT1 SECTION "OpenID Connect service configuration" [1-52] -->
<h2 class="sectionedit2" id="apache_rewrite_rules">Apache rewrite rules</h2>
<div class="level2">
<p>
Be sure that mod_rewrite is installed and that OpenID Connect rewrite rules are activated in <a href="../../documentation/1.9/configlocation.html#portal" class="wikilink1" title="documentation:1.9:configlocation">Apache portal configuration</a>:
</p>
<pre class="code file apache"> <span class="co1"># OpenID Connect Issuer</span>
&lt;<span class="kw3">IfModule</span> mod_rewrite.c&gt;
<span class="kw1">RewriteEngine</span> <span class="kw2">On</span>
<span class="kw1">RewriteRule</span> ^/oauth2/.* /index.pl
<span class="kw1">RewriteRule</span> ^/.well-known/openid-configuration$ /openid-configuration.pl
&lt;/<span class="kw3">IfModule</span>&gt;</pre>
</div>
<!-- EDIT2 SECTION "Apache rewrite rules" [53-479] -->
<h2 class="sectionedit3" id="service_configuration">Service configuration</h2>
<div class="level2">
<p>
Go in Manager and click on <code>OpenID Connect Service</code> node.
</p>
</div>
<!-- EDIT3 SECTION "Service configuration" [480-575] -->
<h3 class="sectionedit4" id="issuer_identifier">Issuer identifier</h3>
<div class="level3">
<p>
Set the issuer identifier, which should be the portal <abbr title="Uniform Resource Locator">URL</abbr>.
</p>
<p>
For example: <a href="http://auth.example.com" class="urlextern" title="http://auth.example.com" rel="nofollow">http://auth.example.com</a>
</p>
</div>
<!-- EDIT4 SECTION "Issuer identifier" [576-702] -->
<h3 class="sectionedit5" id="end_points">End points</h3>
<div class="level3">
<p>
Names of the different OpenID Connect endpoints. You can keep the default values unless you have a specific need to change them.
</p>
<ul>
<li class="level1"><div class="li"> <strong>Authorization</strong></div>
</li>
<li class="level1"><div class="li"> <strong>Token</strong></div>
</li>
<li class="level1"><div class="li"> <strong>User Info</strong></div>
</li>
<li class="level1"><div class="li"> <strong>JWKS</strong></div>
</li>
<li class="level1"><div class="li"> <strong>Registration</strong></div>
</li>
<li class="level1"><div class="li"> <strong>End of session</strong></div>
</li>
<li class="level1"><div class="li"> <strong>Check Session</strong></div>
</li>
</ul>
<div class="notetip">The endpoints are published inside the JSON metadata.
</div>
</div>
<!-- EDIT5 SECTION "End points" [703-1052] -->
<h3 class="sectionedit6" id="authentication_context">Authentication context</h3>
<div class="level3">
<p>
Here you can associate an authentication context with an authentication level.
</p>
</div>
<!-- EDIT6 SECTION "Authentication context" [1053-1164] -->
<h3 class="sectionedit7" id="security">Security</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <strong>Keys</strong>: define the public/private key pair used for asymmetric signatures</div>
</li>
<li class="level1"><div class="li"> <strong>Signing Key ID</strong>: ID of the signing key</div>
</li>
<li class="level1"><div class="li"> <strong>Dynamic Registration</strong>: Set to 1 to allow clients to register themselves. This may be a security risk, as each registration request creates a new configuration in the backend. You can limit this by protecting the registration endpoint in the web server with an authentication module and giving the credentials to clients.</div>
</li>
<li class="level1"><div class="li"> <strong>Authorization Code flow</strong>: Set to 1 to allow Authorization Code flow</div>
</li>
<li class="level1"><div class="li"> <strong>Implicit flow</strong>: Set to 1 to allow Implicit flow</div>
</li>
<li class="level1"><div class="li"> <strong>Hybrid flow</strong>: Set to 1 to allow Hybrid flow</div>
</li>
</ul>
</div>
<!-- EDIT7 SECTION "Security" [1165-1816] -->
<h2 class="sectionedit8" id="key_rotation_script">Key rotation script</h2>
<div class="level2">
<p>
The OpenID Connect specification allows keys to be rotated to improve security. <abbr title="LemonLDAP::NG">LL::NG</abbr> provides a script to do this, which should be run from a cronjob.
</p>
<p>
The script is <code>/usr/share/lemonldap-ng/bin/rotateOidcKeys</code>. It can be run, for example, every week:
</p>
<pre class="file">5 5 * * 6 www-data /usr/share/lemonldap-ng/bin/rotateOidcKeys</pre>
<div class="notetip">Set the correct Apache user, otherwise the generated configuration will not be readable by <abbr title="LemonLDAP::NG">LL::NG</abbr>.
</div>
</div>
<!-- EDIT8 SECTION "Key rotation script" [1817-2290] -->
<h2 class="sectionedit9" id="session_management">Session management</h2>
<div class="level2">
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> implements the change notification as defined here: <a href="http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification" class="urlextern" title="http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification" rel="nofollow">http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification</a>
</p>
<p>
A <code>changed</code> state is sent if the user has been disconnected from the <abbr title="LemonLDAP::NG">LL::NG</abbr> portal (or has destroyed their <abbr title="Single Sign On">SSO</abbr> cookie); otherwise the <code>unchanged</code> state is returned.
</p>
<div class="notetip">To work, the <abbr title="LemonLDAP::NG">LL::NG</abbr> cookie must not be protected against JavaScript (the <code>httpOnly</code> option should be set to <code>0</code>).
</div>
</div>
</div><!-- closes <div class="dokuwiki export">-->