lemonldap-ng/doc/pages/documentation/current/openidconnectservice.html
Xavier Guimard 8af300995c Update doc
2018-03-08 13:29:31 +01:00


<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:openidconnectservice</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,openidconnectservice"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="openidconnectservice.html"/>
<link rel="contents" href="openidconnectservice.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:openidconnectservice","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#service_configuration">Service configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#issuer_identifier">Issuer identifier</a></div></li>
<li class="level2"><div class="li"><a href="#end_points">End points</a></div></li>
<li class="level2"><div class="li"><a href="#authentication_context">Authentication context</a></div></li>
<li class="level2"><div class="li"><a href="#security">Security</a></div></li>
<li class="level2"><div class="li"><a href="#sessions">Sessions</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#key_rotation_script">Key rotation script</a></div></li>
<li class="level1"><div class="li"><a href="#session_management">Session management</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="openid_connect_service_configuration">OpenID Connect service configuration</h1>
<div class="level1">
</div>
<!-- EDIT1 SECTION "OpenID Connect service configuration" [1-52] -->
<h2 class="sectionedit2" id="service_configuration">Service configuration</h2>
<div class="level2">
<p>
In the Manager, click on the <code>OpenID Connect Service</code> node.
</p>
</div>
<!-- EDIT2 SECTION "Service configuration" [53-148] -->
<h3 class="sectionedit3" id="issuer_identifier">Issuer identifier</h3>
<div class="level3">
<p>
Set the issuer identifier, which should be the portal <abbr title="Uniform Resource Locator">URL</abbr>. Relying parties compare this value with the <code>iss</code> claim of every ID Token and with the <code>issuer</code> field of the discovery document, so it must match exactly (scheme, host, port and path) what they are configured with. OpenID Connect requires it to be a URL using the <code>https</code> scheme, with no query string or fragment.
</p>
<p>
For example: <a href="http://auth.example.com" class="urlextern" title="http://auth.example.com" rel="nofollow">http://auth.example.com</a> (on a production deployment, use the <code>https</code> portal URL).
</p>
</div>
<!-- EDIT3 SECTION "Issuer identifier" [149-275] -->
<h3 class="sectionedit4" id="end_points">End points</h3>
<div class="level3">
<p>
Names used to build the URLs of the OpenID Connect endpoints. You can keep the default values unless you have a specific need to change them; relying parties that hard-code the default URLs instead of reading the discovery document will break if you rename them.
</p>
<ul>
<li class="level1"><div class="li"> <strong>Authorization</strong></div>
</li>
<li class="level1"><div class="li"> <strong>Token</strong></div>
</li>
<li class="level1"><div class="li"> <strong>User Info</strong></div>
</li>
<li class="level1"><div class="li"> <strong>JWKS</strong></div>
</li>
<li class="level1"><div class="li"> <strong>Registration</strong></div>
</li>
<li class="level1"><div class="li"> <strong>End of session</strong></div>
</li>
<li class="level1"><div class="li"> <strong>Check Session</strong></div>
</li>
</ul>
<div class="notetip">The endpoints are published in the JSON discovery metadata that relying parties fetch from <code>/.well-known/openid-configuration</code> under the issuer URL, so a client only needs the issuer to find them.
</div>
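<p>
The following script is an added example, not LemonLDAP::NG code: it checks a discovery document the way a relying-party integrator should before trusting an issuer (https issuer without query or fragment, exact match with the configured issuer, every endpoint served over https by the issuer host, and a warning when a registration endpoint is exposed). The two documents at the bottom are constructed fixtures and the <code>/oauth2/...</code> paths in them are illustrative, not the project's guaranteed defaults.
</p>

```python
"""Sanity-check an OpenID Connect discovery document before handing the
issuer URL to relying parties.

Added example for this page, not LemonLDAP::NG code. The two documents at
the bottom are constructed fixtures that imitate what an OP publishes at
/.well-known/openid-configuration; the /oauth2/... paths are illustrative."""
from typing import Dict, List
from urllib.parse import urlparse

# Fields the OpenID Connect Discovery specification marks REQUIRED.
REQUIRED_FIELDS = (
    "issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
    "subject_types_supported", "id_token_signing_alg_values_supported",
)
# The endpoints listed on this page, by their discovery-document names.
ENDPOINT_FIELDS = (
    "authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri",
    "registration_endpoint", "end_session_endpoint", "check_session_iframe",
)


def check_discovery(doc: Dict, expected_issuer: str) -> List[str]:
    """Return human-readable findings; an empty list means the document is sane."""
    findings = []
    for field in REQUIRED_FIELDS:
        if field not in doc:
            findings.append(f"missing required field {field}")

    issuer = doc.get("issuer", "")
    iss = urlparse(issuer)
    # OIDC Core: the issuer is an https URL with no query string or fragment.
    if iss.scheme != "https":
        findings.append(f"issuer {issuer!r} must use the https scheme")
    if iss.query or iss.fragment:
        findings.append(f"issuer {issuer!r} must not carry a query or fragment")
    # RPs compare this string byte for byte with the iss claim of ID Tokens.
    if issuer != expected_issuer:
        findings.append(f"issuer {issuer!r} differs from the configured {expected_issuer!r}")

    for field in ENDPOINT_FIELDS:
        url = doc.get(field)
        if url is None:
            continue
        ep = urlparse(url)
        if ep.scheme != "https":
            findings.append(f"{field} {url!r} is not https")
        if ep.netloc != iss.netloc:
            findings.append(f"{field} {url!r} is on a different host than the issuer")

    # An advertised registration endpoint means dynamic registration is exposed.
    if "registration_endpoint" in doc:
        findings.append("registration_endpoint is advertised: disable dynamic "
                        "registration or protect the endpoint in the web server")
    return findings


# Constructed fixture: a correctly configured OP.
GOOD_DOC = {
    "issuer": "https://auth.example.com",
    "authorization_endpoint": "https://auth.example.com/oauth2/authorize",
    "token_endpoint": "https://auth.example.com/oauth2/token",
    "userinfo_endpoint": "https://auth.example.com/oauth2/userinfo",
    "jwks_uri": "https://auth.example.com/oauth2/jwks",
    "end_session_endpoint": "https://auth.example.com/oauth2/logout",
    "check_session_iframe": "https://auth.example.com/oauth2/checksession.html",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

# Constructed fixture: plain-http issuer (as in the example above), one
# endpoint on another host, dynamic registration exposed.
BAD_DOC = dict(GOOD_DOC,
               issuer="http://auth.example.com",
               authorization_endpoint="http://auth.example.com/oauth2/authorize",
               token_endpoint="https://sso.example.org/oauth2/token",
               registration_endpoint="https://auth.example.com/oauth2/register")

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(name, check_discovery(doc, "https://auth.example.com") or "OK")
```

<p>
To run it against a live portal, replace the fixtures with the parsed body of <code>GET &lt;issuer&gt;/.well-known/openid-configuration</code>; the issuer string you pass as <code>expected_issuer</code> is the one you typed in the Manager.
</p>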
</div>
<!-- EDIT4 SECTION "End points" [276-625] -->
<h3 class="sectionedit5" id="authentication_context">Authentication context</h3>
<div class="level3">
<p>
Map here each authentication context class reference (the <code>acr</code> value a client may request through <code>acr_values</code> and that is returned in the ID Token) to an <abbr title="LemonLDAP::NG">LL::NG</abbr> authentication level.
</p>
</div>
<!-- EDIT5 SECTION "Authentication context" [626-737] -->
<h3 class="sectionedit6" id="security">Security</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <strong>Keys</strong>: define the public/private key pair used to sign ID Tokens with an asymmetric (RSA) algorithm. The public key is published on the JWKS endpoint so relying parties can verify the signatures; the private key must be readable by the portal only.</div>
</li>
<li class="level1"><div class="li"> <strong>Signing Key ID</strong>: the key identifier (<code>kid</code>) written in the header of signed tokens and in the JWKS entry. Relying parties use it to select the right key, so it must be unique per key and a new key must get a new ID.</div>
</li>
<li class="level1"><div class="li"> <strong>Dynamic Registration</strong>: set to 1 to allow clients to register themselves (OpenID Connect Dynamic Client Registration). This is a security risk: every registration request, authenticated or not, creates a new configuration in the backend, so anyone who can reach the endpoint can create as many client configurations as they like. You can limit this by protecting the registration endpoint in the web server with an authentication module and giving the credentials only to the clients you trust.</div>
</li>
<li class="level1"><div class="li"> <strong>Authorization Code flow</strong>: set to 1 to allow the Authorization Code flow, the flow to prefer for clients that can keep a secret.</div>
</li>
<li class="level1"><div class="li"> <strong>Implicit flow</strong>: set to 1 to allow the Implicit flow. It returns tokens directly in the fragment of the redirect URI, where browser history and scripts can see them, so enable it only for clients that cannot use the Authorization Code flow.</div>
</li>
<li class="level1"><div class="li"> <strong>Hybrid flow</strong>: set to 1 to allow the Hybrid flow (a mix of the two previous ones, with the same exposure of the tokens returned in the fragment).</div>
</li>
</ul>
</div>
<!-- EDIT6 SECTION "Security" [738-1388] -->
<h3 class="sectionedit7" id="sessions">Sessions</h3>
<div class="level3">
<p>
It is recommended to use a separate sessions storage for OpenID Connect sessions; otherwise they are stored in the main sessions storage, together with the <abbr title="Single Sign On">SSO</abbr> sessions.
</p>
</div>
<!-- EDIT7 SECTION "Sessions" [1389-1543] -->
<h2 class="sectionedit8" id="key_rotation_script">Key rotation script</h2>
<div class="level2">
<p>
The OpenID Connect specification allows the provider to rotate its signing keys, which limits the damage if a key leaks. <abbr title="LemonLDAP::NG">LL::NG</abbr> provides a script for this, which should be run from a cron job.
</p>
<p>
The script is <code>/usr/share/lemonldap-ng/bin/rotateOidcKeys</code>. For example, the following <code>/etc/cron.d</code> entry runs it every Saturday at 05:05:
</p>
<pre class="file">5 5 * * 6 www-data /usr/share/lemonldap-ng/bin/rotateOidcKeys</pre>
<div class="notetip">Replace <code>www-data</code> with the user your web server runs as (for example <code>apache</code> on Red Hat based systems), otherwise the configuration written by the script will not be readable by <abbr title="LemonLDAP::NG">LL::NG</abbr>. After each rotation, relying parties that cache the JWKS must fetch it again to obtain the new public key.
</div>
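<p>
The added example below is not LemonLDAP::NG code; it models what a relying party has to do for the rotation above to be harmless: select the verification key by the <code>kid</code> of the token header, refetch the JWKS once when that <code>kid</code> is unknown, and refuse tokens whose header names an unexpected algorithm. The JWKS fixtures, the key IDs and the unsigned tokens are constructed for the example (the key material is a placeholder, since the signature check itself is not what is demonstrated here).
</p>

```python
"""How a relying party should react to a signing-key rotation on the OP:
select the key by the kid in the JWT header and refetch the JWKS once when
the kid is unknown.

Added example for this page, not LemonLDAP::NG code and not a full token
verifier: the signature check is out of scope, so the JWKS fixtures carry
placeholder key material and the tokens are unsigned, both constructed."""
import base64
import json
from typing import Callable, Dict, Tuple

ACCEPTED_ALGS = ("RS256", "RS384", "RS512")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_header(token: str) -> Dict:
    """Decode the JOSE header of a compact-serialised JWT."""
    return json.loads(b64url_decode(token.split(".")[0]))


class JwksCache:
    """Caches the OP's JWKS by kid; refetches once when a kid is unknown."""

    def __init__(self, fetch: Callable[[], Dict]):
        self._fetch = fetch            # callable returning the JWKS document
        self.keys: Dict[str, Dict] = {}
        self.refreshes = 0
        self._load()

    def _load(self) -> None:
        self.keys = {k["kid"]: k for k in self._fetch()["keys"]}
        self.refreshes += 1

    def key_for(self, token: str) -> Dict:
        header = jwt_header(token)
        # Never let the token pick a symmetric or "none" algorithm.
        if header.get("alg") not in ACCEPTED_ALGS:
            raise ValueError(f"unexpected alg {header.get('alg')!r}")
        kid = header.get("kid")
        if kid is None:
            raise ValueError("token header carries no kid")
        if kid not in self.keys:
            self._load()               # the OP may just have rotated its keys
        if kid not in self.keys:
            raise LookupError(f"no key with kid {kid!r} even after refresh")
        return self.keys[kid]


def jwk(kid: str) -> Dict:
    """Constructed RSA JWK entry; n and e are placeholders, not a real key."""
    return {"kty": "RSA", "use": "sig", "kid": kid, "alg": "RS256",
            "n": "placeholder", "e": "AQAB"}


def unsigned_token(header: Dict) -> str:
    """Constructed compact JWT with an empty signature, for header tests only."""
    return f"{b64url(json.dumps(header).encode())}.{b64url(b'{}')}."


class FakeOp:
    """Stands in for the OP's JWKS endpoint before and after rotateOidcKeys."""

    def __init__(self):
        self.current_kid = "key-2018-03"      # constructed kid

    def rotate(self, new_kid: str) -> None:
        self.current_kid = new_kid

    def jwks(self) -> Dict:
        return {"keys": [jwk(self.current_kid)]}


def simulate_rotation() -> Tuple[int, int, str]:
    """Return (refreshes before rotation, refreshes after, kid finally used)."""
    op = FakeOp()
    cache = JwksCache(op.jwks)
    cache.key_for(unsigned_token({"alg": "RS256", "kid": "key-2018-03"}))
    before = cache.refreshes                  # still only the initial load
    op.rotate("key-2018-04")                  # cron ran rotateOidcKeys
    used = cache.key_for(unsigned_token({"alg": "RS256", "kid": "key-2018-04"}))
    return before, cache.refreshes, used["kid"]


def rejection_reason(cache: JwksCache, header: Dict) -> str:
    """Name of the exception raised for a bad header, or "accepted"."""
    try:
        cache.key_for(unsigned_token(header))
    except (ValueError, LookupError) as exc:
        return type(exc).__name__
    return "accepted"


if __name__ == "__main__":
    print(simulate_rotation())  # (1, 2, 'key-2018-04')
```

<p>
In production, rate-limit the refetch (for example at most one per minute), otherwise anyone can make your relying party hammer the JWKS endpoint by sending tokens with random <code>kid</code> values. Tokens signed with the previous key remain verifiable only while the provider still publishes that key alongside the new one, so schedule the rotation with the lifetime of your ID Tokens in mind.
</p>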
</div>
<!-- EDIT8 SECTION "Key rotation script" [1544-2017] -->
<h2 class="sectionedit9" id="session_management">Session management</h2>
<div class="level2">
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> implements the change notification as defined here: <a href="http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification" class="urlextern" title="http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification" rel="nofollow">http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification</a>
</p>
<p>
The check session iframe answers <code>changed</code> if the user has logged out of the <abbr title="LemonLDAP::NG">LL::NG</abbr> portal (or has destroyed the <abbr title="Single Sign On">SSO</abbr> cookie), and <code>unchanged</code> otherwise.
</p>
<div class="notetip">To work, the <abbr title="LemonLDAP::NG">LL::NG</abbr> cookie must be readable by JavaScript (the <code>httpOnly</code> option must be set to <code>0</code>), because the iframe script compares the cookie value with the session state sent by the relying party. This removes a protection against cookie theft: any XSS on the portal domain can then read the <abbr title="Single Sign On">SSO</abbr> cookie. Enable it only if you need session management.
</div>
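<p>
The exchange described above, modelled as an added example that is not LemonLDAP::NG code (the real check runs as JavaScript in the provider's iframe): the provider derives a <code>session_state</code> from the client ID, the relying party's origin, its own browser state and a salt, and later answers <code>unchanged</code> or <code>changed</code> depending on whether the same state still hashes to the value the relying party holds. As in the specification's own example, the browser state is assumed to be the provider's session cookie value (which is why <code>httpOnly</code> must be off), the hash is assumed to be SHA-256, and the hashed fields are assumed to be joined by single spaces; the client ID, origin and cookie value are constructed.
</p>

```python
"""Model of the session-state check behind the Check Session endpoint
(OpenID Connect Session Management 1.0, "Change Notification").

Added example for this page, not LemonLDAP::NG code: the real check runs as
JavaScript inside the OP iframe. Assumptions, following the specification's
own example: the OP browser state is the OP session cookie value (hence
httpOnly=0 on the LL::NG cookie), the hash is SHA-256, and the hashed string
is "client_id origin opbs salt" joined by single spaces."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def session_state(client_id: str, origin: str, op_browser_state: str,
                  salt: Optional[str] = None) -> str:
    """Value the OP returns with the authorization response."""
    salt = salt or secrets.token_hex(8)
    material = f"{client_id} {origin} {op_browser_state} {salt}".encode()
    return f"{hashlib.sha256(material).hexdigest()}.{salt}"


def check_session_iframe(message: str, origin: str, op_cookie: str) -> str:
    """What the OP iframe answers to a postMessage from the RP iframe.

    message is "<client_id> <session_state>" as sent by the RP, origin is the
    origin of that message, and op_cookie is the OP cookie value the iframe
    script reads from document.cookie ("" once the user logged out or deleted it).
    """
    try:
        client_id, received = message.split(" ", 1)
        _digest, salt = received.split(".", 1)
    except ValueError:
        return "error"
    if not salt:
        return "error"
    expected = session_state(client_id, origin, op_cookie, salt)
    # A different cookie (logout, new login) or a different origin both yield
    # "changed"; the RP must then re-check with the OP.
    return "unchanged" if hmac.compare_digest(expected, received) else "changed"


# Constructed values for the walk-through below.
CLIENT_ID = "demo-rp"
RP_ORIGIN = "https://app.example.com"
SSO_COOKIE = "f3a1c8d2e4b5a6970011223344556677"   # stands in for the lemonldap cookie value


def walk_through() -> Tuple[str, str, str, str, str]:
    """One RP/OP exchange: login, logout, re-login, wrong origin, junk message."""
    ss = session_state(CLIENT_ID, RP_ORIGIN, SSO_COOKIE)   # sent to the RP at login
    msg = f"{CLIENT_ID} {ss}"                              # what the RP iframe posts
    return (
        check_session_iframe(msg, RP_ORIGIN, SSO_COOKIE),              # still logged in
        check_session_iframe(msg, RP_ORIGIN, ""),                      # logged out, cookie gone
        check_session_iframe(msg, RP_ORIGIN, "9a8b7c6d5e4f30211223344556677889"),  # new session
        check_session_iframe(msg, "https://evil.example.net", SSO_COOKIE),         # other origin
        check_session_iframe("garbage", RP_ORIGIN, SSO_COOKIE),        # malformed message
    )


if __name__ == "__main__":
    print(walk_through())  # ('unchanged', 'changed', 'changed', 'changed', 'error')
```

<p>
Because the relying party only ever sees the salted hash, it learns nothing about the cookie value itself; what it does learn is every change of that value, which is exactly the change notification this section describes.
</p>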
</div>
<!-- EDIT9 SECTION "Session management" [2018-] --></div>
</body>
</html>