lemonldap-ng/po-doc/fr/pages/documentation/current/idpopenidconnect.html
2017-02-07 16:35:26 +00:00


<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="utf-8" />
<title>documentation:2.0:idpopenidconnect</title><!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else --><!-- //endif -->
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,idpopenidconnect"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="idpopenidconnect.html"/>
<link rel="contents" href="idpopenidconnect.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:idpopenidconnect","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script><!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script><!-- //endif --><!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script><!-- //endif -->
</head>
<body>
<div class="dokuwiki export container"><!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#openid_connect_service">OpenID Connect service</a></div></li>
<li class="level2"><div class="li"><a href="#issuerdb">IssuerDB</a></div></li>
<li class="level2"><div class="li"><a href="#configuration_of_llng_in_relying_party">Configuring LL::NG in a Relying Party (client)</a></div></li>
<li class="level2"><div class="li"><a href="#configuration_of_relying_party_in_llng">Configuring a Relying Party (client) in LL::NG</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#exported_attributes">Exported attributes</a></div></li>
<li class="level3"><div class="li"><a href="#options">Options</a></div></li>
<li class="level3"><div class="li"><a href="#extra_claims">Extra claims</a></div></li>
</ul></li>
</ul></li>
</ul>
</div>
</div><!-- TOC END -->
<h1 class="sectionedit1" id="openid_connect_provider">OpenID Connect Provider</h1>
<div class="level1">
</div><!-- EDIT1 SECTION "OpenID Connect Provider" [1-39] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<div class="noteclassic">OpenID Connect is a protocol based on the REST, OAuth 2.0 and JOSE stacks. It is described here: <a href="http://openid.net/connect/" class="urlextern" title="http://openid.net/connect/" rel="nofollow">http://openid.net/connect/</a>.
</div>
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> can act as an OpenID Connect Provider (OP). It answers OpenID Connect requests to deliver the user's identity (through an ID Token) and user information (through the "User Info" endpoint).
</p>
<p>
As an OP, <abbr title="LemonLDAP::NG">LL::NG</abbr> supports many OpenID Connect features:
</p>
<ul>
<li class="level1"><div class="li"> Authorization Code, Implicit and Hybrid flows</div>
</li>
<li class="level1"><div class="li"> Publication of JSON metadata and JWKS (Discovery)</div>
</li>
<li class="level1"><div class="li"> <code>prompt</code>, <code>display</code>, <code>ui_locales</code> and <code>max_age</code> parameters</div>
</li>
<li class="level1"><div class="li"> Extra claims definitions</div>
</li>
<li class="level1"><div class="li"> Authentication Context Class References (ACR)</div>
</li>
<li class="level1"><div class="li"> Nonce</div>
</li>
<li class="level1"><div class="li"> Dynamic registration</div>
</li>
<li class="level1"><div class="li"> Access token hash generation</div>
</li>
<li class="level1"><div class="li"> ID Token signature (HS256/HS384/HS512/RS256/RS384/RS512)</div>
</li>
<li class="level1"><div class="li"> UserInfo endpoint, as JSON or JWT</div>
</li>
<li class="level1"><div class="li"> Request and request <abbr title="Uniform Resource Identifier">URI</abbr></div>
</li>
<li class="level1"><div class="li"> Session management</div>
</li>
</ul>
</div><!-- EDIT2 SECTION "Presentation" [40-922] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">
</div><!-- EDIT3 SECTION "Configuration" [923-949] -->
<h3 class="sectionedit4" id="openid_connect_service">OpenID Connect service</h3>
<div class="level3">
<p>
See the <a href="openidconnectservice.html" class="wikilink1" title="documentation:2.0:openidconnectservice">OpenID Connect service</a> configuration chapter.
</p>
</div><!-- EDIT4 SECTION "OpenID Connect Service" [950-1059] -->
<h3 class="sectionedit5" id="issuerdb">IssuerDB</h3>
<div class="level3">
<p>
Go to <code>General Parameters</code> &gt; <code>Issuer modules</code> &gt; <code>OpenID Connect</code> and configure:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Activation</strong>: set to <code>Enabled</code>.</div>
</li>
<li class="level1"><div class="li"> <strong>Path</strong>: keep <code>^/oauth2/</code> unless you need another path (in that case, adapt the Apache configuration).</div>
</li>
<li class="level1"><div class="li"> <strong>Use rule</strong>: a rule to allow use of this module; set it to 1 to always allow it.</div>
</li>
</ul>
<div class="notetip">For example, to allow only strongly authenticated users:
<pre class="code">$authenticationLevel &gt; 2</pre>
</div>
</div><!-- EDIT5 SECTION "IssuerDB" [1060-1545] -->
<h3 class="sectionedit6" id="configuration_of_llng_in_relying_party">Configuring LL::NG in a Relying Party (client)</h3>
<div class="level3">
<p>
Each Relying Party has its own configuration form. <abbr title="LemonLDAP::NG">LL::NG</abbr> publishes its OpenID Connect metadata to make client configuration easier.
</p>
<p>
The metadata is available at the standard "Well Known" <abbr title="Uniform Resource Locator">URL</abbr>: <a href="http://auth.example.com/.well-known/openid-configuration" class="urlextern" title="http://auth.example.com/.well-known/openid-configuration" rel="nofollow">http://auth.example.com/.well-known/openid-configuration</a>
</p>
<p>
An example of its content:
</p>
<pre class="code file javascript"><span class="br0">{</span>
<span class="st0">"end_session_endpoint"</span> <span class="sy0">:</span> <span class="st0">"http://auth.example.com/oauth2/logout"</span><span class="sy0">,</span>
<span class="st0">"jwks_uri"</span> <span class="sy0">:</span> <span class="st0">"http://auth.example.com/oauth2/jwks"</span><span class="sy0">,</span>
<span class="st0">"token_endpoint_auth_methods_supported"</span> <span class="sy0">:</span> <span class="br0">[</span>
<span class="st0">"client_secret_post"</span><span class="sy0">,</span>
<span class="st0">"client_secret_basic"</span>
<span class="br0">]</span><span class="sy0">,</span>
<span class="st0">"token_endpoint"</span> <span class="sy0">:</span> <span class="st0">"http://auth.example.com/oauth2/token"</span><span class="sy0">,</span>
<span class="st0">"response_types_supported"</span> <span class="sy0">:</span> <span class="br0">[</span>
<span class="st0">"code"</span><span class="sy0">,</span>
<span class="st0">"id_token"</span><span class="sy0">,</span>
<span class="st0">"id_token token"</span><span class="sy0">,</span>
<span class="st0">"code id_token"</span><span class="sy0">,</span>
<span class="st0">"code token"</span><span class="sy0">,</span>
<span class="st0">"code id_token token"</span>
<span class="br0">]</span><span class="sy0">,</span>
<span class="st0">"userinfo_signing_alg_values_supported"</span> <span class="sy0">:</span> <span class="br0">[</span>
<span class="st0">"none"</span><span class="sy0">,</span>
<span class="st0">"HS256"</span><span class="sy0">,</span>
<span class="st0">"HS384"</span><span class="sy0">,</span>
<span class="st0">"HS512"</span><span class="sy0">,</span>
<span class="st0">"RS256"</span><span class="sy0">,</span>
<span class="st0">"RS384"</span><span class="sy0">,</span>
<span class="st0">"RS512"</span>
<span class="br0">]</span><span class="sy0">,</span>
<span class="st0">"id_token_signing_alg_values_supported"</span> <span class="sy0">:</span> <span class="br0">[</span>
<span class="st0">"none"</span><span class="sy0">,</span>
<span class="st0">"HS256"</span><span class="sy0">,</span>
<span class="st0">"HS384"</span><span class="sy0">,</span>
<span class="st0">"HS512"</span><span class="sy0">,</span>
<span class="st0">"RS256"</span><span class="sy0">,</span>
<span class="st0">"RS384"</span><span class="sy0">,</span>
<span class="st0">"RS512"</span>
<span class="br0">]</span><span class="sy0">,</span>
<span class="st0">"userinfo_endpoint"</span> <span class="sy0">:</span> <span class="st0">"http://auth.example.com/oauth2/userinfo"</span><span class="sy0">,</span>
<span class="st0">"request_uri_parameter_supported"</span> <span class="sy0">:</span> <span class="st0">"true"</span><span class="sy0">,</span>
<span class="st0">"acr_values_supported"</span> <span class="sy0">:</span> <span class="br0">[</span>
<span class="st0">"loa-4"</span><span class="sy0">,</span>
<span class="st0">"loa-1"</span><span class="sy0">,</span>
<span class="st0">"loa-3"</span><span class="sy0">,</span>
<span class="st0">"loa-5"</span><span class="sy0">,</span>
<span class="st0">"loa-2"</span>
<span class="br0">]</span><span class="sy0">,</span>
<span class="st0">"request_parameter_supported"</span> <span class="sy0">:</span> <span class="st0">"true"</span><span class="sy0">,</span>
<span class="st0">"subject_types_supported"</span> <span class="sy0">:</span> <span class="br0">[</span>
<span class="st0">"public"</span>
<span class="br0">]</span><span class="sy0">,</span>
<span class="st0">"issuer"</span> <span class="sy0">:</span> <span class="st0">"http://auth.example.com/"</span><span class="sy0">,</span>
<span class="st0">"grant_types_supported"</span> <span class="sy0">:</span> <span class="br0">[</span>
<span class="st0">"authorization_code"</span><span class="sy0">,</span>
<span class="st0">"implicit"</span><span class="sy0">,</span>
<span class="st0">"hybrid"</span>
<span class="br0">]</span><span class="sy0">,</span>
<span class="st0">"authorization_endpoint"</span> <span class="sy0">:</span> <span class="st0">"http://auth.example.com/oauth2/authorize"</span><span class="sy0">,</span>
<span class="st0">"check_session_iframe"</span> <span class="sy0">:</span> <span class="st0">"http://auth.example.com/oauth2/checksession"</span><span class="sy0">,</span>
<span class="st0">"scopes_supported"</span> <span class="sy0">:</span> <span class="br0">[</span>
<span class="st0">"openid"</span><span class="sy0">,</span>
<span class="st0">"profile"</span><span class="sy0">,</span>
<span class="st0">"email"</span><span class="sy0">,</span>
<span class="st0">"address"</span><span class="sy0">,</span>
<span class="st0">"phone"</span>
<span class="br0">]</span><span class="sy0">,</span>
<span class="st0">"require_request_uri_registration"</span> <span class="sy0">:</span> <span class="st0">"false"</span><span class="sy0">,</span>
<span class="st0">"registration_endpoint"</span> <span class="sy0">:</span> <span class="st0">"http://auth.example.com/oauth2/register"</span>
<span class="br0">}</span></pre>
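<p>
The following is an added example (not LL::NG code, and not part of the original page) of what a Relying Party should check in a discovery document before trusting it. It parses a trimmed copy of the metadata above, flags the points a reviewer would want to look at (an <code>issuer</code> that does not match the one the RP was configured with, plain-<code>http</code> endpoints, <code>none</code> advertised among the ID Token signature algorithms, and <code>request_uri</code> accepted without registration), and picks the strongest ID Token algorithm the OP offers while refusing <code>none</code>. It tolerates the <code>"true"</code>/<code>"false"</code> strings shown in the sample as well as real JSON booleans. The sample document, the finding tags and the preference order are assumptions made for this example; it needs only the Python standard library.
</p>

```python
import json

# Constructed sample input: a trimmed copy of the discovery document above,
# keeping the string-valued "true"/"false" flags exactly as the page shows them.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "http://auth.example.com/",
    "authorization_endpoint": "http://auth.example.com/oauth2/authorize",
    "token_endpoint": "http://auth.example.com/oauth2/token",
    "userinfo_endpoint": "http://auth.example.com/oauth2/userinfo",
    "jwks_uri": "http://auth.example.com/oauth2/jwks",
    "end_session_endpoint": "http://auth.example.com/oauth2/logout",
    "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
    "id_token_signing_alg_values_supported": ["none", "HS256", "HS384", "HS512",
                                              "RS256", "RS384", "RS512"],
    "request_uri_parameter_supported": "true",
    "require_request_uri_registration": "false",
})

# Keys an RP needs for the Authorization Code flow (assumed minimal set).
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint",
                 "jwks_uri", "userinfo_endpoint")

# Assumed preference order: asymmetric first, symmetric second, never "none".
ALG_PREFERENCE = ("RS256", "RS384", "RS512", "HS256", "HS384", "HS512")


def as_bool(value):
    """Accept JSON booleans as well as the "true"/"false" strings in the sample."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def review_discovery(doc_text, expected_issuer):
    """Parse a discovery document and return (doc, findings).

    findings is a list of short tags the RP operator should look at before
    trusting the OP; an empty list means nothing was flagged.
    """
    doc = json.loads(doc_text)
    findings = []
    for key in REQUIRED_KEYS:
        if key not in doc:
            findings.append("missing:" + key)
    # The issuer the RP was configured with must be the one the OP publishes,
    # and it is also what the "iss" claim of every ID Token is compared to.
    if doc.get("issuer") != expected_issuer:
        findings.append("issuer-mismatch")
    for key in REQUIRED_KEYS + ("end_session_endpoint",):
        if str(doc.get(key, "")).startswith("http://"):
            findings.append("plaintext-http:" + key)
    # "none" in the advertised list means unsigned ID Tokens can be issued;
    # the RP must still refuse them (see choose_id_token_alg below).
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("alg-none-advertised")
    # request_uri accepted without prior registration: worth a review, since
    # the OP will fetch request objects from URLs chosen by the client.
    if as_bool(doc.get("request_uri_parameter_supported")) and not as_bool(
            doc.get("require_request_uri_registration")):
        findings.append("request-uri-without-registration")
    return doc, findings


def choose_id_token_alg(doc):
    """Pick the strongest ID Token algorithm the OP supports, refusing "none"."""
    supported = doc.get("id_token_signing_alg_values_supported", [])
    for alg in ALG_PREFERENCE:
        if alg in supported:
            return alg
    raise ValueError("no acceptable id_token signing algorithm offered")


if __name__ == "__main__":
    document, flagged = review_discovery(SAMPLE_DISCOVERY, "http://auth.example.com/")
    print("findings:", flagged)
    print("chosen alg:", choose_id_token_alg(document))
```

<p>
Run against the sample above, the review flags the plain-<code>http</code> endpoints, the advertised <code>none</code> algorithm and the unregistered <code>request_uri</code> support, and selects <code>RS256</code>. The point of <code>choose_id_token_alg</code> is that the RP's accepted algorithm is decided from its own configuration, not from whatever a token header later claims.
</p>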
</div><!-- EDIT6 SECTION "Configuration of LL::NG in Relying Party" [1546-3524] -->
<h3 class="sectionedit7" id="configuration_of_relying_party_in_llng">Configuring a Relying Party (client) in LL::NG</h3>
<div class="level3">
<p>
Go to the Manager and select <code>OpenID Connect Relying Parties</code>, then click <code>Add OpenID Relying Party</code>. Give it a technical name (without spaces or special characters), such as "sample-rp".
</p>
<p>
You can then access the configuration of this RP.
</p>
</div>
<h4 id="exported_attributes">Exported attributes</h4>
<div class="level4">
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> session attribute names can be mapped to <a href="http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims" class="urlextern" title="http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims" rel="nofollow">OpenID Connect "claims"</a>.
</p>
</div><!-- EDIT8 PLUGIN_INCLUDE_START_NOREDIRECT "documentation:2.0:openidconnectclaims" [0-] -->
<div class="plugin_include_content plugin_include__documentation:2.0:openidconnectclaims" id="plugin_include__documentation__2.0__openidconnectclaims">
<div class="level1">
<div class="table sectionedit10"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0"> Displayed name </th><th class="col1"> Type </th><th class="col2"> LDAP attribute mapping example </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0"> sub </td><td class="col1"> string </td><td class="col2"> uid </td>
</tr>
<tr class="row2 roweven">
<td class="col0"> name </td><td class="col1"> string </td><td class="col2"> cn </td>
</tr>
<tr class="row3 rowodd">
<td class="col0"> given_name </td><td class="col1"> string </td><td class="col2"> givenName </td>
</tr>
<tr class="row4 roweven">
<td class="col0"> family_name </td><td class="col1"> string </td><td class="col2"> sn </td>
</tr>
<tr class="row5 rowodd">
<td class="col0"> middle_name </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row6 roweven">
<td class="col0"> nickname </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row7 rowodd">
<td class="col0"> preferred_username </td><td class="col1"> string </td><td class="col2"> displayName </td>
</tr>
<tr class="row8 roweven">
<td class="col0"> profile </td><td class="col1"> string </td><td class="col2"> labeledURI </td>
</tr>
<tr class="row9 rowodd">
<td class="col0"> picture </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row10 roweven">
<td class="col0"> website </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row11 rowodd">
<td class="col0"> email </td><td class="col1"> string </td><td class="col2"> mail </td>
</tr>
<tr class="row12 roweven">
<td class="col0"> email_verified </td><td class="col1"> boolean </td><td class="col2"> </td>
</tr>
<tr class="row13 rowodd">
<td class="col0"> gender </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row14 roweven">
<td class="col0"> birthdate </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row15 rowodd">
<td class="col0"> zoneinfo </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row16 roweven">
<td class="col0"> locale </td><td class="col1"> string </td><td class="col2"> preferredLanguage </td>
</tr>
<tr class="row17 rowodd">
<td class="col0"> phone_number </td><td class="col1"> string </td><td class="col2"> telephoneNumber </td>
</tr>
<tr class="row18 roweven">
<td class="col0"> phone_number_verified </td><td class="col1"> boolean </td><td class="col2"> </td>
</tr>
<tr class="row19 rowodd">
<td class="col0"> updated_at </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row20 roweven">
<td class="col0"> formatted </td><td class="col1"> string </td><td class="col2"> registeredAddress </td>
</tr>
<tr class="row21 rowodd">
<td class="col0"> street_address </td><td class="col1"> string </td><td class="col2"> street </td>
</tr>
<tr class="row22 roweven">
<td class="col0"> locality </td><td class="col1"> string </td><td class="col2"> l </td>
</tr>
<tr class="row23 rowodd">
<td class="col0"> region </td><td class="col1"> string </td><td class="col2"> st </td>
</tr>
<tr class="row24 roweven">
<td class="col0"> postal_code </td><td class="col1"> string </td><td class="col2"> postalCode </td>
</tr>
<tr class="row25 rowodd">
<td class="col0"> country </td><td class="col1"> string </td><td class="col2"> co </td>
</tr>
</table></div><!-- EDIT10 TABLE [38-861] -->
</div><!-- EDIT9 PLUGIN_INCLUDE_END "documentation:2.0:openidconnectclaims" [0-] -->
</div>
<div class="level4">
<p>
So you can define, for example:
</p>
<ul>
<li class="level1"><div class="li"> name ⇒ cn</div>
</li>
<li class="level1"><div class="li"> family_name ⇒ sn</div>
</li>
<li class="level1"><div class="li"> email ⇒ mail</div>
</li>
</ul>
<div class="noteimportant">The specific <code>sub</code> attribute is not defined here but in the "User attribute" parameter (see below).
</div>
<p>
You can also define extra "claims" and bind them to attributes (see below). You then need to define the mapping for these new attributes, for example:
</p>
<ul>
<li class="level1"><div class="li"> birthplace ⇒ l</div>
</li>
<li class="level1"><div class="li"> birthcountry ⇒ co</div>
</li>
</ul>
</div>
<h4 id="options">Options</h4>
<div class="level4">
<ul>
<li class="level1"><div class="li"> <strong>Authentication</strong>:</div>
<ul>
<li class="level2"><div class="li"> <strong>Client ID</strong>: client identifier of this RP</div>
</li>
<li class="level2"><div class="li"> <strong>Client secret</strong>: secret shared with this RP (can be used for symmetric signature)</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> <strong>Display</strong>:</div>
<ul>
<li class="level2"><div class="li"> <strong>Display name</strong>: name of the RP application</div>
</li>
<li class="level2"><div class="li"> <strong>Logo</strong>: logo of the RP application</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> <strong>User attribute</strong>: session attribute to use as the main identifier (<code>sub</code>)</div>
</li>
<li class="level1"><div class="li"> <strong>ID Token signature algorithm</strong>: choose between <code>none</code>, <code>HS256</code>, <code>HS384</code>, <code>HS512</code>, <code>RS256</code>, <code>RS384</code>, <code>RS512</code></div>
</li>
<li class="level1"><div class="li"> <strong>ID Token expiration</strong>: expiration delay of ID Tokens</div>
</li>
<li class="level1"><div class="li"> <strong>Access token expiration</strong>: expiration delay of access tokens</div>
</li>
<li class="level1"><div class="li"> <strong>Redirection addresses</strong>: list of redirection addresses allowed for this RP, separated by spaces</div>
</li>
<li class="level1"><div class="li"> <strong>Bypass consent</strong>: enable if you never want to display the scope sharing consent screen (consent will be accepted by default). Bypassing the consent is <strong>not</strong> compliant with the OpenID Connect standard.</div>
</li>
</ul>
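<p>
The options above tie the RP's client secret to the symmetric <code>HS*</code> signature algorithms. The following is an added example (not LL::NG code, and not part of the original page) showing both sides of that arrangement in plain Python: the OP-side HMAC signature of an ID Token with the client secret, and the RP-side validation that checks the signature, <code>iss</code>, <code>aud</code>, <code>exp</code> and <code>nonce</code>. The RP compares the token header's <code>alg</code> against the algorithm it was configured with instead of trusting the header, which is what makes a token claiming <code>alg: none</code> fail. The client secret, claim values and timestamps are constructed for the example; only the standard library is used.
</p>

```python
import base64
import hashlib
import hmac
import json
import time

# Symmetric JWS algorithms from the option list above, mapped to their digests.
HS_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url(data):
    """Base64url without padding, as used by JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    """Inverse of b64url; re-adds the padding the JWS form strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims, client_secret, alg="HS256"):
    """OP side: produce a compact JWS over the claims using the RP's client secret."""
    header = {"typ": "JWT", "alg": alg}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    mac = hmac.new(client_secret.encode(), signing_input.encode(), HS_ALGS[alg]).digest()
    return signing_input + "." + b64url(mac)


def verify_id_token(token, client_secret, issuer, client_id, nonce,
                    expected_alg="HS256", now=None):
    """RP side: raise ValueError on any failure, return the claims otherwise.

    expected_alg comes from the RP's own configuration, never from the token
    header; a header saying "none" (or anything else) is rejected outright.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if expected_alg not in HS_ALGS or header.get("alg") != expected_alg:
        raise ValueError("unacceptable alg: %r" % header.get("alg"))
    expected_mac = hmac.new(client_secret.encode(), (h64 + "." + p64).encode(),
                            HS_ALGS[expected_alg]).digest()
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(expected_mac, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or exp missing")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims


if __name__ == "__main__":
    # Constructed values: a secret, an issuer matching the discovery sample, and
    # the client identifier "sample-rp" used earlier on this page.
    secret, issuer, client_id, now = "constructed-secret", "http://auth.example.com/", "sample-rp", 1700000000
    token = sign_id_token({"iss": issuer, "sub": "user1", "aud": client_id, "iat": now,
                           "exp": now + 600, "nonce": "n-1"}, secret)
    print(verify_id_token(token, secret, issuer, client_id, "n-1", now=now))
```

<p>
Validation failures are deliberately all raised as <code>ValueError</code> with a short reason, so an RP can log which check failed without leaking the secret or the token body.
</p>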
</div>
<h4 id="extra_claims">Extra claims</h4>
<div class="level4">
<p>
Associate attributes with extra claims if the RP requests them, for example <code>birth</code> ⇒ <code>birthplace birthcountry</code>
</p>
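<p>
To show how the exported attributes mapping and the extra claims defined above come together, here is an added example (not LL::NG code, and not part of the original page) that builds a UserInfo response from a session: the <code>sub</code> claim comes from the "User attribute" option, each standard claim is released only when its scope was granted (the scope-to-claims table is the one from OpenID Connect Core 1.0, section 5.4), the address sub-claims from the table are nested under a single <code>address</code> object, and the page's <code>birth</code> scope releases the extra <code>birthplace</code> and <code>birthcountry</code> claims. The session values, the mapping dictionary and the <code>build_userinfo</code> function are constructed for this example; only the standard library is used.
</p>

```python
import json

# Standard claims released per scope (OpenID Connect Core 1.0, section 5.4).
SCOPE_CLAIMS = {
    "openid": ["sub"],
    "profile": ["name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"],
    "email": ["email", "email_verified"],
    "address": ["address"],
    "phone": ["phone_number", "phone_number_verified"],
}
# Members of the "address" claim, in the order the table above lists them.
ADDRESS_PARTS = ["formatted", "street_address", "locality", "region", "postal_code", "country"]

# Constructed: the claim -> session attribute mapping an administrator would
# enter under "Exported attributes", following the LDAP examples in the table,
# plus the two extra claims from the "Extra claims" section.
CLAIM_MAP = {
    "name": "cn", "family_name": "sn", "given_name": "givenName",
    "preferred_username": "displayName", "email": "mail", "locale": "preferredLanguage",
    "phone_number": "telephoneNumber", "formatted": "registeredAddress",
    "street_address": "street", "locality": "l", "region": "st",
    "postal_code": "postalCode", "country": "co",
    "birthplace": "l", "birthcountry": "co",
}
# Constructed extra scope, as in "birth => birthplace birthcountry" above.
EXTRA_SCOPES = {"birth": ["birthplace", "birthcountry"]}
# The "User attribute" option: session attribute that becomes "sub".
USER_ATTRIBUTE = "uid"

# Constructed sample session (what LL::NG would hold after an LDAP login).
SAMPLE_SESSION = {
    "uid": "jdoe", "cn": "John Doe", "sn": "Doe", "givenName": "John",
    "mail": "jdoe@example.com", "l": "Paris", "co": "FR",
    "street": "1 rue de la Paix", "postalCode": "75002",
    "telephoneNumber": "+33 1 23 45 67 89",
}


def build_userinfo(session, granted_scopes, claim_map=CLAIM_MAP,
                   extra_scopes=EXTRA_SCOPES, user_attribute=USER_ATTRIBUTE):
    """Return the UserInfo claims for a session, limited to the granted scopes.

    Claims whose mapped attribute is absent from the session are omitted rather
    than sent empty; scopes that are neither standard nor extra are ignored.
    """
    if "openid" not in granted_scopes:
        raise ValueError("the openid scope is required")
    if user_attribute not in session:
        raise ValueError("session lacks the user attribute %r" % user_attribute)

    def value_of(claim):
        attr = claim_map.get(claim)
        return session.get(attr) if attr else None

    out = {"sub": session[user_attribute]}
    for scope in granted_scopes:
        for claim in SCOPE_CLAIMS.get(scope, []) + extra_scopes.get(scope, []):
            if claim == "sub":
                continue  # always taken from the user attribute, never from the map
            if claim == "address":
                addr = {p: value_of(p) for p in ADDRESS_PARTS if value_of(p) is not None}
                if addr:
                    out["address"] = addr
                continue
            value = value_of(claim)
            if value is not None:
                out[claim] = value
    return out


if __name__ == "__main__":
    print(json.dumps(build_userinfo(SAMPLE_SESSION, ["openid", "profile", "email",
                                                     "address", "birth"]), indent=2))
```

<p>
With only <code>openid</code> and <code>email</code> granted, the response carries nothing from the profile or address groups, which is the behaviour the consent screen promises the user; bypassing consent (see the option above) does not change what is released per scope, only whether the user is asked.
</p>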
</div><!-- EDIT7 SECTION "Configuration of Relying Party in LL::NG" [3525-] -->
</div>
</body>
</html>