Authentication | Users | Password |
---|---|---|
✔ | ✔ |
Note
OpenID Connect is a protocol based on REST, OAuth 2.0 and JOSE stacks. It is described here: http://openid.net/connect/.
LL::NG can act as an OpenID Connect Relying Party (RP) towards multiple OpenID Connect Providers (OP). It gets the user identity through the ID Token and fetches user attributes through the UserInfo endpoint.
As an RP, LL::NG supports a lot of OpenID Connect features:
You can use this authentication module to link your LL::NG server to any OpenID Connect Provider. Here are some examples, with their specific documentation:
- France Connect
- Pro Santé Connect
Attention
The OpenID Connect specification for logout propagation is not finalized. So a logout initiated by the Relying Party will be forwarded to the OpenID Connect Provider, but a logout initiated by the provider (or by another RP) will not be propagated. LL::NG will implement this when the specification is published.
See the OpenID Connect service configuration chapter.
In General Parameters > Authentication modules, set:
Tip
As passwords will not be managed by LL::NG, you can disable the password module in the menu.
Attention
Browser implementations of the formAction directive are inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome does). Administrators may have to modify the formAction value with a wildcard such as *.
In Manager, go in: General Parameters > Advanced Parameters > Security > Content Security Policy > Form destination
Then in General Parameters > Authentication modules > OpenID Connect parameters, you can set:
To register LL::NG, you will need to give some information like the application name or logo.
You will be asked to provide a Redirect URI for LL::NG, which is constructed by appending the openidconnectcallback=1 parameter to the Portal URL.
For example:
Attention
If you use the Choice backend, you need to set the SameSite cookie value to "Lax" or "None". See SSO cookie parameters.
After registration, the OP must give you a Client ID and a Client Secret, which are required to configure the OP in LL::NG.
In Manager, select the node OpenID Connect Providers and click on Add OpenID Connect Provider. Set a technical name (without spaces or special characters) like "sample-op".
You can then access the configuration of this OP.
The OP should publish its metadata in a JSON file (see for example Google's metadata). Copy the content of this file into the textarea. The portal's own discovery document can be found here: https://#portal#/.well-known/openid-configuration
If no metadata is available, you need to write it in the textarea yourself. Mandatory fields are:
You can also define:
Example template:
```json
{
  "issuer": "https://auth.example.com/",
  "authorization_endpoint": "https://auth.example.com/oauth2/authorize",
  "token_endpoint": "https://auth.example.com/oauth2/token",
  "userinfo_endpoint": "https://auth.example.com/oauth2/userinfo",
  "end_session_endpoint": "https://auth.example.com/oauth2/logout"
}
```
JWKS is a JSON file containing public keys. LL::NG can fetch them automatically if jwks_uri is defined in the metadata. Otherwise, you can paste the content of the JSON file in the textarea.
Tip
If the OpenID Connect Provider only uses symmetric encryption, JWKS data are not needed.
Define here the mapping between the LL::NG session content and the fields provided in the UserInfo endpoint response. These fields are defined in the OpenID Connect standard and depend on the scope requested by LL::NG (see options below).
So you can define, for example:
The openid scope is mandatory.
Token endpoint authentication methods: client_secret_post and client_secret_basic.
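Putting the registration, metadata and OP option steps above together, here is an added example (not LL::NG's own code) that checks an OP metadata document such as the template above, builds the portal's Redirect URI, and prepares the token request for both client_secret_post and client_secret_basic. The portal URL, client ID, secret and code are constructed values, and the split between required and optional metadata fields is an assumption mirroring the template.

```python
import base64
import json
from urllib.parse import quote, urlencode, urlsplit

# Constructed sample input: the OP metadata template shown above.
OP_METADATA = json.loads("""{
  "issuer": "https://auth.example.com/",
  "authorization_endpoint": "https://auth.example.com/oauth2/authorize",
  "token_endpoint": "https://auth.example.com/oauth2/token",
  "userinfo_endpoint": "https://auth.example.com/oauth2/userinfo",
  "end_session_endpoint": "https://auth.example.com/oauth2/logout"
}""")
# Assumption: issuer plus the three login-flow endpoints are mandatory, the rest optional.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint")
OPTIONAL = ("end_session_endpoint", "jwks_uri")

def check_op_metadata(meta):
    """Return the list of problems in an OP metadata document (empty means OK)."""
    problems = [f"missing mandatory field {k}" for k in REQUIRED if k not in meta]
    issuer_host = urlsplit(meta.get("issuer", "")).hostname
    for key in REQUIRED[1:] + OPTIONAL:
        if key not in meta:
            continue
        parts = urlsplit(meta[key])
        # Codes and the client secret travel over these URLs: anything but HTTPS is a finding.
        if parts.scheme != "https":
            problems.append(f"{key} is not https")
        # An endpoint on another host than the issuer usually means a mis-pasted document.
        if issuer_host and parts.hostname != issuer_host:
            problems.append(f"{key} host differs from issuer")
    return problems

def redirect_uri(portal_url):
    """Redirect URI to register at the OP: portal URL plus openidconnectcallback=1."""
    sep = "&" if urlsplit(portal_url).query else "?"
    return f"{portal_url}{sep}openidconnectcallback=1"

def token_request(meta, client_id, client_secret, code, redirect, method):
    """Build (url, headers, body) of the code-for-token exchange for either auth method."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_post":      # credentials go in the form body
        body.update(client_id=client_id, client_secret=client_secret)
    elif method == "client_secret_basic":   # credentials go in HTTP Basic (RFC 6749 2.3.1)
        cred = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode()
    else:
        raise ValueError("unsupported token endpoint auth method: " + method)
    return meta["token_endpoint"], headers, urlencode(body)
```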
Attention
With an HTTPS authorization endpoint, you may have to set the LWP::UserAgent object with verify_hostname => 0 and SSL_verify_mode => 0. Keep in mind that this disables TLS certificate verification for server requests, so prefer fixing the CA bundle and use these options only for testing.
Go to: General Parameters > Advanced Parameters > Security > SSL options for server requests