OpenID Connect Configuration
GENERAL QUESTION TO BEGIN WITH: HOW ARE CONFIGURATIONS DELETED AGAIN?
First of all, a closer look at the OpenID Connect Specification FAQ is recommended.
Local Providers
To act as an OIDC provider and to offer the endpoints needed by clients, an OP configuration has to be created. To do this, navigate to OpenID Connect -> OpenID Connect config and click Add op config. Enter a name for the new configuration and a realm name. It is possible to have more than one realm per installation. Once the new configuration is created, click on the name of the config in the upper section of the table and then Edit to open the editor, where you can set the certificate and key (both in .pem format) the OP needs to sign the generated tokens. The certificate will be published for the clients. The standby certificate/key entries are used for certificate rollover. The host property is important for installations that are reachable under more than one URL, because it determines the host name used in the issuer and endpoint URLs.
The resulting OIDC discovery endpoint for the configured host and the realm is:
https://<host>/oidc/realms/<realm>/.well-known/openid-configuration
This URL delivers a JSON document showing all OIDC-related parameters of the OP. You will need this URL and/or the contents of the JSON when you are configuring your services for OIDC authentication.
Local Clients
To connect a service with OIDC-based authentication, an individual OIDC client configuration has to be set up on the OP side for every service. Navigate to OpenID Connect -> OIDC client configs, click Add client config, enter a name (this name will be the client ID for the service) and select the new config from the table to open the settings dialog; click Edit to change the properties. User-defined attributes and their values can be added to the Generic store.
- name: This is the identifier for the service. You will need this ID when configuring the client on the service side. It is recommended to use an ID which reflects the service hostname or its function. You should only use characters allowed for hostnames.
- Displayname: This name will be displayed when the service redirects to reg-app for login.
- Secret: This is the preshared secret needed by confidential (server-side) clients when they exchange OIDC tokens with the OP. Choose a random alphanumeric value containing at least 16 characters. For clients running in a single page application (public clients), the value can be left empty.
- oidc_op_configuration: Select the OP configuration which should be used for this client. This assigns the client to a realm and to the properties of that realm (certificates in use, endpoint URLs, ...).
Here you can also select which attribute mapper script should be applied and whether a second factor should be checked when users log in to this client. SERVICE AND ORDER CRITERIA: WHAT IS MEANT BY THAT?
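As an added illustration of the two checks above (it is not part of reg-app and not the project's own code), the following Python script builds the discovery URL for a host and realm, checks a discovery document against them, and generates a client secret that meets the 16-character minimum. It assumes that the issuer value is the URL prefix in front of /.well-known/openid-configuration (as OIDC Discovery specifies); the sample document, host name and endpoint paths are constructed for the example.

```python
import json
import secrets
import string
from urllib.parse import urlsplit

# Discovery endpoint exactly as documented above for a configured host and realm.
def discovery_url(host, realm):
    return f"https://{host}/oidc/realms/{realm}/.well-known/openid-configuration"

# OIDC Discovery serves the document at <issuer>/.well-known/openid-configuration,
# so the issuer value is assumed to be that URL prefix (assumption, not stated above).
def expected_issuer(host, realm):
    return f"https://{host}/oidc/realms/{realm}"

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def check_discovery(doc, host, realm):
    """Return the list of problems found in a discovery document (empty means OK)."""
    problems = [f"missing {key}" for key in REQUIRED if key not in doc]
    if doc.get("issuer") != expected_issuer(host, realm):
        problems.append(f"issuer {doc.get('issuer')!r} differs from {expected_issuer(host, realm)!r}")
    # Every advertised endpoint must be HTTPS and on the configured host; a second
    # host name showing up here is what the host property of the OP config prevents.
    for key, url in doc.items():
        if key == "jwks_uri" or key.endswith("_endpoint"):
            parts = urlsplit(url)
            if parts.scheme != "https" or parts.netloc != host:
                problems.append(f"{key} {url} is not under https://{host}/")
    return problems

def new_client_secret(length=32):
    """Random alphanumeric client secret; the text above asks for at least 16 characters."""
    if length < 16:
        raise ValueError("client secret must have at least 16 characters")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

# Constructed sample document (not the output of a real OP): the token endpoint was
# published under a second host name of the installation.
SAMPLE_DOC = json.loads("""{
  "issuer": "https://login.example.org/oidc/realms/main",
  "authorization_endpoint": "https://login.example.org/oidc/realms/main/auth",
  "token_endpoint": "https://internal.example.org/oidc/realms/main/token",
  "jwks_uri": "https://login.example.org/oidc/realms/main/certs",
  "response_types_supported": ["code"]
}""")

if __name__ == "__main__":
    print(discovery_url("login.example.org", "main"))
    for problem in check_discovery(SAMPLE_DOC, "login.example.org", "main"):
        print("problem:", problem)
    print("example secret:", new_client_secret())
```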
Brokering: Connect to external OIDC providers
To authenticate users against an upstream/external OIDC provider (e.g. Helmholtz-AAI, ELIXIR-AAI, Azure AD, Google, ...), an OIDC resource provider configuration has to be set up. Navigate to OpenID Connect -> OpenID Connect config, click Add rp config and enter a name. The new rp configuration should then appear in the lower section of the table; click it and then Edit to open the detailed configuration page. User-defined attributes and their values can be added to the Generic store.
- displayName: This name will be displayed on the login page.
- clientId: This is the identifier under which the reg-app is registered as a client at the upstream OIDC provider.
- Secret: This is the preshared secret associated with the reg-app; normally you get this secret from the upstream provider.
- Scopes: A scope describes the set of attributes a client will be able to retrieve in the OIDC tokens. There are predefined scopes in the OIDC standard. Enter the scopes needed for the upstream provider. If you have no further information about what the external provider requires, it is recommended to enter the standardized value openid email profile, which will release all mandatory attributes and the typical user profile attributes, as they are officially specified.
- serviceUrl: Enter the main issuer URL of the service.
- callbackUrl: Enter the URL to which the browser should be redirected back to the reg-app after the user has authenticated at the external provider.