Table of Contents

OpenID Connect

Authentication Users Password

Presentation

OpenID Connect is a protocol based on REST, OAuth 2.0 and JOSE stacks. It is described here: http://openid.net/connect/.

LL::NG can act as an OpenID Connect Relying Party (RP) towards multiple OpenID Connect Providers (OP). It will get the user identity trough an ID Token, and grab user attributes trough UserInfo endpoint.

As an RP, LL::NG supports a lot of OpenID Connect features:

You can use this authentication module to link your LL::NG server to any OpenID Connect Provider. Here are some examples, witch their specific documentation:

Google France Connect

Configuration

OpenID Connect Service

See OpenIDConnect service configuration chapter.

Authentication and UserDB

In General Parameters > Authentication modules, set:

As passwords will not be managed by LL::NG, you can disable menu password module.

Then in General Parameters > Authentication modules > OpenID Connect parameters, you can set:

Register LL::NG to an OpenID Connect Provider

To register LL::NG, you will need to give some information like application name or logo. One of mandatory information is the redirect URL (one or many).

To know this information, just take the portal URL and the Callback GET parameter, for example:

If you use the choice backend, you need to add the choice parameter in redirect URL

After registration, the OP must give you a client ID and a client secret, that will be used to configure the OP in LL::NG.

Declare the OpenID Connect Provider in LL::NG

In the Manager, select node OpenID Connect Providers and click on Add OpenID Connect Provider. Give a technical name (no spaces, no special characters), like "sample-op";

You can then access to the configuration of this OP.

Metadata

The OP should publish its metadata in a JSON file (see for example Google metadata). Copy the content of this file in the textarea.

If no metadata is available, you need to write them in the textarea. Mandatory fields are:

You can also define:

Example template:

{
  "issuer": "https://auth.example.com/",
  "authorization_endpoint": "https://auth.example.com/oauth2/authorize",
  "token_endpoint": "https://auth.example.com/oauth2/token",
  "userinfo_endpoint": "https://auth.example.com/oauth2/userinfo",
  "end_session_endpoint":"https://auth.example.com/oauth2/logout"
}

JWKS data

JWKS is a JSON file containing public keys. LL::NG can grab them automatically if jwks_uri is defined in metadata. Else you can paste the content of the JSON file in the textarea.

If the OpenID Connect provider only uses symmetric encryption, JWKS data is not useful.

Exported attributes

Define here the mapping between the LL::NG session content and the fields provided in UserInfo response. The fields are defined in OpenID Connect standard, and depends on the scope requested by LL::NG (see options in next chapter).

Claim name Type Example of corresponding LDAP attribute
sub string uid
name string cn
given_name string givenName
family_name string sn
middle_name string
nickname string
preferred_username string displayName
profile string labeledURI
picture string
website string
email string mail
email_verified boolean
gender string
birthdate string
zoneinfo string
locale string preferredLanguage
phone_number string telephoneNumber
phone_number_verified boolean
updated_at string
formatted string registeredAddress
street_address string street
locality string l
region string st
postal_code string postalCode
country string co

So you can define for example:

Options