OpenID Connect service configuration

Make sure that mod_rewrite is installed and that the OpenID Connect rewrite rules are enabled in the Apache portal configuration:

    # OpenID Connect Issuer
    <IfModule mod_rewrite.c>
        RewriteEngine On
        #RewriteCond %{HTTP:Authorization} .
        #RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
        RewriteRule ^/oauth2/.* /
        RewriteRule ^/.well-known/openid-configuration$ /
    </IfModule>

Uncomment the two commented rules on the Authorization header if your Apache server only has CGI enabled: they copy the header into the HTTP_AUTHORIZATION environment variable, which CGI scripts do not receive by default.

Make sure that the OpenID Connect rewrite rules are enabled in the Nginx portal configuration:

    # OpenID Connect Issuer
    rewrite ^/oauth2/.* / last;
    rewrite ^/.well-known/openid-configuration$ / last;

In the Manager, click on the OpenID Connect Service node.

Set the issuer identifier, which should be the portal URL.

For example:

Names of the different OpenID Connect endpoints. You can keep the default values unless you have a specific need to change them.

  • Authorization
  • Token
  • User Info
  • JWKS
  • Registration
  • End of session
  • Check Session
The endpoints are published in the JSON metadata (the discovery document served at /.well-known/openid-configuration).

Here you can associate an authentication context with an authentication level.

  • Keys: define the public/private key pair used for asymmetric signatures
  • Signing Key ID: ID (kid) of the signing key
  • Dynamic Registration: set to 1 to allow clients to register themselves. This may be a security risk, as every registration request creates a new configuration in the backend. You can limit this by protecting the registration endpoint in the web server with an authentication module and giving the credentials to the clients.
  • Authorization Code flow: set to 1 to allow the Authorization Code flow
  • Implicit flow: set to 1 to allow the Implicit flow
  • Hybrid flow: set to 1 to allow the Hybrid flow

It is recommended to use a separate session storage for OpenID Connect sessions; otherwise they will be stored in the main session storage.

The OpenID Connect specification allows keys to be rotated to improve security. LL::NG provides a script to do this, which should be run from a cron job.

The script is /usr/share/lemonldap-ng/bin/rotateOidcKeys. It can be run, for example, once a week:

    5 5 * * 6 www-data /usr/share/lemonldap-ng/bin/rotateOidcKeys

Use the correct Apache user in the cron entry; otherwise the generated configuration will not be readable by LL::NG.

LL::NG implements the change notification as defined here:

A "changed" state is returned if the user has been disconnected from the LL::NG portal (or has destroyed their SSO cookie). Otherwise the "unchanged" state is returned.

For this to work, the LL::NG cookie must be readable by JavaScript (the httpOnly option must be set to 0). Keep in mind that this also makes the SSO cookie readable by any script injected into the portal origin, so weigh this against the session management feature before disabling httpOnly.