OpenID Connect service configuration

Rewrite rules

Apache

Make sure that mod_rewrite is installed and that the OpenID Connect rewrite rules are activated in the Apache portal configuration:

    # OpenID Connect Issuer
    <IfModule mod_rewrite.c>
        RewriteEngine On
        #RewriteCond %{HTTP:Authorization} .
        #RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
        RewriteRule ^/oauth2/.* /index.pl
        RewriteRule ^/.well-known/openid-configuration$ /openid-configuration.pl
    </IfModule>
Uncomment the two commented lines (the RewriteCond/RewriteRule on the Authorization header) if the portal runs as plain CGI: Apache does not pass the Authorization header to CGI scripts by default, and the token endpoint needs it to read client credentials sent with HTTP Basic authentication. The rule copies the header into the HTTP_AUTHORIZATION environment variable so the portal can see it.

Nginx

Make sure that the OpenID Connect rewrite rules are activated in the Nginx portal configuration:

  # OpenID Connect Issuer
  rewrite ^/oauth2/.* /index.pl last;
  rewrite ^/.well-known/openid-configuration$ /openid-configuration.pl last;

Service configuration

In the Manager, click on the OpenID Connect Service node.

Issuer identifier

Set the issuer identifier, which should be the portal URL.

For example: http://auth.example.com

In production use an https URL: the OpenID Connect specification requires the issuer identifier to use the https scheme and to carry no query or fragment. Relying Parties compare this value byte for byte with the iss claim of ID tokens and with the issuer field of the discovery document, so it must match the URL the portal is actually served on.

End points

Names of the different OpenID Connect endpoints (authorization, token, userinfo, JWKS, ...). You can keep the default values unless you have a specific need to change them.

The endpoints are published in the JSON discovery document served at /.well-known/openid-configuration (this is the URL the rewrite rules above route to openid-configuration.pl).

Authentication context

Here you can map an authentication context (the acr value a Relying Party may request) to an LL::NG authentication level.

Security

Sessions

It is recommended to use a separate sessions storage for OpenID Connect sessions; otherwise they will be stored in the main sessions storage.

Key rotation script

The OpenID Connect specification allows the OP to rotate its signing keys to improve security. LL::NG provides a script for this, which should be run from a cron job.

The script is /usr/share/lemonldap-ng/bin/rotateOidcKeys. It can be run for example once a week, with a line such as the following in /etc/cron.d (the sixth field is the user the job runs as):

5 5 * * 6 www-data /usr/share/lemonldap-ng/bin/rotateOidcKeys
Use the user your web server runs as (www-data above); otherwise the configuration written by the script will not be readable by LL::NG.

Session management

LL::NG implements the change notification defined in the OpenID Connect Session Management specification: http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification

A "changed" state is returned if the user has logged out of the LL::NG portal (or has destroyed their SSO cookie). Otherwise the "unchanged" state is returned.

For this to work, the LL::NG cookie must be readable from JavaScript (the httpOnly option must be set to 0), because the OP iframe derives the browser state it compares against from that cookie. Be aware of the trade-off: without httpOnly, any script running on the portal origin (for example through an XSS flaw) can read the SSO cookie, so only enable this if you need session management.