Be sure that mod_rewrite is installed and that OpenID Connect rewrite rules are activated in Apache portal configuration:
# OpenID Connect Issuer <IfModule mod_rewrite.c> RewriteEngine On #RewriteCond %{HTTP:Authorization} . #RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] RewriteRule ^/oauth2/.* /index.pl RewriteRule ^/.well-known/openid-configuration$ /openid-configuration.pl </IfModule>
Be sure that OpenID Connect rewrite rules are activated Nginx portal configuration:
# OpenID Connect Issuer rewrite ^/oauth2/.* /index.pl last; rewrite ^/.well-known/openid-configuration$ /openid-configuration.pl last;
Go in Manager and click on OpenID Connect Service
node.
Set the issuer identifier, which should be the portal URL.
For example: http://auth.example.com
Name of different OpenID Connect endpoints. You can keep the default values unless you have a specific need to change them.
You can associate here an authentication context to an authentication level.
It is recommended to use a separate sessions storage for OpenID Connect sessions, else they will stored in the main sessions storage.
OpenID Connect specification let the possibility to rotate keys to improve security. LL::NG provide a script to do this, that should be put in a cronjob.
The script is /usr/share/lemonldap-ng/bin/rotateOidcKeys
. It can be run for example each week:
5 5 * * 6 www-data /usr/share/lemonldap-ng/bin/rotateOidcKeys
LL::NG implements the change notification as defined here: http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification
A changed
state will be sent if the user is disconnected from LL::NG portal (or has destroyed its SSO cookie). Else the unchanged
state will be returned.
httpOnly
option should be set to 0
).