Redmine¶
Presentation¶
Redmine is is a flexible project management web application. Written using the Ruby on Rails framework, it is cross-platform and cross-database.
It can be configured to authenticate users with OpenID Connect with a plugin.
Configuration¶
LL:NG¶
Make sure you have already enabled OpenID Connect on your LemonLDAP::NG server.
Make sure you have generated a set of signing keys in
OpenID Connect Service
» Security
» Keys
You also need to set a Signing key ID to a non-empty value of your choice.
Then, add a Relaying Party with the following configuration:
- Options » Basic » Client ID : choose a client ID, such as
my_client_id
- Options » Basic » Client Secret : choose a client secret, such as
my_client_secret
- Options » Basic » Allowed redirection address :
https://my_redmine_server/oic/local_login
- Options » Advanced » Force claims to be returned in ID Token :
On
- Options » Security » ID Token Signature Algorithm :
RS512
- Options » Logou( » Allowed redirection address for logout :
https://my_redmine_server/oic/local_logout
Define exported attributes:
email
family_name
given_name
name
nickname
: the user login
To transfer groups:
- Declare
member_of
exported attribute as an array - Declare a new scope named
groups
whith valuemember_of
- Create a local macro
member_of
which will return["admin"]
is user is administrator and["user"]
else.
Redmine¶
Install OpenID Connect plugin.
Go in Redmine admin console and configure the OpenID Connect plugin:
- Enabled: check the box
- Client ID:
my_client_id
- OpenID Connect server url:
https://auth.example.com/
- Client Secret:
my_client_secret
- OpenID Connect scopes:
openid profile email groups
- Authorized group: leave blank
- Admins group:
admin
- How often to retrieve openid configuration: leave blank
- Disable Ssl Validation: uncheck the box
- Login Selector: uncheck the box
- Create user if not exists: check the box
- Users from the following auth sources will be required to login with SSO: do not select anythin
Attention
A bug has been reported, you must apply a patch if you transfer groups.
Note
To bypass SSO, you can connect to https://my_redmine_server/login?local_login=true