Agent Connect
Presentation
Agent Connect is an authentication platform made by the French government for people working for the state. It relies on the OpenID Connect protocol.
To select the Identity Provider the user will be redirected to, Agent Connect relies on the email domain:
Tip
All users of an email domain will use the same Identity Provider.
LemonLDAP::NG can be used as Relying Party or OpenID Provider for Agent Connect.
Official documentation is available on GitHub.
LL::NG as OpenID Provider
Registration on Agent Connect
As noted in the official documentation, you need to fill in a form to request authorization to use Agent Connect.
You will provide one or more mail domains that will be associated with your Identity Provider.
Once the configuration is done on LL::NG, you will send them the client ID, client secret and OIDC metadata URL.
Configuration on LemonLDAP::NG
Add Agent Connect as Relying Party, with these options:
Client ID / Client Secret: generate random values
Redirect URIs: https://auth.agentconnect.gouv.fr/api/v2/oidc-callback
Redirect Logout URIs: https://auth.agentconnect.gouv.fr/api/v2/client/logout-callback
Exported attributes:
email (mandatory)
given_name (mandatory)
name (mandatory)
organizational_unit (must not contain some special characters, listed in this regex /^[^.*?{}()|[]trn\]*$/)
phone
preferred_username
siret
uid (mandatory, must contain only ASCII characters)
usual_name (mandatory)
User attribute: be sure to choose a unique and persistent attribute
ID Token signature algorithm: RS256
UserInfo response format: JWT/RS256
Scope / Scope value contents:
given_name: given_name
organizational_unit: organizational_unit
phone: phone
siret: siret
uid: uid
usual_name: usual_name
To match the authentication levels required by Agent Connect, you must adapt the corresponding levels in OpenID Connect Service > Authentication context. You need at least the eidas1 level.
Tip
For the test platform, you need to use the URLs listed on this page.
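The attribute list above mixes three things: which session attribute feeds each claim, which scope releases which claim, and the constraints Agent Connect places on the values (mandatory claims, ASCII-only uid, no special characters in organizational_unit). The following script is an added example, not LemonLDAP::NG code: it models the exported-attribute mapping and scope contents from this page on a constructed sample user, builds the claims that would be released for a given scope request, and reports any value that breaks the stated constraints. The standard `email` and `profile` scope contents follow OpenID Connect Core; the forbidden character set for organizational_unit is an assumption reconstructed from the page's regex, whose backslashes were lost in rendering.

```python
"""Check an LL::NG-style exported-attribute mapping against the Agent Connect
claim requirements listed on this page (added example, not LL::NG code)."""

# Claim name -> session attribute, as in the "Attributes" CLI section of this page
EXPORTED_VARS = {
    "email": "mail",
    "given_name": "givenName",
    "name": "cn",
    "organizational_unit": "ou",
    "phone": "telephoneNumber",
    "preferred_username": "displayName",
    "siret": "departmentNumber",
    "uid": "uid",
    "usual_name": "sn",
}

# Extra scopes and the claims they release ("Scope / Scope value contents" above)
EXTRA_SCOPES = {
    "given_name": ["given_name"],
    "organizational_unit": ["organizational_unit"],
    "phone": ["phone"],
    "siret": ["siret"],
    "uid": ["uid"],
    "usual_name": ["usual_name"],
}

# Standard OpenID Connect scopes (OIDC Core 5.4), limited to claims exported here
STANDARD_SCOPES = {
    "email": ["email"],
    "profile": ["name", "given_name", "preferred_username"],
}

# Claims marked "mandatory" in the attribute list above
MANDATORY = {"email", "given_name", "name", "uid", "usual_name"}

# Assumption: the page's regex excludes the visible metacharacters plus
# backslash, tab, CR and LF (the backslashes were lost in rendering).
OU_FORBIDDEN = set(".*?{}()|[]\\\t\r\n")

# Constructed sample user session (not real data)
SAMPLE_SESSION = {
    "mail": "jean.dupont@example.org",
    "givenName": "Jean",
    "cn": "Jean Dupont",
    "ou": "DSI",
    "telephoneNumber": "+33100000000",
    "displayName": "jdupont",
    "departmentNumber": "00000000000000",  # placeholder SIRET-like value
    "uid": "jdupont",
    "sn": "Dupont",
}


def build_claims(session, scopes):
    """Return the claims released for the requested scopes, using the mapping above.

    Empty or missing session attributes produce no claim, which is how a
    mandatory claim ends up absent from the UserInfo response."""
    released = set()
    for scope in scopes:
        released.update(STANDARD_SCOPES.get(scope, []))
        released.update(EXTRA_SCOPES.get(scope, []))
    claims = {}
    for claim in released:
        attr = EXPORTED_VARS.get(claim)
        if attr and session.get(attr) not in (None, ""):
            claims[claim] = session[attr]
    return claims


def check_claims(claims):
    """Return a list of problems relative to the constraints listed on this page."""
    problems = []
    for claim in sorted(MANDATORY - claims.keys()):
        problems.append(f"missing mandatory claim {claim}")
    if not claims.get("uid", "").isascii():
        problems.append("uid contains non-ASCII characters")
    bad = sorted(set(claims.get("organizational_unit", "")) & OU_FORBIDDEN)
    if bad:
        problems.append("organizational_unit contains forbidden characters: "
                        + repr("".join(bad)))
    return problems


if __name__ == "__main__":
    # A request carrying only the standard scopes misses uid and usual_name
    scopes = ["openid", "email", "profile", "uid", "usual_name", "organizational_unit"]
    claims = build_claims(SAMPLE_SESSION, scopes)
    print("released claims:", sorted(claims))
    print("problems:", check_claims(claims) or "none")
    # Same user with values that violate the constraints
    broken = dict(SAMPLE_SESSION, uid="jdup\u00f4nt", ou="R&D (Lab)")
    print("problems:", check_claims(build_claims(broken, scopes)))
```

Running it shows the practical effect of the scope table: a client that requests only `openid email profile` never receives `uid` or `usual_name`, even though both are exported, so the extra scopes in the last CLI block are what makes the mandatory claims reachable when LL::NG is not configured to send all exported attributes.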
Configuration with CLI
If you want to configure it through the CLI, you can adapt the following commands.
Main parameters
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
addKey \
oidcRPMetaDataOptions/rp-agent-connect oidcRPMetaDataOptionsAccessTokenExpiration 120 \
oidcRPMetaDataOptions/rp-agent-connect oidcRPMetaDataOptionsClientID client-id-for-agent-connect \
oidcRPMetaDataOptions/rp-agent-connect oidcRPMetaDataOptionsClientSecret client-secret-for-agent-connect \
oidcRPMetaDataOptions/rp-agent-connect oidcRPMetaDataOptionsIDTokenExpiration 3600 \
oidcRPMetaDataOptions/rp-agent-connect oidcRPMetaDataOptionsIDTokenSignAlg RS256 \
oidcRPMetaDataOptions/rp-agent-connect oidcRPMetaDataOptionsPostLogoutRedirectUris https://auth.agentconnect.gouv.fr/api/v2/client/logout-callback \
oidcRPMetaDataOptions/rp-agent-connect oidcRPMetaDataOptionsRedirectUris https://auth.agentconnect.gouv.fr/api/v2/oidc-callback \
oidcRPMetaDataOptions/rp-agent-connect oidcRPMetaDataOptionsUserIDAttr uid \
oidcRPMetaDataOptions/rp-agent-connect oidcRPMetaDataOptionsUserInfoSignAlg RS256
Attributes
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
addKey \
oidcRPMetaDataExportedVars/rp-agent-connect email mail \
oidcRPMetaDataExportedVars/rp-agent-connect given_name givenName \
oidcRPMetaDataExportedVars/rp-agent-connect name cn \
oidcRPMetaDataExportedVars/rp-agent-connect organizational_unit ou \
oidcRPMetaDataExportedVars/rp-agent-connect phone telephoneNumber \
oidcRPMetaDataExportedVars/rp-agent-connect preferred_username displayName \
oidcRPMetaDataExportedVars/rp-agent-connect siret departmentNumber \
oidcRPMetaDataExportedVars/rp-agent-connect uid uid \
oidcRPMetaDataExportedVars/rp-agent-connect usual_name sn
Extra scopes (only needed if you did not configure LL::NG to automatically send all exported attributes by default)
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
addKey \
oidcRPMetaDataOptionsExtraClaims/rp-agent-connect given_name given_name \
oidcRPMetaDataOptionsExtraClaims/rp-agent-connect organizational_unit organizational_unit \
oidcRPMetaDataOptionsExtraClaims/rp-agent-connect phone phone \
oidcRPMetaDataOptionsExtraClaims/rp-agent-connect siret siret \
oidcRPMetaDataOptionsExtraClaims/rp-agent-connect uid uid \
oidcRPMetaDataOptionsExtraClaims/rp-agent-connect usual_name usual_name