This document presents a configuration guide for the XWiki OpenIDC authenticator with LemonLDAP, which is also used by OpenPAAS (Linagora).
This configuration has been tested with a Docker installation of LemonLDAP.

{{toc start=2 /}}

== XWiki Configuration ==

First, the OpenIDC Authenticator must be enabled in xwiki.cfg:

{{code}}
xwiki.authentication.authclass=org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl
{{/code}}

It is then configured in xwiki.properties. Here are the properties to set:

{{code}}
oidc.endpoint.authorization=<url of lemon ldap>/oauth2/authorize
oidc.endpoint.token=<url of lemon ldap>/oauth2/token
oidc.endpoint.userinfo=<url of lemon ldap>/oauth2/userinfo

oidc.endpoint.token.auth_method=client_secret_post
oidc.endpoint.userinfo.method=post

oidc.idtokenclaims=id_token

oidc.userinfoclaims=profile,xwiki_user_first_name,xwiki_user_last_name,xwiki_user_company,xwiki_user_phone,xwiki_user_address
oidc.clientid=xwikiopenpaas
oidc.secret=<to be filled in>
{{/code}}

For example, <url of lemon ldap> can be http://auth.example.com (for the LemonLDAP demo).

== LemonLDAP Configuration ==

You have to connect to the LemonLDAP manager (for example http://manager.example.com).

The OpenIDC module must be activated in the General Settings / Supplier Modules / OpenID Connect section.

image:lemonldap-activationopenidc.png

An XWiki application must be added in the General Settings / Portal / Menu / Categories and Application section.
The XWiki URL must be specified there.

image:lemonldap-ajouterapp.png

A client configuration must be added in "OpenID Connect Clients". The name can be anything.

image:lemonldap-ajouterclientopenidc.png

The clientid and secret parameters must be entered in the Options / Authentication section. They must be the same as in the xwiki.properties configuration.

image:lemonldap-authentification.png

An allowed redirection address must be specified in both the Options / Redirection Addresses Allowed for Connection and the Options / Redirected Addresses for Disconnection options. It must match the URL of the XWiki instance, with the URI part /xwiki/oidc/authenticator/callback.

image:lemonldap-redirectionauthorisee.png

In order to allow the synchronization of fields from LemonLDAP into the XWiki profile, new attributes named xwiki_user_ followed by the name of the XWiki field (first_name, last_name, company, address) must be added in the Export Attributes section. They must point to LemonLDAP attribute names that are themselves synchronized from the authentication source (often OpenLDAP). In demo mode, LemonLDAP does not have many available fields, so we synchronized the "cn".

image:lemonldap-attributes.png

Once the attributes have been created, the "profile" value must be modified in the Options / Declarations section. It should contain the list of standard fields plus the new XWiki fields. For example:

{{code}}
name given_name country first_name last_name email mail xwiki_user_first_name xwiki_user_last_name xwiki_user_company
{{/code}}

image:lemonldap-scopeclaims.png

== Troubleshooting ==

If everything is configured correctly, clicking login in XWiki should redirect you to the LemonLDAP authentication screen; after authenticating, you should be redirected back to XWiki, and the XWiki user profile should be created and populated with the profile information.

In case of problems, debugging is possible on the XWiki side (in the preferences you can activate logging for the oidc module) and on the LemonLDAP side by activating debug logs in the Apache configuration.
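As an added example that is not part of the original guide or of the XWiki authenticator's own code, the following Python script cross-checks the xwiki.properties values against the LemonLDAP client settings described above: matching client id, the allowed callback URL ending in /xwiki/oidc/authenticator/callback, https on the three endpoints, and that every requested xwiki_user_* claim appears in the "profile" scope declaration. The sample values are constructed from the guide; wiki.example.com is an assumed XWiki host.

```python
from urllib.parse import urlparse
# Constructed xwiki.properties fragment using the guide's demo values.
XWIKI_PROPERTIES = """
oidc.endpoint.authorization=http://auth.example.com/oauth2/authorize
oidc.endpoint.token=http://auth.example.com/oauth2/token
oidc.endpoint.userinfo=http://auth.example.com/oauth2/userinfo
oidc.endpoint.token.auth_method=client_secret_post
oidc.userinfoclaims=profile,xwiki_user_first_name,xwiki_user_last_name,xwiki_user_company,xwiki_user_phone,xwiki_user_address
oidc.clientid=xwikiopenpaas
"""

# Constructed sample of what was entered in the LemonLDAP manager for the XWiki
# client; wiki.example.com is an assumed XWiki host, not taken from the guide.
LEMONLDAP_CLIENT = {
    "client_id": "xwikiopenpaas",
    "redirect_uris": ["https://wiki.example.com/xwiki/oidc/authenticator/callback"],
    # the "profile" scope declaration exactly as given in the guide
    "scope_profile": "name given_name country first_name last_name email mail "
                     "xwiki_user_first_name xwiki_user_last_name xwiki_user_company",
}

def parse_properties(text):
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_config(props, client, xwiki_base_url):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    if props.get("oidc.clientid") != client["client_id"]:
        findings.append("clientid differs between xwiki.properties and LemonLDAP")
    # LemonLDAP must allow exactly the callback XWiki sends as redirect_uri
    callback = xwiki_base_url.rstrip("/") + "/xwiki/oidc/authenticator/callback"
    if callback not in client["redirect_uris"]:
        findings.append(f"redirect URI {callback} is not allowed in LemonLDAP")
    # Code, tokens and userinfo travel over these endpoints: plain http is demo-only
    for key in ("oidc.endpoint.authorization", "oidc.endpoint.token", "oidc.endpoint.userinfo"):
        if urlparse(props.get(key, "")).scheme != "https":
            findings.append(f"{key} is not https (acceptable for the demo only)")
    # Every requested xwiki_user_* claim must be exported in the profile scope,
    # otherwise that XWiki profile field stays empty after login
    requested = {c for c in props.get("oidc.userinfoclaims", "").split(",") if c.startswith("xwiki_user_")}
    declared = set(client["scope_profile"].split())
    for claim in sorted(requested - declared):
        findings.append(f"claim {claim} requested by XWiki but absent from the profile scope")
    return findings
```

Run against the guide's own values, the check reports the three http endpoints and the two claims (xwiki_user_phone, xwiki_user_address) that XWiki requests but the example "profile" declaration does not export.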
