This document presents a configuration guide for the XWiki OpenID Connect (OIDC) authenticator with Univention Corporate Server (UCS).
This configuration has been tested using a standard UCS installation for version 4.4.

{{toc start=2 /}}

== XWiki Configuration ==

First the OpenID Connect authenticator must be enabled in xwiki.cfg:

{{code}}
xwiki.authentication.authclass=org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl
{{/code}}

Then it is configured in xwiki.properties. Here are the properties to configure:

{{code}}
#-# The generic OpenID Connect endpoints to use to communicate with the provider.
#-# Not needed in case of an XWiki based provider.
# oidc.endpoint.authorization=https://xwikiorg-node1.xwikisas.com/xwiki/oidc/authorization
# oidc.endpoint.token=https://xwikiorg-node1.xwikisas.com/xwiki/oidc/token
# oidc.endpoint.userinfo=https://xwikiorg-node1.xwikisas.com/xwiki/oidc/userinfo
# oidc.endpoint.logout=https://xwikiorg-node1.xwikisas.com/xwiki/oidc/logout
oidc.endpoint.authorization=https://ucs-sso.devxwiki.com/signin/v1/identifier/_/authorize
oidc.endpoint.token=https://ucs-sso.devxwiki.com/konnect/v1/token
oidc.endpoint.userinfo=https://ucs-sso.devxwiki.com/konnect/v1/userinfo
oidc.endpoint.logout=https://ucs-sso.devxwiki.com/signin/v1/identifier/_/endsession

#-# The scopes to use when redirecting to the provider.
#-# The standard OpenID Connect scopes are:
#-# * openid: Informs the authorisation server that the client is making an OpenID Connect request (REQUIRED).
#-# * profile: Requests that access to the end-user's default profile claims at the UserInfo endpoint be granted by the issued access token.
#-# * email: Requests that access to the email and email_verified claims at the UserInfo endpoint be granted by the issued access token.
#-# * address: Requests that access to the address claim at the UserInfo endpoint be granted by the issued access token.
#-# * phone: Requests that access to the phone_number and phone_number_verified claims at the UserInfo endpoint be granted by the issued access token.
#-# * offline_access: Requests that an OAuth 2.0 refresh token be issued that can be used to obtain an access token that grants access to the end-user's UserInfo endpoint even when the user is not present (not logged in).
#-#
#-# Depending on the provider, more scopes can be listed.
#-#
#-# The default is:
# oidc.scope=openid,profile,email,address,phone
oidc.scope=openid,profile,email

#-# The custom claims to request from the provider for the ID token.
#-#
#-# The default is:
# oidc.idtokenclaims=xwiki_instance_id
oidc.idtokenclaims=id_token

#-# The entire UserInfo JSON received from the provider is also available using the prefix "oidc.user.".
#-# For example, if the provider sends the following JSON for the user info:
#-# {
#-#   "sub" : "248289761001",
#-#   "name" : "Jane Doe",
#-#   "given_name" : "Jane",
#-#   "family_name" : "Doe",
#-#   "preferred_username" : "j.doe",
#-#   "email" : "janedoe@example.com",
#-#   "picture" : "http://example.com/janedoe/me.jpg",
#-#   "customobject" :
#-#   {
#-#     "customproperty" : "customvalue"
#-#   }
#-# }
#-# you can use the variable ${oidc.user.customobject.customproperty}.
#-#
#-# The following suffixes can be added:
#-# * "._lowerCase": the lower case version of the string
#-# * "._upperCase": the upper case version of the string
#-# * "._clean": a version of the string stripped of the ".", ":", ",", "@", "^" characters and "\s" (all forms of white space).
#-#   It can itself be suffixed with "._lowerCase" and "._upperCase".
#-#
#-# The variable syntax also has other features (fallback value, etc.) detailed on https://commons.apache.org/proper/commons-text/apidocs/org/apache/commons/text/StringSubstitutor.html.
#-#
#-# The default is:
# oidc.user.nameFormater=${oidc.issuer.host._clean}-${oidc.user.preferredUsername._clean}
oidc.user.nameFormater=${oidc.user.preferredUsername._clean}

#-# The custom claims to request from the provider for the UserInfo.
#-#
#-# The available custom claims are:
#-# xwiki_groups (or whatever you indicated in oidc.groups.claim): the groups a user belongs to in the provider (see the "Group synchronization" section for more details)
#-# xwiki_user_<fieldname>: request any field of the user profile document (generally when the provider is XWiki)
#-# The default is:
# oidc.userinfoclaims=xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype
oidc.userinfoclaims=

#-# The client identifier used by the authenticator.
#-# The default is the identifier of the XWiki instance.
# oidc.clientid=
oidc.clientid=xwiki

#-# The client secret (optionally) registered on the provider.
#-# By default nothing is sent to the provider.
# oidc.secret=
oidc.secret=<secretsetontheUCSside>
{{/code}}
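The oidc.user.nameFormater property decides which XWiki user a provider account is mapped to, so it is worth seeing exactly what the variable syntax and the "._clean" / "._lowerCase" / "._upperCase" suffixes produce. The following Python model is an added example, not the authenticator's own code: it resolves the documented "oidc.user.<claim>" and "oidc.issuer.host" variables against the sample UserInfo JSON from the properties comments, applies the suffixes in order, and also honours the StringSubstitutor "${var:-default}" fallback syntax the comments link to. The camelCase aliases for standard claims (preferredUsername, givenName, familyName) are an assumption of this example.

```python
import json
import re

# Constructed sample UserInfo response, modelled on the example in the
# xwiki.properties comments (not a real provider response).
SAMPLE_USERINFO = json.loads("""
{
  "sub": "248289761001",
  "name": "Jane Doe",
  "given_name": "Jane",
  "family_name": "Doe",
  "preferred_username": "j.doe",
  "email": "janedoe@example.com",
  "picture": "http://example.com/janedoe/me.jpg",
  "customobject": {"customproperty": "customvalue"}
}
""")

# Host of the UCS provider, taken from the endpoint URLs in the guide.
SAMPLE_ISSUER_HOST = "ucs-sso.devxwiki.com"

# Characters removed by the "._clean" suffix, as listed in the properties
# comments: ".", ":", ",", "@", "^" and every kind of whitespace.
CLEAN_RE = re.compile(r"[.:,@^\s]")

# The authenticator exposes standard claims under camelCase names (the guide
# uses ${oidc.user.preferredUsername}); this alias table is an assumption of
# this example and only covers the claims used here.
CLAIM_ALIASES = {
    "preferredUsername": "preferred_username",
    "givenName": "given_name",
    "familyName": "family_name",
}

VAR_RE = re.compile(r"\$\{([^}]*)\}")


def apply_suffix(value, suffix):
    """Apply one of the documented transformation suffixes to a string."""
    if suffix == "_lowerCase":
        return value.lower()
    if suffix == "_upperCase":
        return value.upper()
    if suffix == "_clean":
        return CLEAN_RE.sub("", value)
    raise ValueError(f"unknown suffix {suffix!r}")


def resolve_variable(expr, context):
    """Resolve '<dotted.path>[._suffix...][:-default]' against a nested dict.

    A variable that cannot be resolved and has no default is left untouched,
    which is what StringSubstitutor does, so callers can detect it.
    """
    name, has_default, default = expr.partition(":-")
    parts = name.split(".")
    suffixes = []
    while parts and parts[-1].startswith("_"):
        suffixes.insert(0, parts.pop())
    value = context
    for part in parts:
        if not isinstance(value, dict):
            value = None
            break
        value = value.get(part, value.get(CLAIM_ALIASES.get(part, part)))
        if value is None:
            break
    if value is None:
        if not has_default:
            return "${" + expr + "}"
        value = default
    value = str(value)
    for suffix in suffixes:
        value = apply_suffix(value, suffix)
    return value


def format_user_name(pattern, userinfo, issuer_host):
    """Expand an oidc.user.nameFormater pattern for one UserInfo document."""
    context = {"oidc": {"user": userinfo, "issuer": {"host": issuer_host}}}
    return VAR_RE.sub(lambda m: resolve_variable(m.group(1), context), pattern)


if __name__ == "__main__":
    for pattern in (
        "${oidc.user.preferredUsername._clean}",
        "${oidc.issuer.host._clean}-${oidc.user.preferredUsername._clean}",
        "${oidc.user.customobject.customproperty._upperCase}",
        "${oidc.user.nickname:-anonymous}",
    ):
        print(pattern, "->", format_user_name(pattern, SAMPLE_USERINFO, SAMPLE_ISSUER_HOST))
```

Running the pattern used in this guide, "${oidc.user.preferredUsername._clean}", on the sample turns "j.doe" into "jdoe". Because "._clean" strips characters, a provider account whose preferred_username is "jdoe" resolves to the same XWiki user name, so the pattern alone does not distinguish the two; the default pattern adds the issuer host, which separates users of different providers but not two users of the same provider. Check how UCS constrains usernames before relying on a pattern that drops characters.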

== UCS Configuration ==

You will need to install the OpenIDC connector. Once it is installed you need to add an OIDC application, which is done by adding an OIDC provider entry in the LDAP directory.

image:ucs-xwiki-oidc-1.png

image:ucs-xwiki-oidc-2.png

The redirect_uri should be https:~/~/<xwikiserver>/xwiki/oidc/authenticator/callback
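The redirect_uri registered on the UCS side has to be the exact string XWiki sends: OpenID Connect requires the provider to compare it with the registered value by simple string comparison, so a differing scheme, host, or a trailing slash makes the login fail. The following Python script is an added example (not part of this guide or of the authenticator) that builds the callback URL for a given XWiki server name, performs that exact-match check, and lints the XWiki-side properties from the guide for the mistakes that usually surface at this step (a non-https endpoint, a missing "openid" scope or client id, and the secret placeholder left in place). The sample properties text is constructed from the values shown above.

```python
from urllib.parse import urlsplit

# Constructed excerpt of an xwiki.properties file following this guide.
SAMPLE_PROPERTIES = """
# oidc.endpoint.authorization=https://xwikiorg-node1.xwikisas.com/xwiki/oidc/authorization
oidc.endpoint.authorization=https://ucs-sso.devxwiki.com/signin/v1/identifier/_/authorize
oidc.endpoint.token=https://ucs-sso.devxwiki.com/konnect/v1/token
oidc.endpoint.userinfo=https://ucs-sso.devxwiki.com/konnect/v1/userinfo
oidc.endpoint.logout=https://ucs-sso.devxwiki.com/signin/v1/identifier/_/endsession
oidc.scope=openid,profile,email
oidc.clientid=xwiki
oidc.secret=<secretsetontheUCSside>
"""

# Callback path of the XWiki OIDC authenticator, as given in the guide.
CALLBACK_PATH = "/xwiki/oidc/authenticator/callback"


def parse_properties(text):
    """Minimal key=value parser: blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def lint_oidc_properties(props):
    """Return a list of findings about the XWiki-side OIDC client settings."""
    findings = []
    # The authorization, token and userinfo endpoints carry codes and tokens,
    # so anything other than https is a misconfiguration.
    for key in ("authorization", "token", "userinfo"):
        url = props.get(f"oidc.endpoint.{key}")
        if url is None:
            findings.append(f"oidc.endpoint.{key} is not set")
        elif urlsplit(url).scheme != "https":
            findings.append(f"oidc.endpoint.{key} is not https: {url}")
    scopes = [s.strip() for s in props.get("oidc.scope", "").split(",")]
    if "openid" not in scopes:
        findings.append("oidc.scope must contain 'openid'")
    if not props.get("oidc.clientid"):
        findings.append("oidc.clientid is not set")
    secret = props.get("oidc.secret", "")
    if secret.startswith("<") and secret.endswith(">"):
        findings.append("oidc.secret still holds the placeholder from the guide")
    return findings


def expected_redirect_uri(xwiki_server):
    """Build the redirect_uri to register in UCS for the given XWiki host name."""
    return f"https://{xwiki_server}{CALLBACK_PATH}"


def redirect_uri_matches(registered_uris, requested_uri):
    """Exact-match check as OpenID Connect prescribes: no normalisation,
    no prefix matching, so 'http://' or a trailing slash does not match."""
    return requested_uri in registered_uris


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for finding in lint_oidc_properties(props):
        print("finding:", finding)
    registered = [expected_redirect_uri("wiki.example.org")]  # constructed host name
    print("register in UCS:", registered[0])
    print("trailing slash accepted:",
          redirect_uri_matches(registered, registered[0] + "/"))
```

On the sample properties the only finding is the secret placeholder, which is the value a fresh copy of this guide leaves behind; the trailing-slash and http variants of the callback are reported as non-matching, which is the behaviour to expect from the provider as well.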