LL:NG
Make sure you have already enabled OpenID Connect on your LemonLDAP::NG server.
Make sure you have generated a set of signing keys in
OpenID Connect Service » Security » Keys
You also need to set a Signing key ID to a non-empty value of your choice.
Then, add a Relying Party with the following configuration:
- Options » Basic » Client ID : choose a client ID, such as my_client_id
- Options » Basic » Client Secret : choose a client secret, such as my_client_secret
- Options » Basic » Allowed redirection address : https://my_redmine_server/oic/local_login
- Options » Advanced » Force claims to be returned in ID Token : On
- Options » Security » ID Token Signature Algorithm : RS512
- Options » Logout » Allowed redirection address for logout : https://my_redmine_server/oic/local_logout
Define exported attributes:
- email
- family_name
- given_name
- name
- nickname: the user login
To transfer groups:
- Declare the member_of exported attribute as an array
- Declare a new scope named groups with value member_of
- Create a local macro member_of which returns "admin" if the user is an administrator and "user" otherwise; since the attribute is declared as an array, the claim is sent as a one-element list (["admin"] or ["user"]).
Redmine
Install the OpenID Connect plugin.
Go to the Redmine administration console and configure the OpenID Connect plugin:
- Enabled: check the box
- Client ID: my_client_id
- OpenID Connect server url: https://auth.example.com/
- Client Secret: my_client_secret
- OpenID Connect scopes: openid profile email groups
- Authorized group: leave blank
- Admins group: admin
- How often to retrieve openid configuration: leave blank
- Disable Ssl Validation: uncheck the box (keep TLS certificate validation of the LL:NG server enabled)
- Login Selector: uncheck the box
- Create user if not exists: check the box
- Users from the following auth sources will be required to login with SSO: do not select anything
Attention
A bug has been reported: you must apply a patch
if you transfer groups.
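The following Python script is an added example, not code from LemonLDAP::NG or from the Redmine OpenID Connect plugin. It models the two halves of the configuration above: on the LL:NG side, how the exported attributes, the member_of macro, the groups scope and the "Force claims to be returned in ID Token" option turn a session into ID Token claims; on the Redmine side, how the plugin settings (Admins group = admin, Authorized group left blank) turn those claims into an account. The session key names (uid, mail, sn, givenName, cn, groups), the LL:NG group name redmine_admins used to recognise administrators, and the one-hour token lifetime are assumptions; RS512 signature verification against the keys published by the server happens before this step and is not modelled.

```python
"""Added example (not part of LemonLDAP::NG or the Redmine plugin):
models the claim flow configured on this page, from LL:NG session to
Redmine account.

Assumed names: session keys uid/mail/sn/givenName/cn/groups, the LL:NG
group 'redmine_admins' that identifies administrators, a 1-hour lifetime.
"""
import time

# LL:NG keeps multi-valued session attributes in one string joined with the
# multiValuesSeparator (default "; "); declaring an exported attribute as an
# array makes the OIDC issuer send it back as a JSON list.
MULTI_VALUES_SEPARATOR = "; "

# Standard scope -> claim groupings (OpenID Connect Core 1.0, section 5.4)
# plus the custom "groups" scope declared on the LL:NG side.
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "nickname"},
    "email": {"email"},
    "groups": {"member_of"},
}

# Exported attributes of the Relying Party: claim -> (type, session key).
EXPORTED_VARS = {
    "email": ("string", "mail"),
    "family_name": ("string", "sn"),
    "given_name": ("string", "givenName"),
    "name": ("string", "cn"),
    "nickname": ("string", "uid"),
    "member_of": ("array", "member_of"),
}

# Constructed sessions, shaped as LL:NG stores them (groups joined, not a list).
ADMIN_SESSION = {"uid": "jdoe", "mail": "jdoe@example.com", "sn": "Doe",
                 "givenName": "Jane", "cn": "Jane Doe",
                 "groups": "redmine_admins; developers"}
PLAIN_SESSION = {"uid": "bob", "mail": "bob@example.com", "sn": "Smith",
                 "givenName": "Bob", "cn": "Bob Smith", "groups": "developers"}

ISSUER, CLIENT_ID = "https://auth.example.com/", "my_client_id"
SCOPES = ["openid", "profile", "email", "groups"]


def member_of_macro(session):
    r"""The local macro: a scalar, since LL:NG macros are Perl expressions.
    Equivalent Perl (assumed admin criterion):
        $groups =~ /\bredmine_admins\b/ ? "admin" : "user"
    """
    groups = session.get("groups", "").split(MULTI_VALUES_SEPARATOR)
    return "admin" if "redmine_admins" in groups else "user"


def build_id_token_claims(session, scopes, issuer, client_id, force_claims, now=None):
    """LL:NG side: ID Token claims for a Relying Party with the options above."""
    now = int(time.time() if now is None else now)
    claims = {"iss": issuer, "sub": session["uid"], "aud": client_id,
              "iat": now, "exp": now + 3600}
    if not force_claims:
        # Without "Force claims to be returned in ID Token" the profile claims
        # are only served by the UserInfo endpoint.
        return claims
    session = dict(session, member_of=member_of_macro(session))
    for scope in scopes:
        for claim in SCOPE_CLAIMS.get(scope, ()):
            typ, key = EXPORTED_VARS[claim]
            value = session.get(key)
            if value is None:
                continue
            claims[claim] = value.split(MULTI_VALUES_SEPARATOR) if typ == "array" else value
    return claims


def redmine_user_from_claims(claims, issuer, client_id, admins_group="admin",
                             authorized_group="", now=None):
    """Redmine side: account attributes derived from an already verified ID Token."""
    now = int(time.time() if now is None else now)
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID Token expired")
    groups = claims.get("member_of", [])
    if isinstance(groups, str):  # attribute not declared as array: one string
        groups = groups.split(MULTI_VALUES_SEPARATOR)
    if authorized_group and authorized_group not in groups:
        raise PermissionError("user is not in the authorized group")
    return {"login": claims["nickname"], "mail": claims["email"],
            "firstname": claims["given_name"], "lastname": claims["family_name"],
            "admin": admins_group in groups}


def demo(now=1_700_000_000):
    """Run both constructed sessions through the flow: (admin user, plain user)."""
    results = []
    for session in (ADMIN_SESSION, PLAIN_SESSION):
        claims = build_id_token_claims(session, SCOPES, ISSUER, CLIENT_ID, True, now)
        results.append(redmine_user_from_claims(claims, ISSUER, CLIENT_ID, now=now))
    return tuple(results)


if __name__ == "__main__":
    for user in demo():
        print(user)
```

Running the script prints one account per constructed session: jdoe with admin set, bob without. The point worth keeping in mind from the model is the second half: the plugin only sees the groups claim if the scope groups is requested, the attribute is exported as an array, and "Force claims to be returned in ID Token" is on; with that option off the ID Token carries only sub and the account mapping has nothing to work with.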