OpenID Connect support
Page Overview
- 1 Initial Problem
- 2 Conceptual Summary
- 3 User Interface Modifications
- 3.1 List of Affected Views
- 3.2 User Interface Details
- 3.2.1 Basic Configuration
- 3.2.2 User Attribute Mapping
- 3.2.3 Role Mapping
- 3.2.4 Login Screen
- 3.3 New User Interface Concepts
- 4 Technical Information
- 5 Contact
- 6 Funding
- 7 Discussion
- 8 Implementation
1 Initial Problem
ILIAS does not support login with OpenID Connect.
OpenID Connect is built on top of OAuth 2.0 and extends it by allowing clients to obtain the identity of an authenticated user. To date, there is no implementation of OAuth or OpenID Connect available for ILIAS, but there are some entries on ilias.de that mention «oAuth»:
- Authentication Plugin Slot
- Feature Request «oAuth1 and oAuth2»
- The REST plugin does support OAuth for ILIAS, but it puts ILIAS in the role of the OAuth provider rather than the client.
2 Conceptual Summary
The PH Zürich needs an implementation that uses Office 365 as the authentication provider, but the solution should be built generically so that it also supports other providers such as Google.
The login method «oAuth» should be available alongside or instead of the other login methods.
Login flow for a user
- The user opens the ILIAS URL.
- ILIAS redirects to the login screen if the user is not authenticated.
- The user clicks the «Login with OpenID Connect provider» link on the login screen.
- The user is redirected to the login screen of the OAuth provider, e.g. Office 365.
- If the user is already authenticated there, he/she is redirected back to ILIAS.
- If the user is not authenticated, he/she logs in and is then redirected back to ILIAS.
The redirection has to work in every case, no matter whether the user opens the login screen of ILIAS or a direct link to an object. In the case of a direct link to an object, the user should be redirected to that object after login.
3 User Interface Modifications
3.1 List of Affected Views
- Login screen (modified): if OpenID Connect authentication is enabled, ILIAS provides a new login element, consisting of a link and a text/image (see basic settings), on the login page. A new login page editor placeholder will be introduced so the presentation of this element can be modified with the login page editor.
- OpenID Connect administration page (new): a new tab below "Administration -> Authentication -> OpenID Connect" containing all settings regarding the new authentication method.
3.2 User Interface Details
3.2.1 Basic Configuration
ILIAS Label | Input type | OpenID Connect Parameter | Description |
Login element | radio option | --- | Text OR image for the link of the OpenID Connect login element on the login page (see 3.2.4) |
Authority | single line of text (URL) | --- | Login URL of the OpenID Connect provider |
Client ID | single line of text | client_id | ID provided by Azure, Google… |
Scope | single line of text | scope | Default value: openid (fixed) |
Enforce Login | boolean | prompt | Defines whether a user has to log in every time, no matter whether there is already a valid login in the «oAuth world» or not. |
Logout Scope | dropdown | --- | Defines whether a logout from ILIAS is a logout for the application only or for the whole «oAuth world». Default should be «oAuth world». |
Field for Username | single line of text | --- | Field provided by OpenID Connect to use as the ILIAS login name. |
Session Duration | number | --- | Time in minutes |
Create user if it does not already exist in ILIAS | boolean | --- | Should the user be created in ILIAS if it does not exist yet? |
Default Role | dropdown | --- | Default role for new users. Used when no other role assignment is found in the role mapping screen. |
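The login flow from section 2 and the basic configuration above, worked through as an added Python example (this is not ILIAS code and not the author's design; ILIAS itself is written in PHP). It assumes the Authority is the provider's issuer URL and that the authorization endpoint sits at `<authority>/authorize`; real providers publish the endpoint in `<authority>/.well-known/openid-configuration`. Helper names, the redirect URI and the sample claims are constructed for illustration. The example shows the three checks the flow needs: the `state` binding the callback to the browser session and carrying the object the user originally opened, the `nonce` binding the ID token to this login, and the issuer/audience/expiry checks on the ID token.

```python
"""Added example: OpenID Connect Authorization Code Flow as an ILIAS client.
Not ILIAS code; endpoint layout, names and sample values are assumptions."""
import hmac
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs


class OidcConfig:
    """Mirrors the basic configuration: Authority, Client ID, Scope,
    Enforce Login (sent as prompt=login) and the registered redirect URI."""

    def __init__(self, authority, client_id, redirect_uri, enforce_login=False):
        self.authority = authority.rstrip("/")
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.scope = "openid"          # fixed default from the configuration table
        self.enforce_login = enforce_login


def build_authorization_url(cfg, session, return_to="/"):
    """Send the browser to the provider (steps 3 and 4 of the login flow).

    `state` ties the later callback to this session; the target the user
    originally requested (e.g. a direct object link) is kept server-side
    so the user lands there after login. Only relative ILIAS paths are
    accepted as target, so the provider redirect cannot become an open
    redirect to a foreign host."""
    if not return_to.startswith("/") or return_to.startswith("//"):
        return_to = "/"
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    session["oidc_state"] = state
    session["oidc_nonce"] = nonce
    session["oidc_return_to"] = return_to
    params = {
        "response_type": "code",
        "client_id": cfg.client_id,
        "redirect_uri": cfg.redirect_uri,
        "scope": cfg.scope,
        "state": state,
        "nonce": nonce,
    }
    if cfg.enforce_login:
        params["prompt"] = "login"   # Enforce Login: re-authenticate every time
    # Assumption: authorization endpoint at <authority>/authorize.
    return f"{cfg.authority}/authorize?{urlencode(params)}"


def handle_callback(callback_url, session):
    """Provider redirects back with ?code=...&state=... (step 5).

    Returns (code, return_to). A callback whose state does not match the
    value stored for this session is rejected (login-CSRF protection)."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    expected = session.pop("oidc_state", "")
    if not expected or not hmac.compare_digest(state.encode(), expected.encode()):
        raise ValueError("state mismatch: callback not bound to this session")
    if "error" in query:
        raise ValueError(f"provider error: {query['error'][0]}")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code, session.pop("oidc_return_to", "/")


def validate_id_token_claims(claims, cfg, session, now=None):
    """Checks on the decoded ID token payload after the code exchange.

    Signature verification against the provider's published keys is
    assumed to have happened already; this covers issuer, audience,
    expiry and the nonce chosen in build_authorization_url."""
    now = now if now is not None else int(time.time())
    if claims.get("iss") != cfg.authority:
        raise ValueError("issuer does not match the configured Authority")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if cfg.client_id not in aud_list:
        raise ValueError("ID token was not issued for this Client ID")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("ID token expired")
    expected_nonce = session.pop("oidc_nonce", "")
    got_nonce = str(claims.get("nonce", ""))
    if not expected_nonce or not hmac.compare_digest(
            got_nonce.encode(), expected_nonce.encode()):
        raise ValueError("nonce mismatch: ID token not bound to this login")
    return True
```

The `session` dict stands in for the ILIAS server-side session. Storing the return target there rather than in the `state` parameter keeps the state value opaque and prevents a crafted callback from choosing where the user ends up.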
3.2.2 User Attribute Mapping
Subtab "User profile Mapping":
The administrator can define which user profile fields of the provider are mapped to the following ILIAS profile fields:
- Login name
- Given name (given_name)
- Family name (family_name)
- E-mail (email)
- Birthday (birthday)
3.2.3 Role Mapping
Subtab "Role Assignment":
If «Create user if it does not already exist in ILIAS» is set to «true», ILIAS provides options to map groups provided by OpenID Connect to global ILIAS roles*:
Group X maps to global ILIAS Role A
Group Y maps to global ILIAS Role B
Default role if no role mapping is possible (defined in basic settings).
* Could be extended to also map local ILIAS roles. Additionally, a role assignment via a plugin slot could be implemented. Both assignment types are not part of this feature request.
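The user attribute mapping (3.2.2) and the role mapping (3.2.3) applied to a decoded ID token payload, as an added Python example (not ILIAS code; the page does not specify how the mapping is implemented). The claim names on the right-hand side of the mapping, the `groups` claim name, the role names and the sample payload are constructed for illustration. The point of the example is that only explicitly mapped claims reach the ILIAS profile and only explicitly mapped groups become roles, with the Default Role as the fallback.

```python
"""Added example: claim-to-profile and group-to-role mapping for an
OpenID Connect login. Not ILIAS code; names and sample values are assumed."""

# Left: ILIAS profile field. Right: OpenID Connect claim that supplies it.
# "login" is the "Field for Username" from the basic settings (assumed to be
# preferred_username here; the standard claim for the birthday is "birthdate").
PROFILE_MAPPING = {
    "login": "preferred_username",
    "firstname": "given_name",
    "lastname": "family_name",
    "email": "email",
    "birthday": "birthdate",
}

# Role assignment subtab: provider group -> global ILIAS role.
ROLE_MAPPING = {
    "Group X": "ILIAS Role A",
    "Group Y": "ILIAS Role B",
}
DEFAULT_ROLE = "User"          # "Default Role" from the basic settings
CREATE_MISSING_USERS = True    # "Create user if it does not already exist"
GROUPS_CLAIM = "groups"        # assumption: the provider sends memberships here


def map_profile(claims, mapping=PROFILE_MAPPING):
    """Copy only the mapped claims into an ILIAS profile dict.

    Unmapped claims are ignored, so the provider cannot populate fields
    the administrator never mapped. A missing login claim is an error,
    never an empty user name."""
    profile = {field: claims.get(claim) for field, claim in mapping.items()}
    if not profile.get("login"):
        raise ValueError(f"claim {mapping['login']!r} missing: no ILIAS login name")
    return profile


def map_roles(claims, mapping=ROLE_MAPPING, default_role=DEFAULT_ROLE,
              groups_claim=GROUPS_CLAIM):
    """Translate provider groups into global ILIAS roles.

    Groups without a mapping are dropped; when nothing matches, the default
    role applies. A role is therefore always one the administrator chose,
    never a name taken from the provider directly."""
    groups = claims.get(groups_claim, [])
    if isinstance(groups, str):
        groups = [groups]
    roles = sorted({mapping[g] for g in groups if g in mapping})
    return roles or [default_role]


def provision(claims, existing_logins, create_missing=CREATE_MISSING_USERS):
    """Decide what happens after a successful OpenID Connect login.

    Returns (action, profile, roles) with action "login" for a known account
    (roles left untouched: the page ties role mapping to account creation)
    or "create" for a new one. Raises when the account is unknown and
    auto-creation is switched off."""
    profile = map_profile(claims)
    if profile["login"] in existing_logins:
        return "login", profile, []
    if not create_missing:
        raise PermissionError(f"no ILIAS account for {profile['login']!r}")
    return "create", profile, map_roles(claims)


# Constructed sample ID token payload (signature and nonce already checked).
SAMPLE_CLAIMS = {
    "sub": "a1b2c3",
    "preferred_username": "j.doe",
    "given_name": "Jane",
    "family_name": "Doe",
    "email": "j.doe@example.org",
    "birthdate": "1990-01-01",
    "groups": ["Group X", "Unmapped Group"],
    "admin": True,   # not mapped: must never reach the profile or the roles
}
```

Note that `preferred_username` is not guaranteed to be stable across logins at every provider; an implementation that keys accounts on the user name field should consider also storing the `sub` claim to recognise a renamed account.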
3.2.4 Login Screen
Based on the configuration (basic settings), a link ("Text" or "Image") is shown on the login screen.
A new login page editor placeholder will be introduced so the presentation of this element can be modified with the login page editor.
3.3 New User Interface Concepts
none
4 Technical Information
For more information about OpenID Connect as implemented with Office 365: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-openid-connect-code
5 Contact
- Author of the Request: Schmitt, Pascal [pascal.schmitt] (pascal.schmitt@phzh.ch)
- Maintainer: Meyer, Stefan [smeyer]
- Implementation of the feature is done by: {The maintainer must add the name of the implementing developer.}
6 Funding
If you are interested in funding this feature, please add your name and institution to this list.
- PH Zürich
- others are very welcome!
7 Discussion
JourFixe, ILIAS [jourfixe], 26 FEB 2018: We highly appreciate this feature request and schedule it for 5.4.
8 Implementation
Test Cases
Test cases completed on 2018-10-29 by Tödt, Alexandra [atoedt], adapted 2024-08-05 by Mela, Alix [ILIAS_LM]
- 42481 : Configure OpenID Connect
- 36077 : Insert OpenID login as a login page element
- 24977 : Log in with OpenID Connect
- 36079 : Join via link through OpenID Connect authentication
- 24975 : OpenID role mapping
Approval
Meyer, Stefan [smeyer]: Approved on 29 Oct 2018 by Stefan Born
Last edited: 5. Aug 2024, 11:17, Mela, Alix [ILIAS_LM]