Feature Wiki

Information about planned and released features


OpenID Connect support

1 Initial Problem

ILIAS does not support login with OpenID Connect.

OpenID Connect is built on top of OAuth 2.0 and extends it by allowing clients to obtain the identity of an authenticated user. To date, there is no implementation of OAuth or OpenID Connect available for ILIAS, although there are some entries on ilias.de that mention «oAuth».

2 Conceptual Summary

The PH Zürich needs an implementation that uses Office 365 as the authentication provider, but the solution should be built more generically so that it also supports providers like Google.
 
The login method «oAuth» should be available beside or instead of other login methods.
 
Login flow for a user

  1. User opens the ILIAS URL
  2. ILIAS redirects to login screen, if user is not authenticated.
  3. User clicks on the «Login with OpenId-Connect-Provider» link on the login screen
  4. User is redirected to the login screen of the oAuth provider, e.g. Office 365.
    1. If the user is already authenticated, he/she will be redirected back to ILIAS
    2. If the user is not authenticated, he/she logs in and will be redirected back to ILIAS
 
The redirection has to work in every case, no matter whether the user opens the login screen of ILIAS or a direct link to an object. In the case of a direct link to an object, the user should be redirected to this object after login.
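The redirect step of the login flow above, as an added illustration (not ILIAS code): the authorization request is assembled from the basic settings described later on this page, and the object the user originally requested is remembered server-side under the `state` value so the return redirect cannot be steered outside ILIAS. Authority, client ID, redirect URI and the `/goto.php` target are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed settings mirroring the "Basic Configuration" table; all values are hypothetical.
SETTINGS = {
    "authority": "https://idp.example.org/authorize",           # Authority: login URL of the provider
    "client_id": "EXAMPLE-CLIENT-ID",                            # Client ID
    "scope": "openid",                                           # Scope (fixed default)
    "enforce_login": True,                                       # Enforce Login -> prompt parameter
    "redirect_uri": "https://ilias.example.org/oidc/callback",   # assumed callback endpoint
}

PENDING = {}  # state -> (nonce, target); in a real deployment this lives in the server-side session

def safe_target(target):
    """Accept only a same-site relative path as post-login destination (no open redirect)."""
    if not target or "\\" in target:
        return "/"
    p = urlparse(target)
    if p.scheme or p.netloc or not target.startswith("/") or target.startswith("//"):
        return "/"
    return target

def build_authorization_url(target, settings=SETTINGS):
    """Step 4 of the login flow: send the user to the provider, remembering where to return."""
    state = secrets.token_urlsafe(32)   # binds the callback to this browser session
    nonce = secrets.token_urlsafe(32)   # later compared with the ID token's nonce claim
    PENDING[state] = (nonce, safe_target(target))
    params = {
        "client_id": settings["client_id"],
        "response_type": "code",
        "scope": settings["scope"],
        "redirect_uri": settings["redirect_uri"],
        "state": state,
        "nonce": nonce,
    }
    if settings["enforce_login"]:
        params["prompt"] = "login"      # force re-authentication even with a valid provider session
    return settings["authority"] + "?" + urlencode(params), state

def handle_callback(query_string):
    """Steps 4.1/4.2: the provider sends the user back; verify state before trusting anything."""
    q = parse_qs(query_string)
    state = q.get("state", [None])[0]
    entry = PENDING.pop(state, None)    # single use: a replayed state is rejected
    if entry is None:
        raise ValueError("unknown or replayed state")
    if "code" not in q:
        raise ValueError("missing authorization code")
    nonce, target = entry
    return {"code": q["code"][0], "nonce": nonce, "target": target}
```

Exchanging the code for tokens and checking the ID token's signature and nonce happen after `handle_callback`; only then is the user sent on to the stored target.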

3 User Interface Modifications

3.1 List of Affected Views

  • Login screen (modified): if OpenID Connect authentication is enabled, ILIAS provides a new login element, consisting of a link and a text/image (see basic settings), on the login page. A new login page editor placeholder will be introduced for modifying the login presentation using the login page editor.
  • OpenID Connect admin page (new): a new tab below "Administration -> Authentication -> (OpenID Connect)" containing all settings regarding the new authentication method.

3.2 User Interface Details

3.2.1 Basic Configuration

ILIAS Label | Input type | OpenID Connect Parameter | Description
--- | --- | --- | ---
Login element | radio option | --- | Text for the link of the OpenID Connect login element on the login page OR image for the link of the OpenID Connect login element on the login page
Authority | single line of text (URL) | --- | Login URL of the OpenID Connect provider
Client ID | single line of text | client_id | ID provided by Azure, Google…
Scope | single line of text | scope | Default value: openid (fixed)
Enforce Login | boolean | prompt | Defines whether or not a user has to log in every time, no matter whether there is a valid login in the «oAuth world» or not.
Logout Scope | dropdown | --- | Defines whether a logout from ILIAS is a logout for the application only or for the whole «oAuth world». Default should be «oAuth world».
Field for Username | single line of text | --- | Field provided by OpenID Connect to use as the ILIAS login name.
Session Duration | number |  | Time in minutes
Create user if it does not already exist in ILIAS | boolean | --- | Should the user be created in ILIAS if it does not exist.
Default Role | dropdown | --- | Default role for new users. Used when no other role assignments are found in the role mapping screen.

3.2.2 User Attribute Mapping

Subtab "User Profile Mapping":
The administrator can define which user profile fields are mapped to ILIAS profile fields:

  • Login name
  • Given name (given_name)
  • Family name (family_name)
  • E-mail (email)
  • Birthday (birthday)
Other fields of the UserProfile response cannot be mapped directly and are not supported in a first implementation of OpenID Connect support.

3.2.3 Role Mapping

Subtab "Role Assignment":

If «Create user if it does not already exist in ILIAS» is set to «true», ILIAS provides options to map roles provided by OpenID Connect to global ILIAS roles*.
 
Group X maps to global ILIAS Role A
Group Y maps to global ILIAS Role B
 
Default role if no role mapping is possible (defined in basic settings).

* Could be extended to also map local ILIAS roles. Additionally, a role assignment by plugin slot could be implemented. Both assignment types are not part of this feature request.
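The provisioning decision described in 3.2.2 and 3.2.3, as an added example (not ILIAS code): the configured username field must be present, auto-creation is honoured, profile claims are copied to the mapped ILIAS fields, and provider groups are mapped to global roles with the default role as fallback. The claim name `groups`, the username claim and the role and group names are assumptions.

```python
# Constructed configuration mirroring sections 3.2.1 to 3.2.3; all values are hypothetical.
CONFIG = {
    "username_field": "preferred_username",   # "Field for Username"
    "create_user": True,                      # "Create user if it does not already exist in ILIAS"
    "default_role": "User",                   # "Default Role"
    "profile_mapping": {                      # ILIAS profile field -> OpenID Connect claim
        "firstname": "given_name",
        "lastname": "family_name",
        "email": "email",
    },
    "role_mapping": {"Group X": "Role A", "Group Y": "Role B"},  # assumed groups claim -> global role
}

def provision(claims, existing_users, config=CONFIG):
    """Decide how an authenticated OpenID Connect identity is mapped onto an ILIAS account."""
    login = claims.get(config["username_field"])
    if not login:
        raise ValueError(f"claim {config['username_field']!r} missing; cannot derive login name")
    is_new = login not in existing_users
    if is_new and not config["create_user"]:
        raise PermissionError(f"no ILIAS account for {login!r} and auto-creation is disabled")
    # Only the fields listed in the mapping are taken over; other claims are ignored.
    profile = {field: claims[claim]
               for field, claim in config["profile_mapping"].items() if claim in claims}
    # The page ties role mapping to auto-creation, so roles are derived only when it is enabled;
    # an empty list means "leave the existing role assignments untouched".
    roles = []
    if config["create_user"]:
        for group in claims.get("groups", []):
            role = config["role_mapping"].get(group)
            if role and role not in roles:
                roles.append(role)
        if not roles:
            roles = [config["default_role"]]
    return {"login": login, "create": is_new, "profile": profile, "roles": roles}
```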

3.2.4 Login Screen

Based on the configuration (basic settings), a link ("Text" or "Image") is shown on the login screen.
A new login page editor placeholder will be introduced for modifying the login presentation using the login page editor.

3.3 New User Interface Concepts

none

4 Technical Information

For more information about OpenID Connect as implemented with Office 365: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-openid-connect-code

5 Contact

6 Funding

If you are interested in funding this feature, please add your name and institution to this list.

  • PH Zürich
  • others are very welcome!

7 Discussion

JourFixe, ILIAS [jourfixe], 26 FEB 2018: We highly appreciate this feature request and schedule it for 5.4.

8 Implementation

Test Cases

Test cases completed on 2018-10-29 by Tödt, Alexandra [atoedt], adapted 2024-08-05 by Mela, Alix [ILIAS_LM]

  • 42481 : Configure OpenID Connect
  • 36077 : Insert OpenID login as a login page element
  • 24977 : Log in with OpenID Connect
  • 36079 : Join via link through OpenID Connect authentication
  • 24975 : OpenID role mapping

Approval

Meyer, Stefan [smeyer]: Approved on 29 Oct 2018 by Stefan Born

Last edited: 5. Aug 2024, 11:17, Mela, Alix [ILIAS_LM]