Additional fields for OpenID Connect (OIDC) SSO
1 Initial Problem
The OpenID Connect implementation in ILIAS only supports a very limited set of user data.
- firstname
- lastname
- birthday
Side Note: Other authentication providers like SAML or LDAP support mapping of more fields.
- SAML supports most standard user data fields AND all custom user data fields. The only exceptions are:
  - "interests" is not supported, since it can have multiple values (general interests, offering help, looking for help)
  - salutation doesn't support explicit mappings, e.g. "w" (weiblich) cannot be mapped to "f" (female)
- LDAP supports most standard user data fields. There is NO support for:
  - "interests", since it can have multiple values (general interests, offering help, looking for help)
  - explicit mappings for salutation, e.g. "w" (weiblich) cannot be mapped to "f" (female)
  - birthday
  - country (dropdown)
  - second e-mail
  - how did you hear about ILIAS?
  - all custom user data
2 Conceptual Summary
The OpenID Connect implementation is extended to support further mappings and predefined templates, similar to the LDAP profile mapping.
For every user field (standard + custom) a text input and a checkbox (for automatic updates on login) will be provided.
The text input holds the name of the claim that should be synced to the corresponding user field.
All user fields are always shown. Empty inputs are simply ignored when synchronizing a user.
The dropdown contains a list of well-known scopes.
When applying a scope template, the assignment form is filled with the claims known to be contained in the selected scope.
The claims of the available scopes are a static list (see https://auth0.com/docs/get-started/apis/scopes/openid-connect-scopes#standard-claims).
Additionally, the scope configuration is removed from the server settings and placed in a new sub-tab (e.g. Scope Settings).
The value shown for the discovery URL is used as a default:
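To make the mapping semantics above concrete, here is an added example that models them in Python; it is illustrative code, not ILIAS code. The static per-scope claim list is the one from OpenID Connect Core 1.0 section 5.4; the ILIAS field names used in the templates, the "update on login" checkbox semantics, and the dotted-path lookup into the nested `address` claim are assumptions made for the example. The claims passed to `sync_user` must come from an ID token whose signature, issuer and audience were already verified (or from the userinfo endpoint over TLS); the mapping step itself does no validation.

```python
"""Model of the OIDC claim-to-profile mapping (added example, not ILIAS code)."""
from dataclasses import dataclass
from typing import Any

# Standard claims per scope, as defined in OpenID Connect Core 1.0, section 5.4.
SCOPE_CLAIMS: dict[str, tuple[str, ...]] = {
    "profile": ("name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"),
    "email": ("email", "email_verified"),
    "address": ("address",),
    "phone": ("phone_number", "phone_number_verified"),
}

# Assumed templates: which claim pre-fills which ILIAS field when a scope is applied.
# "address.country" is an assumed dotted path into the nested address claim object.
SCOPE_TEMPLATES: dict[str, dict[str, str]] = {
    "profile": {"firstname": "given_name", "lastname": "family_name",
                "birthday": "birthdate", "gender": "gender"},
    "email": {"email": "email"},
    "address": {"country": "address.country", "city": "address.locality"},
    "phone": {"phone_mobile": "phone_number"},
}


@dataclass(frozen=True)
class FieldRule:
    claim: str            # text input: claim name; "" means "not mapped"
    update: bool = False  # checkbox: also overwrite the field on every login


def apply_scope_template(scope: str, rules: dict[str, FieldRule]) -> dict[str, FieldRule]:
    """Pre-fill empty claim inputs from a well-known scope's template.

    Non-empty inputs are kept, so applying a template never silently replaces
    a mapping the administrator typed by hand (assumed behaviour).
    """
    if scope not in SCOPE_TEMPLATES:
        raise ValueError(f"unknown scope template: {scope}")
    merged = dict(rules)
    for field, claim in SCOPE_TEMPLATES[scope].items():
        current = merged.get(field, FieldRule(""))
        if current.claim == "":
            merged[field] = FieldRule(claim, current.update)
    return merged


def lookup_claim(claims: dict[str, Any], path: str) -> Any:
    """Resolve a claim name; "address.country" walks into the nested address claim."""
    value: Any = claims
    for part in path.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def sync_user(rules: dict[str, FieldRule], claims: dict[str, Any],
              profile: dict[str, Any], new_user: bool) -> dict[str, Any]:
    """Return the profile after applying the mapping rules to verified claims.

    Empty inputs and claims absent from the token leave the field untouched.
    Existing users are only overwritten where the update checkbox is set.
    """
    updated = dict(profile)
    for field, rule in rules.items():
        if rule.claim == "":
            continue  # empty input: ignored during synchronization
        value = lookup_claim(claims, rule.claim)
        if value is None:
            continue  # claim not delivered: never blank out an existing value
        if new_user or rule.update:
            updated[field] = value
    return updated


if __name__ == "__main__":
    rules = apply_scope_template("profile", {"lastname": FieldRule("family_name", True)})
    # Constructed claim set standing in for a verified ID token payload.
    claims = {"given_name": "Erika", "family_name": "Mustermann", "address": {"country": "DE"}}
    print(sync_user(rules, claims, {"firstname": "Max", "lastname": "Old"}, new_user=False))
```

Note that a claim missing from the token is treated differently from an empty mapping: neither touches the field, so a provider that omits an optional claim on one login cannot wipe a value written on an earlier one.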
2.1 Documentation
Documentation should be provided in the README.md and in a `messageBox` of type `info` that explains the `Scope` / `Claims` topic.
3 User Interface Modifications
3.1 List of Affected Views
- Administration > Authentication and Registration > OpenID Connect > Mapping of Profile-Data
- Administration > Authentication and Registration > OpenID Connect > Server Settings
3.2 User Interface Details
The form will be extended as follows
3.3 New User Interface Concepts
-
3.4 Accessibility Implications
-
4 Technical Information
{ The maintainer has to provide necessary technical information, e.g. dependencies on other ILIAS components, necessary modifications in general services/architecture, potential security or performance issues. }
5 Privacy
The SSO mapping rules specify which OIDC claims will be stored in the user account. This is the only processing of personal data by the mapping rules themselves; other ILIAS components may of course process this data further.
{ Please list all personal data that will need to be stored or processed to implement this feature. For each date give a short explanation why it is necessary to use that date. }
6 Security
-
7 Contact
- Author of the Request: Kiegel, Colin [kiegel], Scharmer, Lukas [lscharmer]
- Maintainer: Seeland, Per Pascal [PerPascalSeeland] / Jansen, Michael [mjansen]
- Implementation of the feature is done by: Vollbach, Guido [gvollbach] / Jansen, Michael [mjansen]
8 Funding
If you are interested in funding this feature, please add your name and institution to this list.
- item Industrietechnik GmbH
- Staatsbetrieb Sächsische Informatik Dienste
9 Discussion
Kiegel, Colin [kiegel] 2022-06-09 The feature has already been developed for item Industrietechnik GmbH as shown above and can be provided as a pull request by Databay.
I kindly ask to approve this feature both (a) with and (b) without the stretch goals 1+2. This would allow us to integrate the feature even if we don't get the funding for the stretch goals.
Seeland, Per Pascal [PerPascalSeeland] 2023-05-10: Thanks for this feature. Instead of just adding more and more fields I would like to rework the way the UI for oidc works. This would include the following:
- Split the server settings screen into two screens.
  - One for setting up the connection to the oidc provider
  - One for the configuration of the scopes
- The scope screen should provide the following:
  - Option to use oidc discovery to get the scopes which one can request. In this case, the form would change upon saving and display the returned scopes to be selected, with the option to request additional scopes that were not returned.
  - Option to just type in the scopes one wants to request
- Rework the attribute screen to provide drop downs to select the name of the oidc attribute to map, if one requests common scopes like profile or email, which contain a predefined set of claims one can choose from. In addition, one could use the method from ldap to apply a given template of mapping
- I would further like to split the feature "apply a specific mapping for the gender to a given value" into a new FR, as this topic has gained a lot more attention in recent times
JourFixe, ILIAS [jourfixe], 02 OCT 2023: We highly appreciate this suggestion and schedule the feature for ILIAS 10. Please contact the UI Clinic to discuss a better solution for the current suggestion of dropdown and button for selecting the pre-fill templates on screenshot 1.
UI Clinic, 5 DEC 2023: For this request we discussed a possible workflow in the UI Clinic of 05.12.2023 (see minutes).
10 Implementation
Implemented as described above, with the following exceptions:
- We integrated an "Auto Discovery" in the "Scopes" sub-tab as requested in the comments.
- We used a slightly different UI as suggested by the UI clinic, simply due to the fact that the nature of OpenId Connect claims in relation to the scopes is not the same as the "Templates for objectClass" and the corresponding attributes in the configuration of LDAP servers.
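The auto-discovery step that the Scopes sub-tab integrates (and that the discussion above asks for) can be sketched as follows. This is an added example in Python and not ILIAS code; the discovery document is constructed for the example, and the way manually typed extra scopes are merged with the selected discovered ones is an assumption. Two checks are worth keeping in a real implementation: OpenID Connect Discovery 1.0 section 4.3 requires the `issuer` in the fetched document to be identical to the issuer URL the administrator configured, and `claims_supported` is only a recommended, possibly incomplete list, so a mapped claim that is not advertised is a warning, not an error.

```python
"""OIDC discovery for the Scopes sub-tab (added example, not ILIAS code)."""
import json

# Constructed discovery document; a real fetch goes to
# <issuer>/.well-known/openid-configuration over HTTPS.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/authorize",
    "token_endpoint": "https://idp.example.test/token",
    "jwks_uri": "https://idp.example.test/jwks",
    "scopes_supported": ["openid", "profile", "email", "groups"],
    "claims_supported": ["sub", "iss", "aud", "given_name", "family_name",
                         "email", "groups"],
})


def parse_discovery(body: str, configured_issuer: str) -> dict[str, list[str]]:
    """Extract scopes and claims; reject a document whose issuer does not match.

    The issuer comparison is the Discovery spec's own requirement (section 4.3)
    and protects against a mis-typed or redirected discovery URL handing the
    configuration to a different provider.
    """
    doc = json.loads(body)
    if doc.get("issuer") != configured_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {configured_issuer!r}")
    return {
        "scopes": list(doc.get("scopes_supported", [])),   # optional field
        "claims": list(doc.get("claims_supported", [])),   # recommended field
    }


def build_scope_selection(discovered: list[str], selected: list[str],
                          extra: str) -> list[str]:
    """Scopes to request: openid first, then the selected discovered scopes,
    then manually typed extras (space separated). Assumed merge behaviour:
    duplicates are dropped and a selection outside the discovered list is an error.
    """
    unknown = [s for s in selected if s not in discovered]
    if unknown:
        raise ValueError(f"not offered by discovery: {unknown}")
    result = ["openid"]
    for scope in selected + extra.split():
        if scope not in result:
            result.append(scope)
    return result


def unadvertised_claims(mapping: dict[str, str], claims_supported: list[str]) -> list[str]:
    """Mapped claim names the provider does not advertise (warning only).

    Empty mapping inputs are ignored, matching the sync behaviour.
    """
    advertised = set(claims_supported)
    return sorted({c for c in mapping.values() if c and c not in advertised})


if __name__ == "__main__":
    disc = parse_discovery(DISCOVERY_JSON, "https://idp.example.test")
    print(build_scope_selection(disc["scopes"], ["profile", "email"], "phone"))
    print(unadvertised_claims({"firstname": "given_name", "birthday": "birthdate"}, disc["claims"]))
```

If `scopes_supported` is absent, the form falls back to the manual input path, which is why the parser returns an empty list instead of failing.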
Test Cases
Test cases completed at 2024-10-24 by Jansen, Michael [mjansen]
- 42476 : Edit OpenID scopes (modified test case)
- 76999 : OpenID scopes: auto-discovery
- 77000 : OpenID claims: display mapping to ILIAS profile data
- 77001 : OpenID claims: save mapping to ILIAS profile data
- 77002 : OpenID claims: display mapping to ILIAS profile data based on the configured scopes
- 77003 : OpenID claims: save mapping to ILIAS profile data based on the configured scopes
Approval
Approved on 23 Oct 2024 by Dreßler, Andreas [dresslan].
Last edited: 12. Nov 2024, 09:41, Jansen, Michael [mjansen]