Feature Wiki

Additional fields for OpenID Connect (OIDC) SSO

1 Initial Problem

The OpenID Connect implementation in ILIAS only supports a very limited set of user data.

  • firstname
  • lastname
  • email
  • birthday

Side Note: Other authentication providers like SAML or LDAP support mapping of more fields.

  • SAML supports most standard user data fields AND all custom user data fields. The only exceptions are:
    • "interests", since it can have multiple values (general interests, offering help, looking for help)
    • salutation, which has no explicit value mapping - e.g. "w" (weiblich) cannot be mapped to "f" (female)
  • LDAP supports most standard user data fields. There is NO support for:
    • "interests", since it can have multiple values (general interests, offering help, looking for help)
    • explicit salutation mappings - e.g. "w" (weiblich) cannot be mapped to "f" (female)
    • birthday
    • country (dropdown)
    • second e-mail
    • how did you hear about ILIAS?
    • all custom user data

2 Conceptual Summary

The OpenID Connect implementation is extended to support further mappings and predefined templates similar to the LDAP Profile Mapping.

For all user fields (standard + custom) a text input and a checkbox (for automatic updating) will be provided.
The text input holds the name of the claim which should be synced to the corresponding user field.
All user fields are always shown; fields with an empty claim name are simply ignored when synchronizing a user.

The dropdown shown contains a list of some well-known scopes.
When a scope template is applied, the assignment form is filled with the claims which are known to be contained in the selected scope.
The claims of the available scopes come from a static list (see https://auth0.com/docs/get-started/apis/scopes/openid-connect-scopes#standard-claims).

Additionally, the scope configuration is removed from the server settings and placed into a new sub tab (e.g. "Scope Settings").
The value shown for the discovery URL is used as the default.
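The claim-to-field mapping and the scope templates described above, as an added example that is not part of the feature request or of ILIAS' own code. The user field names, the template contents and the sample claim set are assumptions made for this example; the per-scope claim lists follow the standard claims of OpenID Connect Core 1.0 (section 5.4), which is also what the linked auth0 page lists. The example shows the three behaviours the summary asks for: a scope template pre-fills only the fields it knows claims for, fields with an empty claim name are ignored on sync, and the "update automatically" checkbox decides whether an existing value is overwritten on later logins. It goes one step beyond the text with a check that reports typed claim names no requested scope is known to deliver, so a mapping that will never receive data is visible at configuration time. Claims are assumed to come from an already validated ID token or userinfo response.

```python
from dataclasses import dataclass

# Standard claims delivered by each well-known scope (OpenID Connect Core 1.0, section 5.4).
# This is the static list the scope templates are built from.
SCOPE_CLAIMS = {
    "profile": ["name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"],
    "email": ["email", "email_verified"],
    "address": ["address"],
    "phone": ["phone_number", "phone_number_verified"],
}

# Assumed user fields for this example (ILIAS' real field names may differ);
# "udf_department" stands in for a custom user data field.
USER_FIELDS = ["firstname", "lastname", "email", "birthday", "gender", "udf_department"]

# Assumed templates: which standard claim pre-fills which user field when a scope is applied.
SCOPE_TEMPLATES = {
    "profile": {"firstname": "given_name", "lastname": "family_name",
                "birthday": "birthdate", "gender": "gender"},
    "email": {"email": "email"},
}


@dataclass
class FieldRule:
    claim: str = ""       # claim name from the text input; "" means the field is not mapped
    update: bool = False  # state of the "update automatically" checkbox


def empty_rules():
    """One empty rule per user field, as the form looks before anything is configured."""
    return {f: FieldRule() for f in USER_FIELDS}


def apply_scope_template(rules, scope):
    """Fill the form with the claims known to be in `scope`; other fields are left untouched."""
    if scope not in SCOPE_CLAIMS:
        raise ValueError(f"unknown scope: {scope}")
    for user_field, claim in SCOPE_TEMPLATES.get(scope, {}).items():
        rules[user_field] = FieldRule(claim=claim, update=rules[user_field].update)
    return rules


def unresolved_claims(rules, requested_scopes):
    """Configured claim names that no requested scope is known to deliver.

    A hit is either a custom claim (fine, if the provider really sends it) or a
    standard claim whose scope was not requested, in which case the field will
    never be filled.
    """
    delivered = {c for s in requested_scopes for c in SCOPE_CLAIMS.get(s, [])}
    return sorted({r.claim for r in rules.values() if r.claim and r.claim not in delivered})


def sync_user(rules, claims, account, first_login):
    """Return the account data after one login.

    Only fields with a non-empty claim name are considered. On first login every
    mapped claim present in the token is written; afterwards only fields whose
    `update` checkbox is set are overwritten. A claim absent from the token is
    skipped, so a missing claim never blanks a previously stored value.
    """
    updated = dict(account)
    for user_field, rule in rules.items():
        if not rule.claim or rule.claim not in claims:
            continue
        if first_login or rule.update:
            updated[user_field] = claims[rule.claim]
    return updated


if __name__ == "__main__":
    rules = apply_scope_template(apply_scope_template(empty_rules(), "profile"), "email")
    rules["email"].update = True                 # keep the e-mail in sync on every login
    rules["udf_department"].claim = "department"  # custom claim, not in any standard scope
    print("unresolved:", unresolved_claims(rules, ["openid", "profile", "email"]))
    # Constructed sample claims, standing in for a validated ID token / userinfo response.
    token = {"sub": "example-subject", "given_name": "Erika", "family_name": "Mustermann",
             "email": "erika@example.org", "birthdate": "1990-01-01"}
    account = sync_user(rules, token, {}, first_login=True)
    print("after first login:", account)
    later = {"sub": "example-subject", "given_name": "E.", "email": "erika.m@example.org"}
    print("after later login:", sync_user(rules, later, account, first_login=False))
```

Running the script prints the one custom claim as unresolved, an account filled from the first token (no `gender` arrives, so that field stays unset), and a second login that refreshes only the e-mail because that is the only field with the update checkbox set.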

2.1 Documentation

There should be documentation in the README.md and a `messageBox` of type `info` which describes the `Scope` / `Claims` topic.

3 User Interface Modifications

3.1 List of Affected Views

  • Administration > Authentication and Registration > OpenID Connect > Mapping of Profile-Data
  • Administration > Authentication and Registration > OpenID Connect > Server Settings

3.2 User Interface Details

The form will be extended as follows

3.3 New User Interface Concepts

-

3.4 Accessibility Implications

-

4 Technical Information

{ The maintainer has to provide necessary technical information, e.g. dependencies on other ILIAS components, necessary modifications in general services/architecture, potential security or performance issues. }

5 Privacy

The SSO mapping rules specify which OIDC fields will be stored in the user account. This is the only processing of personal data by the mapping rules themselves, but of course other components of ILIAS can process this data in further ways.

{ Please list all personal data that will need to be stored or processed to implement this feature. For each date give a short explanation why it is necessary to use that date. }

6 Security

-

7 Contact

8 Funding

If you are interested in funding this feature, please add your name and institution to this list.

9 Discussion

Kiegel, Colin [kiegel] 2022-06-09: The feature has already been developed for item Industrietechnik GmbH as shown above and can be provided as a pull request by Databay.

I kindly ask to approve this feature both (a) with and (b) without the stretch goals 1+2. This would allow us to integrate the feature even if we don't get the funding for the stretch goals.

Seeland, Per Pascal [PerPascalSeeland] 2023-05-10: Thanks for this feature. Instead of just adding more and more fields I would like to rework the way the UI for oidc works. This would include the following:

  • Split the server settings screen into two screens.
    • One for setting up the connection to the oidc provider
    • One for the configuration of the scopes
  • The scope screen should provide the following:
    • Option to use oidc discovery to get the scopes which one can request. In this case, the form would change upon saving and display the returned scopes to be selected, with the option to request additional scopes that were not returned.
    • Option to just type in the scopes one wants to request
  • Rework the attribute screen to provide drop downs to select the name of the oidc attribute to map, if one requests common scopes like profile or email, which contain a predefined set of claims one can choose from. In addition, one could use the method from ldap to apply a given template of mapping.
  • I would further like to split the feature "apply a specific mapping for the gender to a given value" into a new FR, as this topic has gained a lot more attention in recent times.

JourFixe, ILIAS [jourfixe], 02 OCT 2023: We highly appreciate this suggestion and schedule the feature for ILIAS 10. Please contact the UI Clinic to discuss a better solution for the current suggestion of dropdown and button for selecting the pre-fill templates on screenshot 1.

UI Clinic, 5 DEC 2023: For this request we discussed a possible workflow in the UI Clinic of 05.12.2023 (see minutes).

10 Implementation

{ The maintainer has to give a description of the final implementation and add screenshots if possible. }

Test Cases

Test cases completed at {date} by {user}

  • {Test case number linked to Testrail} : {test case title}

Approval

Approved at {date} by {user}.

Last edited: 15. Jan 2024, 14:33, Jansen, Michael [mjansen]