OIDC Authentication

For single sign-on, this project utilizes the mozilla-django-oidc library.

More information for the library can be found here.

Obtaining a client ID and secret

To set this up in your deployed environment, you'll need to first create a Shibboleth request.

To submit the request, you will need to provide the URL to your application. You may want to ensure that your route is HTTPS secured with SSL/TLS first or you may need to make another request later to update the callback.

When filling out the form, the redirect uri will be your application url + /oidc/callback/

e.g.

https://new-app.its.umich.edu/ (application url)
https://new-app.its.umich.edu/oidc/callback/ (redirect uri)

Configuring your app

Once you have obtained a client ID and secret, you will need to set the following environment variables:

• OIDC_RP_CLIENT_ID
• OIDC_RP_CLIENT_SECRET
• OIDC_OP_AUTHORIZATION_ENDPOINT=https://shibboleth.umich.edu/idp/profile/oidc/authorize
• OIDC_OP_TOKEN_ENDPOINT=https://shibboleth.umich.edu/idp/profile/oidc/token
• OIDC_OP_USER_ENDPOINT=https://shibboleth.umich.edu/idp/profile/oidc/userinfo
• OIDC_OP_JWKS_ENDPOINT=https://shibboleth.umich.edu/idp/profile/oidc/keyset

Replace OIDC_RP_CLIENT_ID and OIDC_RP_CLIENT_SECRET with the values provided from your Shibboleth request. The UM metadata can be found here if any of the endpoints change.

The following values are configurable, but optional:

• OIDC_RP_SIGN_ALGO
• OIDC_USERNAME_ALGO
• OIDC_RP_SCOPES
• OIDC_CREATE_USER

Notes

You may want to read the documentation here to decide if OIDC is sufficient for your needs or if you need SAML-based authentication.