Skip to content

GitLab

Note: The default ITS GitLab runner is a shared resource and is subject to slowdowns during heavy usage.
You can run your own GitLab runner that is dedicated just to your group if you need to avoid processing delays.

OIDC Authentication · Changes

Page history
Add oidc authentication authored by Jon Yu's avatar Jon Yu
Hide whitespace changes
Inline Side-by-side
OIDC-Authentication.md 0 → 100644
View page @ fcaa5f14
# OIDC Authentication
For single sign-on, this project utilizes the [mozilla-django-oidc](https://github.com/mozilla/mozilla-django-oidc) library.
More information for the library can be found [here](https://mozilla-django-oidc.readthedocs.io/en/stable/).
## Obtaining a client ID and secret
To set this up in your deployed environment, you'll need to first [create a Shibboleth request](https://its.umich.edu/accounts-access/shibboleth/configuration-request-form).
To submit the request, you will need to provide the URL to your application. You may want to ensure that your route is HTTPS secured with SSL/TLS first or you may need to make another request later to update the callback.
When filling out the form, the redirect uri will be your application url + /oidc/callback/
e.g.
https://new-app.its.umich.edu/ (application url)
https://new-app.its.umich.edu/oidc/callback/ (redirect uri)
## Configuring your app
Once you have obtained a client ID and secret, you will need to set the following environment variables:
- OIDC_RP_CLIENT_ID
- OIDC_RP_CLIENT_SECRET
- OIDC_OP_AUTHORIZATION_ENDPOINT=https://shibboleth.umich.edu/idp/profile/oidc/authorize
- OIDC_OP_TOKEN_ENDPOINT=https://shibboleth.umich.edu/idp/profile/oidc/token
- OIDC_OP_USER_ENDPOINT=https://shibboleth.umich.edu/idp/profile/oidc/userinfo
- OIDC_OP_JWKS_ENDPOINT=https://shibboleth.umich.edu/idp/profile/oidc/keyset
Replace OIDC_RP_CLIENT_ID and OIDC_RP_CLIENT_SECRET with the values provided from your Shibboleth request. The UM metadata can be found [here](https://shibboleth.umich.edu/.well-known/openid-configuration) if any of the endpoints change.
The following values are configurable, but optional:
- OIDC_RP_SIGN_ALGO
- OIDC_USERNAME_ALGO
- OIDC_RP_SCOPES
- OIDC_CREATE_USER
## Notes
You may want to read the documentation [here](https://its.umich.edu/accounts-access/shibboleth/protocol-options) to decide if OIDC is sufficient for your needs or if you need SAML-based authentication.
\ No newline at end of file