# OIDC Authentication

For single sign-on, this project uses the [mozilla-django-oidc](https://github.com/mozilla/mozilla-django-oidc) library.

More information about the library can be found [here](https://mozilla-django-oidc.readthedocs.io/en/stable/).

## Obtaining a client ID and secret

To set this up in your deployed environment, you will first need to [create a Shibboleth request](https://its.umich.edu/accounts-access/shibboleth/configuration-request-form).

To submit the request, you will need to provide the URL of your application. Make sure that route is already served over HTTPS (TLS) before submitting: the IdP only redirects to the exact redirect URI that was registered, so if the scheme or hostname changes later you will have to file another request to update the callback.

When filling out the form, the redirect URI is your application URL followed by `/oidc/callback/`. Include the trailing slash: the IdP compares the redirect URI sent at login against the registered value exactly. For example:

- https://new-app.its.umich.edu/ (application URL)
- https://new-app.its.umich.edu/oidc/callback/ (redirect URI)

## Configuring your app

Once you have obtained a client ID and secret, you will need to set the following environment variables:

- OIDC_RP_CLIENT_ID
- OIDC_RP_CLIENT_SECRET
- OIDC_OP_AUTHORIZATION_ENDPOINT=https://shibboleth.umich.edu/idp/profile/oidc/authorize
- OIDC_OP_TOKEN_ENDPOINT=https://shibboleth.umich.edu/idp/profile/oidc/token
- OIDC_OP_USER_ENDPOINT=https://shibboleth.umich.edu/idp/profile/oidc/userinfo
- OIDC_OP_JWKS_ENDPOINT=https://shibboleth.umich.edu/idp/profile/oidc/keyset

Replace OIDC_RP_CLIENT_ID and OIDC_RP_CLIENT_SECRET with the values provided in response to your Shibboleth request, and keep the secret out of source control. The UM OpenID Provider metadata (discovery document) can be found [here](https://shibboleth.umich.edu/.well-known/openid-configuration) if any of the endpoints change; the four endpoint values above correspond to its `authorization_endpoint`, `token_endpoint`, `userinfo_endpoint` and `jwks_uri` fields.
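As an added example (not code from this project or from mozilla-django-oidc), the following Python script builds the settings above from an OpenID Provider discovery document and checks them before they go into the environment: every endpoint must be an https URL on the issuer's host, the signing algorithm the app is told to expect must be one the provider actually offers, and the redirect URI is derived from the application URL as described in the previous section. The discovery document embedded in the script is a constructed, abbreviated stand-in for the UM metadata so that it runs offline; the function names are the example's own.

```python
"""Added example (not code from the project or from mozilla-django-oidc):
derive the OIDC_* settings from an OpenID Provider discovery document and
sanity-check them before deployment.

SAMPLE_DISCOVERY is a constructed, abbreviated stand-in for the document at
https://shibboleth.umich.edu/.well-known/openid-configuration so the script
runs offline; its field names follow OpenID Connect Discovery 1.0.
"""
import json
from urllib.parse import urlparse

# Constructed sample (the real document carries many more fields).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://shibboleth.umich.edu",
    "authorization_endpoint": "https://shibboleth.umich.edu/idp/profile/oidc/authorize",
    "token_endpoint": "https://shibboleth.umich.edu/idp/profile/oidc/token",
    "userinfo_endpoint": "https://shibboleth.umich.edu/idp/profile/oidc/userinfo",
    "jwks_uri": "https://shibboleth.umich.edu/idp/profile/oidc/keyset",
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile", "email"],
})

# Discovery field -> mozilla-django-oidc setting that carries it.
ENDPOINT_SETTINGS = {
    "authorization_endpoint": "OIDC_OP_AUTHORIZATION_ENDPOINT",
    "token_endpoint": "OIDC_OP_TOKEN_ENDPOINT",
    "userinfo_endpoint": "OIDC_OP_USER_ENDPOINT",
    "jwks_uri": "OIDC_OP_JWKS_ENDPOINT",
}


def callback_uri(app_url):
    """Redirect URI to register: the application URL plus /oidc/callback/.

    The provider compares redirect URIs for an exact match, so the scheme and
    the trailing slash matter; an http:// application URL is rejected here
    rather than registered and corrected with a second request later.
    """
    parsed = urlparse(app_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"application URL must be an absolute https URL: {app_url!r}")
    return app_url.rstrip("/") + "/oidc/callback/"


def settings_from_discovery(doc_json, sign_algo="RS256", scopes=("openid", "email")):
    """Return the OIDC_* settings as a dict, or raise ValueError when the
    document would produce an insecure or non-working configuration."""
    doc = json.loads(doc_json)
    issuer = urlparse(doc["issuer"])
    if issuer.scheme != "https":
        raise ValueError("issuer is not https")

    settings = {}
    for field, name in ENDPOINT_SETTINGS.items():
        url = doc.get(field)
        if not url:
            raise ValueError(f"discovery document has no {field}")
        parsed = urlparse(url)
        # Every endpoint must be TLS and on the issuer's host: a token or JWKS
        # endpoint elsewhere would mean sending the client secret to, or
        # trusting signing keys from, a different party.
        if parsed.scheme != "https" or parsed.netloc != issuer.netloc:
            raise ValueError(f"{field} is not an https URL on {issuer.netloc}: {url}")
        settings[name] = url

    # mozilla-django-oidc defaults OIDC_RP_SIGN_ALGO to HS256 and then checks
    # ID-token signatures with the client secret; OIDC_OP_JWKS_ENDPOINT is only
    # consulted for RS256, so the algorithm is set explicitly and must be one
    # the provider advertises.
    supported = doc.get("id_token_signing_alg_values_supported", [])
    if sign_algo not in supported:
        raise ValueError(f"OP does not sign ID tokens with {sign_algo}; it offers {supported}")
    settings["OIDC_RP_SIGN_ALGO"] = sign_algo

    # "openid" is mandatory for an OIDC request; any other scope must be one
    # the provider lists, or the authorize step fails at login time.
    wanted = ["openid"] + [s for s in scopes if s != "openid"]
    unsupported = [s for s in wanted if s not in doc.get("scopes_supported", wanted)]
    if unsupported:
        raise ValueError(f"OP does not support scopes {unsupported}")
    settings["OIDC_RP_SCOPES"] = " ".join(wanted)
    return settings


def env_lines(settings):
    """Render the settings as KEY=value lines for a .env file or deployment config."""
    return [f"{key}={value}" for key, value in sorted(settings.items())]


if __name__ == "__main__":
    print("redirect_uri:", callback_uri("https://new-app.its.umich.edu/"))
    for line in env_lines(settings_from_discovery(SAMPLE_DISCOVERY)):
        print(line)
```

Run against the real discovery document, the same checks catch the two configuration mistakes that are easy to make here: an endpoint copied from somewhere other than the issuer's metadata, and a signing algorithm that leaves the JWKS endpoint unused.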

The following mozilla-django-oidc settings are optional, but worth setting explicitly:

- OIDC_RP_SIGN_ALGO: the algorithm the IdP uses to sign ID tokens. The library defaults to HS256, under which ID tokens are verified with the client secret and the JWKS endpoint is never consulted; set it to RS256 so signatures are checked against the keys published at OIDC_OP_JWKS_ENDPOINT.
- OIDC_USERNAME_ALGO: a function (or dotted path to one) that derives the Django username from the user's email address claim; the library's default is a hash of the email.
- OIDC_RP_SCOPES: the space-separated scopes to request at login; defaults to `openid email`.
- OIDC_CREATE_USER: whether a Django user is created automatically on first successful login (default True). Set it to False if only pre-provisioned accounts should be able to sign in.

## Notes

You may want to read the documentation [here](https://its.umich.edu/accounts-access/shibboleth/protocol-options) to decide whether OIDC is sufficient for your needs or whether you need SAML-based authentication.