Last edited by Jon Yu Apr 08, 2020

OIDC Authentication

For single sign-on, this project utilizes the mozilla-django-oidc library.

More information about the library can be found here.

Obtaining a client ID and secret

To set this up in your deployed environment, you'll need to first create a Shibboleth request.

To submit the request, you will need to provide the URL of your application. You may want to make sure the route is already served over HTTPS (SSL/TLS) before submitting; otherwise you may need to make another request later to update the callback.

When filling out the form, the redirect URI is your application URL + /oidc/callback/

For example:

https://new-app.its.umich.edu/ (application url)
https://new-app.its.umich.edu/oidc/callback/ (redirect uri)

Configuring your app

Once you have obtained a client ID and secret, you will need to set the following environment variables:

  • OIDC_RP_CLIENT_ID
  • OIDC_RP_CLIENT_SECRET
  • OIDC_OP_AUTHORIZATION_ENDPOINT=https://shibboleth.umich.edu/idp/profile/oidc/authorize
  • OIDC_OP_TOKEN_ENDPOINT=https://shibboleth.umich.edu/idp/profile/oidc/token
  • OIDC_OP_USER_ENDPOINT=https://shibboleth.umich.edu/idp/profile/oidc/userinfo
  • OIDC_OP_JWKS_ENDPOINT=https://shibboleth.umich.edu/idp/profile/oidc/keyset

Set OIDC_RP_CLIENT_ID and OIDC_RP_CLIENT_SECRET to the values provided for your Shibboleth request. If any of the endpoints change, the current UM metadata can be found here.

The following values are configurable, but optional:

  • OIDC_RP_SIGN_ALGO
  • OIDC_USERNAME_ALGO
  • OIDC_RP_SCOPES
  • OIDC_CREATE_USER
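
One way to check these variables at startup so a missing secret or a non-HTTPS endpoint stops the app instead of failing at first login. This is an added example, not code from the template project; `load_oidc_settings`, `redirect_uri` and `OIDCConfigError` are hypothetical names, and parsing OIDC_CREATE_USER from text is an assumption about how the flag is supplied.

```python
import os
from urllib.parse import urlsplit

REQUIRED = (
    "OIDC_RP_CLIENT_ID",
    "OIDC_RP_CLIENT_SECRET",
    "OIDC_OP_AUTHORIZATION_ENDPOINT",
    "OIDC_OP_TOKEN_ENDPOINT",
    "OIDC_OP_USER_ENDPOINT",
    "OIDC_OP_JWKS_ENDPOINT",
)
OPTIONAL = ("OIDC_RP_SIGN_ALGO", "OIDC_USERNAME_ALGO", "OIDC_RP_SCOPES", "OIDC_CREATE_USER")


class OIDCConfigError(Exception):
    """Hypothetical error type: the OIDC environment is incomplete or unsafe."""


def _require_https(name, value):
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.netloc:
        raise OIDCConfigError(f"{name} must be an https URL")


def redirect_uri(app_url):
    """Application URL + /oidc/callback/, the value entered in the Shibboleth request."""
    _require_https("application URL", app_url)
    return app_url.rstrip("/") + "/oidc/callback/"


def load_oidc_settings(env=None):
    """Return the OIDC_* settings as a dict, failing closed on bad input."""
    env = os.environ if env is None else env
    # Report missing names only, so the secret never ends up in an error message.
    missing = [k for k in REQUIRED if not env.get(k, "").strip()]
    if missing:
        raise OIDCConfigError("missing: " + ", ".join(missing))
    settings = {k: env[k].strip() for k in REQUIRED}
    for key, value in settings.items():
        if key.endswith("_ENDPOINT"):
            _require_https(key, value)
    for key in OPTIONAL:
        if env.get(key, "").strip():
            settings[key] = env[key].strip()
    # Assumption: the flag arrives as text; Django settings expect a real boolean.
    if "OIDC_CREATE_USER" in settings:
        settings["OIDC_CREATE_USER"] = settings["OIDC_CREATE_USER"].lower() in ("1", "true", "yes")
    return settings
```

In a Django settings module the returned dict can be merged with `globals().update(load_oidc_settings())`, so the app refuses to start on an incomplete configuration.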

Notes

You may want to read the documentation here to decide if OIDC is sufficient for your needs or if you need SAML-based authentication.
