OpenID Authentication with UCS

Last modified by Ludovic Dubost on 2021/06/02 17:22

This document is a configuration guide for the XWiki OpenID Connect (OIDC) authenticator with Univention Corporate Server (UCS) acting as the identity provider.
The configuration has been tested against a standard UCS 4.4 installation.

XWiki Configuration

First the OpenIDC Authenticator must be enabled in xwiki.cfg:

xwiki.authentication.authclass=org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl

And configured in xwiki.properties. Here are the properties to configure:

#-# The generic OpenId Connect endpoints to use to communicate with the provider.
#-# Not needed in case of XWiki based provider.
# oidc.endpoint.authorization=https://xwikiorg-node1.xwikisas.com/xwiki/oidc/authorization
# oidc.endpoint.token=https://xwikiorg-node1.xwikisas.com/xwiki/oidc/token
# oidc.endpoint.userinfo=https://xwikiorg-node1.xwikisas.com/xwiki/oidc/userinfo
# oidc.endpoint.logout=https://xwikiorg-node1.xwikisas.com/xwiki/oidc/logout
oidc.endpoint.authorization=https://ucs-sso.devxwiki.com/signin/v1/identifier/_/authorize
oidc.endpoint.token=https://ucs-sso.devxwiki.com/konnect/v1/token
oidc.endpoint.userinfo=https://ucs-sso.devxwiki.com/konnect/v1/userinfo
oidc.endpoint.logout=https://ucs-sso.devxwiki.com/signin/v1/identifier/_/endsession

#-# The scopes to use when redirecting to the provider
#-# The standard OpenID Connect scopes are:
#-# * openid: Informs the authorisation server that the client is making an OpenID Connect request (REQUIRED).
#-# * profile: Requests that access to the end-user's default profile claims at the UserInfo endpoint be granted by the issued access token.
#-# * email: Requests that access to the email and email_verified claims at the UserInfo endpoint be granted by the issued access token.
#-# * address: Requests that access to the address claim at the UserInfo endpoint be granted by the issued access token.
#-# * phone: Requests that access to the phone_number and phone_number_verified claims at the UserInfo endpoint be granted by the issued access token.
#-# * offline_access: Requests that an OAuth 2.0 refresh token be issued that can be used to obtain an access token granting access to the end-user's UserInfo endpoint even when the user is not present (not logged in).
#-#
#-# But depending on the provider more can be listed.
#-#
#-# The default is:
# oidc.scope=openid,profile,email,address,phone
oidc.scope=openid,profile,email

#-# The custom claims to request from the provider for the ID token.
#-#
#-# The default is xwiki_instance_id, the automatically generated unique id of the XWiki instance
#-# (only meaningful when the provider is itself an XWiki instance).
# oidc.idtokenclaims=xwiki_instance_id
oidc.idtokenclaims=id_token

#-# The entire userinfo JSON received from the provider is also available using prefix "oidc.user.".
#-# For example if the provider send the following JSON for the user info:
#-# {
#-#   "sub"                : "248289761001",
#-#   "name"               : "Jane Doe",
#-#   "given_name"         : "Jane",
#-#   "family_name"        : "Doe",
#-#   "preferred_username" : "j.doe",
#-#   "email"              : "janedoe@example.com",
#-#   "picture"            : "http://example.com/janedoe/me.jpg",
#-#   "customobject"       :
#-#   {
#-#     "customproperty"   :  "customvalue"
#-#   }
#-# }
#-# you can use the variable ${oidc.user.customobject.customproperty}.
#-#
#-# The following suffixes can be added:
#-# * "._lowerCase": the lower case version of the string
#-# * "._upperCase": the upper case version of the string
#-# * "._clean": a version of the string stripped of the ".", ":", ",", "@", "^" characters and "\s" (all forms of white space).
#-#             It can itself be suffixed with "._lowerCase" and "._upperCase".
#-#
#-# The variable syntax also has other features (fallback value, etc.) detailed on https://commons.apache.org/proper/commons-text/apidocs/org/apache/commons/text/StringSubstitutor.html.
#-#
#-# The default is:
# oidc.user.nameFormater=${oidc.issuer.host._clean}-${oidc.user.preferredUsername._clean}
oidc.user.nameFormater=${oidc.user.preferredUsername._clean}

#-# The custom claims to request from the provider for the UserInfo
#-#
#-# The available custom claims are:
#-# xwiki_groups (or whatever you indicated in oidc.groups.claim): the groups a user belongs to in the provider (see the "Group synchronization" section for more details)
#-# xwiki_user_<fieldname>: the prefix to use to request any field of the user profile document (generally when the provider is XWiki)
#-# The default is:
# oidc.userinfoclaims=xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype
oidc.userinfoclaims=

#-# The client identifier used by the authenticator. It must match the client id registered on the UCS side.
#-# The default is the identifier of the XWiki instance.
# oidc.clientid=
oidc.clientid=xwiki

#-# The client secret (optional) registered on the provider. It lets XWiki authenticate to the token endpoint
#-# as this client, so restrict read access to xwiki.properties to the account running the servlet container.
#-# By default nothing is sent to the provider.
# oidc.secret=
oidc.secret=<secretsetontheUCSside>
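The ${oidc.user...} substitution described for oidc.user.nameFormater above is easy to get subtly wrong, because "._clean" throws characters away and is therefore not one-to-one. The following is an added example, not code from this page, from the XWiki OIDC authenticator or from UCS: it re-implements the "._clean", "._lowerCase" and "._upperCase" suffixes and the StringSubstitutor ":-default" fallback, then shows that two different UCS accounts (preferred_username "j.doe" and "jdoe") collapse onto the same XWiki user name. The userinfo documents and the issuer host are constructed sample data; the camelCase lookup (preferredUsername resolving the preferred_username claim) is an assumption taken from the page's own example.

```python
"""Added example (not code from this page, XWiki or UCS): re-implements the
oidc.user.nameFormater variable substitution with the ._clean / ._lowerCase /
._upperCase suffixes and the ":-default" fallback, and shows that ._clean can
merge two distinct provider accounts into one XWiki user name."""
import re

# Characters that "._clean" strips, per the property documentation, plus \s.
_CLEAN_RE = re.compile(r"[.:,@^\s]")
_VAR_RE = re.compile(r"\$\{([^}]+)\}")


def _snake(key: str) -> str:
    """preferredUsername -> preferred_username (assumption: the authenticator
    exposes standard claims under camelCase names, as the page's example does)."""
    return re.sub(r"([A-Z])", lambda m: "_" + m.group(1).lower(), key)


def _lookup(userinfo: dict, path: list):
    """Walk a dotted claim path (e.g. customobject.customproperty), trying each
    key verbatim first and then in snake_case."""
    cur = userinfo
    for key in path:
        if not isinstance(cur, dict):
            return None
        if key in cur:
            cur = cur[key]
        elif _snake(key) in cur:
            cur = cur[_snake(key)]
        else:
            return None
    return cur


def _apply_suffix(value: str, suffix: str) -> str:
    if suffix == "_clean":
        return _CLEAN_RE.sub("", value)
    if suffix == "_lowerCase":
        return value.lower()
    if suffix == "_upperCase":
        return value.upper()
    raise ValueError(f"unknown suffix {suffix}")


def resolve_variable(expr: str, userinfo: dict, issuer_host: str):
    """Resolve the inside of one ${...}. Returns None when the variable is
    unknown and no ":-default" was supplied."""
    name, has_default, default = expr.partition(":-")
    parts = name.split(".")
    suffixes = []
    while parts and parts[-1].startswith("_"):   # trailing ._clean etc.
        suffixes.insert(0, parts.pop())
    if parts[:2] == ["oidc", "user"] and len(parts) > 2:
        value = _lookup(userinfo, parts[2:])
    elif parts == ["oidc", "issuer", "host"]:
        value = issuer_host
    else:
        value = None
    if value is None:
        return default if has_default else None
    value = str(value)
    for suffix in suffixes:
        value = _apply_suffix(value, suffix)
    return value


def format_user_name(formatter: str, userinfo: dict, issuer_host: str) -> str:
    """Expand a nameFormater string. Like StringSubstitutor's default mode, an
    unresolvable variable without a default is left in place, not an error."""
    def repl(m):
        value = resolve_variable(m.group(1), userinfo, issuer_host)
        return m.group(0) if value is None else value
    return _VAR_RE.sub(repl, formatter)


# Constructed userinfo documents for two *different* provider accounts.
JANE = {"sub": "248289761001", "preferred_username": "j.doe",
        "email": "janedoe@example.com",
        "customobject": {"customproperty": "customvalue"}}
JOHN = {"sub": "248289761002", "preferred_username": "jdoe",
        "email": "jdoe@example.com"}
ISSUER_HOST = "ucs-sso.example.com"  # constructed

DEFAULT_FORMATTER = "${oidc.issuer.host._clean}-${oidc.user.preferredUsername._clean}"
PAGE_FORMATTER = "${oidc.user.preferredUsername._clean}"
SUB_FORMATTER = "${oidc.user.sub}"  # the stable, provider-unique subject identifier


def collides(formatter: str, a: dict, b: dict, issuer_host: str = ISSUER_HOST) -> bool:
    """True when two distinct accounts would share one XWiki user name."""
    return format_user_name(formatter, a, issuer_host) == format_user_name(formatter, b, issuer_host)


if __name__ == "__main__":
    for label, fmt in [("default", DEFAULT_FORMATTER), ("page", PAGE_FORMATTER), ("sub", SUB_FORMATTER)]:
        print(f"{label:8} {format_user_name(fmt, JANE, ISSUER_HOST):30} collides with JOHN: {collides(fmt, JANE, JOHN)}")
```

Note that the default formatter's issuer-host prefix only separates accounts coming from different providers; within one UCS domain "j.doe" and "jdoe" still collide after "._clean", and the second user to log in would land in the first user's XWiki profile. If UCS usernames may legitimately contain the stripped characters, a formatter built on the "sub" claim (or on a claim UCS guarantees unique) avoids that.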

UCS Configuration

You will need to install the OpenID Connect provider app on UCS. Once it is installed, register XWiki as an OIDC application by adding an OIDC provider entry in the LDAP directory, as shown in the screenshots below.

ucs-xwiki-oidc-1.png

ucs-xwiki-oidc-2.png

The redirect_uri registered for the client must be exactly https://<xwikiserver>/xwiki/oidc/authenticator/callback, with the same scheme, host, port and path XWiki is reached on: OIDC providers compare the redirect URI sent by the client against the registered one by exact string match, so an http:// variant or a trailing slash will be rejected. The client id and client secret entered in this entry must match oidc.clientid and oidc.secret in xwiki.properties.
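Most failures with this setup are mismatches between the two sides: an endpoint URL that differs from what the provider actually publishes, a scope the provider does not offer, a secret left at its placeholder, or a callback URI that is not byte-for-byte the registered one. The following added example, which is not code from this page, XWiki or UCS, checks the xwiki.properties values above against the provider's discovery document (the /.well-known/openid-configuration metadata every OIDC provider serves) and against the registered redirect URIs. The discovery document, the wiki base URL and the registered URI list are constructed to match the page's configuration, not captured from a real UCS host; in practice you would fetch the discovery JSON from the UCS SSO host and paste it in.

```python
"""Added example (not code from this page, XWiki or UCS): consistency checks
for the OIDC settings in xwiki.properties against the provider's discovery
document and the redirect URI registered on the UCS side."""
from urllib.parse import urlsplit

# Discovery-document field that each xwiki.properties endpoint must match.
ENDPOINT_FIELDS = {
    "oidc.endpoint.authorization": "authorization_endpoint",
    "oidc.endpoint.token": "token_endpoint",
    "oidc.endpoint.userinfo": "userinfo_endpoint",
    "oidc.endpoint.logout": "end_session_endpoint",
}

# Callback path used by the XWiki OIDC authenticator (from the page).
CALLBACK_PATH = "/xwiki/oidc/authenticator/callback"


def parse_properties(text: str) -> dict:
    """Minimal .properties reader: key=value per line, '#' lines are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_config(properties: str, discovery: dict, registered_redirect_uris: list, xwiki_base_url: str) -> list:
    """Return human-readable findings; an empty list means the two sides agree."""
    findings = []
    props = parse_properties(properties)
    issuer_host = urlsplit(discovery["issuer"]).hostname

    for key, field in ENDPOINT_FIELDS.items():
        configured = props.get(key)
        if not configured:
            findings.append(f"{key} is not set")
            continue
        parsed = urlsplit(configured)
        if parsed.scheme != "https":
            findings.append(f"{key} is not https; codes and tokens would cross the network in clear")
        if parsed.hostname != issuer_host:
            findings.append(f"{key} points at {parsed.hostname}, not at issuer host {issuer_host}")
        published = discovery.get(field)
        if published and configured != published:
            findings.append(f"{key}={configured} differs from discovery {field}={published}")

    scopes = [s for s in props.get("oidc.scope", "").split(",") if s]
    if "openid" not in scopes:
        findings.append("oidc.scope must include openid")
    unsupported = [s for s in scopes if s not in discovery.get("scopes_supported", scopes)]
    if unsupported:
        findings.append("scopes not advertised by the provider: " + ", ".join(unsupported))

    if not props.get("oidc.clientid"):
        findings.append("oidc.clientid is not set; it must match the client id registered on UCS")
    secret = props.get("oidc.secret", "")
    if not secret:
        findings.append("oidc.secret is empty: XWiki will not authenticate to the token endpoint")
    elif secret.startswith("<") and secret.endswith(">"):
        findings.append(f"oidc.secret still holds the placeholder {secret}")

    # Providers compare redirect URIs by exact string match, so build the
    # callback exactly as XWiki will send it and look for that string only.
    callback = xwiki_base_url.rstrip("/") + CALLBACK_PATH
    if callback not in registered_redirect_uris:
        findings.append(f"redirect_uri {callback} is not registered on the provider (exact match required)")
    return findings


# The page's xwiki.properties values, with the placeholder secret left in.
PAGE_PROPERTIES = """
oidc.endpoint.authorization=https://ucs-sso.devxwiki.com/signin/v1/identifier/_/authorize
oidc.endpoint.token=https://ucs-sso.devxwiki.com/konnect/v1/token
oidc.endpoint.userinfo=https://ucs-sso.devxwiki.com/konnect/v1/userinfo
oidc.endpoint.logout=https://ucs-sso.devxwiki.com/signin/v1/identifier/_/endsession
oidc.scope=openid,profile,email
oidc.clientid=xwiki
oidc.secret=<secretsetontheUCSside>
"""

# Constructed discovery document shaped like OIDC provider metadata and filled
# with the page's endpoints; NOT fetched from a real UCS host.
SAMPLE_DISCOVERY = {
    "issuer": "https://ucs-sso.devxwiki.com",
    "authorization_endpoint": "https://ucs-sso.devxwiki.com/signin/v1/identifier/_/authorize",
    "token_endpoint": "https://ucs-sso.devxwiki.com/konnect/v1/token",
    "userinfo_endpoint": "https://ucs-sso.devxwiki.com/konnect/v1/userinfo",
    "end_session_endpoint": "https://ucs-sso.devxwiki.com/signin/v1/identifier/_/endsession",
    "scopes_supported": ["openid", "profile", "email", "address", "phone", "offline_access"],
}
XWIKI_BASE_URL = "https://wiki.example.com"  # constructed
REGISTERED_URIS = [XWIKI_BASE_URL + CALLBACK_PATH]  # constructed: what was entered on UCS


if __name__ == "__main__":
    for finding in check_config(PAGE_PROPERTIES, SAMPLE_DISCOVERY, REGISTERED_URIS, XWIKI_BASE_URL) or ["OK"]:
        print("-", finding)
```

Run against the page's values the only finding is the placeholder secret; editing one character of the token endpoint or registering the callback with a trailing slash produces a finding for that line, which is the kind of error that otherwise surfaces only as an opaque "invalid redirect_uri" or "invalid_client" page on the UCS side.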
