gluu_server_settings
This page highlights Gluu Server settings of interest to SSO clients using OpenID Connect.
The Gluu-specific documentation on OpenID Connect can be found here.
OpenID Connect lets clients query user information using scopes, as explained here.
After registration, a client only has access to the scopes enabled for that client.
A client cannot request a claim (a single piece of user information, see claims) that is not included in one of the scopes enabled for that client; such a claim is simply not returned.
To avoid having to enable scopes manually on the server for each client after registration, some scopes are selected as default scopes. Here they are:
- openid (mandatory for OpenID Connect to work)
- minimum (providing the claims given_name, family_name, email)
- extended (providing the claim extended_picture_url)
- tcblactivity (providing the claim tcbl_am)
This is a non-default scope, of interest to selected clients only:
- tcblinfo (providing the claims tcbl_pp, tcbl_nl)
The following table documents the claim-handling attributes that were added for the TCBL project specifically.
| Scope name | oxAuth claim name | Description |
|---|---|---|
| extended | extended_picture_url | String containing the user profile picture URL, e.g. https://tcblsso.ilabt.iminds.be/usermanager/p/pp/abcdef ; `_` (meaning no picture) or no value (equivalent to `_`) |
| tcblactivity | tcbl_am | String indicating whether the user allowed TCBL activity monitoring: `true`, `false` or no value (equivalent to `false`) |
| tcblinfo | tcbl_nl | String indicating whether the user is subscribed to the TCBL newsletter: `true`, `false` or no value (equivalent to `false`) |
| tcblinfo | tcbl_pp | String indicating whether the user accepted the TCBL privacy policy: `true`, `false` or no value (equivalent to `false`) |
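The scope-to-claim rule and the "no value" semantics in the table are easy to get wrong on the client side (a missing `tcbl_am` must read as `false`, a `_` picture URL must not be rendered as a link). The following client-side helper, added here as an example and not code from this page, the PHP demo client or Gluu, encodes the scope contents documented above and normalises a userinfo response accordingly. The sample userinfo response is constructed, not captured from a real server.

```python
# Added example (not from the page or the Gluu project): client-side helper that
# mirrors the scope/claim rules documented above. The scope contents come from
# the page; SAMPLE_USERINFO is constructed for offline use.
from typing import Optional

# Scope -> claims mapping as documented for the TCBL Gluu server.
SCOPE_CLAIMS = {
    "openid": set(),
    "minimum": {"given_name", "family_name", "email"},
    "extended": {"extended_picture_url"},
    "tcblactivity": {"tcbl_am"},
    "tcblinfo": {"tcbl_pp", "tcbl_nl"},
}
DEFAULT_SCOPES = {"openid", "minimum", "extended", "tcblactivity"}


def claims_for_scopes(enabled_scopes):
    """Union of the claims a client may receive for the scopes enabled for it."""
    unknown = set(enabled_scopes) - set(SCOPE_CLAIMS)
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    return set().union(*(SCOPE_CLAIMS[s] for s in enabled_scopes))


def check_claim_request(enabled_scopes, wanted_claims):
    """Claims in wanted_claims that the server will not return with these scopes.

    An empty result means every wanted claim is covered by an enabled scope.
    """
    return set(wanted_claims) - claims_for_scopes(enabled_scopes)


def _flag(value) -> bool:
    """TCBL flags are the strings "true"/"false"; absence means false."""
    return str(value).strip().lower() == "true" if value is not None else False


def parse_tcbl_userinfo(userinfo: dict) -> dict:
    """Normalise the TCBL-specific claims of a userinfo response.

    - extended_picture_url: "_" or no value means no picture -> None
    - tcbl_am, tcbl_nl, tcbl_pp: "true"/"false"/no value -> bool (absent = False)
    """
    pic: Optional[str] = userinfo.get("extended_picture_url")
    name_parts = (userinfo.get("given_name"), userinfo.get("family_name"))
    return {
        "sub": userinfo["sub"],
        "name": " ".join(p for p in name_parts if p) or None,
        "email": userinfo.get("email"),
        "picture_url": None if pic in (None, "", "_") else pic,
        "activity_monitoring": _flag(userinfo.get("tcbl_am")),
        "newsletter": _flag(userinfo.get("tcbl_nl")),
        "privacy_policy_accepted": _flag(userinfo.get("tcbl_pp")),
    }


# Constructed userinfo response for a client with only the default scopes
# enabled: tcbl_nl and tcbl_pp are absent because tcblinfo is not enabled.
SAMPLE_USERINFO = {
    "sub": "abcdef",
    "given_name": "Alice",
    "family_name": "Example",
    "email": "alice@example.org",
    "extended_picture_url": "_",
    "tcbl_am": "true",
}

if __name__ == "__main__":
    print(sorted(claims_for_scopes(DEFAULT_SCOPES)))
    print(check_claim_request(DEFAULT_SCOPES, {"email", "tcbl_pp"}))
    print(parse_tcbl_userinfo(SAMPLE_USERINFO))
```

Use `check_claim_request` before sending an authentication request: if it returns anything, the missing claims need a scope the administrator has not enabled for the client (for example `tcbl_pp` needs `tcblinfo`), so asking for them is pointless until that scope is granted.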
As an example, the demo client written in PHP supports dynamic client registration.
These are the steps taken by the Gluu Server administrator to support dynamic registration of a new client:
1. Enable client registration temporarily. The server must not be open for dynamic client registration all the time: while it is enabled, anyone who can reach the registration endpoint can register a client.
2. Make sure the client developer uses a meaningful client name.
3. Make sure the client developer captures the client ID and client secret returned by the registration response.
4. Let the client developer set as much information as possible during client registration, including the login redirect URI(s).
5. Let the client developer notify you when the dynamic client registration is completed, providing:
   - the client name
   - the client ID
   - (not the client secret; it stays with the client)
6. Disable client registration as soon as the client developer notifies you that dynamic client registration is complete.
7. Additional settings such as extra scopes, client secret expiry time and persistent client authorizations can then be configured on the server by the administrator.
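From the client developer's side, the registration window above amounts to one request to the registration endpoint, a check of the response and a report back to the administrator without the secret. The following is an added example, not code from this page, the PHP demo client or Gluu: it builds a standard OpenID Connect Dynamic Client Registration request, validates the response and produces the notification. The endpoint URL and the sample response are assumptions/constructed data; the real endpoint is the `registration_endpoint` value in the OP's `.well-known/openid-configuration`.

```python
# Added example, not code from this page, the PHP demo client or Gluu: builds the
# dynamic client registration request a client developer sends during the
# temporary registration window, validates the response, and produces the
# notification for the administrator with the client secret left out.
# REGISTRATION_ENDPOINT and SAMPLE_RESPONSE are assumptions/constructed data.
import json
from urllib import request
from urllib.parse import urlparse

# Assumption: take the real value from the OP's discovery document
# (.well-known/openid-configuration, key "registration_endpoint").
REGISTRATION_ENDPOINT = "https://gluu.example.org/oxauth/restv1/register"


def build_registration_request(client_name, redirect_uris, scopes):
    """Registration metadata (RFC 7591 / OpenID Connect Dynamic Client Registration).

    Enforces the points the administrator asks of the developer: a meaningful
    client name, absolute https redirect URIs without fragment, and the
    mandatory openid scope.
    """
    if not client_name or not client_name.strip():
        raise ValueError("client_name must be a meaningful, non-empty name")
    for uri in redirect_uris:
        parts = urlparse(uri)
        if parts.scheme != "https" or not parts.netloc or parts.fragment:
            raise ValueError(f"redirect URI must be absolute https without fragment: {uri}")
    if "openid" not in scopes:
        raise ValueError("the openid scope is mandatory for OpenID Connect")
    return {
        "client_name": client_name.strip(),
        "redirect_uris": list(redirect_uris),
        "application_type": "web",
        "grant_types": ["authorization_code"],
        "response_types": ["code"],
        "token_endpoint_auth_method": "client_secret_basic",
        "scope": " ".join(scopes),
    }


def register(metadata, endpoint=REGISTRATION_ENDPOINT):
    """POST the metadata to the registration endpoint and return the parsed JSON."""
    body = json.dumps(metadata).encode()
    req = request.Request(endpoint, data=body, method="POST",
                          headers={"Content-Type": "application/json"})
    with request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def parse_registration_response(response, requested):
    """Check the registration response and extract what the client must keep."""
    for key in ("client_id", "client_secret"):
        if not response.get(key):
            raise ValueError(f"registration response lacks {key}")
    # The OP may alter requested metadata; refuse silently changed redirect URIs.
    if set(response.get("redirect_uris", [])) != set(requested["redirect_uris"]):
        raise ValueError("registered redirect_uris differ from the requested ones")
    return {
        "client_name": response.get("client_name", requested["client_name"]),
        "client_id": response["client_id"],
        # Keep the secret in the client's secret store; it never goes in the report.
        "client_secret": response["client_secret"],
        "client_secret_expires_at": response.get("client_secret_expires_at", 0),
    }


def admin_notification(credentials):
    """What the developer sends to the Gluu administrator: name and ID only."""
    return {"client_name": credentials["client_name"],
            "client_id": credentials["client_id"]}


# Constructed registration response for offline use (not a real server reply).
SAMPLE_RESPONSE = {
    "client_id": "constructed-client-id-0001",
    "client_secret": "constructed-client-secret-do-not-share",
    "client_secret_expires_at": 0,
    "client_name": "TCBL demo client",
    "redirect_uris": ["https://client.example.org/callback"],
    "registration_access_token": "constructed-registration-access-token",
}

if __name__ == "__main__":
    metadata = build_registration_request(
        "TCBL demo client", ["https://client.example.org/callback"],
        ["openid", "minimum", "extended", "tcblactivity"])
    # response = register(metadata)  # live call, only during the registration window
    creds = parse_registration_response(SAMPLE_RESPONSE, metadata)
    print(json.dumps(admin_notification(creds), indent=2))
```

`admin_notification` is deliberately the only thing that leaves the developer's machine as a message to the administrator; the secret stays in the client's configuration store, matching the "(not the client secret)" point in the steps above.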
As an example, the WordPress OpenID Connect plugin requires manual client registration.
For such clients, everything (client name, client secret, redirect URIs, scopes) has to be configured on the server from scratch by the administrator.
For a full explanation, see the Gluu docs.