
gluu_server_settings

Martin Vanbrabant edited this page Jul 11, 2017 · 9 revisions

Gluu server setup needed for SSO demo clients

This page highlights important Gluu Server settings needed to support SSO demo clients using OpenID Connect.

The Gluu-specific documentation on OpenID Connect can be found here.

The information on this page is informative for people implementing a client, but essential for administrators of the OpenID Connect Provider.

Default scopes

OpenID Connect lets clients query user information using scopes as explained here.

After registration, a client can only have access to scopes enabled for that client.

A client cannot request a claim (= a bit of user info, see Claims) that is not included in one of the scopes enabled for that client.

To avoid having to enable scopes manually on the server for each client after registration, you can select some scopes as default scopes.

These scopes will then automatically be enabled for each client registered after this action. Note that the action is not retroactive, i.e. scopes set as default are not added to clients that were already registered earlier.

Let's set the following scopes as default scopes:

  • openid (obligatory for OpenID Connect to work)
  • minimum

To do so:

  • Navigate to OpenID Connect -> Scopes.
  • Click on a scope display name (e.g. openid).
  • Set the Default scope property to True.
  • Then click the Update button.
  • Navigate again to OpenID Connect -> Scopes.
  • Check that all wanted scopes and no others display True in the column Default.

[screenshot: default_scope]

[screenshot: default_scope_check]

Dynamic client registration

Enable dynamic client registration

Do this only on customer request and disable it again as soon as possible. Leave the expiration time at its default value; this means a registration is normally only valid for 24 hours.

  • Navigate to Configuration -> JSON Configuration -> OxAuth Configuration.
  • Set the value of attribute dynamicRegistrationEnabled to true.
  • Then click the Save Configuration button.

[screenshot: dynregistration]

Let the customer execute client registration

Make sure he/she uses a meaningful client name.

Make sure he/she captures his/her client ID and client secret.

Let him/her set as much info as possible during client registration:

  • Redirect Login URIs

Let him/her notify you when the dynamic client registration is completed, and provide you:

  • the client name
  • the client ID
  • (not the client secret...)
  • any additional Redirect Login URIs
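The customer's side of the procedure above, as an added example that is not Gluu's own code: it builds a standard OpenID Connect Dynamic Client Registration (RFC 7591) request with a meaningful client name and the redirect URIs, and splits the response into what the client keeps (ID and secret) and what is handed to the administrator (name, ID, redirect URIs, never the secret), while reporting how long the registration-time secret is still valid. The issuer URL, endpoint lookup via discovery and the sample response are assumptions for illustration.

```python
import json
import time
import urllib.request


def build_registration_request(client_name, redirect_uris):
    """Registration body the customer sends: a meaningful name and real redirect URIs."""
    if not client_name.strip():
        raise ValueError("use a meaningful client name")
    for uri in redirect_uris:
        if not uri.startswith("https://"):  # login redirects must be absolute https URLs
            raise ValueError("redirect URI must use https: " + uri)
    return {
        "client_name": client_name,
        "redirect_uris": list(redirect_uris),
        "response_types": ["code"],
        "grant_types": ["authorization_code"],
        "token_endpoint_auth_method": "client_secret_basic",
    }


def register(issuer, body):
    """Look up registration_endpoint in the provider's discovery document and POST the body."""
    with urllib.request.urlopen(issuer.rstrip("/") + "/.well-known/openid-configuration") as r:
        endpoint = json.load(r)["registration_endpoint"]
    req = urllib.request.Request(endpoint, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as r:
        return json.load(r)


def handoff(response, now=None):
    """Split the response: secret stays with the customer, the rest goes to the administrator."""
    now = time.time() if now is None else now
    expires = response.get("client_secret_expires_at", 0)  # 0 means "never expires" (RFC 7591)
    hours_left = None if expires == 0 else (expires - now) / 3600
    return {
        "keep_private": {"client_id": response["client_id"],
                         "client_secret": response["client_secret"]},
        "send_to_admin": {"client_name": response.get("client_name"),
                          "client_id": response["client_id"],
                          "redirect_uris": response.get("redirect_uris", [])},
        "secret_hours_left": hours_left,  # with the default setting this is about 24
    }


# Constructed sample response (not from a real server) with the 24-hour default expiry.
SAMPLE = {"client_id": "@!CONSTRUCTED.CLIENT", "client_secret": "constructed-secret",
          "client_name": "demo-client", "redirect_uris": ["https://demo.example.com/cb"],
          "client_secret_expires_at": 1_500_000_000 + 24 * 3600}
```

With a live provider, `register("https://<gluu-host>", build_registration_request(...))` returns the response that `handoff` consumes; the administrator then extends the secret's expiry in the Gluu UI as described below.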

Disable dynamic client registration and complete client information

Disable client registration as soon as the customer notifies you about the completion of dynamic client registration.

  • Navigate to Configuration -> JSON Configuration -> OxAuth Configuration.
  • Set the value of attribute dynamicRegistrationEnabled to false.
  • Then click the Save Configuration button.

[screenshot: no_dynregistration]

Complete client information immediately.

  • Navigate to OpenID Connect -> Clients -> (the client with the given name and ID).
  • Set the value of attribute Client Secret Expires to 1/1/30 12:00 (which is probably long enough).
  • Add any additional Login Redirect URIs.
  • Then click the Update button.

[screenshot: clientinfo]

Manual client registration

  • Navigate to OpenID Connect -> Clients, then click the button Add Client.
  • A form is displayed where you fill in the required fields and, if necessary, any optional fields.
  • Click Add at the bottom.

For a full explanation, see the Gluu docs.
