gluu_server_settings
This page highlights important Gluu Server settings needed to support SSO clients using OpenID Connect.
The Gluu-specific documentation on OpenID Connect can be found here.
The information on this page is of general interest to people implementing a client, but it is essential for administrators of the OpenID Connect Provider.
OpenID Connect lets clients query user information using scopes as explained here.
After registration, a client can only have access to scopes enabled for that client.
A client cannot request a claim (a piece of user information, see claims) that is not included in one of the scopes enabled for that client.
To avoid having to enable scopes manually on the server for each client after registration, you can select some scopes as default scopes.
These scopes will then automatically be enabled for each client registered after this action. Note that the action is not retro-active, i.e. scopes set as default are not added to clients that were already registered earlier.
Let's set the following scopes as default scopes:
- openid (obligatory for OpenID Connect to work)
- minimum
This is how to do that:
- Navigate to OpenID Connect -> Scopes.
- Click on a scope display name (e.g. openid).
- Set the Default scope property to True.
- Then click the Update button.
- Navigate again to OpenID Connect -> Scopes.
- Check that all wanted scopes, and no others, display True in the column Default.
As an example, the demo client using the PHP programming language supports dynamic client registration.
Enable dynamic client registration only on customer request and disable it again as soon as possible. Leave the expiration time at its default value; this means a registration is normally only valid for 24 hours.
- Navigate to Configuration -> JSON Configuration -> OxAuth Configuration.
- Set the value of attribute dynamicRegistrationEnabled to true.
- Then click the Save Configuration button.
Make sure the customer uses a meaningful client name.
Make sure the customer captures the client ID and client secret.
Let the customer set as much information as possible during client registration, including the Login Redirect URI(s).
Let the customer notify you when the dynamic client registration is completed, providing you with:
- the client name
- the client ID
- (not the client secret...)
Disable client registration as soon as the customer notifies you about the completion of dynamic client registration.
- Navigate to Configuration -> JSON Configuration -> OxAuth Configuration.
- Set the value of attribute dynamicRegistrationEnabled to false.
- Then click the Save Configuration button.
- Navigate to OpenID Connect -> Clients -> (the client with the given name and ID).
- Set the value of attribute Logo URI to https://tcblsso.ilabt.iminds.be/resources/logos/login-with-TCBL.png.
- Set the value of attribute Pre-Authorization to False; this will require the authorization page after login to a site.
- Set the value of attribute Persist Client Authorizations to True; this will skip the authorization page for all logins to a site except the first one.
- Set the value of attribute Client Secret Expires to 1/1/30 12:00 (which is probably long enough).
- Add any additional Login Redirect URIs.
- Then click the Update button.
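The settings above (default scopes, the dynamicRegistrationEnabled flag, Pre-Authorization, Persist Client Authorizations and the secret expiry date) are easy to leave in the wrong state, so here is an added audit script that is not part of this page or of Gluu. It runs over a constructed, simplified client export whose field names are assumptions, not Gluu's own export format, and reports every deviation from the policy described here.

```python
"""Audit a constructed export of OpenID Connect clients and oxAuth settings
against the policy on this page. Record layout is a hypothetical simplification."""
from datetime import datetime, timedelta

DEFAULT_SCOPES = {"openid", "minimum"}    # the scopes this page makes default
MIN_SECRET_LIFETIME = timedelta(days=90)  # assumed warning threshold

# Constructed sample data: one well-configured client and one with problems.
OXAUTH_CONFIG = {"dynamicRegistrationEnabled": True}
CLIENTS = [
    {"name": "php-demo", "id": "c1", "scopes": ["openid", "minimum"],
     "pre_authorization": False, "persist_authorizations": True,
     "secret_expires": "2030-01-01T12:00:00"},
    {"name": "wp-blog", "id": "c2", "scopes": ["profile"],
     "pre_authorization": True, "persist_authorizations": False,
     "secret_expires": "2018-06-01T00:00:00"},
]

def audit_config(config):
    """Dynamic registration must only be on while a customer is registering."""
    findings = []
    if config.get("dynamicRegistrationEnabled"):
        findings.append("dynamicRegistrationEnabled is true: disable it once "
                        "the customer reports registration complete")
    return findings

def audit_client(client, now):
    """Check one client against the per-client settings described above."""
    findings = []
    missing = DEFAULT_SCOPES - set(client["scopes"])
    if missing:  # default scopes are not retro-active, so old clients lack them
        findings.append(f"missing default scopes {sorted(missing)}")
    if client["pre_authorization"]:
        findings.append("Pre-Authorization is True: consent page never shown")
    if not client["persist_authorizations"]:
        findings.append("Persist Client Authorizations is False: consent on every login")
    expires = datetime.fromisoformat(client["secret_expires"])
    if expires - now < MIN_SECRET_LIFETIME:
        findings.append(f"client secret expires {expires:%Y-%m-%d}: rotate or extend")
    return findings

def audit(config, clients, now_iso):
    """Return {'oxauth': [...], client_id: [...]} with the findings per object."""
    now = datetime.fromisoformat(now_iso)
    report = {"oxauth": audit_config(config)}
    for client in clients:
        report[client["id"]] = audit_client(client, now)
    return report

if __name__ == "__main__":
    for key, findings in audit(OXAUTH_CONFIG, CLIENTS, "2018-05-01T00:00:00").items():
        print(key, findings or ["ok"])
```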
As an example, the WordPress OpenID Connect plugin example requires manual client registration.
- Navigate to OpenID Connect -> Clients, then click the Add Client button.
- A form is displayed, where you fill in the required fields and, if necessary, some optional fields.
- Click Add at the bottom.
Complete client information as documented above for dynamically registered clients.
For a full explanation, see the Gluu docs.