In the Manager, click on the OpenID Connect Service node.
Set the issuer identifier, which should be the portal URL. For example: http://auth.example.com
Relying parties compare this value with the iss claim of the ID Tokens they receive, so it must be exactly the URL they use to reach the portal. The OpenID Connect specifications require an https issuer, so an http issuer such as the one above is only suitable for test setups.
Leave the value blank to use the Portal URL.
Names of the different OpenID Connect endpoints. You can keep the default values unless you have a specific need to change them.
Tip
These endpoints are published in the JSON discovery metadata (the .well-known/openid-configuration document under the issuer URL), so relying parties that use discovery pick up a changed name.
Here you can associate an authentication context (the acr value requested by the relying party and returned in the ID Token) with an authentication level.
If Dynamic registration is enabled, you can configure the Exported vars and Extra claims options to define the attributes and extra claims released when a new relying party registers itself through the /oauth2/register endpoint.
Warning
Dynamic registration is a security risk: a new relying party configuration is created in the backend for each registration request, so an endpoint left open lets anyone fill the configuration with relying parties. Restrict it by protecting the registration endpoint at the web server level with an authentication module, and give credentials only to the clients that are allowed to register.
Changed in version 2.0.16.
Best practice is to use a separate session storage for OpenID Connect sessions; otherwise they are stored in the main session storage.
The OpenID Connect specifications allow the signing keys to be rotated to improve security. LL::NG provides a script to do this, which should be run from a cron job.
The script is /usr/share/lemonldap-ng/bin/rotateOidcKeys. It can be run, for example, each week:
5 5 * * 6 www-data /usr/share/lemonldap-ng/bin/rotateOidcKeys
Tip
Run the script as the web server user (www-data in the example above), else the generated configuration will not be readable by LL::NG. Relying parties that cache the JWKS must fetch it again after a rotation, so expect signature validation failures on stale caches until they do.
LL::NG implements the session state change notification of the OpenID Connect Session Management specification (the OP iframe, published as the check_session_iframe endpoint).
The changed state is returned if the user has logged out of the LL::NG portal (or has removed its SSO cookie); otherwise the unchanged state is returned.
Tip
This feature requires that the LL::NG cookie is exposed to JavaScript (the httpOnly option must be set to 0), because the OP iframe reads the cookie to compute the session state. Doing so removes the protection the HttpOnly flag gives the SSO cookie against theft through cross-site scripting, so weigh that before enabling it.