OpenID Connect for the admin

GPP-Publicatiebank supports Single Sign On (SSO) using OpenID Connect identity providers. This means you can use your existing organisation account if you have centralized account management, like Azure AD for example.

Using OIDC usually also enables you to automatically assign users to the appropriate permission groups based on their roles managed in your Identity and Access Management (AIM) solution.

Configuration of the OpenID Connect Identity Provider (OIP)

First, the IAM administrators in your organization must create a set of credentials in your environment for GPP-Publicatiebank to use. Typically this requires them to create a Client or an App in some administration portal.

This app needs to put the callback endpoint on an allowlist. Usually this is called the Redirect URI. For its value, use: https://my-gpp-publicatiebank.example.com/auth/oidc/callback/, where you replace my-gpp-publicatiebank.example.com name with your real/actual domain.

Configuration parameters

At the end of this process, the technical administrator for GPP-Publicatiebank must have the following connection details:

  • Client ID, for example a7d14516-8b20-418f-b34e-25f53c930948

  • Client secret, for example 97d663a9-3624-4930-90c7-2b90635bd990

  • Discovery endpoint, for example https://login.microsoftonline.com/9c6a25fb-3f9a-4e8b-aa84-b7e2252bcc87/v2.0/

Configuration of OpenID Connect in GPP-Publicatiebank

Ensure that you have the discovery endpoint, client ID and secret as mentioned above.

Next, navigate to the Admin > Configuratie > OpenID Connect Configuration.

  1. Check Enable to allow users to log in with SSO.

  2. For OpenID Connect client ID, enter the obtained client ID, e.g. a7d14516-8b20-418f-b34e-25f53c930948.

  3. For OpenID Connect secret, enter the obtained secret, e.g. 97d663a9-3624-4930-90c7-2b90635bd990.

  4. Usually you can keep the default values for the OpenID Connect scopes.

  5. OpenID sign algorithm typically needs to be set to RS256.

  6. Leave Sign key blank.

Next, in the Endpoints section:

  1. Enter the obtained Discovery endpoint. Make sure to not include the .well-known/openid-configuration part. For example: https://login.microsoftonline.com/9c6a25fb-3f9a-4e8b-aa84-b7e2252bcc87/v2.0/

The discovery endpoint will be used to populate all the other endpoint parameters.

Finally, you can review the User profile section which configures synchronization details for the users:

  1. Username claim can typically be left as-is, unless instructed otherwise.

  2. Claim mapping can be adapted if other claims than family_name and given_name are used by your OIP.

  3. Check the Make users staff checkbox, otherwise they can’t log in to the admin interface.

  4. For the Superuser group names you can enter the role/group names in the ID token that mark a user as superuser (user that has all the permissions at all times), for example Superuser.

Click the Opslaan button to save the configuration.

Tip

You can test the configuration by opening a private window and navigating to the admin login page. You should now see an option to “Log in with organisation account” and follow the login steps by clicking it.

Pre-configured groups

A standard installation of GPP-publicatiebank comes with some user groups that permissions associated with them:

  • TechnischBeheer, intended for staff members that have to configure credentials to external services

  • FunctioneelBeheer, intended for staff members that know their way around the content managed in the application.

If these group names are present in the configured Groups claim, then user group membership will be synced automatically.

Tip

The permissions in the pre-configured groups are automatically updated every time the application is restarted. If you wish, you can create your own groups and add the group names to the user roles for automatic group assignment.