OIDC Single Sign-On (SSO)
Please read the allauth docs here: OIDC setup config
You can add that config in your environment variables under SSO_PROVIDERS (dict). For security reasons, your OpenID Connect server must return the email_verified parameter in the response; alternatively, you can force it by default through the setting "VERIFIED_EMAIL": True in the SSO_PROVIDERS dict.
Role Mapping
By default OIDC_ROLE_PATH_IN_RETURN is set to an empty string. Change it to the location in the returned user info where the role (group) information can be found.
If your groups (roles) are stored deeper in the JSON structure, like:

    {
      "A": "A",
      "B": {
        "roles": [
          "ROLE_A",
          "ROLE_B"
        ]
      }
    }

you can set OIDC_ROLE_PATH_IN_RETURN='B.roles', using dots to separate the nested keys.
There are three patterns to map ChiefOnboarding's roles with OIDC_ROLE:
- For Admin, apply OIDC_ROLE_ADMIN_PATTERN
- For Manager, apply OIDC_ROLE_MANAGER_PATTERN
- For Newhire, apply OIDC_ROLE_NEW_HIRE_PATTERN
You can use a regex to match the pattern.
The default role is "other": a user with access only to the colleagues and resources pages (the resources page will be empty, as no resources are assigned by default).
Configuration example
Here's the updated configuration example:
SOCIALACCOUNT_PROVIDERS={"openid_connect": {"APPS": [{"provider_id": "other-server",...}]}}
SSO_AUTO_CREATE_USER=True # disable this if you don't want to create new users, you can ignore the ones below in that case
OIDC_ROLE_NEW_HIRE_PATTERN='^cn=Newhires.*'
OIDC_ROLE_ADMIN_PATTERN='^cn=Administrators.*'
OIDC_ROLE_MANAGER_PATTERN='^cn=Managers.*'
OIDC_ROLE_PATH_IN_RETURN='groups'
ALLAUTH_PROVIDERS="openid_connect"
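To illustrate how the dotted OIDC_ROLE_PATH_IN_RETURN lookup, the three regex role patterns and the email_verified requirement described above fit together, here is an added, stand-alone Python example (not ChiefOnboarding's own code). The claims are constructed, and the precedence between patterns (admin before manager before new hire when several match) is an assumption of this example, not documented behaviour.

```python
import re

# Constructed sample userinfo response from an OIDC server (not real data).
SAMPLE_CLAIMS = {
    "email": "alice@example.com",
    "email_verified": True,
    "A": "A",
    "B": {"roles": ["cn=Managers,ou=groups,dc=example,dc=com",
                    "cn=Staff,ou=groups,dc=example,dc=com"]},
}

# The regexes from the page's configuration example. Order is an assumption:
# the first matching entry wins when a user is in several matching groups.
ROLE_PATTERNS = [
    ("admin", r"^cn=Administrators.*"),      # OIDC_ROLE_ADMIN_PATTERN
    ("manager", r"^cn=Managers.*"),          # OIDC_ROLE_MANAGER_PATTERN
    ("newhire", r"^cn=Newhires.*"),          # OIDC_ROLE_NEW_HIRE_PATTERN
]


def lookup_path(data, path):
    """Follow a dotted OIDC_ROLE_PATH_IN_RETURN path; '' returns the whole response."""
    node = data
    for key in filter(None, path.split(".")):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def extract_groups(claims, path):
    """Normalise whatever sits at the path into a list of group strings."""
    value = lookup_path(claims, path)
    if isinstance(value, str):
        return [value]
    if isinstance(value, list):
        return [g for g in value if isinstance(g, str)]
    return []


def map_role(claims, path, patterns=ROLE_PATTERNS, verified_email_forced=False):
    """Return the ChiefOnboarding role, or None when the email cannot be trusted."""
    # Mirrors the page's rule: reject unless the server says email_verified
    # or the operator forced it via "VERIFIED_EMAIL": True.
    if not (verified_email_forced or claims.get("email_verified") is True):
        return None
    groups = extract_groups(claims, path)
    for role, pattern in patterns:
        if any(re.match(pattern, g) for g in groups):
            return role
    return "other"
```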