Top Menu

Jump to content
Home
    Modules
      • Projects
      • Activity
      • Work packages
      • Gantt charts
      • Calendars
      • Team planners
      • Boards
      • News
    • Getting started
    • Introduction video
      Welcome to OpenProject Community
      Get a quick overview of project management and team collaboration with OpenProject. You can restart this video from the help menu.
    • Help and support
    • Upgrade to Enterprise edition
    • User guides
    • Videos
    • Shortcuts
    • Community forum
    • Enterprise support
    • Additional resources
    • Data privacy and security policy
    • Digital accessibility (DE)
    • OpenProject website
    • Security alerts / Newsletter
    • OpenProject blog
    • Release notes
    • Report a bug
    • Development roadmap
    • Add and edit translations
    • API documentation
  • Sign in
      Forgot your password?

      or sign in with your existing account

      Google

Side Menu

  • Overview
  • Activity
    Activity
  • Roadmap
  • Work packages
    Work packages
  • Gantt charts
    Gantt charts
  • Calendars
    Calendars
  • Team planners
    Team planners
  • Boards
    Boards
  • News
  • Forums

Content

Development
  1. OpenProject
  2. Forums
  3. Development
  4. How to set up OpenID Connect SSO?

How to set up OpenID Connect SSO?

Added by JG S. over 6 years ago

Here's my set up:

My service embeds OpenProject in an Iframe. My service requires users to log in, so it would be best for OpenProject to reuse the session.

But as I understand it, OpenProject still needs to have an account for every user. That's why I set up a custom OpenID connect provider and configured it as follows in OpenProject:

```

openid_connect:
   my_provider:
     display_name: "Display Name"
     scheme: "https"
     host: "my_provider_uri"
     port: 443
     identifier: my_provider_id
     secret: my_provider_secret
     authorization_endpoint: "/api/v1/oauth/authorize"
     token_endpoint: "/api/v1/oauth/token"
     userinfo_endpoint: "/api/v1/oauth/userinfo"

```

This already works fine and after going through the OAuth process (granting access), OpenProject creates an user account.

Now I want to share the session of my service with OpenProject, so users never have to go through the OAuth process (but only once for the account creation). Is that possible?

OpenID Connect SSO seems promising, but I wasn't able to set it up with OpenProject. Here's what I did (additional configuration for my_provider):

```

sso: true
     discovery: false
     issuer: "openproject_uri/login"
     client_auth_method: "redirect"
     end_session_endpoint: "some_url_being_logged/end_session"
     check_session_iframe: "some_url_being_logged/check_session"
     redirect_uri: "https://op_nproject_domain/auth/my_provid_r/callback"

```

I checked my web server logs, but the URL configured in end_session_endpoint and check_session_iframe is never accessed.

What's the problem here? Thanks for helping.


Replies (2)

RE: How to set up OpenID Connect SSO? - Added by Graham Higgins about 6 years ago

Hi,

I am trying to do something similar. Were you able to get this working ?

I've got as far as getting the login page up in the iframe, but after logging in it doesn't work. I think it's a problem with the cookies.

What I really need is what you described above, where the user logs into my application and our application sets up the openproject session for use form the iframe.

Any solutions for this ?

RE: How to set up OpenID Connect SSO? - Added by Julia Limon over 1 year ago

Hello geometry dash lite,

you can enable SSO in OpenProject, but you are experiencing issues with the configuration. Here are a few points to consider:

a. issuer: The issuer is the URL that identifies the provider. Ensure that the "openproject_uri/login" is the correct URL for the OpenProject login page.

b. end_session_endpoint and check_session_iframe: These endpoints are used for handling session management and logout processes. Make sure that the URLs you have provided are correct and accessible. Check your web server logs to see if there are any errors related to accessing these URLs.

c. redirect_uri: The redirect URI is the URL where the provider should redirect the user after authentication. Make sure that "https://op_nproject_domain/auth/my_provid_r/callback" is the correct URL for OpenProject to receive the authentication response.

d. discovery: Setting this option to "false" disables the automatic discovery of the provider's configuration. If your provider does not support discovery, you need

  • (1 - 2/2)
Loading...