ID4ME support in Univention and Tutorials

Hi everyone,

I recently dug into the whole new world of id4me and saw that Univention is actively supporting the standard.

However, information regarding the possible setup of an identity agent is absolutely rare.

In the App Center an OpenID Connect Provider is available, marked as beta. (Btw. the version is 0.7 beta, dating back one year to 17.07.2018. The current version would be 0.23.5!)
Is it fully compatible with id4me?
Does the app, besides the identity agent, also provide an identity authority for internal use?
What does the correct DNS record that the id4me discovery needs look like?
Which URLs need to be accessible for that?

In the end my goal is to have my own identity agent which I can use in the internet as well as for local network applications.

Is there some kind of tutorial or howto planned for UCS?

Cheers,
Ludwig

Hi @lw3234,

as far as I know Univention is currently working on an update of the app. The currently bundled Kopano Konnect would indeed not be compatible with ID4me, as this would require at least version 0.21.0.

The only setting one has to set in Konnect to be able to work as both an identity agent and identity authority in the context of ID4me would be to allow dynamic registration of clients by setting allow_dynamic_client_registration = yes.

Yes, that is actually its primary focus. Univention published a blog how to configure Wordpress for usage of OpenID Connect. Some more examples and background can be found in the Kopano documentation at https://documentation.kopano.io/kopanocore_administrator_manual/configure_kc_components.html#configure-3rd-party-applications-to-authenticate-using-konnect.

The biggest challenge for using ID4me for login is that your domain needs to be set up for DNSSEC. After this has been set up one just needs to create a TXT DNS record with the name _openid and v=OID1;iss=kopano.dev;clp=kopano.dev as its value (here you need to replace kopano.dev with the FQDN where Konnect is running).

All URLs of Konnect need to be publicly accessible and use a valid/trusted SSL cert.

Just for the record, these URLs are:

  • /.well-known/openid-configuration
  • /konnect/v1/
  • /signin/

Thank you very much for the update and the links.
So I will just give Univention a little bit more time to update the current version of Konnect before setting id4me up.

Thanks for the interest in using UCS as an ID4ME identity provider. @fbartels already pointed out the technical details.

It is correct that we plan to update the OpenID Connect app soon; the next step after that is to document how one can use the app to set up an ID4ME scenario.

@damrose
Any update on the planned tutorial? The new version of OpenID Connect has been available in the App Center for quite a while?

btw: What about ID4ME support in the Univention help forum? :wink:

I had some spare time, and here is the way to go if you want to use the UCS OpenID Connect for authentication via ID4ME-compatible services:

  1. You need a DNSSEC-enabled domain with a subdomain you want to use for the authority. In our example this will be id.domain.com.
  2. Set up a TXT DNS record as follows:
  • Name: _openid
  • Value: v=OID1;iss=id.domain.com;clp=id.domain.com
  3. Obviously the domain needs to be accessible from the internet and you need to have a valid certificate, e.g. from Let's Encrypt, for it.
  4. Install OpenID Connect Provider from the UCS App Center.
  5. After it is successfully installed, go to the app settings of OpenID Connect in the UCS management console and edit:
  • OpenID Connect Issuer Identifier to match id.domain.com.
  • Enable dynamic client registration
  6. Create a new website config in Apache as follows and enable it:
<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
        SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key

        ServerName id.domain.com

        # Deny everything by default; only the Konnect endpoints below are exposed.
        # Apache 2.4 syntax (the older "Deny from all" form needs mod_access_compat).
        <Location "/">
                Require all denied
        </Location>

        # Open only the three paths ID4me clients need. The pattern is anchored and
        # the dot escaped so that e.g. /foo/konnect or /xwell-known do not match.
        <LocationMatch "^/(\.well-known|konnect|signin)">
                Require all granted
        </LocationMatch>

        # Proxy/handler configuration shipped by the UCS OpenID Connect Provider app
        Include /etc/apache2/conf-available/openid-connect-provider.conf

</VirtualHost>

Well, that’s about it. You can use

To test your setup:

  • Select "signing with ID4ME" and type in a valid user of your system, "user@domain.com".
  • You should be redirected to your server for the login request, which asks for the actual credentials.
  • If successful you will be sent back to the original website where you should be logged in now.

If you want to test your setup in a real-world scenario I recommend http://www.androidpit.de/. Here you can register and log in nicely with ID4ME.

However, one thing I could not figure out yet is where to manage the applications I granted access to my data. I found nothing in the self-service portal, nor in the management console when editing the user. How is one supposed to revoke permissions given to external applications?

Cheers.
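The discovery step both answers above describe (the _openid TXT record with v=OID1;iss=…;clp=…) is easy to get subtly wrong, so here is an added example, not from the thread or from Konnect, that maps an identifier like user@domain.com to the TXT owner name, validates the record, and derives the authority's openid-configuration URL. The TXT records are constructed sample data and the lookup is a stand-in for a DNSSEC-validating resolver; the assumption that the record sits directly under the identifier's domain is mine.

```python
"""Parse an ID4me discovery TXT record and derive the authority's discovery URL.
Constructed sample data; no network access. Example code, not Konnect's own."""
import re

# Constructed sample zone: the record a client would find at _openid.domain.com
# for the setup in the thread (authority and agent both on id.domain.com), plus a
# deliberately broken record without the v=OID1 version tag.
SAMPLE_TXT_RECORDS = {
    "_openid.domain.com": "v=OID1;iss=id.domain.com;clp=id.domain.com",
    "_openid.broken.example": "iss=id.broken.example;clp=id.broken.example",
}

_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.I)

def _valid_host(host):
    return bool(host) and all(_LABEL.match(l) for l in host.rstrip(".").split("."))

def query_name_for(identifier):
    """Map an identifier such as user@domain.com to the TXT owner name.
    Assumption: the record lives directly under the identifier's domain."""
    domain = identifier.rsplit("@", 1)[-1].strip().rstrip(".").lower()
    if not _valid_host(domain):
        raise ValueError("invalid identifier: %r" % identifier)
    return "_openid." + domain

def parse_id4me_record(txt):
    """Return {'iss': ..., 'clp': ...} from 'v=OID1;iss=...;clp=...'.
    Rejects records without the OID1 version tag or with malformed host names."""
    fields = {}
    for part in txt.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed field: %r" % part)
        fields[key.strip().lower()] = value.strip()
    if fields.get("v") != "OID1":
        raise ValueError("not an ID4me record (missing v=OID1)")
    for k in ("iss", "clp"):
        if not _valid_host(fields.get(k, "")):
            raise ValueError("bad or missing %s host: %r" % (k, fields.get(k)))
    return {"iss": fields["iss"].rstrip("."), "clp": fields["clp"].rstrip(".")}

def discover(identifier, lookup=SAMPLE_TXT_RECORDS.get):
    """Resolve identifier -> authority metadata. `lookup` stands in for a DNSSEC-
    validating TXT query; in production an unvalidated answer must be rejected."""
    txt = lookup(query_name_for(identifier))
    if txt is None:
        raise LookupError("no _openid TXT record for %s" % identifier)
    rec = parse_id4me_record(txt)
    rec["config_url"] = "https://%s/.well-known/openid-configuration" % rec["iss"]
    return rec
```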