I recently dug into the whole new world of id4me and saw that Univention is actively supporting the standard.
However, information regarding the possible setup of an identity agent is extremely rare.
In the App Center an OpenID Connect Provider is available, marked as beta. (Btw. the version is 0.7 beta, dating back one year to 17.07.2018. The current version would be 0.23.5!)
Is it fully compatible with id4me?
Does the app, besides the identity agent, also provide an identity authority for internal use?
What does the correct DNS record that the id4me discovery needs look like?
Which URLs need to be accessible for that?
In the end my goal is to have my own identity agent which I can use on the internet as well as for local network applications.
Is there some kind of tutorial or howto planned for UCS?
As far as I know Univention is currently working on an update of the app. The currently bundled Kopano Konnect would indeed not be compatible with ID4me, as this would require at least version 0.21.0.
The only setting one has to set in Konnect to be able to work as both an identity agent and identity authority in the context of ID4me would be to allow dynamic registration of clients by setting allow_dynamic_client_registration = yes.
The biggest challenge for using ID4me for login is that your domain needs to be set up for DNSSEC. After this has been set up, one just needs to create a TXT DNS record with the name _openid and v=OID1;iss=kopano.dev;clp=kopano.dev as its value (here you need to replace kopano.dev with the FQDN where Konnect is running).
All URLs of Konnect need to be publicly accessible and use a valid/trusted SSL cert.
Thank you very much for the update and the links.
So I will just give Univention a little bit more time to update the current version of Konnect before setting id4me up.
Thanks for the interest in using UCS as an ID4ME identity provider. @fbartels already pointed out the technical details.
It is correct that we plan to update the OpenID Connect app soon; the next step after that is to document how one can use the app to set up an ID4ME scenario.
I had some spare time, and here is the way to go if you want to use the UCS OpenID Connect app for authentication via ID4ME-compatible services:
You need a DNSSEC-enabled domain with a subdomain you want to use for the authority. In our example this will be id.domain.com.
Set up a TXT DNS record as follows:
Name: _openid
Value: v=OID1;iss=id.domain.com;clp=id.domain.com
Obviously the domain needs to be accessible from the internet and you need to have a valid certificate, e.g. from Let's Encrypt, for it.
Install the OpenID Connect Provider from the UCS App Center.
After successful installation, go to the app settings of OpenID Connect in the UCS management console and edit:
OpenID Connect Issuer Identifier to match id.domain.com.
Enable dynamic client registration.
Create a new website config in Apache as follows and enable it:
<VirtualHost *:443>
    SSLEngine on
    # Certificate and key as deployed by the UCS Let's Encrypt app
    SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
    SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key
    ServerName id.domain.com

    # Deny everything on this vhost by default ...
    <Location />
        Deny from all
    </Location>
    # ... and expose only the OpenID Connect discovery, Konnect and sign-in paths.
    # The regex is anchored and the dot escaped so that e.g. /foo/konnect or /xwell-known
    # do not match. (On Apache 2.4 without mod_access_compat, use
    # "Require all denied" / "Require all granted" instead of Deny/Allow.)
    <Location ~ "^/(\.well-known|konnect|signin)">
        Allow from all
    </Location>

    Include /etc/apache2/conf-available/openid-connect-provider.conf
</VirtualHost>
Select “signing with ID4ME” and type in a valid user of your system ("user@domain.com").
You should be redirected for the login request to your server asking for the actual credentials.
If successful you will be sent back to the original website where you should be logged in now.
If you want to test your setup in a real world scenario I recommend http://www.androidpit.de/. Here you can register and login nicely with ID4ME.
However, one thing I could not figure out yet is where to manage the applications I granted access to my data. I found nothing in the self-service portal nor in the management console when editing the user. How is one supposed to revoke the permissions given to external applications?
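As an added example (not code from this thread, nor from Univention or Kopano), here is a small Python script that ties together the two requirements named in the thread, the _openid TXT record from the earlier reply and the restricted Apache exposure from the how-to above: it validates the record value, derives the authority's OpenID Connect discovery URL, and checks that only the intended paths are reachable through the proxy. It assumes the record format exactly as posted (v=OID1;iss=...;clp=...), standard OpenID Connect discovery at /.well-known/openid-configuration, the three path prefixes from the posted VirtualHost, and uses id.domain.com as a placeholder host; the HTTP fetcher is injectable so the exposure logic can be exercised with a fake before pointing it at a real server.

```python
# Added example, not code from this thread, Univention or Kopano.
# Assumptions (not stated in the thread): the _openid TXT record has the form
# 'v=OID1;iss=<authority>;clp=<agent>' exactly as posted above; OpenID Connect
# discovery lives at https://<iss>/.well-known/openid-configuration; the only
# public paths are the three prefixes from the posted Apache config.
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable

# Path prefixes the posted VirtualHost allows; everything else is denied.
PUBLIC_PREFIXES = ("/.well-known", "/konnect", "/signin")

# Constructed sample record (placeholder domain, not a real deployment).
SAMPLE_RECORD = "v=OID1;iss=id.domain.com;clp=id.domain.com"

# Bare host name: labels of letters/digits/hyphens, no scheme, port or path.
HOST_RE = re.compile(
    r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*"
)


def parse_openid_record(value: str) -> Dict[str, str]:
    """Parse the value of an _openid TXT record into its fields.

    Raises ValueError if the version tag is wrong, a field is malformed, or
    iss/clp are not bare host names (a scheme or path in there would break
    discovery URL construction and is a sign of a mis-typed record).
    """
    fields: Dict[str, str] = {}
    for part in value.strip().split(";"):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed field {part!r}")
        key, val = part.split("=", 1)
        fields[key.strip()] = val.strip()
    if fields.get("v") != "OID1":
        raise ValueError("missing or unsupported version tag, expected v=OID1")
    for key in ("iss", "clp"):
        host = fields.get(key, "")
        if not HOST_RE.fullmatch(host):
            raise ValueError(f"{key} must be a bare host name, got {host!r}")
    return fields


def txt_record_name(identifier_domain: str) -> str:
    """Owner name of the TXT record for an ID4me identifier's domain."""
    return f"_openid.{identifier_domain}"


def discovery_url(record: Dict[str, str]) -> str:
    """OpenID Connect discovery document of the authority named in the record."""
    return f"https://{record['iss']}/.well-known/openid-configuration"


def is_public_path(path: str) -> bool:
    """Mirror of the posted Apache rule: only the allowed prefixes are reachable."""
    return any(path == p or path.startswith(p + "/") for p in PUBLIC_PREFIXES)


def http_status(url: str, timeout: float = 10.0) -> int:
    """Live fetcher. urlopen verifies the TLS certificate, so an untrusted cert
    (the other requirement named in the thread) surfaces as a URLError here."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_exposure(host: str, paths: Iterable[str],
                   fetch_status: Callable[[str], int] = http_status) -> Dict[str, bool]:
    """Probe each path on the authority host and report whether its exposure is
    as intended: public prefixes must not be blocked by Apache (status != 403),
    everything else must be (status == 403)."""
    report: Dict[str, bool] = {}
    for path in paths:
        status = fetch_status(f"https://{host}{path}")
        report[path] = status != 403 if is_public_path(path) else status == 403
    return report


if __name__ == "__main__":
    rec = parse_openid_record(SAMPLE_RECORD)
    print(txt_record_name("domain.com"), "TXT", SAMPLE_RECORD)
    print("discovery document:", discovery_url(rec))
    try:  # live probe; only meaningful once id.domain.com is replaced by a real host
        probes = ["/", "/.well-known/openid-configuration", "/konnect/v1/token", "/umc/"]
        for path, ok in check_exposure(rec["iss"], probes).items():
            print(path, "ok" if ok else "MISCONFIGURED")
    except OSError as err:
        print("live check skipped:", err)
```

Run it once with the fake fetcher replaced by the default http_status against your real authority host: a 403 on /.well-known/openid-configuration means the Allow rule is not matching, while anything other than 403 on / or /umc/ means the vhost is exposing more of UCS than the how-to intends.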