How to configure Apache Syncope to login via OpenID Connect
It is now possible to configure the Admin Console and the Enduser UI to act as a OpenID Connect Client.
In the following, a sample configuration will be shown, working with Google as OpenID Provider.
Before starting the configuration for Syncope, you need to obtain OAuth 2.0 credential, after that set the redirect URIs using the following values:
Start a simple embedded Syncope project:
mvn archetype:generate \ -DarchetypeGroupId=org.apache.syncope \ -DarchetypeArtifactId=syncope-archetype \ -DarchetypeRepository=http://repo1.maven.org/maven2 \ -DarchetypeVersion=2.0.9-SNAPSHOT
then build it with "all" profile in order to load OIDC Client extension:
cd [CREATED_PROJECT_FOLDER] mvn -P all clean install && cd enduser && mvn -P embedded,all
Now, from your browser login to Syncope Console by "http://[HOSTNAME]:9080/syncope-console/", and using the default "admin" / "password" credentials.
After you need to configure the OpedID Provider by going to Extensions → OIDC Client, clieck the add button to see this wizard.
In this wizard you are required to insert a unique name for the provider , the client_id and client_secret that you get from OAuth 2.0 credential you defined before, also flag Create unmatching users to automatically create OIDC user if it is not found in Syncope.
In the second wizard, you need to insert the issuer which it is in case of Google "https://accounts.google.com" , and flag Has Discovery Document because Google Provider supports the discovery document.
At the end, create a mapping like the following to let Syncope create a user correctly.
After creating the OpenID Provider successfully, logout from Admin Console and you are going to find a new dropdown list OpenID Connect
Choose the provider that you created and you will be redirected to Google page to login to your account (if you have not a valid session) and use it to login to Syncope Console.
You can also login in to Enduser UI by visiting "http://[NEW_HOSTNAME]:9080/syncope-enduser" where you will find a new dropdown list as in the Admin Console, and from that you can login to Enduser UI using OpenID Connect.