Configuration takes places in configuration files or can be applied directly in Pimcore backend userinterface.
It is possible to configure multiple OpenID Connect providers in parallel. For each provider and separate login button will be displayed on Pimcore login page. This login button redirects to OpenID Connect provider and starts the OpenID flow.
Each provider has to have a unique name.
On provider side, you normally need to configure an application to allow Pimcore to access. Following informations you might need from Pimocore for that:
- Redirect URL:
- Allowed scopes:
openid profile groups email(see also settings below)
Following configuration values are necessary per provider on Pimcore side and be available as soon as the application on provider side is setup:
client_id: Client ID provided by the provider.
client_secret: Client secret provided by the provider.
url_discovery: Endpoint for openid configuration discovery, based on https://openid.net/specs/openid-connect-discovery-1_0.html. Typically it is something like
Optionally, following additional options can be provided for each provider:
scopes: Customize the scopes for the OpenId Connect flow. By default,
groupsis set as scope.
openidwill always be added automatically, as it is required for any OpenId Connect flow.
load_user_info: Sometimes it is necessary to also call the user info endpoint of the provider to get all the necessary information about the user as the
id-tokendoes not contain it. Setting this setting to
truewill initiate this additional call. If not necessary, it should be prevented, as it slows down the sign-on process.
claim_mapping: Some provides do not apply to claim names of the OpenId Connect standard. With this setting you can configure custom names for the supported claims
preferred_username(contains the username),
groups(should contain an array of groups the user is assigned to),
picture(URL to fetch the user avatar) and
sub(remote-id of the user).
Optionally it is possible to configure a default provider with its name. Once set, Pimcore automatically redirects to the providers login page (or directly logs in the current user) instead of redirecting to the Pimcore login page.
If default provider is set, it is still possible to open Pimcore login page when entering its url
https://<YOUR_DOMAIN>/admin/login) directly to login with local user accounts.
The configuration user interface utilizes the
LocationAwareConfigRepository for storing the configuration. With
the environment variable
PIMCORE_WRITE_TARGET_OIDC the storage location can be configured, possible values are
symfony-config- write configs as Symfony Config as YAML files to
settings-store- write configs to the SettingsStore
disabled- do not allow to edit/write configs at all
Details also see Pimcore Docs.
Additionally, it is also possible to define the configuration directly in a symfony configuration file without using the configuration user interface. In this case, the configuration user interface is just read only.
Sample Configuration File
pimcore_open_id_connect: default_provider: onelogin providers: onelogin: client_id: <CLIENT_ID> client_secret: <CLIENT_SECRET> url_discovery: https://<USERNAME>.onelogin.com/oidc/2/.well-known/openid-configuration okta: client_id: <CLIENT_ID> client_secret: <CLIENT_SECRET> url_discovery: https://<USERNAME>.okta.com/.well-known/openid-configuration load_user_info: true scopes: - profile - email - groups claim_mapping: preferred_username: preferred_username given_name: given_name family_name: family_name email: email groups: groups picture: picture sub: sub
The bundle provides a debug window for setting up the OpenId Connect integrations. It is located in the settings menu of the toolbar in the users sub menu. The debug window lists all the configured providers, allows to send test sign-on requests and see the response of the providers in order to setup the claim mappings properly.