OpenID Connect

OpenID Connect provides a secure authentication mechanism, built on the OAuth 2.0 authorization protocol.

OpenID Connect is used by many identity providers, including Google, Facebook, Microsoft, Amazon, and Okta.

Availability Note. OpenID Connect is available in Arcadia Enterprise release 4.2 and later, and only on installations based on Python 2.7, such as CentOS 7 and RHEL 7; it is not available on CentOS 6 and RHEL 6.

To configure OpenID Connect, you must use the following parameters:

service_discovery_url
This is the URL for the OIDC Provider.
client_id
Client name configured for Arcadia in the Identity Provider (IDP).
client_secret
A previously shared secret, usually a long hexadecimal string.
arcviz_hostname
The host that runs the ArcViz service.
idp_name
A name assigned to the I.

To set up OpenID Connect, follow the pattern from the following snippet of the settings.py file:

INSTALLED_APPS += ('djangooidc',)

# The last part of this URL must match the key in OIDC_PROVIDERS
LOGIN_URL = '/arc/openid/openid/<<idp_name>>'
PRE_LOGOUT_REDIRECT_URL = '/arc/openid/logout/'
AUTHENTICATION_BACKENDS = (
    'django.contrib.auth.backends.ModelBackend',
    'djangooidc.backends.OpenIdConnectBackend',
)

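# False disables TLS certificate verification for requests to the IDP;
# set this to True outside of test environments.
OIDC_VERIFY_SSL = False
OIDC_CREATE_UNKNOWN_USER = True
OIDC_ALLOW_DYNAMIC_OP = False

OIDC_DEFAULT_BEHAVIOR = {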
    "response_type": "code",
    "scope": ["openid", "profile", "email", "address", "phone"]
    }

# Add srv_discovery_url
OIDC_PROVIDERS = {
    "<<idp_name>>": {
        "srv_discovery_url": "<<service_discovery_url>>",
        "behaviour": OIDC_DEFAULT_BEHAVIOR,
        "client_registration": {
            "client_id": "<<client_id>>",
            "client_secret": "<<client_secret>>",
            # Use https:// if ArcViz is served over TLS, so the authorization
            # code is not sent in clear text
            "redirect_uris": ["http://<<arcviz_hostname>>/arc/openid/callback/login/"],
            "post_logout_redirect_uris": ["http://<<arcviz_hostname>>/arc/openid/callback/logout/"],
            "token_endpoint_auth_method": "<<client_secret_post>>"
        }
    },
}
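
The following check is an added example, not part of Arcadia's documentation or code: it audits a dictionary of the settings shown above for the mistakes this pattern invites (a LOGIN_URL that does not end in an OIDC_PROVIDERS key, disabled certificate verification, non-HTTPS URLs, and unfilled <<...>> placeholders). The function name audit_oidc_settings and all sample values are assumptions made for illustration.

```python
import re

PLACEHOLDER = re.compile(r"<<[^<>]*>>")  # unfilled <<...>> template marker


def audit_oidc_settings(settings):
    """Return a list of findings for a dict of settings.py values."""
    findings = []
    providers = settings.get("OIDC_PROVIDERS", {})
    # The last path segment of LOGIN_URL must be a key of OIDC_PROVIDERS.
    idp = settings.get("LOGIN_URL", "").rstrip("/").rsplit("/", 1)[-1]
    if idp not in providers:
        findings.append("LOGIN_URL ends in %r, which is not a key of OIDC_PROVIDERS" % idp)
    if settings.get("OIDC_VERIFY_SSL") is False:
        findings.append("OIDC_VERIFY_SSL is False: IDP certificates are not verified")
    for name, conf in sorted(providers.items()):
        reg = conf.get("client_registration", {})
        urls = [conf.get("srv_discovery_url", "")]
        urls += reg.get("redirect_uris", [])
        urls += reg.get("post_logout_redirect_uris", [])
        for url in urls:
            if not url.startswith("https://"):
                findings.append("%s: %s is not an https:// URL" % (name, url))
        values = urls + [name, reg.get("client_id", ""), reg.get("client_secret", "")]
        for value in values:
            if PLACEHOLDER.search(value):
                findings.append("%s: unfilled placeholder in %r" % (name, value))
    return findings


# Constructed sample values (not from a real deployment).
SAMPLE = {
    "LOGIN_URL": "/arc/openid/openid/okta",
    "OIDC_VERIFY_SSL": False,
    "OIDC_PROVIDERS": {
        "okta-prod": {
            "srv_discovery_url": "https://idp.example.com",
            "client_registration": {
                "client_id": "arcadia",
                "client_secret": "<<client_secret>>",
                "redirect_uris": ["http://arcviz.example.com/arc/openid/callback/login/"],
                "post_logout_redirect_uris": ["https://arcviz.example.com/arc/openid/callback/logout/"],
            },
        },
    },
}

if __name__ == "__main__":
    print("\n".join(audit_oidc_settings(SAMPLE)))
```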