#############################################################################
Third-party Authentication add-on for OpenID Connect. Customer Guide.
#############################################################################

OpenID Connect (OIDC) 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

OpenID Connect is a very flexible standard and supports several authentication flows. At this time we only support the most widely used one, the ``authorization_code`` flow [1]_.

.. [1] https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth

**Integration Requisites**

- Your LMS site must be served from a domain of your own.
- An Enterprise or Performance subscription with the third-party authentication add-on enabled.

Configuring the OpenID Connect OAuth Application
=================================================

Configuring OIDC requires a unique **Client ID** and a corresponding **Client Secret**. These two values act as the identifier and the password with which our service authenticates to your Identity Provider, so treat the Client Secret as you would any password: share it only through the support channel described below, and rotate it on your provider if it is ever exposed. Apart from that, we need a few other configuration variables. Your Identity Provider publishes these in a discovery endpoint; you only need to send us its URL.

In summary, to get started we need you to send us:

**1. Client ID and Client Secret**

**2. Configuration variables using the Discovery Endpoint**

The discovery endpoint is a URL that serves a JSON document with all the information a client needs to connect to your provider (the issuer, the authorization, token, userinfo and JWKS endpoints, and the supported scopes and response types). Your Identity Provider serves it at a URL that ends with ``/.well-known/openid-configuration`` (some providers also accept a trailing slash). As an example, see |developers_console_google_link|.

.. |developers_console_google_link| raw:: html

   <a href="https://accounts.google.com/.well-known/openid-configuration">Google's OIDC openid-configuration</a>

The values of your own endpoint will be a little different, but the format and most of the JSON keys will be the same.
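Before sending us the discovery URL, it is worth confirming that the document behind it actually advertises what the ``authorization_code`` flow needs. The following script is an added example for this guide, not eduNEXT's own tooling: it reads a discovery document, extracts the keys a relying party needs, and flags the things that break integrations in practice (a non-https endpoint, an ``issuer`` that does not match the URL the document was fetched from, or a provider that does not advertise the ``code`` response type). The host ``login.example-university.edu`` and the JSON document are constructed sample data; in real use, fetch your own ``/.well-known/openid-configuration`` over HTTPS and pass the response body to ``validate_discovery``.

```python
"""Validate an OIDC discovery document for the authorization_code flow.

Added example for this guide, not eduNEXT's own code. The provider host
login.example-university.edu and the JSON below are constructed sample data.
"""
import json
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"
# Keys a relying party needs for the authorization_code flow.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
# Useful but not strictly required.
OPTIONAL_KEYS = ("userinfo_endpoint", "end_session_endpoint")

# Constructed sample discovery document (same shape as a real one, made-up values).
SAMPLE_DISCOVERY_URL = "https://login.example-university.edu" + WELL_KNOWN
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://login.example-university.edu",
    "authorization_endpoint": "https://login.example-university.edu/oauth2/authorize",
    "token_endpoint": "https://login.example-university.edu/oauth2/token",
    "userinfo_endpoint": "https://login.example-university.edu/oauth2/userinfo",
    "jwks_uri": "https://login.example-university.edu/oauth2/certs",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "scopes_supported": ["openid", "profile", "email"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def _is_https(url):
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def validate_discovery(discovery_url, raw_json):
    """Return (values, problems).

    values:   the discovery keys a relying party needs, ready to hand over.
    problems: findings to fix before the integration; an empty list means the
              document looks usable for the authorization_code flow.
    """
    doc = json.loads(raw_json)
    problems = []

    if not discovery_url.rstrip("/").endswith(WELL_KNOWN):
        problems.append("discovery URL does not end with " + WELL_KNOWN)

    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append("missing required key: " + key)
        elif not _is_https(doc[key]):
            # Authorization codes and the client secret travel to these
            # endpoints, so plain http is unacceptable.
            problems.append("%s is not an https URL: %s" % (key, doc[key]))

    issuer = doc.get("issuer", "")
    if issuer:
        parsed = urlparse(issuer)
        if parsed.query or parsed.fragment:
            problems.append("issuer must not carry a query string or fragment")
        # OIDC Discovery serves the document at <issuer>/.well-known/openid-configuration.
        # A mismatch means the document was fetched from somewhere other than
        # the issuer it names, which is exactly what an ID token check would reject.
        if discovery_url.rstrip("/") != issuer.rstrip("/") + WELL_KNOWN:
            problems.append("issuer %r does not match the discovery URL" % issuer)

    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise response_type 'code'")
    # Per the spec, an absent grant_types_supported means authorization_code and implicit.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("provider does not advertise grant_type 'authorization_code'")
    scopes = doc.get("scopes_supported")
    if scopes is not None and "openid" not in scopes:
        problems.append("'openid' scope is not advertised")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signing is not advertised (OIDC Core requires it)")

    values = {key: doc[key] for key in REQUIRED_KEYS + OPTIONAL_KEYS if key in doc}
    return values, problems


if __name__ == "__main__":
    found, issues = validate_discovery(SAMPLE_DISCOVERY_URL, SAMPLE_DISCOVERY_JSON)
    for key, value in found.items():
        print("%-24s %s" % (key, value))
    print("problems:", issues or "none")
```

The issuer comparison is the check most worth keeping: a provider whose ``issuer`` value differs from the host you fetched the document from (a staging hostname, a reverse proxy rewriting URLs, a copy-pasted document from another tenant) will fail ID token validation once the integration is live, and the error that surfaces then is far less obvious than this one.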
**3. Provide eduNEXT with a valid test user.**

Once you enable OIDC, our support personnel will have to run some final configurations on our side. For this, we need to be able to test your provider. Please create a user for us; if we can create it ourselves, let us know how. When filling in the profile of the test user on your side, complete the profile as you would for one of your regular users.

.. code-block:: yaml

   Email: support+organizationname@edunext.co
   Username: edunext_support_organizationname
   First name: fn_edunext organizationname
   Last name: ln_support organizationname
   Full name: n_edunext_support organizationname

.. note:: The organization name is the record you select when creating a new course for your LMS site.

.. only:: html

   .. figure:: ../_assets/OIDC_configuration_orgname.png

      Field to enter organization name and view account information

We also kindly ask that you **not delete this user**. We will use it from time to time to solve support tickets that you might send us regarding authentication, and to verify that your SSO keeps working when we update the underlying technology of our service. Because this account holds credentials on your Identity Provider, we recommend giving it the same non-privileged role as a regular learner and nothing more.

You may submit this information to the eduNEXT customer support team via the Edunext Control Center > **Customer Support** > **Submit a Ticket**.