
Sipmon supports OpenID Connect (OIDC) authentication, the identity layer built on OAuth 2.0.

You can use any identity provider (IdP) that supports the Authorization Code Flow, such as Microsoft Azure AD, Okta, Keycloak or LemonLDAP::NG.

Configure OpenID Connect authentication

Go to Administration > Authentication > OpenID Connect Configuration.

Step 1: Enable authentication

Enable OpenID Connect authentication:

  • Enable OpenId Connect authentication: enables or disables OpenID Connect authentication.
  • Authentication mode: indicates whether users are authenticated only through OpenID Connect, or through local authentication as well (Mixed). In mixed mode, users created manually in Sipmon (and not identified via OpenID Connect) can also log in.

While setting the parameters, it is recommended to activate "mixed" mode: this keeps the local admin account usable if the OpenID Connect configuration turns out to be wrong.

Step 2: Configure Identity Provider access credentials

Configure Identity Provider information:

  • Base URL: defines the identity provider's base URL, to which the relative endpoint paths below are appended (mandatory).
  • Authorization Endpoint: defines the authorization endpoint, for example /authorize (mandatory).
  • Token Endpoint: defines the token endpoint, for example /token (mandatory).
  • Client ID: defines the client ID that the identity provider assigned to the Sipmon application (mandatory).
  • Client Secret: defines the client secret (mandatory).
  • Scopes: defines the scopes requested from the identity provider, for example openid. Separate scopes with spaces.

    Depending on the identity provider, several scopes must be requested in order to retrieve the claim that identifies users (for example the email scope when the login attribute is email). Check the provider's configuration documentation.

  • Login attribute path: defines which claim returned by the Introspection Token Endpoint or the User Information Endpoint identifies the user, for example sub or email. sub is the identifier the provider guarantees to be unique and stable; an email address can change or be reassigned to another person.
  • End Session Endpoint: defines the logout endpoint, for example /logout.

Depending on your identity provider, set one or both of the following two endpoints. The user's claims (login attribute, conditions) are read from the endpoint you select for each purpose:

  • User Information Endpoint: defines the user information endpoint, for example /userinfo.
  • Introspection Token Endpoint: defines the introspection token endpoint, for example /introspect (mandatory).

You can also configure:

  • Use Basic Auth for Token Endpoint Authentication: the client ID and secret are sent in an Authorization: Basic header (client_secret_basic) instead of as fields of the request body. Enable this option if your identity provider requires it.
  • Disable verify peer: disables TLS certificate validation for the connection to the identity provider. Sipmon then no longer checks which server it is talking to, so anyone able to intercept that connection could impersonate the IdP and answer with claims of their choosing: use this option for test purposes only, never in production.

An endpoint can also be entered as a full URL (scheme and host included) when it is not served under the same base URL as the others.

You can enable Authentication debug through the Administration > Parameters > Debug menu to understand authentication failures and improve your setup.
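The endpoint rules above (relative paths appended to the Base URL, full URLs used as they are) and the effect of the Basic Auth option on the token exchange, shown as an added Python example. This is not Sipmon's code: the configuration dictionary, its keys, the host names and the credentials are assumptions made for the example, and the state parameter is standard Authorization Code Flow practice rather than a Sipmon setting.

```python
import base64
import secrets
from urllib.parse import quote, urlencode, urlsplit

# Constructed sample configuration mirroring the form fields described above.
# Keys, host names and credentials are assumptions for this example.
CONFIG = {
    "base_url": "https://idp.example.com/realms/sipmon",
    "authorization_endpoint": "/protocol/openid-connect/auth",        # relative: appended to base_url
    "token_endpoint": "/protocol/openid-connect/token",               # relative: appended to base_url
    "introspection_endpoint": "https://oauth.example.org/introspect",  # full URL: used as-is
    "client_id": "sipmon",
    "client_secret": "s3cr3t",
    "scopes": "openid profile email",
    "use_basic_auth": True,  # "Use Basic Auth for Token Endpoint Authentication"
}

# Redirect URI registered at the IdP (Step 7), with an assumed host name.
REDIRECT_URI = "https://sipmon.example.net/Sipmon/authentication/providers/configurations/openid"


def resolve_endpoint(base_url: str, endpoint: str) -> str:
    """An endpoint given as a full URL is used unchanged; a relative path is
    appended to the base URL (plain concatenation, so the base path is kept)."""
    if urlsplit(endpoint).scheme:
        return endpoint
    return base_url.rstrip("/") + "/" + endpoint.lstrip("/")


def new_state() -> str:
    """Unguessable value that ties the IdP callback to this browser session
    (the usual CSRF protection of the Authorization Code Flow)."""
    return secrets.token_urlsafe(32)


def authorization_url(config: dict, redirect_uri: str, state: str) -> str:
    """Where the browser is sent to log in: the Authorization Endpoint plus the
    Client ID, Scopes and redirect URI taken from the configuration."""
    params = {
        "response_type": "code",
        "client_id": config["client_id"],
        "redirect_uri": redirect_uri,
        "scope": config["scopes"],
        "state": state,
    }
    endpoint = resolve_endpoint(config["base_url"], config["authorization_endpoint"])
    return endpoint + "?" + urlencode(params)


def token_request(config: dict, code: str, redirect_uri: str):
    """URL, headers and form body for exchanging the authorization code at the
    Token Endpoint. With Basic Auth the credentials travel in the Authorization
    header (client_secret_basic); otherwise they are form fields (client_secret_post)."""
    url = resolve_endpoint(config["base_url"], config["token_endpoint"])
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if config["use_basic_auth"]:
        # RFC 6749 section 2.3.1: form-urlencode id and secret, then base64 "id:secret".
        creds = f"{quote(config['client_id'], safe='')}:{quote(config['client_secret'], safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    else:
        body["client_id"] = config["client_id"]
        body["client_secret"] = config["client_secret"]
    return url, headers, body


if __name__ == "__main__":
    print(authorization_url(CONFIG, REDIRECT_URI, new_state()))
    print(token_request(CONFIG, "code-from-callback", REDIRECT_URI))
```

Running the block prints the login URL a browser would be sent to and the token request that follows the callback; toggling use_basic_auth moves the client secret between the Authorization header and the form body, which is what the option changes on the wire.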

Step 3: Configure authentication conditions

  • You can allow or block client IP addresses. If you leave both fields empty, all IP addresses are authorized to access the Sipmon interface.

    • Trusted client addresses: if you enter IP addresses in this field, only these addresses are allowed to access the Sipmon interface; all others are blocked. Separate addresses with commas.
    • Blacklist client addresses: these IP addresses are blocked; all others are allowed to access the Sipmon interface.

    If Sipmon is reached through a reverse proxy or load balancer, make sure the address it evaluates is the real client address and not the proxy's, otherwise both lists apply to the proxy rather than to the users.
  • You can also define conditions that decide whether a user is allowed to log in, based on the data returned by a particular endpoint.

    • Activate Enable conditions on identity provider.
    • Define which attribute, from which endpoint, is used to check the conditions (Conditions attribute path).
    • In Define authorized conditions values, list the values the endpoint must return for this attribute. If you enter several values, all of them must be met for the condition to be validated. Users whose attribute holds another value cannot log in.

    In the example below, the Conditions attribute path is status and the authorized value entered in Define authorized conditions values is activated. If the Introspection endpoint returns the following response, the user is allowed to log in:

    ```json
    {
        ...
        "name": "OpenId Connect OIDC",
        "given_name": "OpenId Connect",
        "family_name": "OIDC",
        "preferred_username": "oidc",
        "email": "oidc@localhost",
        "email_verified": false,
        ...
        "status": "activated"
    }
    ```

    Currently, only character string values can be used.
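The Step 3 decision (address lists, then the claim conditions) as an added Python example, which re-implements the behaviour described above and is not Sipmon's own code. The response is constructed from the one shown above, with an extra list-valued groups claim added to show a multi-valued attribute; the function names and the dotted attribute-path syntax for nested objects are assumptions of the example.

```python
import ipaddress
import json

# Constructed introspection response based on the one shown above, plus a
# list-valued "groups" claim added for the example (not a real IdP reply).
INTROSPECTION_RESPONSE = json.loads("""
{
    "name": "OpenId Connect OIDC",
    "given_name": "OpenId Connect",
    "family_name": "OIDC",
    "preferred_username": "oidc",
    "email": "oidc@localhost",
    "email_verified": false,
    "status": "activated",
    "groups": ["monitoring", "oncall"]
}
""")


def parse_address_list(field: str) -> set:
    """Comma-separated form field -> set of normalised addresses; empty field -> empty set.
    Normalising through ipaddress makes "::1" and "0:0:0:0:0:0:0:1" compare equal."""
    return {ipaddress.ip_address(item.strip()) for item in field.split(",") if item.strip()}


def client_allowed(client_ip: str, trusted: str, blacklisted: str) -> bool:
    """Trusted list first: when it is non-empty only its addresses get in.
    Then the blacklist: its addresses are refused, everything else is allowed."""
    ip = ipaddress.ip_address(client_ip)
    trusted_set = parse_address_list(trusted)
    if trusted_set and ip not in trusted_set:
        return False
    return ip not in parse_address_list(blacklisted)


def lookup_attribute(response: dict, path: str):
    """Resolve the Conditions attribute path in the endpoint response.
    Dotted paths for nested objects ("realm.roles") are an assumption of this example."""
    value = response
    for key in path.split("."):
        if not isinstance(value, dict) or key not in value:
            return None
        value = value[key]
    return value


def conditions_satisfied(response: dict, attribute_path: str, authorized_values) -> bool:
    """Every configured value must be present in the attribute, as described above.
    Only string values count: a boolean or number in the response never matches,
    and a missing attribute or an empty configuration refuses the login."""
    value = lookup_attribute(response, attribute_path)
    candidates = value if isinstance(value, list) else [value]
    present = {v for v in candidates if isinstance(v, str)}
    required = {v for v in authorized_values if isinstance(v, str) and v}
    return bool(required) and required <= present


def login_allowed(client_ip: str, response: dict, *, trusted: str = "", blacklisted: str = "",
                  conditions_enabled: bool = False, attribute_path: str = "",
                  authorized_values=()) -> bool:
    """Full Step 3 decision: the address filters always apply, the claim check only when enabled."""
    if not client_allowed(client_ip, trusted, blacklisted):
        return False
    if conditions_enabled:
        return conditions_satisfied(response, attribute_path, list(authorized_values))
    return True


if __name__ == "__main__":
    print(login_allowed("10.0.0.1", INTROSPECTION_RESPONSE, conditions_enabled=True,
                        attribute_path="status", authorized_values=["activated"]))
    print(login_allowed("10.0.0.1", INTROSPECTION_RESPONSE, conditions_enabled=True,
                        attribute_path="email_verified", authorized_values=["false"]))
```

The second call is the edge case the last sentence above warns about: email_verified is a JSON boolean, so configuring the string false does not make it match and the login is refused.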

Step 4: Manage user creation

Step 5: Manage Authorizations

Step 6: Manage Contact groups

Step 7: Configure your Identity Provider (IdP)

Configure your IdP to add Sipmon as an application (client) that authenticates users with the OpenID Connect protocol, and authorize the following redirect URI, to which the IdP sends users back after they log in:

```text
{protocol}://{server}:{port}/Sipmon/authentication/providers/configurations/openid
```

Replace {protocol}, {server} and {port} with the scheme, host name and port used to reach your Sipmon server, for example: https://Sipmon.domain.net/Sipmon/authentication/providers/configurations/openid. Most identity providers compare redirect URIs exactly, so the registered value must match the scheme, host, port and path that Sipmon actually sends.

Examples of configuration