Setting up SSO with an external OpenID authentication server
This document describes the operation and configuration of BlueMind with an external OpenID authentication server.
Prerequisites
- Have an OpenID server up and running
- Have authorized the BlueMind authentication client with the OpenID server.
After configuration, note the following information, which will be used to configure BlueMind:
- third-party OpenID server URL
- OpenId client identifier (sometimes called Application ID)
- **OpenId customer secret
How OpenID authentication works
For initial authentication :
- The user tries to connect to BlueMind, which he opens in his browser.
- As it has not yet been authenticated, the BlueMind server redirects it to the OpenID server for authentication.
- Once authenticated, an openID cookie is placed in the user's browser, and the user is redirected to BlueMind with a ticket to validate.
- The BlueMind server :
- sees this ticket,
- asks the openID server if it is valid,
- si c'est bien le cas, autorise la connection et pose un cookie BlueMind dans le navigateur.
On next authentication:
- The customer requests access to the BlueMind server again.
- As it has the BlueMind cookie, it is automatically authenticated as long as this cookie is valid.
Configuration
-
In the administration console, go to System management > Supervised domains > choose domain > Security tab.
ℹ️ Compte administrateur
La procédure concerne la configuration du domaine, il est donc possible et préférable d'utiliser un compte administrateur de domaine plutôt que le superutilisateur admin0. -
Sélectionner le mode d'authentification OpenID dans le menu déroulant et renseigner les champs associés :

- third-party OpenID server URL: indicate the URL of the OpenID server used to retrieve the list of endpoints.
Par exemple, sur Keycloak, c'est une URL de la forme :https://{openid-server}/realms/{realm}/.well-known/openid-configuration
Remplacer:{openid-server}by OpenID server hostname{realm}by the realm configured on the server
- OpenId customer identifier
- **OpenId customer secret
- third-party OpenID server URL: indicate the URL of the OpenID server used to retrieve the list of endpoints.
-
Click on "Save" to save your changes.
Users will then be automatically redirected to the OpenID server when accessing the authentication page.