Setting up SSO with an external OpenID authentication server
This document describes the operation and configuration of BlueMind with an external OpenID authentication server.
Prerequisites
- Have an OpenID server up and running
- Have authorized the BlueMind authentication client with the OpenID server.
After configuration, note the following information, which will be used to configure BlueMind:
- third-party OpenID server URL
- OpenId client identifier (sometimes called Application ID)
- **OpenId customer secret
How OpenID authentication works
For initial authentication :
- The user tries to connect to BlueMind, which he opens in his browser.
- As it has not yet been authenticated, the BlueMind server redirects it to the OpenID server for authentication.
- Once authenticated, an openID cookie is placed in the user's browser, and the user is redirected to BlueMind with a ticket to validate.
- The BlueMind server :
- sees this ticket,
- asks the openID server if it is valid,
- If that is the case, authorize the connection and set a BlueMind cookie in the browser.
On next authentication:
- The customer requests access to the BlueMind server again.
- As it has the BlueMind cookie, it is automatically authenticated as long as this cookie is valid.
OpenID configuration for a single or primary domain
-
In the administration console, go to System management > Supervised domains > choose domain > Security tab.
ℹ️ Compte administrateur
La procédure concerne la configuration du domaine, il est donc possible et préférable d'utiliser un compte administrateur de domaine plutôt que le superutilisateur admin0. -
Select the OpenID authentication mode from the drop-down menu and fill in the associated fields:

- third-party OpenID server URL: indicate the URL of the OpenID server used to retrieve the list of endpoints.
Par exemple, sur Keycloak, c'est une URL de la forme :https://{openid-server}/realms/{realm}/.well-known/openid-configuration
Remplacer:{openid-server}by OpenID server hostname{realm}by the realm configured on the server
- OpenId customer identifier
- **OpenId customer secret
- third-party OpenID server URL: indicate the URL of the OpenID server used to retrieve the list of endpoints.
-
Click on "Save" to save your changes.
Users will then be automatically redirected to the OpenID server when accessing the authentication page.
OpenID configuration in a shared Environment
To use a single authentication server with multiple domains, you configure the server for a primary domain, to which the other domains are linked.
-
Set up your first domain using the method described above; it will then be considered the primary domain.
-
Enter an external URL for the primary domain (see External URL Configuration).
Configuring the external URL is required for authentication to work properly with all domains. -
Note the username(s) of the subdomain(s) (Domain UID) from the list of domains or their management page.
-
Go to the management page for the primary domain > Security tab. Sous le formulaire de configuration OpenID apparaît désormais un lien "Ajouter" :

→ cliquer pour ajouter autant de domaines secondaires que désiré. -
Dans les champs ajoutés, renseigner les UID des domaines à lier :
-
Click "Save" to confirm.
-
Dans la fiche de gestion des domaines secondaires, onglet Sécurité, le formulaire est désormais remplacé par une information contenant l'UID du domaine primaire :
