OpenID Connect
GroupOffice can be configured as a client that uses an external OpenID Connect server for Single Sign On. GroupOffice can also be configured as the OpenID Connect server itself.
OpenID Connect client
To configure an external OpenID Connect server for Single Sign On you must install the OIDC module. You can then configure OpenID-compliant providers such as:
Another GroupOffice installation
Once installed, a button “Sign up with <MYPROVIDER>” will show on the login page of GroupOffice.
Get started
1. Configure the OpenID App registration at the provider so you have an Authority URL, Client ID and Client secret. You will need to add a redirect URL. That is: https://yourgroupoffice.com/api/page.php/go/community/oidc/auth
   You can also get that URL from the OIDC module at System Settings -> OIDC -> Add.
2. Install the OIDC module at System Settings -> Modules.
3. Create the new client at System Settings -> OIDC. You will need the Authority URL, Client ID and Client secret from step 1 here.
4. Log out and find the new button to use the single sign on.
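Before entering the values from step 1, it helps to confirm that the provider's metadata and the registered redirect URL are sane. The following is an added example, not GroupOffice code: it assumes the Authority URL is the provider's issuer and that the provider publishes an OpenID Connect Discovery document under it. The function names and the `idp.example.com` sample are constructed for illustration.

```python
import json
from urllib.parse import urlsplit
from urllib.request import urlopen

REDIRECT_PATH = "/api/page.php/go/community/oidc/auth"  # path given on this page
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "id_token_signing_alg_values_supported")

# Constructed sample of a discovery document (idp.example.com is a placeholder).
SAMPLE = json.loads("""{
  "issuer": "https://idp.example.com/realms/office",
  "authorization_endpoint": "https://idp.example.com/realms/office/authorize",
  "token_endpoint": "https://idp.example.com/realms/office/token",
  "jwks_uri": "https://idp.example.com/realms/office/keys",
  "response_types_supported": ["code", "id_token"],
  "id_token_signing_alg_values_supported": ["RS256"]
}""")

def fetch_metadata(authority_url):
    """Download the discovery document published under the Authority URL."""
    url = authority_url.rstrip("/") + "/.well-known/openid-configuration"
    with urlopen(url, timeout=10) as resp:
        return json.load(resp)

def check_provider(authority_url, meta):
    """Return a list of problems; an empty list means the metadata looks usable."""
    problems = [f"missing {k}" for k in REQUIRED if k not in meta]
    if problems:
        return problems
    # The issuer must be the URL the metadata was fetched from (trailing "/" ignored).
    if meta["issuer"].rstrip("/") != authority_url.rstrip("/"):
        problems.append("issuer does not match Authority URL")
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(meta[key]).scheme != "https":
            problems.append(f"{key} is not https")
    if "code" not in meta["response_types_supported"]:
        problems.append("authorization code flow not offered")
    if not set(meta["id_token_signing_alg_values_supported"]) - {"none"}:
        problems.append("ID tokens would be unsigned")
    return problems

def check_redirect_uri(uri):
    """Check the redirect URL registered at the provider against this page's path."""
    parts, problems = urlsplit(uri), []
    if parts.scheme != "https":
        problems.append("redirect URL is not https")
    if not parts.path.endswith(REDIRECT_PATH):
        problems.append("unexpected redirect path")
    if parts.query or parts.fragment:  # the URL on this page has neither
        problems.append("redirect URL carries query or fragment")
    return problems
```

Against a live provider, pass the result of `fetch_metadata(authority_url)` to `check_provider` in place of `SAMPLE`.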
Password authentication
The SSO method above does not store a password in GroupOffice, which enhances security. Because of this, services like WebDAV, CalDAV and Microsoft ActiveSync can’t work. If your authentication backend supports LDAP too, you can also set up LDAP authentication so it can offer password authentication for these services.
OpenID Connect server
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by GroupOffice as an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
You can add clients at System Settings -> OAuth 2.0.
We’ve used this to integrate:
But any system supporting OpenID Connect should be able to use this feature.