
Set up OpenID Connect (OIDC) using Auth0

You can set up OpenID Connect (OIDC) as an authentication method for SignServer AdminWeb login using Auth0.

If you use the default HTTPS port 443, do not include the port in the URLs: spelling out `:443` triggers a known issue when trying to log in. Instead use:

  • Allowed Callback URLs: https://<YourDomain>/signserver/adminweb/callback

  • Allowed Logout URLs: https://<YourDomain>/signserver

Prerequisites

An Auth0 account and an Auth0 application.

Step 1 - Configure your Auth0 Application

To set up the SignServer authentication, configure the Auth0 application settings.

  1. Navigate to the Application Settings in your Auth0 application.

  2. Set the following:

    • Allowed Callback URLs: https://<YourDomain>:8443/signserver/adminweb/callback

    • Allowed Logout URLs: https://<YourDomain>:8443/signserver

For more information, see the Auth0 Documentation https://auth0.com/docs/get-started/applications/application-settings.

  3. Click Save.

  4. Navigate to the Tenant Settings.

  5. In the Login and Logout section under Advanced, set the following:

    • Allowed Logout URLs: https://<YourDomain>:8443/signserver

For more information, see https://auth0.com/docs/authenticate/login/logout/redirect-users-after-logout.

  6. Click Save.

  7. Create an Action which triggers after a user is authenticated but before a token is issued. To create a post-login trigger, follow the steps in https://auth0.com/docs/customize/actions/write-your-first-action.

  8. Replace the code in the trigger with the following:

CODE
exports.onExecutePostLogin = async (event, api) => {
  // Name of the ID-token claim that carries the user's Auth0 roles;
  // it must match oidc.callerGroupsClaim in SignServer's oidc.properties.
  const namespace = 'kf.roles';
  if (event.authorization) {
    // SignServer identifies the administrator by preferred_username.
    api.idToken.setCustomClaim('preferred_username', event.user.email);
    // The roles assigned to the user in Auth0 become the caller's groups.
    api.idToken.setCustomClaim(`${namespace}`, event.authorization.roles);
  }
}

  9. Click Deploy.

  10. Follow the steps to attach the Action to a flow, and click Apply.
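To see what the Action above actually puts into the ID token, the following harness runs it against a stub `api` object that records custom claims. This is an added example, not Auth0's or SignServer's code: the Action body is copied from this page, while the stub, the helper names and the two sample login events are constructed for the example. It covers the case the Action's guard anticipates, a login event with no `authorization` object, in which no claims are set and SignServer therefore sees no groups for the user.

```javascript
// Added example: exercise the post-login Action with a stubbed Auth0 `api`.

// The Action exactly as deployed in Auth0 (copied from this page).
const onExecutePostLogin = async (event, api) => {
  const namespace = 'kf.roles';
  if (event.authorization) {
    api.idToken.setCustomClaim('preferred_username', event.user.email);
    api.idToken.setCustomClaim(`${namespace}`, event.authorization.roles);
  }
};

// Minimal stand-in (assumption) for Auth0's `api`: records every custom claim
// added to the ID token so the result can be inspected.
function makeApiStub() {
  const claims = {};
  return {
    idToken: { setCustomClaim: (name, value) => { claims[name] = value; } },
    claims,
  };
}

// Run the Action for one login event and return the resulting ID-token claims.
async function claimsForLogin(event) {
  const api = makeApiStub();
  await onExecutePostLogin(event, api);
  return api.claims;
}

// The three roles created in Step 2; anything else in the claim is ignored here.
const SIGNSERVER_ROLES = ['admin', 'auditor', 'archive_auditor'];

// Which SignServer roles a token grants, read from the groups claim
// (default 'kf.roles', the value of oidc.callerGroupsClaim).
function grantedRoles(claims, groupsClaim = 'kf.roles') {
  return (claims[groupsClaim] || []).filter(r => SIGNSERVER_ROLES.includes(r));
}

// Constructed sample events: one user with roles, one event without an
// authorization object at all.
const withRoles = {
  user: { email: 'alice@example.com' },
  authorization: { roles: ['admin', 'auditor'] },
};
const noRoles = { user: { email: 'bob@example.com' } };

(async () => {
  const a = await claimsForLogin(withRoles);
  console.log(a, '->', grantedRoles(a));   // preferred_username + kf.roles
  const b = await claimsForLogin(noRoles);
  console.log(b, '->', grantedRoles(b));   // {} -> [] : no groups for SignServer
})();
```

If a user can log in at Auth0 but is refused by AdminWeb, compare the claims this harness produces with the roles assigned in Step 2 and the claim name configured in `oidc.callerGroupsClaim`.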

Step 2 - Manage Auth0 User Roles

To complete the setup of your user profile in the Auth0 application, create and assign roles.

For more information and detailed steps, see https://auth0.com/docs/manage-users/user-accounts.

  1. Create a new user.

  2. Under Roles, create the following three roles:

    • admin

    • auditor

    • archive_auditor

  3. In the User Configuration section, click Assign Roles and assign the roles you want to your user.

Step 3 - Configure SignServer for OIDC

To complete the OIDC setup, configure SignServer with the Auth0 values.

For more information, see https://auth0.com/docs/get-started/applications/application-settings.

  1. In the Auth0 application, find the following values under Application Settings:

    • Client ID

    • Client Secret

    • Domain (used in providerUri and providerLogOutUri)

  2. Copy these values into the corresponding keys of SignServer's conf/oidc.properties file.

For example, for oidc.providerUri, the value is similar to:

CODE
https://<domain>/

For oidc.providerLogOutUri, the value is similar to:

CODE
https://<domain>/v2/logout

Here is an example snippet of oidc.properties:

CODE
#Sample for Auth0
oidc.clientId=xxxxxxclient-idxxxxxxxxxxxxxx
oidc.clientSecret=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
oidc.providerUri=https://dev-xxxxxxxxxxxxxxxx.us.auth0.com/
oidc.providerLogOutUri=https://dev-xxxxxxxxxxxxxxxx.us.auth0.com/v2/logout
oidc.logoutUri=https://localhost:8443/signserver
oidc.redirectUri=https://localhost:8443/signserver/adminweb/workers.xhtml
oidc.loginUri=https://localhost:8443/signserver/adminweb/callback
oidc.callerGroupsClaim=kf.roles
oidc.audience=xxxxxxclient-idxxxxxxxxxxxxxx
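The values in oidc.properties have to agree with the Auth0 application settings from Step 1 and with the claim name used by the Action; a mismatch typically shows up only as a failed redirect or an empty group list at login. The following script is an added example, not part of SignServer or Auth0: it parses an oidc.properties file and checks it against a constructed object holding the Auth0 settings (Client ID, Domain, the two allow-lists and the roles claim). The property names are the ones shown on this page; the sample values and the `AUTH0_SETTINGS` object are constructed.

```javascript
// Added example: consistency check between oidc.properties and Auth0 settings.

// Minimal Java .properties parser: key=value (or key:value) lines, '#'/'!' comments.
function parseProperties(text) {
  const props = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith('!')) continue;
    const i = line.search(/[=:]/);
    if (i < 0) continue;
    props[line.slice(0, i).trim()] = line.slice(i + 1).trim();
  }
  return props;
}

// Returns a list of problems; an empty list means both sides agree.
function checkOidcConfig(props, auth0) {
  const problems = [];
  const required = ['oidc.clientId', 'oidc.clientSecret', 'oidc.providerUri',
    'oidc.providerLogOutUri', 'oidc.logoutUri', 'oidc.redirectUri', 'oidc.loginUri',
    'oidc.callerGroupsClaim', 'oidc.audience'];
  for (const k of required) if (!props[k]) problems.push(`missing ${k}`);
  if (problems.length) return problems;

  // The token audience is the Auth0 Client ID, as in the sample on this page.
  if (props['oidc.audience'] !== props['oidc.clientId']) problems.push('oidc.audience must equal oidc.clientId');
  if (props['oidc.clientId'] !== auth0.clientId) problems.push('oidc.clientId does not match the Auth0 Client ID');

  // providerUri is https://<domain>/ and the logout endpoint is https://<domain>/v2/logout.
  const provider = new URL(props['oidc.providerUri']);
  if (provider.host !== auth0.domain || provider.pathname !== '/') problems.push('oidc.providerUri should be https://<domain>/');
  if (props['oidc.providerLogOutUri'] !== `https://${auth0.domain}/v2/logout`) problems.push('oidc.providerLogOutUri should be https://<domain>/v2/logout');

  // Auth0 only redirects to URLs on its allow-lists (Step 1), matched as exact strings.
  if (!auth0.allowedCallbackUrls.includes(props['oidc.loginUri'])) problems.push('oidc.loginUri is not in Allowed Callback URLs');
  if (!auth0.allowedLogoutUrls.includes(props['oidc.logoutUri'])) problems.push('oidc.logoutUri is not in Allowed Logout URLs');

  // Known issue from this page: on the default port the URLs must not spell out :443.
  // (new URL() silently drops the default port, so the raw string is inspected.)
  for (const k of ['oidc.logoutUri', 'oidc.redirectUri', 'oidc.loginUri']) {
    if (new URL(props[k]).protocol !== 'https:') problems.push(`${k} must use https`);
    if (props[k].includes(':443/')) problems.push(`${k} must not spell out port 443`);
  }

  // The groups claim must be the one the post-login Action writes ('kf.roles').
  if (props['oidc.callerGroupsClaim'] !== auth0.rolesClaim) problems.push('oidc.callerGroupsClaim does not match the claim set by the Action');
  return problems;
}

// Constructed sample configuration (values are placeholders, not real credentials).
const SAMPLE_PROPERTIES = `#Sample for Auth0 (constructed values)
oidc.clientId=abc123clientid
oidc.clientSecret=placeholder-secret
oidc.providerUri=https://dev-example.us.auth0.com/
oidc.providerLogOutUri=https://dev-example.us.auth0.com/v2/logout
oidc.logoutUri=https://signserver.example.com:8443/signserver
oidc.redirectUri=https://signserver.example.com:8443/signserver/adminweb/workers.xhtml
oidc.loginUri=https://signserver.example.com:8443/signserver/adminweb/callback
oidc.callerGroupsClaim=kf.roles
oidc.audience=abc123clientid
`;

// Constructed stand-in for what you read off the Auth0 Application Settings page.
const AUTH0_SETTINGS = {
  clientId: 'abc123clientid',
  domain: 'dev-example.us.auth0.com',
  allowedCallbackUrls: ['https://signserver.example.com:8443/signserver/adminweb/callback'],
  allowedLogoutUrls: ['https://signserver.example.com:8443/signserver'],
  rolesClaim: 'kf.roles',
};

console.log(checkOidcConfig(parseProperties(SAMPLE_PROPERTIES), AUTH0_SETTINGS));           // []
console.log(checkOidcConfig(parseProperties(SAMPLE_PROPERTIES.replace(/:8443/g, ':443')), AUTH0_SETTINGS));
```

The second call shows the port-443 case: besides the three "must not spell out port 443" findings, the login and logout URIs no longer match the allow-lists, which is exactly what the note at the top of this page warns about.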
