
Set up OpenID Connect (OIDC) using Auth0

You can set up OpenID Connect (OIDC) as an authentication method for SignServer AdminWeb login using Auth0.

If you use the default HTTPS port 443, do not specify the port in the URLs; including it causes a known issue when trying to log in. Instead use:

  • Allowed Callback URLs: https://<YourDomain>/signserver/adminweb/callback

  • Allowed Logout URLs: https://<YourDomain>/signserver

Prerequisites

An Auth0 account.

The application server running SignServer needs to support OIDC and have the appropriate extension(s) enabled. For SignServer software installations, refer to Application Server Setup and the sections about layers/extensions and any sections mentioning “OIDC”.

Step 1 - Configure your Application in Auth0

To set up the SignServer authentication in an Auth0 application:

Create an Application

  1. In your Auth0 account, navigate to Applications.

  2. Click Create New Application.

  3. Choose Regular Web Applications as the type.

  4. Navigate to Settings in your Auth0 application.

  5. Set the following under Application URIs:

    • Allowed Callback URLs: https://<YourDomain>:8443/signserver/adminweb/callback

    • Allowed Logout URLs: https://<YourDomain>:8443/signserver

For more information, see the Auth0 Documentation Application Settings.

  6. Click Save.

Set Allowed Logout URL

  1. Navigate to the Settings for your Auth0 account.

  2. Click on the Advanced tab in Tenant Settings.

  3. In the Login and Logout section, set the following:

    • Allowed Logout URLs: https://<YourDomain>:8443/signserver

For more information, see Redirect Users After Logout.

  4. Click Save.

Create a Trigger

  1. Navigate to Triggers under Actions.

  2. Choose post-login trigger.

  3. Click Create Action.

  4. Fill in the Name field and click Create.

  5. Add the following code in the trigger:

    // Runs after every successful login and adds the claims SignServer reads from the ID token.
    exports.onExecutePostLogin = async (event, api) => {
      // The claim name must match oidc.callerGroupsClaim in conf/oidc.properties.
      const namespace = 'kf.roles';
      if (event.authorization) {
        // SignServer identifies the administrator by this claim.
        api.idToken.setCustomClaim('preferred_username', event.user.email);
        // The user's Auth0 roles (admin, auditor, archive_auditor) become the caller groups.
        api.idToken.setCustomClaim(namespace, event.authorization.roles);
      }
    };

  6. Click Deploy.

  7. Drop the new Action into the flow.

For more information, see the Auth0 Documentation Write Your First Action.

  8. Click Apply.

Step 2 - Manage Auth0 User Roles

To complete the setup of your user profile in the Auth0 application, create and assign roles.

For more information and detailed steps, see User Accounts.

  1. Navigate to User Management.

  2. Create a new user.

  3. Under Roles, create the following three roles:

    • admin

    • auditor

    • archive_auditor

  4. In the User Configuration section, click Assign Roles and assign the roles you want to your user.

Step 3 - Configure SignServer for OIDC

To complete the OIDC setup, configure SignServer with the Auth0 values.

For more information, see Application Settings.

  1. In the Auth0 application, find the following values under Application Settings:

    • Client ID

    • Client Secret

    • Domain (used in providerUri and providerLogOutUri)

  2. Copy these values and paste them into the SignServer configuration file conf/oidc.properties.

For example, for oidc.providerUri, the value is similar to:

    https://<domain>/

For oidc.providerLogOutUri, the value is similar to:

    https://<domain>/v2/logout

Here is an example snippet of the oidc.properties:

    #Sample for Auth0
    oidc.clientId=xxxxxxclient-idxxxxxxxxxxxxxx
    oidc.clientSecret=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    oidc.providerUri=https://dev-xxxxxxxxxxxxxxxx.us.auth0.com/
    oidc.providerLogOutUri=https://dev-xxxxxxxxxxxxxxxx.us.auth0.com/v2/logout
    oidc.logoutUri=https://localhost:8443/signserver
    oidc.redirectUri=https://localhost:8443/signserver/adminweb/workers.xhtml
    oidc.loginUri=https://localhost:8443/signserver/adminweb/callback
    oidc.callerGroupsClaim=kf.roles
    oidc.audience=xxxxxxclient-idxxxxxxxxxxxxxx

  3. Re-deploy SignServer after the configuration changes.

The application server may fail to start SignServer if OIDC is configured but the application server is missing OIDC support.

See Prerequisites.
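A quick way to confirm that the Auth0 Action and the oidc.properties values agree before re-deploying is to decode an ID token issued after a test login and check that its claims match the configuration. The following Node.js script is an added example, not part of the SignServer documentation or the Auth0 Action above; the property values and the token payload in it are constructed placeholders. It only decodes the token and checks claims; signature verification against the provider's JWKS is left to the application server's OIDC layer.

```javascript
// Constructed stand-ins for the relevant lines of conf/oidc.properties (placeholders, not real values).
const oidcProps = {
  'oidc.providerUri': 'https://dev-example.us.auth0.com/',
  'oidc.audience': 'client-id-placeholder',
  'oidc.callerGroupsClaim': 'kf.roles',
};

// The three roles created in Step 2.
const KNOWN_ROLES = ['admin', 'auditor', 'archive_auditor'];

function base64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Builds a constructed, unsigned token with the compact JWS layout of an Auth0 ID token.
function buildSampleIdToken(payload) {
  return `${base64url({ alg: 'RS256', typ: 'JWT' })}.${base64url(payload)}.signature-placeholder`;
}

function decodePayload(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS token');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Returns a list of findings; an empty list means the token matches the configuration.
// Signature verification is deliberately out of scope here (the application server does it).
function checkIdTokenClaims(idToken, props, now = Math.floor(Date.now() / 1000)) {
  const p = decodePayload(idToken);
  const findings = [];
  // Issuer must equal oidc.providerUri exactly, including the trailing slash.
  if (p.iss !== props['oidc.providerUri']) findings.push(`iss ${p.iss} does not match oidc.providerUri`);
  // aud may be a string or an array; it must include the client ID configured as oidc.audience.
  const aud = Array.isArray(p.aud) ? p.aud : [p.aud];
  if (!aud.includes(props['oidc.audience'])) findings.push('aud does not include oidc.audience');
  if (typeof p.exp !== 'number' || p.exp <= now) findings.push('exp missing or token expired');
  // Both custom claims are set by the post-login Action; missing means it is not in the flow.
  if (!p.preferred_username) findings.push('preferred_username missing (Action not deployed or not in flow?)');
  const groupsClaim = props['oidc.callerGroupsClaim'];
  const groups = p[groupsClaim];
  if (!Array.isArray(groups) || groups.length === 0) {
    findings.push(`${groupsClaim} missing or empty (no roles assigned to the user?)`);
  } else {
    groups.filter((g) => !KNOWN_ROLES.includes(g)).forEach((g) => findings.push(`unknown role ${g}`));
  }
  return findings;
}

module.exports = { oidcProps, buildSampleIdToken, decodePayload, checkIdTokenClaims };
```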
