Wiki.js - OpenID Connect (OIDC)
Authenticate to Wiki.js using OpenID Connect (OIDC).
Wiki.js is a robust and versatile open-source Wiki software that empowers users to create and manage content with ease. This use case details the process of setting up integration between Wiki.js and Integrity Access, leveraging the powerful capabilities of OpenID Connect (OIDC). This integration ensures streamlined access management, enhancing security and authentication processes.
This scenario will use the following:
FortifiedID Integrity Access installed with OpenID Connect (OIDC), the login method or methods of your choice, and an LDAP connection to retrieve user information such as the email address.
Wiki.js
Active Directory as the LDAP source
Good knowledge of the FortifiedID Integrity Access product.
FortifiedID Integrity Access, current version, installed with OpenID Connect (OIDC), the login method or methods of your choice, and an LDAP connection to retrieve user information such as the email address.
Host (DNS) name of the Integrity Access service.
A trusted certificate for the HTTPS communication with FortifiedID Integrity Access.
Active Directory / LDAP source with the users. Each user needs a configured email address.
In this guide, we are focusing on deploying Wiki.js using Docker containers. This method is efficient for running both Wiki.js and a PostgreSQL database within isolated environments. However, if Docker is not your tool of choice, you can explore other installation methods that may better suit your setup requirements.
Remember that this use case does not describe the installation of the products; they are expected to be installed in advance.
If you do not already have an installation of FortifiedID Integrity Access with OpenID Connect (OIDC), you can follow one of the use cases for OpenID Connect (OIDC) with the login method of your choice, for example UID/PWD (OIDC).
Add the following Relying Party (RP) configuration to the "rps" section of both the "OIDCModule" module and the "OIDCAuthCodeFlow" authenticator in the FortifiedID Integrity Access configuration.
Make sure that the required claims are provided via the "oidc_pre_pipe". If necessary, change the values to match your environment.
"sub": "{{{item.mail}}}", - the user's email address
"family_name": "{{{item.family_name}}}", - the user's last name
"given_name": "{{{item.given_name}}}", - the user's first name
"name": "{{{item.name}}}", - the user's display name
"email": "{{{item.mail}}}" - the user's email address
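To check that the mapping above yields what the Wiki.js strategy configured later in this guide consumes, here is an added Python example (not part of this page or of the Integrity Access product) that expands the {{{item.<attr>}}} templates from a constructed LDAP entry and flags a user without a mail attribute; the Handlebars-style rendering and the sample users are assumptions of the example.

```python
import re

# Claim templates as listed in the oidc_pre_pipe section above; the
# {{{item.<attr>}}} placeholders refer to attributes of the LDAP user entry.
CLAIM_TEMPLATES = {
    "sub": "{{{item.mail}}}",
    "family_name": "{{{item.family_name}}}",
    "given_name": "{{{item.given_name}}}",
    "name": "{{{item.name}}}",
    "email": "{{{item.mail}}}",
}

# Claims the Wiki.js strategy in this guide actually consumes: "sub" to
# identify the account, "email" (Email Claim) and "name" (Display Name Claim).
REQUIRED_CLAIMS = ("sub", "email", "name")

_PLACEHOLDER = re.compile(r"\{\{\{item\.(\w+)\}\}\}")


def render_claims(item: dict) -> dict:
    """Expand every {{{item.<attr>}}} placeholder from the LDAP entry.
    An attribute missing from the entry renders as an empty string, which is
    what a template engine produces too; check_claims() must reject that."""
    return {
        claim: _PLACEHOLDER.sub(lambda m: str(item.get(m.group(1), "")), tmpl)
        for claim, tmpl in CLAIM_TEMPLATES.items()
    }


def check_claims(claims: dict) -> list:
    """Return the problems that would make the Wiki.js login fail."""
    problems = [f"claim '{c}' is empty"
                for c in REQUIRED_CLAIMS if not claims.get(c, "").strip()]
    email = claims.get("email", "")
    if email and "@" not in email:
        problems.append("email claim is not an address")
    return problems


# Constructed sample LDAP entries (not real users); the second one has no
# mail attribute, the situation the prerequisites above warn about.
USER_OK = {"mail": "anna.andersson@example.com", "given_name": "Anna",
           "family_name": "Andersson", "name": "Anna Andersson"}
USER_NO_MAIL = {"given_name": "Bo", "family_name": "Berg", "name": "Bo Berg"}

if __name__ == "__main__":
    for user in (USER_OK, USER_NO_MAIL):
        claims = render_claims(user)
        print(claims, check_claims(claims) or "OK")
```

With sub mapped to the mail attribute, a changed address looks to Wiki.js like a new account, so keep that attribute stable for each user.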
Use a web browser to open the FortifiedID Integrity Access OP discovery document at this link:
https://<address to access>/oidc/<tenant name>/.well-known/openid-configuration
Replace <address to access> with the address to your FortifiedID Integrity Access server.
Replace <tenant name> with the tenant name in your FortifiedID Integrity Access configuration.
Example: https://demo.fortifiedid.se/oidc/tenant1/.well-known/openid-configuration
The following information from https://<address to access>/oidc/<tenant name>/.well-known/openid-configuration will be used in the Wiki.js configuration in the steps below.
issuer
authorization_endpoint
token_endpoint
userinfo_endpoint
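The following added Python example (not from this page or the product) parses a discovery document, pulls out those four values, and rejects a document whose issuer does not match the URL it was served from or whose endpoints are not HTTPS, since Wiki.js will trust whatever is pasted into its strategy settings; the sample document and the is_acceptable() helper are constructed for the example.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# The discovery values this guide copies into the Wiki.js strategy.
NEEDED = ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint")


def discovery_url(address: str, tenant: str) -> str:
    """Build the discovery URL shown above for a host and tenant name."""
    return f"https://{address}/oidc/{tenant}{WELL_KNOWN}"


def extract_endpoints(fetched_from: str, body: str) -> dict:
    """Parse a discovery document and return the values Wiki.js needs.
    Raises ValueError for a missing field, a non-HTTPS endpoint, or an issuer
    that does not match where the document was fetched from (OIDC Discovery
    requires issuer + WELL_KNOWN to equal the URL that served the document)."""
    if not fetched_from.endswith(WELL_KNOWN):
        raise ValueError("discovery URL must end with " + WELL_KNOWN)
    doc = json.loads(body)
    missing = [k for k in NEEDED if k not in doc]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    expected_issuer = fetched_from[: -len(WELL_KNOWN)]
    if doc["issuer"] != expected_issuer:
        raise ValueError(f"issuer {doc['issuer']!r} != {expected_issuer!r}")
    for key in NEEDED:
        if urlsplit(doc[key]).scheme != "https":
            raise ValueError(f"{key} must use https: {doc[key]}")
    return {k: doc[k] for k in NEEDED}


def is_acceptable(fetched_from: str, body: str) -> bool:
    # Boolean form of extract_endpoints() for scripts and tests.
    try:
        extract_endpoints(fetched_from, body)
        return True
    except ValueError:
        return False


# Constructed sample document for the example tenant above (not a real response).
SAMPLE_URL = discovery_url("demo.fortifiedid.se", "tenant1")
SAMPLE_BODY = json.dumps({
    "issuer": "https://demo.fortifiedid.se/oidc/tenant1",
    "authorization_endpoint": "https://demo.fortifiedid.se/access/authn/oidc",
    "token_endpoint": "https://demo.fortifiedid.se/oidc/tenant1/token-endpoint",
    "userinfo_endpoint": "https://demo.fortifiedid.se/oidc/tenant1/userinfo-endpoint",
})

if __name__ == "__main__":  # in a live check, fetch SAMPLE_URL with urllib.request
    for key, value in extract_endpoints(SAMPLE_URL, SAMPLE_BODY).items():
        print(f"{key}: {value}")
```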
Note! Skip this step if you installed Wiki.js by another method.
To run Wiki.js with Docker Compose, follow these steps:
Create a new directory for your Wiki.js setup and change to that directory:
Create a docker-compose.yml file in this directory using the editor of your choice; in this example nano is used:
Paste the following content into the docker-compose.yml file:
Save and close the file.
Run the following command to start Wiki.js and its database containers:
This command downloads the necessary images and starts the containers in detached mode.
Once the containers are up and running, open your web browser and navigate to http://localhost (or your server's IP address if running on a remote machine).
You should see the Wiki.js setup wizard. Follow the on-screen instructions to complete the initial installation steps.
This guide will help you configure Wiki.js to use FortifiedID Integrity Access as an OpenID Connect 1.0 provider.
Log in to Wiki.js as an Administrator.
Navigate to Modules > Authentication.
Select + Add Strategy.
Choose Generic OpenID Connect / OAuth2.
Enter the following values:
Display Name: FortifiedID-Integrity OpenID Connect
Client ID: wikijsid
Client Secret: insecure_wiki_secret
Authorization Endpoint URL: https://<address to access>/<url path>/authn/<oidc id>
Example: https://demo.fortifiedid.se/access/authn/oidc
Token Endpoint URL: https://<address to access>/oidc/<tenant name>/token-endpoint
Example: https://demo.fortifiedid.se/oidc/tenant1/token-endpoint
User Info Endpoint URL: https://<address to access>/oidc/<tenant name>/userinfo-endpoint
Example: https://demo.fortifiedid.se/oidc/tenant1/userinfo-endpoint
Issuer URL: https://<address to access>/oidc/<tenant name>
Example: https://demo.fortifiedid.se/oidc/tenant1
Email Claim: email
Display Name Claim: name
Map Groups: Disabled
Groups Claim: groups
For testing purposes only, apply the following settings. Do not use them in production.
Allow self-registration: Enabled
Assign to group: Select both Guest and Administrator
Callback URL / Redirect URI: copy the Callback URL / Redirect URI provided by Wiki.js. This will be used in the FortifiedID Integrity Access configuration.
Click Apply to save the configuration.
Your Wiki.js instance is now configured to authenticate users using FortifiedID as an OpenID Connect provider.
In the FortifiedID Integrity Access configuration, replace "<will be replace with the Callback URL / Redirect URI from wiki.js >" with the "Callback URL / Redirect URI" from the Wiki.js configuration.
Example:
Browse to https://<wikijs_dns_name> and select Logga in med Fortified ID (Swedish for "Log in with Fortified ID").
You should be redirected to the OP (Integrity Access).
Authenticate with the method of your choice.
You should be redirected back to Wiki.js and now be logged in.