OpenID, OpenID Connect

Hi everybody!

Is there any way to use OpenID/OpenID Connect to authenticate via Google in the platform?

Thanks in advance.

Hi Juan

The short answer is probably yes :smile: with Sunstone as the user frontend. You can use the new Sunstone remote authentication method and Apache 2 mod_auth_openidc:

http://docs.opennebula.org/5.0/deployment/sunstone_setup/sunstone.html

http://docs.opennebula.org/5.0/deployment/sunstone_setup/suns_advance.html?highlight=kerberos#running-sunstone-inside-another-webserver

The basic idea is to run Sunstone inside Apache using Passenger. It is quite similar to the Kerberos or X509 authentication, and you can see an example in the documentation. Apache will do the hard work: the web service will check whether your OpenID credentials are valid, and if so you will get a token and REMOTE_USER will be set.

The REMOTE_USER variable is used by OpenNebula to give you access to the OpenNebula system, but the user should be available in the OpenNebula database. It's similar to X509 authentication using user certificates; in this case the password should match the REMOTE_USER, which should be unique.

In this case you should sync your local user database with the external SSO auth system. I never tried this with OpenID, but we use Kerberos and FreeIPA and it is working perfectly fine. We have created a script to sync and create/disable our internal OpenNebula users with the external FreeIPA SSO.

For OpenID the REMOTE_USER could be something like mrsoandso@gmail.com, so you have to include this user in ONE using the public driver:

$ oneuser create mrsoandso "mrsoandso@gmail.com" --driver public

And that's it. At least that's the theory; I never tried OpenID. I hope that this will help you…

Cheers
Alvaro
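
A minimal Apache virtual host for the setup described in the answer above, as an added example that is not part of the original posts and has not been tested against Sunstone. The hostname, certificate paths, client ID, client secret and passphrase are placeholders; the Passenger lines follow the OpenNebula documentation linked above, and the OIDC directives are standard mod_auth_openidc settings.

```apache
# Added example (assumptions: hostname, certificate paths and all
# CHANGE_ME values are placeholders).
# Sunstone itself must use remote authentication, i.e. ":auth: remote"
# in its server configuration, so that it trusts REMOTE_USER from Apache.
<VirtualHost *:443>
    ServerName sunstone.example.org

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/sunstone.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/sunstone.example.org.key

    # Run Sunstone under Passenger as the oneadmin user.
    PassengerUser oneadmin
    DocumentRoot /usr/lib/one/sunstone/public

    # Google as the OpenID Connect provider.
    OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
    OIDCClientID     CHANGE_ME_CLIENT_ID
    OIDCClientSecret CHANGE_ME_CLIENT_SECRET

    # Callback URL registered with the provider. It must be inside the
    # protected location and must not map to real content.
    OIDCRedirectURI https://sunstone.example.org/redirect_uri

    # Secret used to protect the module's session cookie and state.
    OIDCCryptoPassphrase CHANGE_ME_LONG_RANDOM_STRING

    # Request the email claim and use it as REMOTE_USER. By default the
    # module builds REMOTE_USER from the "sub" claim and the issuer,
    # which would not match the value registered with "oneuser create".
    OIDCScope "openid email"
    OIDCRemoteUserClaim email

    <Directory /usr/lib/one/sunstone/public>
        AllowOverride all
        Options -MultiViews
    </Directory>

    # Every request to Sunstone requires a valid OIDC session.
    <Location />
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>
```

`Require valid-user` lets any Google account complete the login at the Apache layer; access to OpenNebula then depends on the REMOTE_USER value matching a user created with the public driver, as described in the answer.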