Request for: OpenID Connect (OIDC) - SSO

Hi DHIS2 Users & Dev team,

LogicalOutcomes is working on integrating with SingleSignOn, using service provider Okta, which works with OpenIDConnect (OIDC).

At present, DHIS2 is only compatible with OpenID and OAuth2.

As we understand, OIDC is pretty close to OAuth 2.0, with the exception of an ID Token being passed to the client.

Wondering what it would take for the DHIS2 dev team to add openid as a scope in the request to the authorization server and include an ID token in the response to the client?

@jomutsani is there a certain UiO developer I can speak to / should we put this onto JIRA? We would appreciate a conversation about this soon. Thank you.

@Scott can you direct me to the right dev person for this issue? Thanks so much!

Hi @sgaudon ,

my name is Morten Svanæs and I’m the security engineer on the DHIS2 back-end team.
I’m not sure if you have talked to any other developers yet, but this task, implementing support for OIDC, is on my task list for the 2.35 version. That is all I can say for now; due to the COVID-19 situation there might be some changes to the time plan this year. This is a highly wanted feature, so it has high priority now.
I hope this answers some of your questions.
Feel free to contact me directly at msvanaes@dhis2.org if you have any other questions regarding JIRA issues etc.


Hi @netroms - if you’re able to point me to the right person - we need more information from DHIS2 about the authentication process. We are testing the SSO service Okta using SWA and getting returned to the DHIS2 login screen with no messages. Is it possible to check a log somewhere to see why the access attempt is getting denied?
Thanks again for any help you may offer here.
-Sara

Hi @sgaudon, @netroms

Are there any updates on this issue? I am having a similar issue while using 2.35 (latest build). I have been able to link Google OAuth 2.0; however, as soon as I try to log in with my Google account, it redirects me to the login page of DHIS2, as mentioned by Sara.

Also, I am getting this error message in my log (see below):

INFO 2021-01-07T13:02:28,436 Failed to look up DHIS2 user with OidcUser mapping, claim value:gneerajgupta83@gmail.com (DhisOidcUserService.java [http-nio-8080-exec-3])

I have also added my email address in my user account as required and have generated an OpenID from appspot which I have added in my user account (the option “external authentication only” has been checked).
Are there more steps I need to follow in DHIS2 in order to make this work?

Kindly help
Neeraj

Hi Neeraj; we haven’t implemented this any further. There’s an issue in JIRA (DHIS2-105) where you can see the UiO staff leads on this one.
-Sara

Hello Sara, thank you for the information.

Hello!

I think I’m experiencing the same issue as @Neeraj_Gupta

Neeraj were you able to resolve this issue and @sgaudon has there been any progress on the same?

As far as I can tell I’ve correctly followed the steps in both the DHIS2 documentation and the OAuth 2.0 configuration documentation (which align), with no success in verification just yet.

Hi @lillian1n2,

@lillian1n2, @Neeraj_Gupta,
please see @netroms’ question:

Are you sure there is a user in the DHIS2 server with that OIDC mapping? This is the error you will get if the user in DHIS2 doesn’t match the OIDC email with the DHIS2 user mapping claim.

@sgaudon please let us know if it’s working for you now! Thanks! :+1:
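The lookup failure quoted above (the OIDC claim value must match a DHIS2 user's mapping) is easy to reproduce in miniature. The following is an added example, not DHIS2 code: it validates an ID token before trusting its claims and then performs the claim-to-user lookup. The user store, the claim name `email` as the mapping claim, and an HS256 shared-secret signature (real providers issue RS256 tokens) are all constructed assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed sample store: DHIS2 users keyed by the value of the configured mapping claim.
USERS_BY_CLAIM = {"sara@example.org": "sgaudon", "neeraj@example.org": "ngupta"}
MAPPING_CLAIM = "email"  # assumed name of the mapping claim configured in DHIS2

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict, secret: bytes) -> str:
    """Issue an HS256-signed ID token (stand-in for the provider's RS256 token)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_id_token(token: str, secret: bytes, issuer: str, client_id: str, now=None) -> dict:
    """Reject the token unless alg, signature, iss, aud and exp all check out."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # refuse alg confusion (e.g. 'none')
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (now or time.time()):
        raise ValueError("token expired")
    return claims

def lookup_dhis2_user(claims: dict):
    """Map the claim to a DHIS2 username; None reproduces the INFO line seen in the thread."""
    value = claims.get(MAPPING_CLAIM)
    user = USERS_BY_CLAIM.get(value)
    if user is None:
        print(f"INFO Failed to look up DHIS2 user with OidcUser mapping, claim value:{value}")
    return user

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    base = {"iss": "https://idp.example", "aud": "dhis2-client", "exp": int(time.time()) + 300}
    for email in ("sara@example.org", "nobody@example.org"):
        token = make_id_token({**base, MAPPING_CLAIM: email}, secret)
        claims = verify_id_token(token, secret, "https://idp.example", "dhis2-client")
        print(email, "->", lookup_dhis2_user(claims))
```

Note that the lookup fails silently for the end user (a redirect back to the login page), so the server log is the only place this mismatch shows up.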

Just to add an update that this feature request has been added (issue marked as done):

Related documentation: OpenID Connect (OIDC) configuration