Single-Sign-On into Odoo using Admidio as an OpenID Provider

Starting with version 5.0, Admidio can be used by other applications to authenticate users against Admidio's user base. These instructions will guide you through the process of connecting Odoo to Admidio to use Admidio's login. For general instructions, and other apps, please visit the general Single-Sign-On overview page.

Odoo provides several apps that offer OpenID Connect login to Odoo, we are using and describing the Authentication OpenID Connect (auth_oidc) here. It supports auto-provisioning of users (i.e. new users are automatically created in Odoo, when they successfully log in through Admidio), but groups are not supported.

Throughout the document we will assume you have both Admidio and Odoo already set up properly at https://admidio.local/ and https://odoo.local/. Please modify these URLs to your actual installation.

As a first step, one needs to configure Admidio to act as an OpenID Provider (OP). This has to be done once and is not specific to Odoo. Please follow this guide: #a_basic_setup_for_admidio_as_an_oidc_id_provider

Basically, one (1) needs to create a cryptographic key to sign message and choose a unique EntityID. The page https://admidio.local/adm_program/modules/preferences.php?panel=sso also provides the link to the metadata xml, and the individual settings in case a client does not support auto-configuration via metadata.

Setting up a client (OpenID “Relying Party” - short RP) to use Admidio's user accounts for logging in consists of two steps: (1) The client (RP, Odoo in our case) needs to be set up with the data about the OpenID Provider (OP). One has to manually paste the Admidio endpoint URLs of the OpenID provider into the client's configuration. Admidio provides copy buttons in the preferences screen, so this is rather straightforward. (2) Admidio needs to be told about the client. In particular, the entity ID and the redirect URL must be given, and a custom-generated (random) secret must be copied to the client configuration.

The concrete steps are:

• At the Relying Party (RP) - Odoo in our case - install the extension to support OpenID login.
  • Configure it with Admidio's endpoint URLs for authentication, token and userinfo, and enter the EntityID.
  • Also, choose which scopes (groups of profile fields) should be requested from Admidio (“openid” is required; Since the OpenID Odoo plugin does not support groups mapping, the “groups” scope is not relevant and has no use.
• In Admidio, create a new OpenID client.
  • Choose an easily understood label for the client (only used in Admidio's list of clients, but has no technical use)
  • Enter the ClientID from the RP, Copy the created Client Secret (you will later need to paste it into the Odoo configuration), and enter the Redirect URI for the RP. The latter can be found on the plugin's configuration page in Odoo.
  • In Admidio, map the user ID, username, email and fullname to fields that are included in the OpenID login response (so-called “claims”) and enter the corresponding claim names in Odoo.

First, install the Authentication OpenID Connect (auth_oidc) app in Odoo:

• To configure it, one first has to enable developer mode in the “General Settings”, otherwise the “OAuth Providers” Menu item will not be shown.

• Make sure the OAuth Authentication is enabled in the “Integrations” section of the “General Settings”.

• You can now switch to the OAuth / OpenID Providers list either with the “OAuth Providers” link next to the checkbox, or via the menu item “Users & Companies” → “OAuth Providers”

• Create a new Provider using the “New” button.

It is now a good idea to keep two browser windows open with Admidio and Odoo's configuration so one can easily select and copy the settings. Admidio even provides little “copy” buttons/icons to copy the various settings to the clipboard for easy pasting into the Odoo configuration.

• Go to Admidio's Single-Sign-On Preferences and copy the endpoint URLs for OpenID (Authentication, token and userinfo endpoints). They should be pasted into Odoo's Client configuration as “Authorization URL”, “UserInfo URL” and “Token URL”. The “JWKS URL” (which provides access to the cryptographic key) is the same URL as the other endpoints, only with “jwks” instead of “authorize”, “token” and “userinfo.

The next step is to set up Admidio to receive login requests from Odoo. This is done by adding an OpenID client in Admidio.

Return to Admidio's SSO preferences page, go to the “Single-Sign-On Client Administration” (the button right below the endpoint URLs and above the “Save” button), and create a new client.

• The Client Name is the label of the client in Admidio's client list, it can be anything you like.
• The “Client ID” and “Client Secret” in Admidio and Odoo have to match exactly. The ID is typically the client's URL, although some clients allow any unique identifier. The Client Secret should a random string and will serve like a password. Admidio will create one and allow it to be copied to the client. Afterwards it is only stored as a hash in the database and not be recovered any more. However, one can create a new Client Secret in Admidio and copy that to the client's configuration.
• Enter the scopes you desire in the Odoo config and make sure that Admidio's config matches it. At least openid must be included (Admidio will implicitly add it). If group support is desired, the “groups” scope must be included (and the corresponding groups claim mapped, and group support selected in the Odoo config).

• In Admidio, choose which field should be sent to and used by the Odoo Plugin to uniquely identify users. This would typically be the login name, although the user ID or UUID area also possible.

• Odoo will not display its Redirect URL that must be entered in Admidio's settings. The documentation explains that the redirect URL is of the form https://[YOUR_ODOO_INSTALLATION]/auth_outh/signin. Enter this in Admidio

• In addition, Odoo also provides settings to map OpenID claims (defined profile fields with a fixed name, defined in the OpenID standard) to the Odoo user's profile data. None of them are required, but they can be mapped, if profile information should be transferred from Admidio to Odoo. If automatic account creation is desired, the email claim must be included.

After saving the changes (both in Odoo and Admidio), the apps should should now be set up for single-sign-on in Odoo.

Odoo can automatically create a new user when a new account logs in using OpenID Connect through Admidio. This functionality is provided by the auth_signup plugin, which must be activated and configured. In developer mode, go to “Settings” → “Technical” → “Parameters” ⇒ “System Parameters” and create a new key auth_signup.allow_uninvited with value 'True'.

This settings causes the “Don't have an account?” signup link to appear in the login form, and it will allow signup by anyone. However, in my tests, enabling this setting also enabled automatic account provisioning with OpenID Connect.

Admidio and Odoo should now be set up to use Admidio for logging in to Odoo. If you log out of Odoo and try to log in again, you will be shown the Admidio login screen and then redirected back to Odoo. The login buttons for each of the three possible OpenID plugins look very similar and work similar.

After successful login to Admidio, the user will be redirected back to Odoo and logged in.

If you look at the user profile in the admin backend, the Admidio account will be connected to the (existing or newly created) Odoo account and the user Id and OAuth Access Token stored in the user profile for future login.