| At line 4 changed 5 lines |
| __!!!Important__: Ensure that all {{''__(Required)__''}} fields are properly configured as outlined on this wiki page.\\ |
| \\ |
| __!!! Proxy Configuration__: If your server accesses the internet through a proxy, ensure that the __Identity Provider__’s (IdP’s) domains are whitelisted to allow the authentication process.\\ |
| \\ |
| __!!! Constraints__:\\ |
| ---- |
| __⚠️ Important__: Ensure that all {{''__(Required❗)__''}} fields are properly configured as outlined on this wiki page.\\ |
| ---- |
| __⚠️ Proxy Configuration__: If your server accesses the internet through a proxy, ensure that the __Identity Provider__’s (IdP’s) domains are whitelisted to allow the authentication process.\\ |
| ---- |
| __⚠️ Constraints__:\\ |
| At line 18 added 18 lines |
| !!! Quick Start Configuration\\ |
| \\ |
| These are the essential settings you must configure in the CrushOIDC plugin so that it functions properly with an OpenID Connect (OIDC) Identity Provider (IdP). All “Required” items must be set correctly.\\ |
| \\ |
| • Enable Plugin [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CrushOIDC#section-CrushOIDC-2.2CrushFTPRelatedPluginSettings]\\ |
| • OpenID Configuration URL [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CrushOIDC#section-CrushOIDC-2.1.1OpenIDConfigurationURLRequired]\\ |
| • IDP's Redirect URL [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CrushOIDC#section-CrushOIDC-1.IdentityProviderSIdPGeneralConfiguration]\\ |
| • Client ID [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CrushOIDC#section-CrushOIDC-2.1.2AppRegistrationRelatedInformation]\\ |
| • Client Secret [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CrushOIDC#section-CrushOIDC-2.1.2AppRegistrationRelatedInformation]\\ |
| • Authorization URL [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CrushOIDC#section-CrushOIDC-2.1.3AuthorizationRelatedSettingsRequired]\\ |
| • Scope(s) [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CrushOIDC#section-CrushOIDC-2.1.3AuthorizationRelatedSettingsRequired]\\ |
| • Login Button Text [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CrushOIDC#section-CrushOIDC-2.2.1LoginButtonRequired]\\ |
| • Claim as Username [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CrushOIDC#section-CrushOIDC-2.1.5ClaimAndIdPSessionRelatedConfigs] \\ |
| • Username matching [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CrushOIDC#section-CrushOIDC-2.2.3UsernameMatchingRequired]\\ |
| • User Template [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CrushOIDC#section-CrushOIDC-2.2.5UserTemplatesRequired]\\ |
| • Custom VFS [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CrushOIDC#section-CrushOIDC-2.2.7CustomVFSRequiredUnderSpecificConditions]\\ |
| \\ |
| ---- |
| At line 37 added one line |
| \\ |
| At line 19 changed 3 lines |
| • __Client ID__\\ |
| • __Client Secret__: Authorization Code Flow requires it.\\ |
| • __Redirect URL__: The redirect URL is the endpoint in your IdP application where the IdP directs the user after successful authentication. This URL receives the authorization code or access token as part of the authentication process. The redirect URL must target the CrushFTP server and conclude with __/SSO_OIDC/__. Like:\\ |
| • __Client ID__(Required❗)\\ |
| • __Client Secret__(Required❗): Authorization Code Flow requires it.\\ |
| • __Redirect URL__(Required❗): The redirect URL is the endpoint in your IdP application where the IdP directs the user after successful authentication. This URL receives the authorization code or access token as part of the authentication process. The redirect URL must target the CrushFTP server and conclude with __/SSO_OIDC/__. Like:\\ |
| At line 46 added 2 lines |
| __Common Identity Providers (IdPs):__\\ |
| \\ |
| At line 29 changed one line |
| __!!!See details at__: [Apple Sign In Configuration]\\ |
| __⚠️ See details at__: [Apple Sign In Configuration]\\ |
| At line 40 changed one line |
| As a reference example, see the [Google OAuth 2.0 Link| https://www.crushftp.com/crush11wiki/Wiki.jsp?page=SMTP%20Google%20Mail%20Integration#section-SMTP+Google+Mail+Integration-1.GoogleMailOAuth2.0] documentation.\\ |
| As a reference example, see the [GDriveSetup] documentation.\\ |
| At line 56 changed one line |
| !2.1.1 OpenID Configuration URL {{''__(Required)__''}}: \\ |
| !2.1.1 OpenID Configuration URL {{''__(Required❗)__''}}: \\ |
| At line 61 changed one line |
| • Authorization endpoint {{''__(Required)__''}}\\ |
| • Authorization endpoint {{''__(Required❗)__''}}\\ |
| At line 94 changed one line |
| !2.1.2 App registration related informations:\\ |
| !2.1.2 App registration related information:\\ |
| At line 99 changed one line |
| !2.1.3 Authorization related settings {{''__(Required)__''}}:\\ |
| !2.1.3 Authorization related settings {{''__(Required❗)__''}}:\\ |
| At line 110 changed one line |
| • {oidc_redirect_url}: An autogenerated URL by CrushFTP, composed of the initial host and port, followed by __/SSO_IDC/__. This URL is used to redirect the user after successful authentication. __!!! It must exactly match the redirect URL registered and configured in the IdP.__\\ |
| • {oidc_redirect_url}: An autogenerated URL by CrushFTP, composed of the initial host and port, followed by __/SSO_IDC/__. This URL is used to redirect the user after successful authentication. __⚠️ It must exactly match the redirect URL registered and configured in the IdP.__\\ |
| At line 126 changed one line |
| __The refresh token enables access to the user's cloud storage through the IdP. __CrushFTP supports cloud storage integration with services such as Google Drive ([GDriveSetup]), OneDrive ([OneDriveSetup]), SharePoint ([SharePoint Integration]), and Dropbox ([Dropbox Integration]).\\ |
| __The refresh token enables access to the user's cloud storage through the IdP. __CrushFTP supports cloud storage integration with services such as Google Drive ([GDriveSetup]), Google Cloud Storage ([Google Cloud Storage Integration]), OneDrive ([OneDriveSetup]), SharePoint ([SharePoint Integration]), and Dropbox ([Dropbox Integration]).\\ |
| At line 130 changed 2 lines |
| Google: https://www.googleapis.com/auth/drive |
| Dropbox: files.metadata.write files.content.write files.content.read |
| Google: https://www.googleapis.com/auth/drive |
|
| GStorage: https://www.googleapis.com/auth/devstorage.full_control |
|
| Dropbox: files.metadata.write files.content.write files.content.read |
| At line 143 changed one line |
| __Verify ID Token:__ The Authorization Code Flow uses the code value returned by the IdP to obtain the ID token. Although this step is not mandatory in the OpenID protocol, you can enable an additional verification of the returned ID token by selecting this checkbox. __!!!__ This feature works only if the OpenID configuration includes the "__jwks_uri__" endpoint. __It provides an extra layer of validation for the ID token.__\\ |
| __Verify ID Token:__ The Authorization Code Flow uses the code value returned by the IdP to obtain the ID token. Although this step is not mandatory in the OpenID protocol, you can enable an additional verification of the returned ID token by selecting this checkbox. ⚠️ This feature works only if the OpenID configuration includes the "__jwks_uri__" endpoint. __It provides an extra layer of validation for the ID token.__\\ |
| At line 147 changed one line |
| __Check User Endpoint URL?__: This option enables CrushFTP to retrieve additional information about the user from the IdP via the "__user_info__" endpoint URL. __!!!__ This feature only works if the OpenID configuration includes a "userinfo_endpoint" URL or if you manually specify it in the "__User Endpoint URL__" input field. \\ |
| __Check User Endpoint URL?__: This option enables CrushFTP to retrieve additional information about the user from the IdP via the "__user_info__" endpoint URL. ⚠️ This feature only works if the OpenID configuration includes a "userinfo_endpoint" URL or if you manually specify it in the "__User Endpoint URL__" input field. \\ |
| At line 151 changed one line |
| __Special Case for Microsoft Azure AD:__ When using __Microsoft Azure AD__ as the Identity Provider (IdP), a specific user endpoint is required to retrieve group information for the authenticated user:\\ |
| ⚠️ __Special Case for Microsoft Azure AD:__ When using __Microsoft Azure AD__ as the Identity Provider (IdP), a specific user endpoint is required to retrieve group information for the authenticated user:\\ |
| At line 164 changed one line |
| !2.1.6 Claim and IdP session related configs:\\ |
| !2.1.5 Claim and IdP session related configs:\\ |
| At line 166 changed one line |
| __Claim as Username__ {{''__(Required)__''}}: Specify the name of the claim within the IdP's response that should be used as the __username for the CrushFTP session__. |
| !2.1.5.1 Claim as Username {{''__(Required❗)__''}}:\\ |
| At line 168 changed one line |
| __!!!__ If this claim is not present or its value is missing in the IdP's response (either within the ID Token or retrieved from the user endpoint), __the authentication will fail due to a missing username__.\\ |
| Specify the name of the claim within the IdP's response that should be used as the __username for the CrushFTP session__. |
| At line 195 added 2 lines |
| __❗__ If this claim is not present or its value is missing in the IdP's response (either within the ID Token or retrieved from the user endpoint), __the authentication will fail due to a missing username__.\\ |
| \\ |
| At line 172 changed one line |
| __End Session URL__: This URL is called at __the end of the CrushFTP session__ to terminate the user's session. You can use the "end_session_endpoint" provided in the OpenID configuration data by referencing it as the variable __{end_session_endpoint}__, or you can specify the URL manually.\\ |
| !2.1.5.2 End Session URL\\ |
| At line 201 added 39 lines |
| This URL is called at __the end of the CrushFTP session__ to terminate the user's session. You can use the "end_session_endpoint" provided in the OpenID configuration data by referencing it as the variable __{end_session_endpoint}__, or you can specify the URL manually.\\ |
| \\ |
| Examples:\\ |
| \\ |
| The placeholders like {id_token} and {oidc_client_id} are variables CrushFTP substitutes at runtime when the user logs out.\\ |
| \\ |
| {{{ |
| Microsoft Azure AD/B2C: {end_session_endpoint}?id_token_hint={id_token}&post_logout_redirect_uri=https%3A%2F%2FyourCrushFTP.example.com%2F |
|
| Okta: {end_session_endpoint}?id_token_hint={id_token}&post_logout_redirect_uri=https%3A%2F%2FyourCrushFTP.example.com%2F |
|
| Auth0: {end_session_endpoint}?federated&client_id={oidc_client_id}&returnTo=https%3A%2F%2FyourCrushFTP.example.com%2F |
| }}}\\ |
| \\ |
| For all providers, you must configure the logout redirect URI (post-logout / returnTo) in the IdP’s application settings. If it is not explicitly allowed there, the logout call will be rejected or will not redirect properly back to CrushFTP.\\ |
| \\ |
| __WebInterface Logout Customizations:__\\ |
| \\ |
| When using the OIDC plugin, CrushFTP can pass the OIDC provider’s end-of-session URL to the OIDC provider during logout. This ensures that not only does the CrushFTP session end, but also the user’s session at the external IDP.\\ |
| \\ |
| Configure one of the following WebInterface Customizations ([UserManager WebInterface|UserManagerWebInterface]) in the user template by using __Import settings from CrushFTP user__ [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CrushOIDC#section-CrushOIDC-2.2.5UserTemplatesRequired]:\\ |
| \\ |
| 1. URL to open in popup on logout\\ |
| \\ |
| [UserManagerWebInterface/oidc_end_session_pop_up_url.png]\\ |
| {{{ |
| {user_crushOIDC_end_session_url} |
| }}}\\ |
| When the user logs out of the CrushFTP WebInterface, CrushFTP opens the IdP’s end session endpoint in a popup window.\\ |
| \\ |
| 2. Redirect to this location after logout\\ |
| \\ |
| [UserManagerWebInterface/oidc_end_session_redirect_url.png]\\ |
| \\ |
| {{{ |
| {user_crushOIDC_end_session_url} |
| }}}\\ |
| Instead of (or in addition to) a popup, the user is redirected to the IdP’s end session URL after logging out.\\ |
| \\ |
| At line 178 changed one line |
| __Enable__: Activate the plugin. {{''__(Required)__''}}\\ |
| __Enable__: Activate the plugin. {{''__(Required❗)__''}}\\ |
| At line 184 changed one line |
| !2.2.1 Login Button {{''__(Required)__''}}:\\ |
| !2.2.1 Login Button {{''__(Required❗)__''}}:\\ |
| At line 189 changed one line |
| !2.2.2 Username matching {{''__(Required)__''}}:\\ |
| !2.2.2 Key Mapping in CrushFTP (IDP → User Keys):\\ |
| At line 257 added 11 lines |
| [CrushOIDC/oidc_key_mappings.png]\\ |
| \\ |
| The Key Mapping feature in CrushFTP allows attributes received from an external Identity Provider (IDP) to be mapped directly into CrushFTP’s internal user properties.\\ |
| • IDP Key: This is the attribute name coming from the Identity Provider (e.g., phone, email, displayName).\\ |
| • CrushFTP Key: This is the corresponding property in the CrushFTP user account where the IDP value will be stored.\\ |
| \\ |
| How it works:\\ |
| When a user authenticates through the OIDC plugin, CrushFTP receives attribute data from the IDP. Using the key mapping configuration, CrushFTP will copy the IDP attribute value into the designated user property.\\ |
| \\ |
| !2.2.3 Username matching {{''__(Required❗)__''}}:\\ |
| \\ |
| At line 207 changed one line |
| !2.2.5 User Templates {{''__(Required)__''}}:\\ |
| !2.2.5 User Templates {{''__(Required❗)__''}}:\\ |
| At line 209 changed 2 lines |
| __Template Username__: The signed-in user inherits both the settings and the VFS items(as Linked [VFS]). __It must have a value!__\\ |
| __Import settings from CrushFTP user__: The signed-in user inherits only the settings from the specified user. __It must have a value!__\\ |
| __Template Username__: The signed-in user inherits both the settings and the VFS items(as Linked [VFS]). ❗ __You must provide a username that already exists.__\\ |
| __Import settings from CrushFTP user__: The signed-in user inherits only the settings from the specified user. ❗__You must provide a username that already exists.__\\ |
| At line 218 changed one line |
| __!!! Important__: If roles are configured and the IdP's user does not match any of the predefined roles, the authentication will be rejected due to the absence of matching roles.\\ |
| __⚠️ Important__: If roles are configured and the IdP's user does not match any of the predefined roles, the authentication will be rejected due to the absence of matching roles.\\ |
| At line 221 changed one line |
| __!!! Important__: Template user must exist in the [User Manager], otherwise, it will have no effect.\\ |
| __⚠️ Important__: Template user must exist in the [User Manager], otherwise, the setting will not take effect.\\ |
| At line 230 removed one line |
|
| At line 256 changed one line |
| !2.2.7 Custom VFS {{''__(Required Under Specific Conditions)__''}}: |
| !2.2.7 Custom VFS {{''__(Required Under Specific Conditions❗)__''}}: |
| At line 259 changed one line |
| __!!! Important:__ If the CrushOIDC user has no assigned VFS, __authentication will be rejected due to the absence of an assigned [VFS]__. CrushOIDC user can inherit VFS configuration from:\\ |
| __❗Important:__ If the CrushOIDC user has no assigned VFS, __authentication will be rejected due to the absence of an assigned [VFS]__. CrushOIDC user can inherit VFS configuration from:\\ |
| At line 264 changed one line |
| __Custom VFS examples:__ Uses the refresh token obtained through OpenID Connect authentication.\\ |
| __Custom VFS examples:__ This Custom VFS setup allows access to remote resources using a refresh token obtained through OpenID Connect (OIDC) authentication.\\ |
| At line 269 removed one line |
| |
| At line 271 removed one line |
| |
| At line 273 changed 2 lines |
| \\ |
| __!!! It requires the scope__:\\ |
| __More info at__: [GDriveSetup]\\ |
| __⚠️ It requires the scope__:\\ |
| At line 351 added one line |
| [CrushOIDC/oidc_gdrive_settings.png] |
| At line 278 changed one line |
| __b.) OneDrive__:\\ |
| __b.) Google Cloud Storage__:\\ |
| \\ |
| {{{ |
| gstorage://{oidc_client_id}~{oidc_client_secret_decoded}:{oidc_refresh_token}@storage.googleapis.com/ |
| }}}\\ |
| \\ |
| __More info at__: [Google Cloud Storage Integration]\\ |
| __⚠️ It requires the scope__:\\ |
| {{{ https://www.googleapis.com/auth/devstorage.full_control}}}\\ |
| Check the description of : __2.1.3 Authorization related settings__ [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CrushOIDC#section-CrushOIDC-2.1.3AuthorizationRelatedSettingsRequired] regarding scope.\\ |
| [CrushOIDC/oidc_gstorage_settings.png]\\ |
| \\ |
| __c.) OneDrive__:\\ |
| \\ |
| At line 280 changed 3 lines |
|
| OneDrive: onedrive://{oidc_client_id}~{oidc_client_secret_encoded}:{oidc_refresh_token}@graph.microsoft.com/ |
|
| Onedrive Personal Type: onedrive://{oidc_client_id}~{oidc_client_secret_encoded}:{oidc_refresh_token}@graph.microsoft.com/ |
| or |
| OneDrive Business Type: onedrive://app_permission~{oidc_client_id}:{oidc_client_secret_decoded}@graph.microsoft.com/ |
| At line 284 changed 2 lines |
|
| __!!!__ Ensure the __Azure App Registration__ includes the required __API Permission__ (More info at [OneDriveSetup]).\\ |
| __More info at__: [OneDriveSetup]\\ |
| __⚠️ Note__:\\ |
| -Ensure the __Azure App Registration__ includes the required __API Permission__ (More info at [OneDriveSetup]).\\ |
| -__User id or User principal name__: Provide the user's ID or the user principal name (UPN) or {user_name} variable.\\ |
| [CrushOIDC/oidc_onedrive_settings.png]\\ |
| At line 287 changed one line |
| __c.) DropBox__:\\ |
| __d.) SharePoint__:\\ |
| \\ |
| {{{ |
| Sharepoint Delegated Permission: sharepoint://{oidc_client_id}~{oidc_client_secret_encoded}:{oidc_refresh_token}@graph.microsoft.com/ |
| or |
| Sharepoint Application Permission: sharepoint://app_permission~{oidc_client_id}:{oidc_client_secret_decoded}@graph.microsoft.com/ |
| or |
| SharePoint REST service API-based: sharepoint2://delegated_permission~{oidc_client_id}~{oidc_client_secret_encoded}:{oidc_refresh_token}@graph.microsoft.com/ |
| }}}\\ |
| __More info at__: [SharePoint Integration]\\ |
| __⚠️ Note__:\\ |
| - Ensure the __Azure App Registration__ includes the required __API Permission__ (More info at [SharePoint Integration]).\\ |
| - __Configure the Sharepoint-specific settings__ too (More info at [SharePoint Integration]):\\ |
| __Tennant:__ See at App Registration -> Overview -> Directory (tenant) ID. Based on the App Registration Account type it can be an ID, common, or consumer. |
| __Site id__ : The SharePoint domain name.\\ |
| __Site Path__: The path of the SharePoint site. It should start and end with a slash.\\ |
| __Drive name__: Each SharePoint site has a Document Library where the site-related files are stored. See [SharePoint: Documents and Libraries Description Link|https://support.microsoft.com/en-us/office/what-is-a-document-library-3b5976dd-65cf-4c9e-bf5a-713c10ca2872] Provide its name\\ |
| __Folder__: Relative path of the document library of the SharePoint site.\\ |
| [CrushOIDC/oidc_sharepoint2_settings.png]\\ |
| \\ |
| __e.) DropBox__:\\ |
| \\ |
| At line 289 removed one line |
|
| At line 291 removed one line |
| |
| At line 403 added 2 lines |
| More info at: [Dropbox Integration]\\ |
| [CrushOIDC/oidc_dropbox_settings.png]\\ |
