| At line 24 added one line |
| • IDP's Redirect URL [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CrushOIDC#section-CrushOIDC-1.IdentityProviderSIdPGeneralConfiguration]\\ |
| At line 28 changed 3 lines |
| • Login Button Text \\ |
| • Claim as Username \\ |
| • User Template\\ |
| • Login Button Text [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CrushOIDC#section-CrushOIDC-2.2.1LoginButtonRequired]\\ |
| • Claim as Username [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CrushOIDC#section-CrushOIDC-2.1.5ClaimAndIdPSessionRelatedConfigs] \\ |
| • Username matching [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CrushOIDC#section-CrushOIDC-2.2.3UsernameMatchingRequired]\\ |
| • User Template [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CrushOIDC#section-CrushOIDC-2.2.5UserTemplatesRequired]\\ |
| • Custom VFS [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CrushOIDC#section-CrushOIDC-2.2.7CustomVFSRequiredUnderSpecificConditions]\\ |
| At line 36 changed 3 lines |
| • __Client ID__\\ |
| • __Client Secret__: Authorization Code Flow requires it.\\ |
| • __Redirect URL__: The redirect URL is the endpoint in your IdP application where the IdP directs the user after successful authentication. This URL receives the authorization code or access token as part of the authentication process. The redirect URL must target the CrushFTP server and conclude with __/SSO_OIDC/__. Like:\\ |
| • __Client ID__(Required❗)\\ |
| • __Client Secret__(Required❗): Authorization Code Flow requires it.\\ |
| • __Redirect URL__(Required❗): The redirect URL is the endpoint in your IdP application where the IdP directs the user after successful authentication. This URL receives the authorization code or access token as part of the authentication process. The redirect URL must target the CrushFTP server and conclude with __/SSO_OIDC/__. Like:\\ |
| At line 46 added 2 lines |
| __Common Identity Providers (IdPs):__\\ |
| \\ |
| At line 111 changed one line |
| !2.1.2 App registration related information :\\ |
| !2.1.2 App registration related information:\\ |
| At line 184 changed one line |
| !2.1.6 Claim and IdP session related configs:\\ |
| !2.1.5 Claim and IdP session related configs:\\ |
| At line 186 changed one line |
| __Claim as Username__ {{''__(Required❗)__''}}: Specify the name of the claim within the IdP's response that should be used as the __username for the CrushFTP session__. |
| !2.1.5.1 Claim as Username {{''__(Required❗)__''}}:\\ |
| At line 188 changed one line |
| __⚠️__ If this claim is not present or its value is missing in the IdP's response (either within the ID Token or retrieved from the user endpoint), __the authentication will fail due to a missing username__.\\ |
| Specify the name of the claim within the IdP's response that should be used as the __username for the CrushFTP session__. |
| At line 195 added 2 lines |
| __❗__ If this claim is not present or its value is missing in the IdP's response (either within the ID Token or retrieved from the user endpoint), __the authentication will fail due to a missing username__.\\ |
| \\ |
| At line 192 changed one line |
| __End Session URL__: This URL is called at __the end of the CrushFTP session__ to terminate the user's session. You can use the "end_session_endpoint" provided in the OpenID configuration data by referencing it as the variable __{end_session_endpoint}__, or you can specify the URL manually.\\ |
| !2.1.5.2 End Session URL\\ |
| At line 201 added 39 lines |
| This URL is called at __the end of the CrushFTP session__ to terminate the user's session. You can use the "end_session_endpoint" provided in the OpenID configuration data by referencing it as the variable __{end_session_endpoint}__, or you can specify the URL manually.\\ |
| \\ |
| Examples:\\ |
| \\ |
| The placeholders like {id_token} and {oidc_client_id} are variables CrushFTP substitutes at runtime when the user logs out.\\ |
| \\ |
| {{{ |
| Microsoft Azure AD/B2C: {end_session_endpoint}?id_token_hint={id_token}&post_logout_redirect_uri=https%3A%2F%2FyourCrushFTP.example.com%2F |
|
| Okta: {end_session_endpoint}?id_token_hint={id_token}&post_logout_redirect_uri=https%3A%2F%2FyourCrushFTP.example.com%2F |
|
| Auth0: {end_session_endpoint}?federated&client_id={oidc_client_id}&returnTo=https%3A%2F%2FyourCrushFTP.example.com%2F |
| }}}\\ |
| \\ |
| For all providers, you must configure the logout redirect URI (post-logout / returnTo) in the IdP’s application settings. If it is not explicitly allowed there, the logout call will be rejected or will not redirect properly back to CrushFTP.\\ |
| \\ |
| __WebInterface Logout Customizations:__\\ |
| \\ |
| When using the OIDC plugin, CrushFTP can pass the OIDC provider’s end-of-session URL to the OIDC provider during logout. This ensures that not only does the CrushFTP session end, but also the user’s session at the external IDP.\\ |
| \\ |
| Configure one of the following WebInterface Customizations ([UserManager WebInterface|UserManagerWebInterface]) in the user template by using __Import settings from CrushFTP user__ [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CrushOIDC#section-CrushOIDC-2.2.5UserTemplatesRequired]:\\ |
| \\ |
| 1. URL to open in popup on logout\\ |
| \\ |
| [UserManagerWebInterface/oidc_end_session_pop_up_url.png]\\ |
| {{{ |
| {user_crushOIDC_end_session_url} |
| }}}\\ |
| When the user logs out of the CrushFTP WebInterface, CrushFTP opens the IdP’s end session endpoint in a popup window.\\ |
| \\ |
| 2. Redirect to this location after logout\\ |
| \\ |
| [UserManagerWebInterface/oidc_end_session_redirect_url.png]\\ |
| \\ |
| {{{ |
| {user_crushOIDC_end_session_url} |
| }}}\\ |
| Instead of (or in addition to) a popup, the user is redirected to the IdP’s end session URL after logging out.\\ |
| \\ |
| At line 240 changed 2 lines |
| __Template Username__: The signed-in user inherits both the settings and the VFS items(as Linked [VFS]). ⚠️ __It must have a value!__\\ |
| __Import settings from CrushFTP user__: The signed-in user inherits only the settings from the specified user. ⚠️ __It must have a value!__\\ |
| __Template Username__: The signed-in user inherits both the settings and the VFS items(as Linked [VFS]). ❗ __You must provide a username that already exists.__\\ |
| __Import settings from CrushFTP user__: The signed-in user inherits only the settings from the specified user. ❗__You must provide a username that already exists.__\\ |
| At line 252 changed one line |
| __⚠️ Important__: Template user must exist in the [User Manager], otherwise, it will have no effect.\\ |
| __⚠️ Important__: Template user must exist in the [User Manager], otherwise, the setting will not take effect.\\ |
| At line 289 changed one line |
| __⚠️ Important:__ If the CrushOIDC user has no assigned VFS, __authentication will be rejected due to the absence of an assigned [VFS]__. CrushOIDC user can inherit VFS configuration from:\\ |
| __❗Important:__ If the CrushOIDC user has no assigned VFS, __authentication will be rejected due to the absence of an assigned [VFS]__. CrushOIDC user can inherit VFS configuration from:\\ |
