Integrate OIDC authentication
About OIDC
OpenID Connect (OIDC) is an identity authentication protocol built on OAuth 2.0. It lets an application verify a user's identity through an authorization server and obtain basic profile information, such as the username and email address. It adds an identity layer on top of OAuth 2.0, carrying the user's identity in an ID Token, and is widely used for Single Sign-On (SSO) and identity authentication systems.
The Relying Party (RP) is the application or client that consumes the authentication service; it relies on the OpenID Provider to authenticate the user and supply identity information.
The OpenID Provider (OP) is the server that verifies the user's identity and provides identity information to the RP.
How to configure

Navigate to System settings > Authentication > OIDC.
In the OIDC field, check to enable OIDC authentication.
In the Base site URL field, type the full domain name of JumpServer, such as "https://jumpserver.example.com/"; it is used to construct the callback URL.
In the Client id field, type the client id provided by the OIDC server.
In the Client secret field, type the client secret provided by the OIDC server.
In the Request method field, select a method to obtain a token.
In the Use keycloak field, check to use the Keycloak configuration, or uncheck to use the native OIDC configuration.
In the Server field, type the Keycloak server URI, such as "https://keycloak.example.com".
In the Realm name field, type the Keycloak realm name, such as "JumpServer".
In the Always update user field, when checked, the user's information (name, username, email, phone and comment only) is refreshed from the OP on every OIDC login; "groups" are synchronized only when the user is first created.
In the Ignore SSL verification field, when checked, SSL certificate verification is ignored when sending requests to the OP.
In the Share session field, when checked, the session will be logged out simultaneously when a user logs out from other applications.
In the User attribute field, type the user attribute mapping. The key represents the JumpServer user attribute name (available options: name, username, email, groups, phone, comment), while the value corresponds to the OIDC user attribute name.
{
    "name": "name",
    "username": "preferred_username",
    "email": "email",
    "groups": "groups"
}
In the Organization field, after authentication and creation, the user will be added to the selected organization.
Click Submit.
JumpServer OIDC URLs
https://jumpserver.example.com/core/auth/openid/login/
https://jumpserver.example.com/core/auth/openid/callback/
https://jumpserver.example.com/core/auth/openid/logout/
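The following script is an added illustration of the settings above, not JumpServer's own code: it builds the callback URL from the Base site URL, checks a User attribute mapping against the allowed JumpServer attribute names before it is submitted, and models how claims are applied on creation versus on later logins under the Always update user rule (groups synchronized only at creation). The requirement that the mapping provide "username" and the claim values are assumptions made for the example.

```python
import json

# JumpServer user attributes the User attribute mapping may target (from the page).
ALLOWED_KEYS = {"name", "username", "email", "groups", "phone", "comment"}
# Refreshed on every login when "Always update user" is checked; "groups" is
# synchronized only when the user is created.
UPDATABLE = ALLOWED_KEYS - {"groups"}

# Constructed example mapping, the same shape as the page's User attribute field.
MAPPING_JSON = '{"name": "name", "username": "preferred_username", "email": "email", "groups": "groups"}'


def callback_url(base_site_url):
    """Build the OIDC callback URL from the Base site URL; a trailing slash is tolerated."""
    return base_site_url.rstrip("/") + "/core/auth/openid/callback/"


def mapping_errors(mapping_json):
    """Check a User attribute mapping before saving it; an empty list means it is usable."""
    try:
        mapping = json.loads(mapping_json)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    if not isinstance(mapping, dict):
        return ["mapping must be a JSON object"]
    errors = [f"unknown JumpServer attribute: {k}" for k in sorted(set(mapping) - ALLOWED_KEYS)]
    if "username" not in mapping:  # assumption: a user cannot be created without a username
        errors.append("mapping must provide 'username'")
    return errors


def apply_claims(mapping, claims, existing=None, always_update=True):
    """Translate OIDC claims into JumpServer user attributes.

    existing=None means the user is being created: every mapped attribute, groups
    included, is taken. Otherwise `existing` is the stored user and only the
    UPDATABLE attributes are refreshed, and only when always_update is set.
    """
    mapping = json.loads(mapping) if isinstance(mapping, str) else mapping
    picked = {js: claims[oidc] for js, oidc in mapping.items() if oidc in claims}
    if existing is None:
        return picked
    if not always_update:
        return dict(existing)
    refreshed = dict(existing)
    refreshed.update({k: v for k, v in picked.items() if k in UPDATABLE})
    return refreshed
```

Run `mapping_errors` on the JSON you intend to paste into the User attribute field; a non-empty list means JumpServer would be given an attribute name it does not recognise.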