This plugin will enable you to authenticate users against any standard OpenID Connect Provider. You’ll need to also run a local oxd OpenID Connect client service. The oxd middleware service is easy to install, and makes it easier to keep up-to-date with the latest security fixes for OAuth2. There are oxd plugins, modules and extennsions for many popular platforms and frameworks like: Wordpress, Magento, OpenCart, SugarCRM, SuiteCRM, Drupal, Roundcube, Spring Framework, Play Framework, Ruby on Rails and Python Flask. Using this plugin, you’ll be able to request a certain type of authentication using the OpenID Connect “acr” parameter. You may want to use strong two-factor authentication (2FA), or social login to Google, Facebook or other popular sites. Also supported is Super Gluu--a free mobile two factor authentication app. If you are also looking for a modern access management platform, you should consider the Gluu Server Community Edition. The Gluu Server includes an OpenID Connect Provider that will enable you to create local accounts for people in your domain, and to manage single sign-on (SSO) across your websites.

Installs: 39

Dependents: 0

Suggesters: 0

Stars: 7

Watchers: 13

Forks: 3

Open Issues: 0

Type: roundcube-plugin

3.0.1 2017-03-28 15:03 UTC



Gluu's OpenID Connect Single Sign-On (SSO) Roundcube plugin will enable you to authenticate users against any standard OpenID Connect Provider (OP). If you don't already have an OP you can deploy the free open source Gluu Server.


In order to use the RoundCube plugin you will need to have a standard OP (like Google or a Gluu Server) and the oxd server.



Github source.

Link to RoundCube repository

To install RoundCube OpenID Connect Single Sign On (SSO) Plugin By Gluu via Composer, execute the following command

$ composer install `composer require "gluufederation/roundcube_oxd_plugin": "3.0.1"`



In your RoundCube admin menu panel you should now see the OpenID Connect menu tab. Click the link to navigate to the General configuration page:


  1. Automatically login any user with an account in the OpenID Provider: By setting login to automatic, any user with an account in the OP will be able to dynamically login for an account in your Roundcube site.
  2. Only register and allow ongoing access to users with one or more of the following roles in the OP: Using this option you can limit login to users who have a specified role in the OP, for instance roundcube. This is not configurable in all OP's. It is configurable if you are using a Gluu Server. Follow the instructions below to limit access based on an OP role.
  3. URI of the OpenID Provider: insert the URI of the OpenID Connect Provider.
  4. Custom URI after logout: custom URI after logout (for example "Thank you" page).
  5. oxd port: enter the oxd-server port (you can find this in the oxd-server/conf/oxd-conf.json file).
  6. Click Register to continue.

If your OpenID Provider supports dynamic registration, no additional steps are required in the general tab and you can navigate to the OpenID Connect Configuration tab.

If your OpenID Connect Provider doesn't support dynamic registration, you will need to insert your OpenID Provider client_id and client_secret on the following page.


To generate your client_id and client_secret use the redirect uri: https://{site-base-url}/index.php?option=oxdOpenId.

If you are using a Gluu server as your OpenID Provider, you can make sure everything is configured properly by logging into to your Gluu Server, navigate to the OpenID Connect > Clients page. Search for your oxd id.

Enrollment and Access Management

Navigate to your Gluu Server admin GUI. Click the Users tab in the left hand navigation menu. Select Manage People. Find the person(s) who should have access. Click their user entry. Add the User Permission attribute to the person and specify the same value as in the plugin. For instance, if in the plugin you have limit enrollment to user(s) with role = roundcube, then you should also have User Permission = roundcube in the user entry. Update the user record, and now they are ready for enrollment at your Roundcube site.

OpenID Connect Configuration


User Scopes

Scopes are groups of user attributes that are sent from the OP to the application during login and enrollment. By default, the requested scopes are profile, imapData, email, and openid.

To view your OP's available scopes, in a web browser navigate to https://OpenID-Provider/.well-known/openid-configuration.

If you are using a Gluu server as your OpenID Provider, you can view all available scopes by navigating to the OpenID Connect > Scopes interface.

In the plugin interface you can enable, disable and delete scopes.

If you have chosen to limit enrollment to users with specific roles in the OP, you will also need to request the Permission scope, as shown in the above screenshot.


For doing login to your RoundCube site, it is very important that your OP supports imapData scope, which contains your imap connection climes (imapHost,imapPort,imapUsername,imapPassword). This is not configurable in all OP's. It is configurable if you are using a Gluu Server. For example : imapHost = ssl:// ; imapPort = 993 ; imapUsername = ; imapPassword = password ;

Authentication Bypass the local RoundCube login page and send users straight to the OP for authentication

Check this box so that when users attempt to login they are sent straight to the OP, bypassing the local RoundCube login screen. When it is not checked, it will give proof the following screen.


Select acr

To signal which type of authentication should be used, an OpenID Connect client may request a specific authentication context class reference value (a.k.a. "acr"). The authentication options available will depend on which types of mechanisms the OP has been configured to support. The Gluu Server supports the following authentication mechanisms out-of-the-box: username/password (basic), Duo Security, Super Gluu, and U2F tokens, like Yubikey.

Navigate to your OpenID Provider configuration webpage https://OpenID-Provider/.well-known/openid-configuration to see supported acr_values. In the Select acr section of the plugin page, choose the mechanism which you want for authentication.

Note: If the Select acr value is none, users will be sent to pass the OP's default authentication mechanism.