Table of Contents |
---|
Author: Former user (Deleted)
Introduction
This page describes the Abiquo integration with OpenID Connect available in Abiquo. This integration allows Abiquo to leverage single sign on authentication and federated authorization features. The integration targets the core spec, but also implements some optional features such as the RP-Initiated-Logout from the optional Session Management spec. Discovery, dynamic registration and other optional features are out of the scope of this integration.
Excerpt | |||||
---|---|---|---|---|---|
|
Basic workflow
Info |
---|
In the OpenID basic workflow, the user interacts with Abiquo (the Application), which is also a client of the OpenID Connect server (the Identity Server) |
The following diagram shows the basic authentication and authorization workflow when using the OpenID Connect integration:
- Users will access the Abiquo portal, and will be redirected to the OpenID Connect server
- Users will enter their credentials to log in to the OpenID Connect server (note that the credentials are never exposed to Abiquo). It will display the consent screen that describes the permissions that Abiquo is requesting and the information it needs to access.
- Upon successful authentication and consent grant, the OpenID Connect server issues the following tokens and redirects the user back to the application:
- ID token - A JWT token containing the information about the user.
- Access token - An OAuth2 token that provides access to the application resources on behalf of the user.
- Refresh token - A token that can be used to refresh the access token when it expires.
- Abiquo will use the access token to request information about the logged user (permissions, etc) and will create the corresponding user in the Abiquo database.
- Users will use the access token to access the Abiquo platform, including the Abiquo API
- At any time, users will be able to perform a call to the Abiquo API to refresh the access token, providing the refresh_token.
- If the global logout is configured, when users log out from the Abiquo platform they will be signed out from the OpenID Connect server.
OpenID Connect authentication mode
When Abiquo is in normal authentication mode, Abiquo authenticates and obtains user authorization from the Abiquo database. In contrast, when the platform is in OpenID Connect mode, Abiquo authenticates and obtains user authorization from the OpenID Connect server. In OpenID mode, Abiquo behaves as follows:
- Abiquo creates an Abiquo OpenID user automatically when the following conditions are met
- The user successfully authenticates through the OpenID Connect server; AND
- Abiquo finds an Abiquo tenant and user role that matches the one specified through the OpenID user data
- Every time the user logs in, Abiquo synchronizes user data with the OpenID Connect server, which may overwrite any changes you make to the Abiquo user account
- A user that has switched enterprises will be returned to their assigned enterprise when they log in
- Abiquo disables login for users with non-OpenID accounts
- This includes the main cloud admin user
- Abiquo disables features associated with normal authentication, e.g. Abiquo two-factor authentication, Abiquo password reset
- The OpenID Connect server should provide this type of feature when authenticating users
OpenID Connect configuration steps
This is an overview of the steps to configure the OpenID Connect Integration
- Configure the cloud admin user with Abiquo in normal auth mode
- Map OpenID users to Abiquo enterprises and roles with Abiquo in normal auth mode
- Register Abiquo as a client application on the OpenID Connect server and obtain OpenID client credentials
- Configure the OpenID Connect server in abiquo.properties
- Register the Abiquo Outbound API as an OAuth application and configure abiquo.properties
- Configure the OpenID Connect logout
- Configure Abiquo UI properties
- Start the Abiquo Server
- Configure API and Outbound API clients to work with an access token
Numberedheadings | ||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||||||||||||||||||||||||
Configure the cloud admin userConfigure the cloud admin user with Abiquo in normal authentication mode. Remember that Abiquo will disable this user when you enable OpenID Connect authentication mode. Map OpenID Connect users to Abiquo enterprises and rolesIn OpenID Connect authentication mode, when a user successfully authenticates through the OpenID Connect server, Abiquo will receive OpenID user data. Abiquo will try to match the user data to the following in Abiquo:
To enable Abiquo to match the user, you must work in Abiquo to map the Abiquo enterprise and role to the OpenID user data. Work in normal authentication mode as the cloud admin user. If Abiquo cannot find the role and enterprise, it will not create the OpenID user. How Abiquo determines which role to assign to an OpenID userThe OpenID Connect server will return user data, including a list of the external roles/permissions for the user, which is called a role claim. Abiquo will identify the role claim in the OpenID user data using the name you configure with the abiquo.openid.role-claim property. Abiquo will try to find an existing Abiquo role with the same LDAP attribute data as the role claim. Map external roles to Abiquo rolesTo map OpenID roles to an Abiquo role:
Remember that a user's external roles must map to one local role in their enterprise and/or one global role. How Abiquo determines which enterprise an OpenID user should belong toThe OpenID Connect server will return user data, including the tenant that a user should belong to, which is called an enterprise claim. Abiquo can look up this enterprise in Abiquo by enterprise name or by enterprise property. If Abiquo cannot find the enterprise, it will not allow the user to log in. If the user account does not exist, Abiquo will create it in the enterprise. If the user account exists in another enterprise, Abiquo will move it to the one assigned by the OpenID Connect server. Abiquo will obtain the enterprise claim defined by the abiquo.openid.enterprise-claim property. Abiquo will try to match the enterprise claim to the enterprise name if the abiquo.openid.enterprise-property property IS NOT SET in abiquo properties. Otherwise, it will try to match the value of the enterprise claim to the value of the enterprise property specified by the abiquo.openid.enterprise-property property. Map external enterprises to Abiquo enterprisesMap external enterprises to Abiquo enterprises according to the lookup method you configured for your platform. To map an OpenID enterprise to an Abiquo enterprise by enterprise name, just name the enterprise with the value in the enterprise claim. To map an OpenID enterprise to an Abiquo enterprise by enterprise property:
When the authorization server returns the enterprise claim, Abiquo will look for all enterprises with a "domain" property, and find the one with the value that matches the value returned by the OpenID Connect server. In this example, when the OpenID Connect server returns the value "abiquo.com" in the enterprise claim, Abiquo will select this enterprise. Register Abiquo as a client application in the OpenID Connect serverRegister Abiquo as a client application in the OpenID system and obtain the client credentials: client name, client id and client secret. You will need to configure these in abiquo.properties in the next step. Configure Abiquo propertiesTo configure OpenID Connect in abiquo.properties:
If your OpenID Connect provider implements the Discovery extension, you might be able to get the value of the different endpoints by going to the well-known configuration endpoint, as described in the provider configuration section. The following sequence diagram shows how the different endpoints are used from a user and relying party perspective. The diagram depicts the interactions between all parties involved in the OpenID Connect protocol.
Table of Abiquo OpenID Connect PropertiesTo enable the OpenID Connect mode, configure the following properties in Abiquo:
Configure Abiquo Outbound API moduleRegister the Outbound API as an OAuth application (for Outbound API user or admin user) and use the tool to obtain the OAuth access token. Configure credentials in abiquo.properties and remove any old credentials properties In OpenID Connect mode, the normal authentication (using HTTP Basic Authentication) is disabled, so you must configure the Outbound API credentials as OAuth tokens. To do this:
Configure OpenID Connect logoutIf the OpenID Connect server implements the Session Management extension, you can configure the Abiquo platform to issue a logout to the OpenID Connect server when the user logs out from the platform. This is optional because users might not want to be logged out from all services when logging out from Abiquo. To enable the global logout, configure the abiquo.openid.endsession.endpoint property to point to the end session endpoint, as defined by the RP-Initiated Logout spec. Configure OpenID Connect client UI propertiesConfigure the OpenID Connect client UI properties in the client-config-custom.json file.
Configure API and Outbound clientsIn OpenID Connect mode, Abiquo disables Basic Authentication, so in order to authenticate with the API (or against the Outbound API endpoint), you can use an access token. Abiquo still supports authentication using the session cookie or Abiquo OAuth applications as before To obtain an access token:
Once you have the token, you can issue requests to the API by providing the following HTTP header: |
Refreshing access tokens
Access tokens have an expiration, so at a certain point in time they will stop working. When this happens, the user can use the refresh token that was returned during authentication to request a new access token. Refresh tokens also expire, but have a significantly higher expiration (default is one week). Some OpenID Connect providers issue new refresh tokens every time an access token is refreshed, so the refresh mechanism can be used without limit.
To request a new access token using a refresh token, an HTTP request must be issued to the "openid_conect_refresh" Abiquo API endpoint, passing the refresh token as a query parameter:
Code Block |
---|
curl -v "http://<abiquo api host>/api/openid_connect_refresh?refresh_token=<refresh token value>" -H "Accept: application/vnd.abiquo.oidctokens+json" { "scope" : "openid profile email abiquo", "id_token" : "eyAidHlwIjogIkpXVCIsICJraWQiOiAiemhCb2ZiWncraSIsICJhbGciOiAiUlMyNTYiIH0.eyAiYXRfaGFzaCI6ICJoVmJBZ2t2NGRBalh5bFFQZGNYVFR3IiwgInN1YiI6ICJvcGVuaWQtYWRtaW4iLCAiYXVkaXRUcmFja2luZ0lkIjogIjcxN2I3YWY0LTNmMGQtNGU2NS1iZWJmLWE3MWIzODg4MWE1My05NTcwIiwgImlzcyI6ICJodHRwOi8vb3BlbmFtLmJjbi5hYmlxdW8uY29tOjgwL29wZW5hbS9vYXV0aDIvZGV2ZWxvcGVycyIsICJ0b2tlbk5hbWUiOiAiaWRfdG9rZW4iLCAiZ3JvdXBzIjogWyAiaWQ9YWRtaW5zLG91PWdyb3VwLG89ZGV2ZWxvcGVycyxvdT1zZXJ2aWNlcyxkYz1vcGVuYW0sZGM9Zm9yZ2Vyb2NrLGRjPW9yZyIgXSwgImdpdmVuX25hbWUiOiAiT3BlbklEIiwgImF1ZCI6ICJhYmlxdW8iLCAib3JnLmZvcmdlcm9jay5vcGVuaWRjb25uZWN0Lm9wcyI6ICJhNWExMDNlYS05MmQyLTQxZDgtOGJkYi0xMWNjZTJmMGZlYjMiLCAiYXpwIjogImFiaXF1byIsICJhdXRoX3RpbWUiOiAxNDczOTU5Njk2LCAiZG9tYWluIjogIkFiaXF1byIsICJuYW1lIjogIk9wZW5JRCBBZG1pbiIsICJyZWFsbSI6ICIvZGV2ZWxvcGVycyIsICJleHAiOiAxNDczOTYzMjk2LCAidG9rZW5UeXBlIjogIkpXVFRva2VuIiwgImlhdCI6IDE0NzM5NTk2OTYsICJmYW1pbHlfbmFtZSI6ICJBZG1pbiIsICJlbWFpbCI6ICJvcGVuaWQtYWRtaW5AYWJpcXVvLmNvbSIgfQ.JL3yUCtn4VnGewANcD2SbqX5RZfxKqNQG_p2vc5UldRIxdr4BNg3u-C219-XA8dfnrLvBL6CmrJoItIy7XDP7qX8DJO7a9pea8QCugXT9NdepdQh-SEPdQ3d-acm4M5_1bALIjvItDW7pWVnqppYUyjVzQY_oX385CccUuYaYh-9Glj-9VPdnr9pZXZFkb07K0ab2iQtfu7sshS6-iZ0mF6unF2pWvsJHfeUSYb1X9yRfehhRgTXltlVno7uNEfPopM6MbISr-Bhb7zxiJ-Zte_peaiZKjrU7QEQFDIj13M6YQ", "refresh_token" : "78ecb72e-fd0e-4825-ae0a-635159c461ff", "token_type" : "Bearer", "links" : [], "expires_in" : 3599, "access_token" : "a381c059-654f-4c03-852b-cf507c5372ec" } |
Note that the refresh token request does not require authentication. This is because it is meant to be used when the access token is expired, so the Abiquo API just passes the refresh token to the authorization server and lets it verify the validity of the token and the identity associated with it.
Troubleshooting
The OpenID login process may return an error message for example due to a delayed login or timeout. To prevent this, for Internet Explorer cookies, in server.xml on Abiquo Tomcat, the <Host> section should contain an <Alias> section with the domain of the web server (where users access the UI). And the default Java session timeout was changed to 30 minutes to ensure user delays during OpenID login will not result in further errors.