Comment: 5.1.2 - 13806 - SameSite cookie flag property

...

Changes to the OpenID integration in Abiquo 5.1.2

A new Abiquo configuration property was introduced in Abiquo 5.1.2:

  • abiquo.login.samesite


Changes to the OpenID integration in Abiquo 4.6

Two new Abiquo configuration properties were introduced in Abiquo 4.6.0:

  • abiquo.openid.cookie.maxage

  • abiquo.openid.cookie.refreshtoken.include


Changes to the OpenID integration in Abiquo 3.10.7 and 4.0.4

To copy the user's phone number from the OpenID system to the corresponding Abiquo user attribute, edit the abiquo.properties file and add "phone" to the value list of the abiquo.openid.client.scopes property. Abiquo does not validate the phone number.


...


Configure the cloud admin user

Configure the cloud admin user with Abiquo in normal authentication mode. Remember that Abiquo will disable this user when you enable OpenID Connect authentication mode.

Map OpenID Connect users to Abiquo enterprises and roles

In OpenID Connect authentication mode, when a user successfully authenticates through the OpenID Connect server, Abiquo will receive OpenID user data. Abiquo will try to match the user data to the following in Abiquo:

  • A user role (e.g. cloud admin, tenant admin, cloud user) 
  • An enterprise (cloud tenant) that the user will belong to

To enable Abiquo to match the user, you must work in Abiquo to map the Abiquo enterprise and role to the OpenID user data. Work in normal authentication mode as the cloud admin user. If Abiquo cannot find the role and enterprise, it will not create the OpenID user.

How Abiquo determines which role to assign to an OpenID user

The OpenID Connect server will return user data, including a list of the external roles/permissions for the user, which is called a role claim. Abiquo will identify the role claim in the OpenID user data using the name you configure with the abiquo.openid.role-claim property. Abiquo will try to find an existing Abiquo role with the same LDAP attribute data as the role claim.

Map external roles to Abiquo roles

To map OpenID roles to an Abiquo role:

  1. Create, clone or edit an Abiquo role
  2. In the External Roles field, enter the same list of external roles/permissions as the OpenID user's role claim

Remember that a user's external roles must map to one local role in their enterprise and/or one global role.

How Abiquo determines which enterprise an OpenID user should belong to

The OpenID Connect server will return user data, including the tenant that a user should belong to, which is called an enterprise claim. Abiquo can look up this enterprise in Abiquo by enterprise name or by enterprise property. If Abiquo cannot find the enterprise, it will not allow the user to log in. If the user account does not exist, Abiquo will create it in the enterprise. If the user account exists in another enterprise, Abiquo will move it to the one assigned by the OpenID Connect server.

Abiquo will obtain the enterprise claim defined by the abiquo.openid.enterprise-claim property. Abiquo will try to match the enterprise claim to the enterprise name if the abiquo.openid.enterprise-property property IS NOT SET in abiquo properties. Otherwise, it will try to match the value of the enterprise claim to the value of the enterprise property specified by the abiquo.openid.enterprise-property property.

Map external enterprises to Abiquo enterprises

Map external enterprises to Abiquo enterprises according to the lookup method you configured for your platform.

To map an OpenID enterprise to an Abiquo enterprise by enterprise name, just name the enterprise with the value in the enterprise claim.

To map an OpenID enterprise to an Abiquo enterprise by enterprise property:

  1. Create or edit an Abiquo enterprise
  2. Create an enterprise property with the key configured in the abiquo.openid.enterprise-property property in abiquo.properties. For example, for "abiquo.openid.enterprise-property = domain", create an enterprise property called domain.
  3. Set the value of this property to the value of the enterprise claim for this tenant.

When the authorization server returns the enterprise claim, Abiquo will look for all enterprises with a "domain" property, and find the one with the value that matches the value returned by the OpenID Connect server. In this example, when the OpenID Connect server returns the value "abiquo.com" in the enterprise claim, Abiquo will select this enterprise.
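The role and enterprise lookup described in the preceding sections, traced in plain Python as an added illustration (this is not Abiquo's code): the claim names, the behaviour of abiquo.openid.enterprise-property when set and when absent, and the rule that a user's external roles must map to one local role in their enterprise and/or one global role. All enterprises, roles and claim values are constructed, including the "domain" = "abiquo.com" example from the text.

```python
"""Model of the OpenID Connect user-mapping rules: added example, not Abiquo code."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Role:
    name: str
    external_roles: FrozenSet[str]      # the role's "External Roles" field
    enterprise: Optional[str] = None    # None marks a global role


@dataclass
class Enterprise:
    name: str
    properties: Dict[str, str] = field(default_factory=dict)


@dataclass
class OpenIdConfig:
    role_claim: str = "roles"                    # abiquo.openid.role-claim
    enterprise_claim: str = "tenant"             # abiquo.openid.enterprise-claim
    enterprise_property: Optional[str] = None    # abiquo.openid.enterprise-property


class LoginRejected(Exception):
    """No enterprise or role matched: the OpenID user is not created."""


def resolve_enterprise(claims: dict, cfg: OpenIdConfig,
                       enterprises: List[Enterprise]) -> Enterprise:
    value = claims.get(cfg.enterprise_claim)
    if value is None:
        raise LoginRejected(f"claim {cfg.enterprise_claim!r} missing from user data")
    if cfg.enterprise_property is None:
        # Property not set: the claim value must equal an enterprise name.
        matches = [e for e in enterprises if e.name == value]
    else:
        # Property set: the claim value must equal that enterprise property's value.
        matches = [e for e in enterprises
                   if e.properties.get(cfg.enterprise_property) == value]
    if len(matches) != 1:
        raise LoginRejected(f"{len(matches)} enterprises match {value!r}")
    return matches[0]


def resolve_roles(claims: dict, cfg: OpenIdConfig, enterprise: Enterprise,
                  roles: List[Role]) -> Dict[str, Optional[str]]:
    raw = claims.get(cfg.role_claim, [])
    external = frozenset(raw if isinstance(raw, list) else [raw])
    if not external:
        raise LoginRejected(f"claim {cfg.role_claim!r} missing or empty")
    # A role matches when its External Roles equal the user's role claim and the
    # role is either global or local to the resolved enterprise.
    local = [r for r in roles
             if r.external_roles == external and r.enterprise == enterprise.name]
    global_ = [r for r in roles
               if r.external_roles == external and r.enterprise is None]
    if len(local) > 1 or len(global_) > 1:
        raise LoginRejected("external roles map to more than one local or global role")
    if not local and not global_:
        raise LoginRejected(f"no role has external roles {sorted(external)}")
    return {"local_role": local[0].name if local else None,
            "global_role": global_[0].name if global_ else None}


def authenticate(claims: dict, cfg: OpenIdConfig, enterprises: List[Enterprise],
                 roles: List[Role]) -> Dict[str, Optional[str]]:
    """Enterprise first: a user whose enterprise cannot be found is never created."""
    enterprise = resolve_enterprise(claims, cfg, enterprises)
    result: Dict[str, Optional[str]] = {"enterprise": enterprise.name}
    result.update(resolve_roles(claims, cfg, enterprise, roles))
    return result


def login_allowed(claims, cfg, enterprises, roles) -> bool:
    try:
        authenticate(claims, cfg, enterprises, roles)
        return True
    except LoginRejected:
        return False


# Constructed sample directory (hypothetical names and values).
ENTERPRISES = [Enterprise("Abiquo", {"domain": "abiquo.com"}),
               Enterprise("Other Corp", {"domain": "other.example"})]
ROLES = [Role("CLOUD_ADMIN", frozenset({"cloud-admin"})),                # global role
         Role("ENTERPRISE_ADMIN", frozenset({"tenant-admin"}), "Abiquo"),  # local role
         Role("USER", frozenset({"cloud-user"}), "Abiquo")]
BY_PROPERTY = OpenIdConfig(enterprise_property="domain")   # lookup by enterprise property
BY_NAME = OpenIdConfig()                                   # lookup by enterprise name

if __name__ == "__main__":
    print(authenticate({"tenant": "abiquo.com", "roles": ["tenant-admin"]},
                       BY_PROPERTY, ENTERPRISES, ROLES))
```

Running the same claims against BY_NAME shows why the two lookup methods are not interchangeable: "abiquo.com" is a property value, not an enterprise name, so the login is rejected rather than silently mapped to the wrong tenant.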

Register Abiquo as a client application in the OpenID Connect server

Register Abiquo as a client application in the OpenID system and obtain the client credentials: client name, client ID and client secret. You will need to configure these in abiquo.properties in the next step.

Configure Abiquo properties

To configure OpenID Connect in abiquo.properties:

  1. Configure OpenID Connect server details (endpoints, claims, etc.)
  2. Configure OpenID client credentials from the previous step of registering Abiquo as a client application
  3. Activate OpenID in abiquo.properties, by setting abiquo.auth.module to openid

If your OpenID Connect provider implements the Discovery extension, you might be able to get the value of the different endpoints by going to the well-known configuration endpoint, as described in the provider configuration section.

The following sequence diagram shows how the different endpoints are used from a user and relying party perspective. The diagram depicts the interactions between all parties involved in the OpenID Connect protocol.

 

Table of Abiquo OpenID Connect Properties

To enable the OpenID Connect mode, configure the following properties in Abiquo:

OpenID Connect server configuration

abiquo.auth.module
  The Abiquo authentication module. Must be: openid

abiquo.openid.cookie.maxage
  After the OpenID authentication flow, the API redirect adds a cookie with the access_token and the id_token. This property sets the expiry of the OpenID authentication cookie in seconds. A negative value means that the cookie is not stored persistently and will be deleted when the web browser exits. A zero value causes the cookie to be deleted.
  Default: 30

abiquo.openid.cookie.refreshtoken.include
  If true, the OpenID authentication cookie will also contain the refresh token.
  Default: false

abiquo.openid.target
  The URL where the user will be redirected from the Identity Server upon successful authentication. Something like http://<abiquo ui host>/ui/#/dashboard

abiquo.openid.role-claim
  The name of the claim returned by the authorization server that contains the names used to map the user permissions to an Abiquo role.

abiquo.openid.enterprise-claim
  The name of the claim returned by the authorization server that contains the names used to map the Abiquo enterprise where the user belongs.

abiquo.openid.enterprise-property
  (Optional) If present, Abiquo will try to find an enterprise that has a property with the name configured in this property, and use its value to match the "enterprise claim" when resolving the user's enterprise. If absent, Abiquo will just look for an enterprise with the name returned in the "enterprise claim".

abiquo.openid.issuer
  The OpenID Connect authorization issuer.

abiquo.openid.authorization.endpoint
  The OpenID Connect authorization endpoint. This endpoint must be accessible from the user's browser.

abiquo.openid.token.endpoint
  The OpenID Connect token endpoint. This endpoint must be accessible from the Abiquo server.

abiquo.openid.userinfo.endpoint
  The OpenID Connect user info endpoint. This endpoint must be accessible from the Abiquo server.

abiquo.openid.jwks.endpoint
  The OpenID Connect JWKS endpoint. This endpoint must be accessible from the Abiquo server.

abiquo.openid.endsession.endpoint
  (Optional) If configured, Abiquo will attempt to perform a global logout by sending a request to this endpoint. This is part of the optional Session Management spec. This endpoint must be accessible from the user's browser.

OpenID Connect client configuration

abiquo.openid.client.name
  The name of the client that has been registered in the OpenID Connect server for the Abiquo platform.

abiquo.openid.client.id
  The ID of the client that has been registered in the OpenID Connect server for the Abiquo platform.

abiquo.openid.client.secret
  The secret of the client that has been registered in the OpenID Connect server for the Abiquo platform.

abiquo.openid.client.scopes
  Comma-separated list of scopes to request during authentication. Must include at least: openid,profile,email. Also supports: phone.

abiquo.openid.client.redirect-uris
  Comma-separated list of allowed redirect (callback) URIs used during the authentication flow. Must be: http://<api endpoint>/api/openid_connect_login

abiquo.openid.client.acr-values
  Space-separated acr values to send to the OpenID Connect server when authenticating. They are validated if the acr-validation property is true (the default).

abiquo.openid.client.acr-validation
  Activates the acr values validation. Default value is true.
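A configuration check for the constraints in the table above and in the Outbound API section that follows, written here as an added example (not an Abiquo tool): it reads a Java-style properties text and reports an auth module other than openid, missing required properties, the mandatory openid,profile,email scopes, redirect URIs that do not end in /api/openid_connect_login, a non-integer cookie.maxage, non-boolean flags, and abiquo.m.identity / abiquo.m.credential left in place in OpenID mode. The sample properties text is constructed; angle-bracketed hosts, client id and secret are placeholders.

```python
"""Lint of the OpenID Connect section of abiquo.properties: added example, not Abiquo code."""
from typing import Dict, List

REQUIRED = [
    "abiquo.auth.module", "abiquo.openid.target", "abiquo.openid.role-claim",
    "abiquo.openid.enterprise-claim", "abiquo.openid.issuer",
    "abiquo.openid.authorization.endpoint", "abiquo.openid.token.endpoint",
    "abiquo.openid.userinfo.endpoint", "abiquo.openid.jwks.endpoint",
    "abiquo.openid.client.name", "abiquo.openid.client.id",
    "abiquo.openid.client.secret", "abiquo.openid.client.scopes",
    "abiquo.openid.client.redirect-uris",
]
BOOLEANS = ["abiquo.openid.cookie.refreshtoken.include",
            "abiquo.openid.client.acr-validation"]
LEGACY_OUTBOUND = ["abiquo.m.identity", "abiquo.m.credential"]   # removed in OpenID mode
KNOWN_SCOPES = {"openid", "profile", "email", "phone"}            # listed on this page


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java properties reader: key=value or key: value, # and ! comments."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_openid_properties(props: Dict[str, str]) -> List[str]:
    findings: List[str] = []
    if props.get("abiquo.auth.module") != "openid":
        findings.append("abiquo.auth.module must be 'openid' for OpenID Connect mode")
    for key in REQUIRED:
        if not props.get(key):
            findings.append(f"missing required property {key}")
    scopes = {s.strip() for s in props.get("abiquo.openid.client.scopes", "").split(",")
              if s.strip()}
    for needed in ("openid", "profile", "email"):
        if needed not in scopes:
            findings.append(f"scope '{needed}' is mandatory in abiquo.openid.client.scopes")
    for extra in sorted(scopes - KNOWN_SCOPES):
        findings.append(f"scope '{extra}' is not listed as supported")
    for uri in props.get("abiquo.openid.client.redirect-uris", "").split(","):
        uri = uri.strip()
        if uri and not uri.endswith("/api/openid_connect_login"):
            findings.append(f"redirect URI {uri} must end with /api/openid_connect_login")
    maxage = props.get("abiquo.openid.cookie.maxage")
    if maxage is not None:
        try:
            int(maxage)   # negative = session cookie, zero = delete, positive = seconds
        except ValueError:
            findings.append("abiquo.openid.cookie.maxage must be an integer number of seconds")
    for key in BOOLEANS:
        if key in props and props[key].lower() not in ("true", "false"):
            findings.append(f"{key} must be true or false")
    for key in LEGACY_OUTBOUND:
        if key in props:
            findings.append(f"remove {key}: Basic Authentication is disabled in OpenID mode")
    return findings


def lint(text: str) -> List[str]:
    return check_openid_properties(parse_properties(text))


# Constructed sample; <...> values are placeholders, not real hosts or secrets.
SAMPLE_OK = """
abiquo.auth.module = openid
abiquo.openid.issuer = https://<idp host>/
abiquo.openid.authorization.endpoint = https://<idp host>/authorize
abiquo.openid.token.endpoint = https://<idp host>/token
abiquo.openid.userinfo.endpoint = https://<idp host>/userinfo
abiquo.openid.jwks.endpoint = https://<idp host>/jwks
abiquo.openid.target = http://<abiquo ui host>/ui/#/dashboard
abiquo.openid.role-claim = roles
abiquo.openid.enterprise-claim = tenant
abiquo.openid.enterprise-property = domain
abiquo.openid.client.name = abiquo
abiquo.openid.client.id = <client id>
abiquo.openid.client.secret = <client secret>
abiquo.openid.client.scopes = openid,profile,email,phone
abiquo.openid.client.redirect-uris = http://<api endpoint>/api/openid_connect_login
abiquo.openid.cookie.maxage = 30
abiquo.openid.cookie.refreshtoken.include = false
"""

# Same file with the profile scope dropped, a legacy Outbound credential left in
# and a non-numeric cookie lifetime (later keys override earlier ones).
SAMPLE_BAD = SAMPLE_OK.replace("openid,profile,email,phone", "openid,email") \
    + "abiquo.m.identity = outbound\nabiquo.openid.cookie.maxage = soon\n"

if __name__ == "__main__":
    for finding in lint(SAMPLE_BAD):
        print(finding)
```

Running the check against the real file before switching abiquo.auth.module to openid catches the two mistakes that otherwise surface only as a failed login: a scope list that omits openid, profile or email, and Outbound API credentials that still rely on the Basic Authentication that OpenID mode disables.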

Configure Abiquo Outbound API module

Register the Outbound API as an OAuth application (for the Outbound API user or the admin user) and use the tool to obtain the OAuth access token. Configure the credentials in abiquo.properties and remove any old credentials properties.

In OpenID Connect mode, the normal authentication (using HTTP Basic Authentication) is disabled, so you must configure the Outbound API credentials as OAuth tokens. To do this:

  1. Create a new application for the "default api outbound user" as explained in the "Manage OAuth Applications" guide, and set all the privileges for that user; OR
     create the application in the administrator account, and select only the permissions for the "default api outbound user".
  2. Get the OAuth access tokens. You can use an unsupported Abiquo tool to obtain the access tokens. Please contact Abiquo Support to obtain the Abiquo tool.
  3. In the abiquo.properties file of the Abiquo Server:
    1. Configure the following OAuth properties:
      1. abiquo.m.consumerKey
      2. abiquo.m.consumerSecret
      3. abiquo.m.accessToken
      4. abiquo.m.accessTokenSecret
    2. And remove the following properties:
      1. abiquo.m.identity
      2. abiquo.m.credential

Configure OpenID Connect logout

If the OpenID Connect server implements the Session Management extension, you can configure the Abiquo platform to issue a logout to the OpenID Connect server when the user logs out from the platform. This is optional because users might not want to be logged out from all services when logging out from Abiquo.

To enable the global logout, configure the abiquo.openid.endsession.endpoint property to point to the end session endpoint, as defined by the RP-Initiated Logout spec.

Configure OpenID Connect client UI properties

Configure the OpenID Connect client UI properties in the client-config-custom.json file.

client.openid.enabled
  Deprecated in Abiquo 4.7.1

client.openid.skip.login.view
  Deprecated in Abiquo 4.7.1 for UI 5. By default, when in OpenID mode, Abiquo shows an initial screen with a link to the Authentication portal. If this property is set to true, then Abiquo will not display the initial screen and will redirect users directly to the Authentication portal.

client.skip.login.view
  By default, when in OpenID mode, Abiquo shows an initial screen with a link to the Authentication portal. If this property is set to true, then Abiquo will not display the initial screen and will redirect users directly to the Authentication portal.

client.auth.module
  Abiquo login modules to use, with options for Basic Auth (default), OpenID, and SAML. See client-config-default.json for examples.

Configure API and Outbound clients

In OpenID Connect mode, Abiquo disables Basic Authentication, so in order to authenticate with the API (or against the Outbound API endpoint), you can use an access token.

Abiquo still supports authentication using the session cookie or Abiquo OAuth applications as before.

To obtain an access token:

  1. Manually log in to the platform
  2. When you are redirected back to the Abiquo console, you'll find the access token and refresh token in the URI.

Once you have the token, you can issue requests to the API by providing the following HTTP header:


Optional SameSite cookie flag configuration

On the Abiquo Server, optionally set the abiquo.login.samesite property to control the value of the SameSite flag of the login cookie. See Abiquo Configuration Properties#samesite

Refreshing access tokens

Access tokens have an expiration, so at a certain point in time they will stop working. When this happens, the user can use a refresh token if it was returned during authentication to request a new access token. Refresh tokens also expire, but have a significantly higher expiration (default is one week). Some OpenID Connect providers issue new refresh tokens every time an access token is refreshed, so the refresh mechanism can be used without limit.
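The refresh behaviour described above, worked through as an added example that is not Abiquo client code: it uses the standard OAuth 2.0 refresh_token grant (RFC 6749, section 6) that OpenID Connect providers implement, tracks expiry from the token response's expires_in, and handles both provider styles named in the text, one refresh token reused until it expires versus a new refresh token issued on every refresh. The token endpoint is a constructed in-memory stand-in so the block runs offline; the endpoint URL, client id and secret are placeholders.

```python
"""Access-token refresh with and without refresh-token rotation: added example."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlencode

ENDPOINT, CLIENT_ID, CLIENT_SECRET = "https://<idp host>/token", "<client id>", "<client secret>"


class RefreshFailed(Exception):
    """The provider rejected the refresh token (expired, revoked or already used)."""


@dataclass
class TokenSet:
    access_token: str
    expires_at: float                    # absolute time in seconds
    refresh_token: Optional[str] = None  # None if not returned during authentication
    id_token: Optional[str] = None

    def is_expired(self, now: float, skew: float = 30.0) -> bool:
        # Treat the token as expired slightly early to absorb clock differences.
        return now + skew >= self.expires_at


def build_refresh_request(token_endpoint: str, client_id: str, client_secret: str,
                          refresh_token: str) -> Dict[str, str]:
    """Form-encoded refresh_token grant as sent to the token endpoint."""
    return {"url": token_endpoint,
            "content_type": "application/x-www-form-urlencoded",
            "body": urlencode({"grant_type": "refresh_token",
                               "refresh_token": refresh_token,
                               "client_id": client_id,
                               "client_secret": client_secret})}


def refresh(tokens: TokenSet, now: float,
            send: Callable[[Dict[str, str]], dict]) -> TokenSet:
    if tokens.refresh_token is None:
        raise RefreshFailed("no refresh token was returned during authentication")
    response = send(build_refresh_request(ENDPOINT, CLIENT_ID, CLIENT_SECRET,
                                          tokens.refresh_token))
    if "error" in response:
        raise RefreshFailed(response["error"])
    # A rotating provider returns a new refresh_token; a non-rotating one omits
    # it, so the refresh token already held stays in use.
    return TokenSet(access_token=response["access_token"],
                    expires_at=now + int(response["expires_in"]),
                    refresh_token=response.get("refresh_token", tokens.refresh_token),
                    id_token=response.get("id_token"))


def ensure_fresh(tokens: TokenSet, now: float,
                 send: Callable[[Dict[str, str]], dict]) -> TokenSet:
    """Refresh only when the access token is expired or about to expire."""
    return tokens if not tokens.is_expired(now) else refresh(tokens, now, send)


class FakeProvider:
    """Constructed token endpoint: checks the refresh token and optionally rotates it."""

    def __init__(self, rotate: bool, lifetime: int = 300):
        self.rotate, self.lifetime = rotate, lifetime
        self.valid = {"rt-0"}      # refresh tokens the provider still accepts
        self.counter = 0

    def __call__(self, request: Dict[str, str]) -> dict:
        form = parse_qs(request["body"])
        if form.get("grant_type") != ["refresh_token"]:
            return {"error": "unsupported_grant_type"}
        presented = form.get("refresh_token", [""])[0]
        if presented not in self.valid:
            return {"error": "invalid_grant"}
        self.counter += 1
        reply = {"access_token": f"at-{self.counter}", "expires_in": self.lifetime}
        if self.rotate:
            self.valid.discard(presented)        # each refresh token is single-use
            reply["refresh_token"] = f"rt-{self.counter}"
            self.valid.add(reply["refresh_token"])
        return reply


def demo(rotate: bool) -> dict:
    """Expire, refresh, then call again while fresh; report what changed."""
    provider = FakeProvider(rotate)
    t0 = TokenSet("at-0", expires_at=1000.0, refresh_token="rt-0")
    t1 = ensure_fresh(t0, 1000.0, provider)     # expired: one refresh round-trip
    t2 = ensure_fresh(t1, 1010.0, provider)     # still fresh: no request sent
    old = provider(build_refresh_request(ENDPOINT, CLIENT_ID, CLIENT_SECRET, "rt-0"))
    return {"access_token": t2.access_token, "refresh_token": t2.refresh_token,
            "unchanged_while_fresh": t2 is t1,
            "old_refresh_token_accepted": "error" not in old}


if __name__ == "__main__":
    print("rotating:", demo(True))
    print("non-rotating:", demo(False))
```

With a rotating provider the previous refresh token stops working as soon as it has been used, so a client that keeps the old value (for example a cookie written once with abiquo.openid.cookie.refreshtoken.include) will fail its next refresh with invalid_grant; the client must always store the refresh token from the latest response.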

...