Versions Compared

Old Version 18

changes.mady.by.user MS

Saved on

compared with

New Version 19

changes.mady.by.user MS

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The following diagram shows the basic authentication and authorization workflow when using the OpenID Connect integration:.

...

  1. Users will access the Abiquo portal, and will be redirected to the OpenID Connect server

  2. Users will enter their credentials to log in to the OpenID Connect server (note that the credentials are never exposed to Abiquo).
    It will display the consent screen that describes the permissions that Abiquo is requesting and the information it needs to access.

  3. Upon successful authentication and consent grant, the OpenID Connect server issues the following tokens and redirects the user back to the application:

    1. ID token - A JWT token containing the information about the user.

    2. Access token - An OAuth2 token that provides access to the application resources on behalf of the user.

    3. Refresh token - An optional token that can be used to refresh the access token when it expires.

  4. Abiquo will use the access token to request information about the logged user (permissions, etc) and will create the corresponding user in the Abiquo database.

  5. Users will use the access token to access the Abiquo platform, including the Abiquo API

...

  1. Create, clone or edit an Abiquo role

  2. In the External Roles field, enter the same list of external roles/permissions as the OpenID user's role claim

Image Modified

Remember that a user's external roles must map to one local role in their enterprise and/or one global role.

...

The following sequence diagram shows how the different endpoints are used from a user and relying party perspective.
The diagram depicts the interactions between all parties involved in the OpenID Connect protocol.

...

Image Added

Table of Abiquo OpenID Connect properties

...

Property

Description

OpenID Connect server configuration

abiquo.auth.module

The Abiquo authentication module. Must be: openid

abiquo.openid.cookie.maxage

After OpenID authentication flow, the API redirect adds a cookie with the access_token and the id_token.
The expiry of the OpenID authentication cookie in seconds.
A negative value means that the cookie is not stored persistently and will be deleted when the web browser exits.
A zero value causes the cookie to be deleted
Default: 30

abiquo.openid.cookie.refreshtoken.include

If true, the OpenID authentication cookie will also contain the refresh token.
Default: false

abiquo.openid.target

The URL where the user will be redirected from the Identity Server upon successful authentication. Something like
http://<abiquo ui host>/ui/#/dashboard

abiquo.openid.role-claim

The name of the claim returned by the authorization server that contains the names used to map the user permissions to an Abiquo role

abiquo.openid.enterprise-claim

The name of the claim returned by the authorization server that contains the names used to map the Abiquo enterprise where the user belongs

abiquo.openid.enterprise-property

(Optional) If present, Abiquo will try to find an enterprise that has a property with the name configured in this property.
It will use its value to match the "enterprise claim" when resolving the user's enterprise.
If absent, Abiquo will just look for an enterprise with the name returned in the "enterprise claim".

abiquo.openid.issuer

The OpenID Connect authorization issuer.

abiquo.openid.authorization.endpoint

The OpenID Connect authorization endpoint. This endpoint must be accessible from the user's browser

abiquo.openid.token.endpoint

The OpenID Connect token endpoint. This endpoint must be accessible from the Abiquo server.

abiquo.openid.userinfo.endpoint

The OpenID Connect user info endpoint. This endpoint must be accessible from the Abiquo server.

abiquo.openid.jwks.endpoint

The OpenID Connect JWKS endpoint. This endpoint must be accessible from the Abiquo server.

abiquo.openid.endsession.endpoint

(Optional) If configured, Abiquo will attempt to perform a global logout performing a request to this endpoint.
This is part of the Session Management optional spec. This endpoint must be accessible from the user's browser. 

OpenID Connect client configuration

abiquo.openid.client.name

The name of the client that has been registered in the OpenID Connect server for the Abiquo platform.

abiquo.openid.client.id

The ID of the client that has been registered in the OpenID Connect server for the Abiquo platform.

abiquo.openid.client.secret

The secret of the client that has been registered in the OpenID Connect server for the Abiquo platform.

abiquo.openid.client.scopes

Comma separated list of scopes to request during authentication. Must have, at least: openid,profile,email. Also supports: phone.

abiquo.openid.client.redirect-uris

Comma separated list of allowed redirect (callback) URIs used during the authentication flow. Must be: http://<api endpoint>/api/openid_connect_login

abiquo.openid.client.acr-values

Space separated values for the acr values to send to OpenID Connect Server when authenticating.
They will be validated if 'acr-validation' property is true (default value).

abiquo.openid.client.acr-validation

Activates the acr values validation. Default value is true

...