...
This page describes the Abiquo integration with OpenID Connect available in Abiquo.
This integration allows Abiquo to leverage single sign on authentication and federated authorization features.
The integration targets the core spec, but also implements some optional features such as the RP-Initiated-Logout from the optional Session Management spec.
Discovery, dynamic registration, and other optional features are out of the scope of this integration.
...
| Info |
|---|
If your OpenID Connect provider implements the Discovery extension, you might be able to get the value of the different endpoints, |
The following sequence diagram shows how the different endpoints are used from a user and relying party perspective.
The diagram depicts the interactions between all parties involved in the OpenID Connect protocol.
Table of Abiquo OpenID Connect properties
...
Property | Description |
|---|---|
OpenID Connect server configuration | |
abiquo.auth.module | The Abiquo authentication module. Must be: openid |
abiquo.openid.cookie.maxage | After OpenID authentication flow, the API redirect adds a cookie with the access_token and the id_token. |
abiquo.openid.cookie.refreshtoken.include | If true, the OpenID authentication cookie will also contain the refresh token. |
abiquo.openid.target | The URL where the user will be redirected from the Identity Server upon successful authentication. Something like |
abiquo.openid.role-claim | The name of the claim returned by the authorization server that contains the names used to map the user permissions to an Abiquo role |
abiquo.openid.enterprise-claim | The name of the claim returned by the authorization server that contains the names used to map the Abiquo enterprise where the user belongs |
abiquo.openid.enterprise-property | (Optional) If present, Abiquo will try to find an enterprise that has a property with the name configured in this property. |
abiquo.openid.issuer | The OpenID Connect authorization issuer. |
abiquo.openid.authorization.endpoint | The OpenID Connect authorization endpoint. This endpoint must be accessible from the user's browser |
abiquo.openid.token.endpoint | The OpenID Connect token endpoint. This endpoint must be accessible from the Abiquo server. |
abiquo.openid.userinfo.endpoint | The OpenID Connect user info endpoint. This endpoint must be accessible from the Abiquo server. |
abiquo.openid.jwks.endpoint | The OpenID Connect JWKS endpoint. This endpoint must be accessible from the Abiquo server. |
abiquo.openid.endsession.endpoint | (Optional) If configured, Abiquo will attempt to perform a global logout performing a request to this endpoint. |
OpenID Connect client configuration | |
abiquo.openid.client.name | The name of the client that has been registered in the OpenID Connect server for the Abiquo platform. |
abiquo.openid.client.id | The ID of the client that has been registered in the OpenID Connect server for the Abiquo platform. |
abiquo.openid.client.secret | The secret of the client that has been registered in the OpenID Connect server for the Abiquo platform. |
abiquo.openid.client.scopes | Comma separated list of scopes to request during authentication. Must have, at least: openid,profile,email. Also supports: phone. |
abiquo.openid.client.redirect-uris | Comma separated list of allowed redirect (callback) URIs used during the authentication flow. Must be: http://<api endpoint>/api/openid_connect_login |
abiquo.openid.client.acr-values | Space separated values for the acr values to send to OpenID Connect Server when authenticating. |
abiquo.openid.client.acr-validation | Activates the acr values validation. Default value is true |
...
If the OpenID Connect server implements the Session Management extension, you can configure the Abiquo platform to issue a logout to the OpenID Connect server when the user logs out from the platform.
This is optional because users might not want to be logged out from all services when logging out from Abiquo.
...