...

This page describes the Abiquo integration with OpenID Connect.
This integration allows Abiquo to use single sign-on authentication and federated authorization.
The integration targets the core spec, but also implements some optional features such as RP-Initiated Logout from the optional Session Management spec.
Discovery, dynamic registration, and other optional features are out of the scope of this integration.

Info: Changes to the OpenID integration in Abiquo 5.1.2

A new Abiquo configuration property was introduced in Abiquo 5.1.2:

- Added to abiquo.properties: abiquo.login.samesite

Info: Changes to the OpenID integration in Abiquo 4.6

Two new Abiquo configuration properties were introduced in Abiquo 4.6.0:

- Added to abiquo.properties: abiquo.openid.cookie.maxage and abiquo.openid.cookie.refreshtoken.include

Info: Changes to the OpenID integration in Abiquo 3.10.7 and 4.0.4

- To retrieve the user's phone number from the OpenID system, add "phone" to the value list of the abiquo.openid.client.scopes property. Abiquo does not validate the phone number.

Basic workflow

Info

In the OpenID basic workflow, the user interacts with Abiquo (the Application), which is also a client of the OpenID Connect server (the Identity Server).

The following diagram shows the basic authentication and authorization workflow when using the OpenID Connect integration.

...

  1. Users will access the Abiquo portal, and will be redirected to the OpenID Connect server

  2. Users will enter their credentials to log in to the OpenID Connect server (note that the credentials are never exposed to Abiquo).
    It will display the consent screen that describes the permissions that Abiquo is requesting and the information it needs to access.

  3. Upon successful authentication and consent grant, the OpenID Connect server issues the following tokens and redirects the user back to the application:

    1. ID token - A JWT token containing the information about the user.

    2. Access token - An OAuth2 token that provides access to the application resources on behalf of the user.

    3. Refresh token - An optional token that can be used to refresh the access token when it expires.

  4. Abiquo will use the access token to request information about the logged-in user (permissions, etc.) and will create the corresponding user in the Abiquo database.

  5. Users will use the access token to access the Abiquo platform, including the Abiquo API.

  • At any time, users with the refresh_token will be able to perform a call to the Abiquo API to refresh the access token.

  • If the global logout is configured, when users log out from the Abiquo platform they will be signed out from the OpenID Connect server.

...

This is an overview of the steps to configure the OpenID Connect integration:

  1. Configure the cloud admin user with Abiquo in normal auth mode

  2. Map OpenID users to Abiquo enterprises and roles with Abiquo in normal auth mode

  3. Register Abiquo as a client application on the OpenID Connect server and obtain OpenID client credentials

  4. Configure the OpenID Connect server in abiquo.properties

  5. Register the Abiquo Outbound API as an OAuth application and configure abiquo.properties

  6. Configure the OpenID Connect logout

  7. Configure Abiquo UI properties

  8. Start the Abiquo Server

  9. Configure API and Outbound API clients to work with an access token

Configure the cloud admin user

...

To map OpenID roles to an Abiquo role:

  1. Create, clone or edit an Abiquo role

  2. In the External Roles field, enter the same list of external roles/permissions as the OpenID user's role claim

Remember that a user's external roles must map to one local role in their enterprise and/or one global role.

...

To map an OpenID enterprise to an Abiquo enterprise by enterprise property:

  1. Create or edit an Abiquo enterprise

  2. Create an enterprise property with the key configured in the abiquo.openid.enterprise-property property in abiquo.properties.
    For example, for "abiquo.openid.enterprise-property = domain", create an enterprise property called domain.

  3. Set the value of this property to the value of the enterprise claim for this tenant.

...

When the authorization server returns the enterprise claim, Abiquo will look for all enterprises with a "domain" property.
It will find the one with the value that matches the value returned by the OpenID Connect server.
In this example, when the OpenID Connect server returns the value "abiquo.com" in the enterprise claim, Abiquo will select this enterprise.
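The enterprise and role resolution described in the two procedures above, as an added example that is not Abiquo's own code: the enterprise is matched either by the property named in abiquo.openid.enterprise-property or by name, and the role claim is matched against each role's External Roles list. The enterprises, roles and claim values are constructed sample data.

```python
# Constructed sample data standing in for the Abiquo database (not real tenants).
ENTERPRISES = [
    {"name": "Abiquo", "properties": {"domain": "abiquo.com"}},
    {"name": "Example", "properties": {"domain": "example.org"}},
    {"name": "NoDomain", "properties": {}},
]
# external_roles is the list entered in a role's External Roles field.
ROLES = [
    {"name": "CLOUD_ADMIN", "global": True, "enterprise": None,
     "external_roles": {"admin", "ops"}},
    {"name": "USER", "global": False, "enterprise": "Abiquo",
     "external_roles": {"user"}},
]


def resolve_enterprise(enterprise_claim, enterprise_property=None):
    """Return the enterprise for the claim value, or None.

    With abiquo.openid.enterprise-property set (e.g. "domain") the claim is
    compared against that enterprise property; otherwise against the name.
    """
    if enterprise_property:
        matches = [e for e in ENTERPRISES
                   if e["properties"].get(enterprise_property) == enterprise_claim]
    else:
        matches = [e for e in ENTERPRISES if e["name"] == enterprise_claim]
    # Several enterprises carrying the same value is a misconfiguration: refuse
    # rather than guess, since picking the wrong one grants cross-tenant access.
    return matches[0] if len(matches) == 1 else None


def resolve_role(role_claim, enterprise_name):
    """Map the role claim (external role names) to one Abiquo role name, or None.

    A role matches when its External Roles list equals the claim. The page
    allows one local role in the user's enterprise and/or one global role.
    """
    external = set(role_claim)
    matching = [r for r in ROLES if r["external_roles"] == external]
    local = [r for r in matching
             if not r["global"] and r["enterprise"] == enterprise_name]
    global_ = [r for r in matching if r["global"]]
    if len(local) > 1 or len(global_) > 1 or not (local or global_):
        return None
    # Assumption: when both a local and a global role match, prefer the local one.
    return (local or global_)[0]["name"]
```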

...

To configure OpenID Connect in abiquo.properties:

  1. Configure OpenID Connect server details (endpoints, claims, etc.)

  2. Configure OpenID client credentials from the previous step of registering Abiquo as a client application

  3. Activate OpenID in abiquo.properties by setting abiquo.auth.module to openid

Info

If your OpenID Connect provider implements the Discovery extension, you may be able to obtain the values of the endpoints
from the provider's well-known configuration endpoint, as described in the provider configuration section.

The following sequence diagram shows how the different endpoints are used from a user and relying party perspective.
The diagram depicts the interactions between all parties involved in the OpenID Connect protocol.


Table of Abiquo OpenID Connect properties

To enable the OpenID Connect mode, configure the following properties in Abiquo:

Property

Description

OpenID Connect server configuration

abiquo.auth.module

The Abiquo authentication module. Must be: openid

abiquo.openid.cookie.maxage

After the OpenID authentication flow, the API redirect adds a cookie containing the access_token and the id_token.
This property sets the expiry of that OpenID authentication cookie in seconds.
A negative value means that the cookie is not stored persistently and will be deleted when the web browser exits.
A zero value causes the cookie to be deleted.
Default: 30

abiquo.openid.cookie.refreshtoken.include

If true, the OpenID authentication cookie will also contain the refresh token.
Default: false

abiquo.openid.target

The URL where the user will be redirected from the Identity Server upon successful authentication, for example:
http://<abiquo ui host>/ui/#/dashboard

abiquo.openid.role-claim

The name of the claim returned by the authorization server that contains the names used to map the user's permissions to an Abiquo role.

abiquo.openid.enterprise-claim

The name of the claim returned by the authorization server that contains the value used to map the user to their Abiquo enterprise.

abiquo.openid.enterprise-property

(Optional) If present, Abiquo will try to find an enterprise that has a property with the name configured in this property.
It will use its value to match the "enterprise claim" when resolving the user's enterprise.
If absent, Abiquo will just look for an enterprise with the name returned in the "enterprise claim".

abiquo.openid.issuer

The OpenID Connect authorization issuer.

abiquo.openid.authorization.endpoint

The OpenID Connect authorization endpoint. This endpoint must be accessible from the user's browser.

abiquo.openid.token.endpoint

The OpenID Connect token endpoint. This endpoint must be accessible from the Abiquo server.

abiquo.openid.userinfo.endpoint

The OpenID Connect user info endpoint. This endpoint must be accessible from the Abiquo server.

abiquo.openid.jwks.endpoint

The OpenID Connect JWKS endpoint. This endpoint must be accessible from the Abiquo server.

abiquo.openid.endsession.endpoint

(Optional) If configured, Abiquo will attempt a global logout by sending a request to this endpoint.
This is part of the optional Session Management spec. This endpoint must be accessible from the user's browser.

OpenID Connect client configuration

abiquo.openid.client.name

The name of the client that has been registered in the OpenID Connect server for the Abiquo platform.

abiquo.openid.client.id

The ID of the client that has been registered in the OpenID Connect server for the Abiquo platform.

abiquo.openid.client.secret

The secret of the client that has been registered in the OpenID Connect server for the Abiquo platform.

abiquo.openid.client.scopes

Comma separated list of scopes to request during authentication. Must have, at least: openid,profile,email. Also supports: phone.

abiquo.openid.client.redirect-uris

Comma separated list of allowed redirect (callback) URIs used during the authentication flow. Must be: http://<api endpoint>/api/openid_connect_login

abiquo.openid.client.acr-values

Space-separated acr values to send to the OpenID Connect server when authenticating.
They are validated when the acr-validation property is true (the default).

abiquo.openid.client.acr-validation

Activates the acr values validation. Default value is true.
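The checks a relying party applies to the ID token using the properties above (issuer, client id as audience, acr-values and acr-validation), as an added example that is not Abiquo's own code. To run offline, an HS256 token with a constructed shared key stands in for the RS256 token a real deployment verifies against the JWKS endpoint; the CONFIG values are constructed samples.

```python
import base64, hashlib, hmac, json, time

SHARED_KEY = b"constructed-demo-key"  # constructed; real tokens are verified with JWKS keys
CONFIG = {  # constructed sample values mirroring abiquo.properties
    "abiquo.openid.issuer": "https://idp.example.test",
    "abiquo.openid.client.id": "abiquo-client",
    "abiquo.openid.client.acr-values": "urn:mfa urn:pwd",
    "abiquo.openid.client.acr-validation": True,
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict) -> str:
    """Build an HS256-signed JWT (helper to construct the sample token)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_id_token(token: str, config=CONFIG, now=None) -> dict:
    """Verify signature, iss, aud, exp and acr; raise ValueError on any failure."""
    now = time.time() if now is None else now
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept 'none' or a downgraded alg
    expected = hmac.new(SHARED_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != config["abiquo.openid.issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if config["abiquo.openid.client.id"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if config["abiquo.openid.client.acr-validation"]:
        allowed = config["abiquo.openid.client.acr-values"].split()
        if claims.get("acr") not in allowed:
            raise ValueError("acr not acceptable")
    return claims  # a real relying party also checks nonce and iat
```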

Configure Abiquo outbound API module

...

In OpenID Connect mode, the normal authentication (using HTTP Basic Authentication) is disabled, so you must configure the Outbound API credentials as OAuth tokens. To do this:

  1. Create a new application for the "default api outbound user" as explained in the "Manage OAuth Applications" guide, and set all the privileges for that user; OR
    create the application in the administrator account, and select only the permissions for the "default api outbound user".

  2. Get the OAuth access tokens. You can use an unsupported Abiquo tool to obtain the access tokens.
    Please contact Abiquo Support to obtain the Abiquo tool.

  3. In the abiquo.properties file of the Abiquo Server:

    1. Configure the following OAuth properties:

      1. abiquo.m.consumerKey

      2. abiquo.m.consumerSecret

      3. abiquo.m.accessToken

      4. abiquo.m.accessTokenSecret

    2. And remove the following properties:

      1. abiquo.m.identity

      2. abiquo.m.credential

Configure OpenID Connect logout

...

Configure the OpenID Connect client UI properties in the client-config-custom.json file.

Property

Description

client.openid.enabled

Deprecated in Abiquo 4.7.1

client.openid.skip.login.view

Deprecated in Abiquo 4.7.1 for UI 5. By default, when in OpenID mode, Abiquo shows an initial screen with a link to the Authentication portal.
If this property is set to true, then Abiquo will not display the initial screen and will redirect users directly to the Authentication portal.

client.skip.login.view

By default, when in OpenID mode, Abiquo shows an initial screen with a link to the Authentication portal.
If this property is set to true, then Abiquo will not display the initial screen and will redirect users directly to the Authentication portal.

client.auth.module

Abiquo login modules to use, with options for Basic Auth (default), OpenID, and SAML. See client-config-default.json for examples.

Configure API and outbound clients

...

To obtain an access token:

  1. Manually log in to the platform

  2. When you are redirected back to the Abiquo console, you'll find the access token and refresh token in the URI.

Once you have the token, you can issue requests to the API by providing the following HTTP header:

...