This page describes the Abiquo integration with OpenID Connect.
This integration lets you use single sign-on authentication and federated authorization.
The integration implements the core spec, as well as some optional features, such as RP-Initiated Logout from the optional Session Management spec.
Discovery, dynamic registration, and other optional features are out of the scope of this integration.
Basic OpenID Connect workflow
Info: In the OpenID basic workflow, the user interacts with Abiquo (the Application), which is also a client of the OpenID Connect server (the Identity Server).
The following diagram shows the basic authentication and authorization workflow when you use the OpenID Connect integration.
Users access the Abiquo portal, and it redirects them to the OpenID Connect server.
Users enter their credentials to log in to the OpenID Connect server. The OpenID Connect server displays the consent screen that describes the permissions that Abiquo is requesting and the information it needs to access. The user credentials are never exposed to Abiquo.
When the users are successfully authenticated and grant consent, the OpenID Connect server issues the following tokens and redirects the user back to Abiquo:
ID token - A JWT token containing the information about the user.
Access token - An OAuth2 token that provides access to the application resources on behalf of the user.
Refresh token - An optional token that can be used to refresh the access token when it expires.
Abiquo uses the access token to request information about the logged-in user (permissions, etc.) and creates the corresponding user in the Abiquo database.
Users use the access token to access the Abiquo platform, including the Abiquo API.
At any time, users with a refresh token can call the Abiquo API to refresh the access token.
If the global logout is configured, when users log out from the Abiquo platform they will be signed out from the OpenID Connect server.
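The first two steps of the workflow above, seen from the relying party, as an added example (this is not Abiquo code): it builds the authorization request that the browser is redirected to, and checks the callback that comes back to the redirect URI. The endpoint, client ID, redirect URI and scopes are assumed values standing in for the abiquo.openid.* properties.

```python
"""Added example (not Abiquo code): the relying-party side of the workflow
above. Builds the authorization request, then validates the callback.
Every URL and name here is an assumption for illustration."""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed values; in Abiquo these come from abiquo.properties.
AUTHORIZATION_ENDPOINT = "https://idp.example.com/realms/master/protocol/openid-connect/auth"
CLIENT_ID = "abiquo"
REDIRECT_URI = "https://abiquo.example.com/api/openid_connect_login"
SCOPES = "openid profile email"


def build_authorization_request(acr_values=None):
    """Return (url, state, nonce).

    state binds the callback to this browser session (CSRF protection);
    nonce is echoed back inside the ID token so a token obtained in another
    flow cannot be replayed into this one. Both must be stored server-side.
    """
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPES,
        "state": state,
        "nonce": nonce,
    }
    if acr_values:
        # Space separated, like abiquo.openid.client.acr-values
        params["acr_values"] = " ".join(acr_values)
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}", state, nonce


def parse_callback(callback_url, expected_state):
    """Validate the redirect back to the redirect URI.

    Returns the authorization code, or raises ValueError on any problem.
    """
    parsed = urlsplit(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        raise ValueError("callback arrived at an unexpected redirect URI")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise ValueError("provider returned error: " + query["error"][0])
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or stale login")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code  # next step: POST it to the token endpoint
```

The state check is what stops an attacker from completing a login in a victim's browser with a code the attacker obtained; the nonce is consumed later, when the ID token is validated.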
ACR validation
In an OpenID Connect integration, the authorization request can contain a list of authentication context classes (acr values) that the server should use when authenticating the user.
The acr values are configured on the OpenID Connect server, and Abiquo can request them with the abiquo.openid.client.acr-values property.
The response tokens can also contain the acr value that was actually used to authenticate the user.
If the abiquo.openid.client.acr-validation property enables it, Abiquo validates that the returned acr value is one of the requested ones, and fails the authentication process if it is not.
OpenID Connect authentication mode
When Abiquo is in normal authentication mode, Abiquo authenticates and obtains user authorization from the Abiquo database.
In contrast, when the platform is in OpenID Connect mode, Abiquo authenticates and obtains user authorization from the OpenID Connect server.
In OpenID mode, Abiquo behaves as follows:
Abiquo creates an Abiquo OpenID user automatically when the following conditions are met:
The user successfully authenticates through the OpenID Connect server; AND
Abiquo finds an Abiquo enterprise (tenant) and a user role that match the OpenID user data
Every time the user logs in, Abiquo synchronizes user data with the OpenID Connect server, which may overwrite any changes you make to the Abiquo user account
A user that has switched enterprises will be returned to their assigned enterprise when they log in
Abiquo disables login for users with non-OpenID accounts
This includes the main cloud admin user
Abiquo disables features associated with normal authentication, e.g. Abiquo two-factor authentication, Abiquo password reset
The OpenID Connect server should provide this type of feature when authenticating users
OpenID Connect configuration steps
This is an overview of the steps to configure the OpenID Connect integration:
Configure the cloud admin user with Abiquo in normal auth mode
Map OpenID users to Abiquo enterprises and roles with Abiquo in normal auth mode
Register Abiquo as a client application on the OpenID Connect server and obtain OpenID client credentials
Configure the OpenID Connect server in abiquo.properties
Register the Abiquo Outbound API as an OAuth application and configure abiquo.properties
Configure the OpenID Connect logout
Configure Abiquo UI properties
Start the Abiquo Server
Configure API and Outbound API clients to work with an access token
Configure the cloud admin user
Configure the cloud admin user with Abiquo in normal authentication mode.
Remember that Abiquo will disable this user when you enable OpenID Connect authentication mode.
Map OpenID Connect users to Abiquo enterprises and roles
In OpenID Connect authentication mode, when a user successfully authenticates through the OpenID Connect server, Abiquo will receive OpenID user data.
Abiquo will try to match the user data to the following in Abiquo:
A user role (e.g. cloud admin, tenant admin, cloud user)
An enterprise (cloud tenant) that the user will belong to
To enable Abiquo to match the user, you must map the Abiquo enterprise and role to the OpenID user data.
Do this in normal authentication mode as the cloud admin user. If Abiquo cannot find the role and enterprise, it will not create the OpenID user.
How Abiquo determines which role to assign to an OpenID user
The OpenID Connect server will return user data, including a list of the external roles/permissions for the user, which is called a role claim.
Abiquo will identify the role claim in the OpenID user data using the name you configure with the abiquo.openid.role-claim property.
Abiquo will try to find an existing Abiquo role whose External roles field contains the same values as the role claim.
Map external roles to Abiquo roles
To map OpenID roles to an Abiquo role:
Create, clone or edit an Abiquo role
In the External Roles field, enter the same list of external roles/permissions as the OpenID user's role claim
Remember that a user's external roles must map to one local role in their enterprise and/or one global role.
How Abiquo determines which enterprise an OpenID user should belong to
The OpenID Connect server will return user data, including the tenant that a user should belong to, which is called an enterprise claim.
Abiquo can look up this enterprise in Abiquo by enterprise name or by enterprise property.
If Abiquo cannot find the enterprise, it will not allow the user to log in. If the user account does not exist, Abiquo will create it in the enterprise.
If the user account exists in another enterprise, Abiquo will move it to the one assigned by the OpenID Connect server.
Abiquo will obtain the enterprise claim defined by the abiquo.openid.enterprise-claim property.
If the abiquo.openid.enterprise-property property is not set in abiquo.properties, Abiquo will try to match the enterprise claim to the enterprise name.
Otherwise, it will try to match the value of the enterprise claim to the value of the enterprise property whose key is specified by abiquo.openid.enterprise-property.
Map external enterprises to Abiquo enterprises
Map external enterprises to Abiquo enterprises according to the lookup method you configured for your platform.
To map an OpenID enterprise to an Abiquo enterprise by enterprise name, just name the enterprise with the value in the enterprise claim.
To map an OpenID enterprise to an Abiquo enterprise by enterprise property:
Create or edit an Abiquo enterprise
Create an enterprise property with the key configured in the abiquo.openid.enterprise-property in abiquo.properties.
For example, for "abiquo.openid.enterprise-property = domain", create an enterprise property called domain.
Set the value of this property to the value of the enterprise claim for this tenant.
When the authorization server returns the enterprise claim, Abiquo will look for all enterprises with a "domain" property.
It will find the one with the value that matches the value returned by the OpenID Connect server.
In this example, when the OpenID Connect server returns the value "abiquo.com" in the enterprise claim, Abiquo will select this enterprise.
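The two lookups described above (role by External roles, enterprise by name or by enterprise property), as an added example that is not Abiquo's own code. The roles, enterprises and claim values are constructed; the matching rules are assumptions drawn from the text: the role claim must equal one role's External roles exactly, and a lookup that yields zero or several matches refuses the login rather than guessing. Handling a list-valued enterprise claim (as a Keycloak group membership mapper returns) is also an assumption.

```python
"""Added example (not Abiquo code): resolving the role claim and enterprise
claim against Abiquo roles and enterprises. All data is constructed."""

# Constructed Abiquo data. Each role carries its External roles field;
# each enterprise has a name and its enterprise properties.
ROLES = [
    {"name": "CLOUD_ADMIN", "external_roles": {"abq-cloud-admin"}},
    {"name": "ENTERPRISE_ADMIN", "external_roles": {"abq-tenant-admin", "abq-billing"}},
    {"name": "USER", "external_roles": {"abq-user"}},
]
ENTERPRISES = [
    {"name": "Abiquo", "properties": {"domain": "abiquo.com"}},
    {"name": "Acme", "properties": {"domain": "acme.example"}},
    {"name": "NoDomain", "properties": {}},
]


class MappingError(Exception):
    """No unique match: the OpenID user is not created and cannot log in."""


def resolve_role(role_claim_values):
    """Find the one Abiquo role whose External roles equal the role claim.
    Compared as sets, so the order of the claim values does not matter."""
    wanted = set(role_claim_values)
    matches = [r for r in ROLES if r["external_roles"] == wanted]
    if len(matches) != 1:
        raise MappingError(f"{len(matches)} roles match external roles {sorted(wanted)}")
    return matches[0]["name"]


def resolve_enterprise(enterprise_claim_value, enterprise_property=None):
    """enterprise_property mirrors abiquo.openid.enterprise-property:
    None  -> match the claim against the enterprise name;
    'key' -> match it against the value of enterprise property 'key'."""
    if enterprise_property is None:
        matches = [e for e in ENTERPRISES if e["name"] == enterprise_claim_value]
    else:
        matches = [e for e in ENTERPRISES
                   if e["properties"].get(enterprise_property) == enterprise_claim_value]
    if len(matches) != 1:
        raise MappingError(f"{len(matches)} enterprises match {enterprise_claim_value!r}")
    return matches[0]["name"]


def provision_user(userinfo, role_claim, enterprise_claim, enterprise_property=None):
    """Decide whether the OpenID user can be created, and in which enterprise.
    userinfo is the decoded user data; role_claim / enterprise_claim are the
    claim names from abiquo.openid.role-claim / abiquo.openid.enterprise-claim."""
    roles = userinfo.get(role_claim)
    tenant = userinfo.get(enterprise_claim)
    if not roles or not tenant:
        raise MappingError("required claims missing from user data")
    # Assumption: a group membership mapper returns a list; require one group.
    if isinstance(tenant, list):
        if len(tenant) != 1:
            raise MappingError("user must belong to exactly one group")
        tenant = tenant[0]
    return {
        "username": userinfo["preferred_username"],
        "enterprise": resolve_enterprise(tenant, enterprise_property),
        "role": resolve_role(roles),
    }
```

The "exactly one match" rule matters for the enterprise-property lookup: if two tenants were given the same domain value, a user from either could otherwise be placed in the wrong one.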
Register Abiquo as a client application in the OpenID Connect server
Register Abiquo as a client application in the OpenID system and obtain the client credentials: client name, client id and client secret.
You will need to configure these in abiquo.properties in the next step.
Configure Abiquo properties
To configure OpenID Connect in abiquo.properties:
Configure OpenID Connect server details (endpoints, claims, etc.)
Configure OpenID client credentials from the previous step of registering Abiquo as a client application
Activate OpenID in abiquo.properties, by setting abiquo.auth.module to openid
Info: If your OpenID Connect provider implements the Discovery extension, you might be able to get the values of the different endpoints for the properties from the well-known configuration endpoint.
The following sequence diagram shows how the different endpoints are used from a user and relying party perspective.
The diagram depicts the interactions between all parties involved in the OpenID Connect protocol.
Table of Abiquo OpenID Connect properties
To enable the OpenID Connect mode, configure the following properties in Abiquo:

OpenID Connect server configuration

Property | Description
---|---
abiquo.auth.module | The Abiquo authentication module. Must be: openid
abiquo.openid.cookie.maxage | After the OpenID authentication flow, the API redirect adds a cookie with the access_token and the id_token. This property is the expiry of that OpenID authentication cookie in seconds. A negative value means that the cookie is not stored persistently and is deleted when the web browser exits. A zero value causes the cookie to be deleted. Default: 30
abiquo.openid.cookie.refreshtoken.include | If true, the OpenID authentication cookie will also contain the refresh token. Default: false
abiquo.openid.target | The URL where the user will be redirected from the Identity Server upon successful authentication. Something like http://<abiquo ui host>/ui/#/dashboard
abiquo.openid.role-claim | The name of the claim returned by the authorization server that contains the names used to map the user permissions to an Abiquo role
abiquo.openid.enterprise-claim | The name of the claim returned by the authorization server that contains the name used to map the Abiquo enterprise where the user belongs
abiquo.openid.enterprise-property | (Optional) If present, Abiquo will try to find an enterprise that has a property with the name configured here, and will use its value to match the enterprise claim when resolving the user's enterprise. If absent, Abiquo will just look for an enterprise with the name returned in the enterprise claim.
abiquo.openid.issuer | The OpenID Connect issuer.
abiquo.openid.authorization.endpoint | The OpenID Connect authorization endpoint. This endpoint must be accessible from the user's browser.
abiquo.openid.token.endpoint | The OpenID Connect token endpoint. This endpoint must be accessible from the Abiquo server.
abiquo.openid.userinfo.endpoint | The OpenID Connect user info endpoint. This endpoint must be accessible from the Abiquo server.
abiquo.openid.jwks.endpoint | The OpenID Connect JWKS endpoint. This endpoint must be accessible from the Abiquo server.
abiquo.openid.endsession.endpoint | (Optional) The OpenID Connect end session endpoint, as defined by the RP-Initiated Logout spec. If set, Abiquo logs users out of the OpenID Connect server when they log out of the platform. See Configure OpenID Connect logout.

OpenID Connect client configuration

Property | Description
---|---
abiquo.openid.client.name | The name of the client that has been registered in the OpenID Connect server for the Abiquo platform.
abiquo.openid.client.id | The ID of the client that has been registered in the OpenID Connect server for the Abiquo platform.
abiquo.openid.client.secret | The secret of the client that has been registered in the OpenID Connect server for the Abiquo platform.
abiquo.openid.client.scopes | Comma separated list of scopes to request during authentication. Must have, at least: openid,profile,email. Also supports: phone.
abiquo.openid.client.redirect-uris | Comma separated list of allowed redirect (callback) URIs used during the authentication flow. Must be: http://<api endpoint>/api/openid_connect_login
abiquo.openid.client.acr-values | Space separated acr values to send to the OpenID Connect server when authenticating. They will be validated if the acr-validation property is true (the default value).
abiquo.openid.client.acr-validation | Activates the acr values validation. Default value is true
Configure Abiquo outbound API module
Register the Outbound API as an OAuth application (for the Outbound API user or the admin user) and use the tool to obtain the OAuth access token. Then configure the credentials in abiquo.properties and remove any old credentials properties.
In OpenID Connect mode, the normal authentication (using HTTP Basic Authentication) is disabled, so you must configure the Outbound API credentials as OAuth tokens. To do this:
Create a new application for the "default api outbound user" as explained in the "Manage OAuth Applications" guide, and set all the privileges for that user; OR create the application in the administrator account, and select only the permissions for the "default api outbound user".
Get the OAuth access tokens. You can use an unsupported Abiquo tool to obtain the access tokens. Please contact Abiquo Support to obtain the Abiquo tool.
In the abiquo.properties file of the Abiquo Server, configure the following OAuth properties:
abiquo.m.consumerKey
abiquo.m.consumerSecret
abiquo.m.accessToken
abiquo.m.accessTokenSecret
And remove the following properties:
abiquo.m.identity
abiquo.m.credential
Configure OpenID Connect logout
If the OpenID Connect server implements the Session Management extension, you can configure the Abiquo platform to issue a logout to the OpenID Connect server when the user logs out from the platform.
This is optional because users might not want to be logged out from all services when logging out from Abiquo.
To enable the global logout, configure the abiquo.openid.endsession.endpoint property to point to the end session endpoint, as defined by the RP-Initiated Logout spec.
Configure OpenID Connect client UI properties
Configure the OpenID Connect client UI properties in the client-config-custom.json file.

Property | Description
---|---
client.openid.enabled | Deprecated in Abiquo 4.7.1
client.openid.skip.login.view | Deprecated in Abiquo 4.7.1 for UI 5. By default, when in OpenID mode, Abiquo shows an initial screen with a link to the Authentication portal. If this property is set to true, then Abiquo will not display the initial screen and will redirect users directly to the Authentication portal.
client.skip.login.view | By default, when in OpenID mode, Abiquo shows an initial screen with a link to the Authentication portal. If this property is set to true, then Abiquo will not display the initial screen and will redirect users directly to the Authentication portal.
client.auth.module | Abiquo login modules to use, with options for Basic Auth (default), Open ID, and SAML. See client-config-default.json for examples
Configure OpenID Connect integration for Abiquo
Configure your OpenID connect server. In this example, we will use Keycloak.
1. Create an IDP with OpenID Connect v1.0
This is for a Keycloak server. Create a Realm with an OpenID Connect endpoint.
Access your Keycloak server with admin credentials.
Select the realm you want to use, or create a new one in the top-left drop-down.
In this example some URIs use the master realm - please change it to your realm.
Go to Identity Providers → OpenID Connect v1.0
In the Add OpenID Connect provider dialog:
Use the default Redirect URI
Enter an Alias
In Discovery Endpoint enter
http://{$YOUR_KEYCLOAK_SERVER}/realms/master/.well-known/openid-configuration
Enter a Client ID
Enter a Client Secret
Select Add
2. Create a client to connect to Abiquo
Create a client that will connect to Abiquo.
Go to Clients → Create client
Enter a Client ID
Enter a Name
Select Next
Select Next
For Login settings enter:
In Root URL enter
https://{ABIQUO_SERVER_FQDN}
In Home URL enter
https://{ABIQUO_SERVER_FQDN}/ui/#/dashboard
In Valid redirect URIs enter
https://{ABIQUO_SERVER_FQDN}/*
In Web origins enter
https://{ABIQUO_SERVER_FQDN}
3. Configure user claims
The user claims configure a user's enterprise and role in Abiquo.
Go to Realm roles → Create role and enter a role name that will match an external role in your Abiquo environment.
Go to Groups → Create group and enter a name that will match an enterprise in your Abiquo environment.
Go to Users → Add user and enter Username, Email, First name and Last name.
Select Join groups and add the group you created above.
Select Client scopes → Create client scope:
Enter a Name
In Type select Default
Select Save
Select the Mappers tab → Configure a new mapper → Group membership:
Enter a Name
Enter a Token claim name (you will use this name later in abiquo.properties to match the enterprise)
Disable Full group path and Add to ID token
Select Save
Add a new mapper by configuration in this client scope and select User realm role:
Enter a Name
Enter a Token claim name (you will use this name later in abiquo.properties to match the role)
Disable Add to ID token
Select Save
Select Clients → open the client you created previously
Select the Client scopes tab → Add client scope
Add the client scope you created above as Default
4. Configure Abiquo
Configure Abiquo to use the OpenID Connect server.
When you configure Abiquo, it should be in the default authentication mode (abiquo).
Log in as the cloud admin user, and configure this user.
Create or edit an Abiquo enterprise and set the Name to match the value of the enterprise claim in OpenID. In the Keycloak example above, this was the group name.
If you cannot name the enterprise to match the enterprise claim, see the section above on how to map an OpenID enterprise to an Abiquo enterprise by enterprise property.
Create, clone or edit an Abiquo role. For the External roles, enter the list of external roles/permissions from the OpenID user's role claim. A user's external roles must map to one Abiquo role. In the Keycloak example above, this was the Realm role.
On the Abiquo API server, configure abiquo.properties for OpenID Connect:

```properties
abiquo.auth.module = openid
abiquo.openid.target = https://{ABIQUO_SERVER_FQDN}/ui/#/dashboard
abiquo.openid.role-claim = (User Realm Role Token Claim Name)
abiquo.openid.enterprise-claim = (Group Membership Token Claim Name)
abiquo.openid.issuer = http://{KEYCLOAK_SERVER}/realms/master
abiquo.openid.authorization.endpoint = http://{KEYCLOAK_SERVER}/realms/master/protocol/openid-connect/auth
abiquo.openid.token.endpoint = http://{KEYCLOAK_SERVER}/realms/master/protocol/openid-connect/token
abiquo.openid.userinfo.endpoint = http://{KEYCLOAK_SERVER}/realms/master/protocol/openid-connect/userinfo
abiquo.openid.jwks.endpoint = http://{KEYCLOAK_SERVER}/realms/master/protocol/openid-connect/certs
abiquo.openid.client.name = (Specified in Create OpenID Connect v1.0 IdP)
abiquo.openid.client.id = (Specified in Create OpenID Connect v1.0 IdP)
abiquo.openid.client.secret = (Specified in Create OpenID Connect v1.0 IdP)
abiquo.openid.client.scopes = openid,profile,email,(client scope name)
abiquo.openid.client.redirect-uris = https://{ABIQUO_SERVER_FQDN}/api/openid_connect_login
abiquo.openid.client.acr-validation = false
```

The Keycloak URLs in this example use plain http. In production use https, because the token endpoint carries the client secret and the issued tokens.
Tip: If your OpenID Connect provider implements the Discovery extension, you might be able to get the values of the different endpoints for the properties from the well-known configuration endpoint, as described in the provider configuration section.
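An added example (not Abiquo code) of what the Tip above, and the Info in the properties section, suggest: reading the provider's discovery document and emitting the abiquo.openid.* endpoint properties from it, so the endpoints are copied rather than typed. The discovery document below is constructed with the shape Keycloak publishes; the hostnames are assumptions. The issuer comparison and the https check are the two things worth keeping from this script when you do it by hand.

```python
"""Added example (not Abiquo code): turn a /.well-known/openid-configuration
document into abiquo.openid.* endpoint property lines. SAMPLE_DOC is
constructed; fetch_discovery() is only needed against a live provider."""
import json
import urllib.request

# Discovery keys -> Abiquo properties. end_session_endpoint is optional in
# the spec, so it is emitted only when the provider publishes it.
PROPERTY_MAP = {
    "issuer": "abiquo.openid.issuer",
    "authorization_endpoint": "abiquo.openid.authorization.endpoint",
    "token_endpoint": "abiquo.openid.token.endpoint",
    "userinfo_endpoint": "abiquo.openid.userinfo.endpoint",
    "jwks_uri": "abiquo.openid.jwks.endpoint",
    "end_session_endpoint": "abiquo.openid.endsession.endpoint",
}
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint",
            "userinfo_endpoint", "jwks_uri")


def fetch_discovery(issuer):
    """Download the discovery document for an issuer URL (needs network)."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


def discovery_to_properties(doc, expected_issuer=None):
    """Return the property lines for abiquo.properties.

    Fails if a required endpoint is missing, or if the issuer inside the
    document is not the one we asked for: a mismatch means the document came
    from a misconfigured or impersonated provider, and every token check
    downstream compares against this value.
    """
    missing = [k for k in REQUIRED if k not in doc]
    if missing:
        raise ValueError("discovery document lacks: " + ", ".join(missing))
    if expected_issuer is not None and doc["issuer"] != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc['issuer']!r} != {expected_issuer!r}")
    lines = []
    for key, prop in PROPERTY_MAP.items():
        if key in doc:
            if not doc[key].startswith("https://"):
                # Plain http sends codes, tokens and the client secret in clear.
                lines.append(f"# WARNING: {key} is not https")
            lines.append(f"{prop} = {doc[key]}")
    return lines


# Constructed discovery document (same shape as Keycloak's).
SAMPLE_DOC = {
    "issuer": "https://keycloak.example/realms/master",
    "authorization_endpoint": "https://keycloak.example/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example/realms/master/protocol/openid-connect/token",
    "userinfo_endpoint": "https://keycloak.example/realms/master/protocol/openid-connect/userinfo",
    "jwks_uri": "https://keycloak.example/realms/master/protocol/openid-connect/certs",
    "end_session_endpoint": "https://keycloak.example/realms/master/protocol/openid-connect/logout",
    "acr_values_supported": ["0", "1"],
}

if __name__ == "__main__":
    for line in discovery_to_properties(SAMPLE_DOC, "https://keycloak.example/realms/master"):
        print(line)
```

Against a live provider, replace SAMPLE_DOC with fetch_discovery(issuer) and pass the same issuer as expected_issuer.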
On the API server (or separate UI server), in the /var/www/html/ui/config folder, edit the client-config-custom.json file and add the following configuration.

```json
{
  "config.endpoint": "https://{ABIQUO_SERVER_FQDN}/api",
  "client.skip.login.view": "true",
  "client.login.modules": [
    {
      "label": "Open ID",
      "description": "Open ID login",
      "templateUrl": "modules/login/authenticationmodules/openid/partials/openidloginview.html",
      "cookieName": "ABQOIDCTOKENS"
    }
  ]
}
```
5. Configure SameSite cookie flag
On the Abiquo API Server, set the abiquo.login.samesite property to control the value of the SameSite flag of the login cookie. See Abiquo configuration properties and search for .samesite.
For our test server, we set:

```properties
abiquo.login.samesite = none
```

Browsers only accept a cookie with SameSite=None if it also carries the Secure attribute, so with this value the platform must be served over HTTPS.
6. Optional OpenID Connect logout
If the OpenID Connect server implements the Session Management extension, you can configure the Abiquo platform to issue a logout to the OpenID Connect server when the user logs out from the platform.
This is optional because users might not want to be logged out from all services when logging out from Abiquo.
To enable the global logout, configure the abiquo.openid.endsession.endpoint property to point to the end session endpoint, as defined by the RP-Initiated Logout spec.
7. Optional ACR validation
In an OpenID Connect integration, the authorization request can contain a list of authentication context classes (acr values) that the server should use when authenticating the user.
The acr values are configured on the OpenID Connect server, and Abiquo can request them with the abiquo.openid.client.acr-values property.
The response tokens can also contain the acr value that was actually used to authenticate the user.
If the abiquo.openid.client.acr-validation property is set, Abiquo validates that the returned acr value is one of the requested ones, and fails the authentication process if it is not.
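The checks a relying party performs on the ID token, including the acr check described in step 7 and in the ACR validation section near the top of the page, as an added example that is not Abiquo's code. So that it runs offline, the token is signed with HS256 and a constructed shared secret; Abiquo verifies RS256 signatures with keys from abiquo.openid.jwks.endpoint, but the claim checks (issuer, audience, expiry, nonce, acr) are the same. Issuer, client ID, nonce and claim values are assumptions.

```python
"""Added example (not Abiquo code): ID token validation including the acr
check. HS256 with a constructed secret stands in for RS256 + JWKS so the
example runs stand-alone; the claim checks do not depend on that choice."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-shared-secret"  # stand-in for the provider's signing key


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, secret=SECRET):
    """Build a compact JWT the way a test provider would."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_id_token(token, issuer, client_id, nonce, acr_values=None,
                      acr_validation=True, secret=SECRET, now=None):
    """Return the claims if every check passes, else raise ValueError.

    acr_values / acr_validation mirror abiquo.openid.client.acr-values and
    abiquo.openid.client.acr-validation: with validation on, the acr claim
    must be one of the values that were requested.
    """
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token
        raise ValueError("unexpected alg " + str(header.get("alg")))
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: token from another login flow")
    if acr_validation and acr_values and claims.get("acr") not in acr_values:
        raise ValueError(f"acr {claims.get('acr')!r} not among requested {acr_values}")
    return claims
```

With acr_validation off, a provider that silently fell back to a weaker authentication method than the one requested would still be accepted; that is the risk the property controls.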
Configure API clients
In OpenID Connect mode, Abiquo disables basic authentication, so to authenticate with the API you can use an access token.
Info: Abiquo still supports authentication using the session cookie or Abiquo OAuth applications as before.
Once you have the token, you can issue requests to the API by providing the following HTTP header:

```
Authorization: Bearer <the access token>
```
Optional SameSite cookie flag configuration
On the Abiquo Server, optionally set the abiquo.login.samesite property to control the value of the SameSite flag of the login cookie. See Abiquo Configuration Properties and search for samesite.
Refreshing access tokens
Access tokens have an expiration, so at a certain point in time they will stop working.
When this happens, the user can use the refresh token, if one was returned during authentication, to request a new access token.
Refresh tokens also expire, but have a significantly longer expiration (the default is one week).
Some OpenID Connect providers issue a new refresh token every time an access token is refreshed, so the session can be kept alive for as long as each refresh token is used before it expires.
To request a new access token using a refresh token, issue an HTTP request to the openid_connect_refresh Abiquo API endpoint, passing the refresh token as a query parameter. Because the token travels in the query string, make sure it is not recorded in proxy or web server access logs.

```shell
curl -v "https://{ABIQUO_SERVER_FQDN}/api/openid_connect_refresh?refresh_token={REFRESH_TOKEN_VALUE}" \
  -H "Accept: application/vnd.abiquo.oidctokens+json"
```

The response contains the new tokens:

```json
{
  "scope" : "openid profile email abiquo",
  "id_token" : "<ID token (JWT), truncated>",
  "refresh_token" : "78ecb72e-fd0e-4825-ae0a-635159c461ff",
  "token_type" : "Bearer",
  "links" : [],
  "expires_in" : 3599,
  "access_token" : "a381c059-654f-4c03-852b-cf507c5372ec"
}
```
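An added example (not Abiquo code) of an API client that uses the Bearer header and the refresh endpoint described above: it sends the access token, and when the API answers 401 it exchanges the refresh token at /api/openid_connect_refresh, keeps the rotated tokens, and retries once. The HTTP transport is injected so the example runs offline; FakeAbiquo is a constructed stand-in for the API that returns the same response shape as the curl output above. The API paths and media types other than the refresh endpoint are assumptions.

```python
"""Added example (not Abiquo code): bearer-token API client with refresh on
401. FakeAbiquo is constructed for offline use; _urllib_transport is the
real transport."""
import json
import urllib.error
import urllib.parse
import urllib.request

REFRESH_ACCEPT = "application/vnd.abiquo.oidctokens+json"


class AbiquoOidcClient:
    def __init__(self, api_base, tokens, transport=None):
        self.api_base = api_base.rstrip("/")
        self.access_token = tokens["access_token"]
        self.refresh_token = tokens.get("refresh_token")
        self.transport = transport or self._urllib_transport

    @staticmethod
    def _urllib_transport(method, url, headers):
        """Real HTTP: returns (status, body_text)."""
        req = urllib.request.Request(url, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as e:
            return e.code, e.read().decode()

    def refresh(self):
        """Exchange the refresh token for new tokens and store them.
        The refresh token goes in the query string, so never log this URL."""
        if not self.refresh_token:
            raise PermissionError("no refresh token; the user must log in again")
        url = (self.api_base + "/openid_connect_refresh?"
               + urllib.parse.urlencode({"refresh_token": self.refresh_token}))
        status, body = self.transport("GET", url, {"Accept": REFRESH_ACCEPT})
        if status != 200:
            raise PermissionError(f"refresh failed with HTTP {status}")
        tokens = json.loads(body)
        self.access_token = tokens["access_token"]
        # Providers that rotate refresh tokens return a new one; keep it.
        self.refresh_token = tokens.get("refresh_token", self.refresh_token)
        return tokens

    def get(self, path, accept):
        """GET an API resource; on 401 refresh once and retry."""
        headers = {"Accept": accept, "Authorization": f"Bearer {self.access_token}"}
        status, body = self.transport("GET", self.api_base + path, headers)
        if status == 401:
            self.refresh()
            headers["Authorization"] = f"Bearer {self.access_token}"
            status, body = self.transport("GET", self.api_base + path, headers)
        if status != 200:
            raise RuntimeError(f"HTTP {status} for {path}")
        return json.loads(body)


class FakeAbiquo:
    """Constructed stand-in for the API: one valid access token at a time;
    a refresh rotates both tokens and invalidates the old refresh token."""

    def __init__(self):
        self.access = "a381c059-654f-4c03-852b-cf507c5372ec"
        self.refresh_tok = "78ecb72e-fd0e-4825-ae0a-635159c461ff"
        self.refresh_calls = 0

    def expire_access_token(self):
        self.access = "expired-" + self.access

    def __call__(self, method, url, headers):
        parsed = urllib.parse.urlsplit(url)
        if parsed.path.endswith("/openid_connect_refresh"):
            self.refresh_calls += 1
            sent = urllib.parse.parse_qs(parsed.query).get("refresh_token", [None])[0]
            if sent != self.refresh_tok:
                return 401, '{"error": "invalid refresh token"}'
            self.access = f"new-access-{self.refresh_calls}"
            self.refresh_tok = f"new-refresh-{self.refresh_calls}"
            return 200, json.dumps({"access_token": self.access, "refresh_token": self.refresh_tok,
                                    "token_type": "Bearer", "expires_in": 3599, "links": []})
        if headers.get("Authorization") != f"Bearer {self.access}":
            return 401, '{"error": "unauthorized"}'
        return 200, json.dumps({"path": parsed.path, "links": []})
```

A client that keeps an old refresh token after rotation locks itself out at the next expiry, which is why refresh() overwrites both tokens from the response.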
The OpenID login process may return an error message, for example because of a delayed login or a timeout.
To prevent this for Internet Explorer cookies, in server.xml on the Abiquo Tomcat, the <Host> section should contain an <Alias> element with the domain of the web server (where users access the UI).
The default Java session timeout was also changed to 30 minutes, so that user delays during OpenID login do not result in further errors.