Adding identity providers

Before connecting to an identity provider and importing its users, you need to create domain groups for these users and assign respective roles to these groups.

If you want to use your identity provider for authenticating in the admin panel, add it to the Default domain and assign the System administrator role to its group.

Prerequisites

  • Local domain groups are created, as described in Creating domain groups.
  • The redirection URL (redirect_uri) for the cluster must be https://<url>:8800/api/v2/login/idp/.

To add an identity provider

Admin panel

  1. On the Projects and users screen, click the required domain.
  2. Switch to the Settings > Identity provider screen, and then click Add.
  3. In the Add identity provider window, specify the following parameters:

    1. A custom name of the identity provider that will be shown on the login screen.
    2. The unique issuer ID provided by the OIDC provider. It usually appears as a URN.
    3. The client identifier and secret to access the OIDC provider.
    4. The metadata URL of the OIDC provider's discovery endpoint. The metadata URL is typically the issuer endpoint concatenated with the path /.well-known/openid-configuration. For example, if the issuer ID is https://idp.example.com/adfs/, the metadata URL will be https://idp.example.com/adfs/.well-known/openid-configuration.
    5. Scopes that define what user identity data will be shared by the OIDC provider during authentication.

      The scopes allatclaims and openid are mandatory for Microsoft AD FS providers.

    6. Select Verify SSL if you want the client to validate the server's SSL/TLS certificate when establishing a connection.

    7. Specify the timeout for sending requests to the identity provider, in seconds. The default value is 5.

  4. In the Grant types section, choose between Implicit Flow and Authorization Code Flow:

    • Implicit Flow with Form Post is a simplified version of the Authorization Code Flow. The communication with the OIDC provider API is performed on the client side. Virtuozzo Hybrid Infrastructure only validates the token's signature.

      This grant type is recommended for login-only use cases.

    • With Authorization Code Flow, users obtain an access token to the OIDC provider API and use it to retrieve the user identity data with an extra backend call from Virtuozzo Hybrid Infrastructure.

      Use this grant type if the identity provider does not support Implicit Flow with Form Post.

  5. In the Mapping section, you can either create mapping rules manually or automatically from a mapping file:

  6. Click Add.

Command-line interface

Use the following command:

vinfra domain idp create --domain <domain> --issuer <issuer> --scope <scope>
                         [--response-type <response-type>] [--metadata-url <metadata-url>]
                         [--client-id <client-id>] [--client-secret <client-secret>]
                         [--mapping <path>] [--enable] [--disable] [--request-timeout <seconds>]
                         [--verify-ssl | --dont-verify-ssl] <name>
--domain <domain>
Domain name or ID
--issuer <issuer>
Identity provider issuer
--scope <scope>

Scope that define what user identity data will be shared by the identity provider during authentication.

The scopes allatclaims and openid are mandatory for Microsoft AD FS providers.

--response-type <response-type>

Response type to be used in the authorization flow:

  • code: use the Authorization Code Flow
  • id_token: use the Implicit Flow
--metadata-url <metadata-url>
Metadata URL of the identity provider's discovery endpoint
--client-id <client-id>
Client ID to access the identity provider
--client-secret <client-secret>
Client secret to access the identity provider
--mapping <path>

Path to the mapping configuration file.

A mapping file may look as follows:

# cat mapping.json
[
    {
        "local": [
            {
                "user": {
                    "name": "{0}"
                },
                "group": {
                    "name":"users"
                }
            }
        ],
        "remote": [{"type": "email"}]
    }
]

In this example, all users that have the attribute email will be mapped to the group users within the default domain. For details on creating a mapping file, refer to the OpenStack documentation.

--enable
Enable identity provider
--disable
Disable identity provider
--verify-ssl
Enable identity provider endpoints SSL verification
--dont-verify-ssl
Disable identity provider endpoints SSL verification
--request-timeout <seconds>
Identity provider API request timeout (default: 5)
<name>
Identity provider name

For example, to add an identity provider with the name My ADFS within the mydomain domain, run:

# vinfra domain idp create --domain mydomain --issuer https://idp.example.com/adfs/ \
--scope "allatclaims openid email" --client-id xxx --client-secret xxx --mapping mapping.json "My ADFS"

The added identity provider will appear in the vinfra domain idp list output:

# vinfra domain idp list --domain mydomain
+-------------+---------+-------------------------------+--------------------------+-----------+
| id          | name    | issuer                        | scope                    | domain_id |
+-------------+---------+-------------------------------+--------------------------+-----------+
| df5a54ce<…> | My ADFS | https://idp.example.com/adfs/ | allatclaims openid email | 36f454<…> |
+-------------+---------+-------------------------------+--------------------------+-----------+