Janssen Inbound Identity
pujavs edited this page Sep 28, 2023 · 3 revisions
Janssen (Jans) Inbound SAML allows users of enterprise customers to authenticate at their home IDP and then access Janssen-protected resources. Jans and the customer's Identity Provider establish the trust relationship by exchanging their respective SAML metadata (entity IDs, endpoints and signing certificates).
End-to-end flow (KC is Keycloak acting as the Identity Broker; Jans Auth Server is an OpenID Connect client of KC, and KC is a SAML Service Provider to the customer's IDP):

```mermaid
sequenceDiagram
autonumber 1
title Inbound Identity
Person->Browser: 1.
Browser->Website: 2.
Website<->Jans Auth Server: 3. Discovery
Jans Auth Server->Browser: 4. Redirect /authz?client_id=... acr_values=inbound_identity&idp=myIDP
Browser->KC: 5.
KC->Browser: 6. SAML Authn Request
Browser->SAML IDP: 7.
SAML IDP->Browser: 8. login page
Person->Browser: 9. enter creds
Browser->SAML IDP: 10.
SAML IDP->SAML IDP: 11. Validate creds
SAML IDP->Browser: 12.
Browser->KC: 13. SAML Assertion
KC->Browser: 14.
Browser->Jans Auth Server: 15. OpenID Authn Response: code + state
Jans Auth Server->KC: 16. /token?code=...
KC->Jans Auth Server: 17. KC id_token, AT1
Jans Auth Server->Jans Auth Server: 18. Validate KC id_token;<br/>Add user to Jans DB?
Jans Auth Server->Browser: 19.
Browser->Website: 20. code
Website->Jans Auth Server: 21. /token?code=...
Jans Auth Server->Website: 22. id_token, AT2
Website->Jans Auth Server: 23. /userinfo
Jans Auth Server->Website: 24. user claims JWT
Website->Website: 25. Validate JWT<br/>Create app session
```
- Supported inbound protocol: SAML v2.0
Janssen Inbound SAML comprises the following components:
- Jans Server
- Jans Config API
- Janssen Identity Broker (Keycloak)
The existing saml-plugin of Jans Config API will expose new endpoints for creating and managing Identity Providers. Under the hood the plugin calls the Keycloak Admin REST API to configure the IDP in the Keycloak server that acts as the Identity Broker, so the attributes below mirror Keycloak's identity-provider representation.
Key attributes of Identity Provider:
| Name | Type | Description |
|---|---|---|
| id | String | Unique ID of the identity provider. |
| redirectUri | String | The redirect URI to use when configuring the identity provider at the remote IDP (the SAML Assertion Consumer Service URL). |
| alias | String | Uniquely identifies an identity provider; it is also used to build the redirect URI. |
| displayName | String | Friendly name for the identity provider. |
| displayOrder | Number | Order of the providers in the GUI (for example, on the login page). The lowest number is applied first. |
| enabled | Boolean | True to enable the identity provider. |
| identityProviderMapper | String | Identity provider mapper. |
| config | Map of String to String | Identity provider config properties. |
Note: more details to be added (WIP).
- POST: Creates an identity provider in the provided realm.
- GET: Fetches an identity provider.
- PUT: Updates identity provider details.
- DELETE: Deletes an identity provider.
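As an added illustration of the attribute table and the POST operation above (not code from the saml-plugin or from Keycloak), the Python below builds an identity-provider record from those attributes, derives `redirectUri` from `alias` the way Keycloak's broker endpoint does (`/realms/{realm}/broker/{alias}/endpoint`), rejects weak SAML settings before anything is sent, and shapes the request for Keycloak's Admin REST API (`POST /admin/realms/{realm}/identity-provider/instances`). The base URL, realm, alias pattern and sample config are assumed; the config keys follow Keycloak's SAML identity-provider configuration and should be checked against the deployed Keycloak version.

```python
import json
import re
import urllib.request

# Constructed values for this example only.
KC_BASE = "https://kc.example.com"   # assumed Keycloak base URL
REALM = "jans"                       # assumed realm that brokers inbound logins
ALIAS_RE = re.compile(r"^[A-Za-z0-9._-]+$")  # assumed: alias must stay URL-path safe


def broker_redirect_uri(kc_base: str, realm: str, alias: str) -> str:
    """redirectUri is derived from alias: Keycloak's broker endpoint for that IdP."""
    return f"{kc_base}/realms/{realm}/broker/{alias}/endpoint"


def check_saml_config(config: dict) -> list:
    """Weak-setting findings for a SAML IdP config map (Keycloak config keys).
    An empty list means the config passed."""
    findings = []
    if not config.get("singleSignOnServiceUrl", "").startswith("https://"):
        findings.append("singleSignOnServiceUrl must be an https URL")
    if config.get("validateSignature") != "true":
        findings.append("validateSignature must be 'true'; otherwise anyone can forge assertions")
    elif not config.get("signingCertificate"):
        findings.append("validateSignature is set but signingCertificate is empty")
    if config.get("wantAssertionsSigned") != "true":
        findings.append("wantAssertionsSigned should be 'true'")
    return findings


def build_identity_provider(alias: str, display_name: str, config: dict,
                            display_order: int = 0, enabled: bool = True) -> dict:
    """Builds the identity-provider record from the attributes in the table above.
    id is assigned on creation, so it is not set here."""
    if not ALIAS_RE.match(alias):
        raise ValueError("alias is used in the redirect URI; keep it URL-path safe")
    problems = check_saml_config(config)
    if problems:
        raise ValueError("refusing weak IdP configuration: " + "; ".join(problems))
    return {
        "alias": alias,
        "redirectUri": broker_redirect_uri(KC_BASE, REALM, alias),
        "displayName": display_name,
        "displayOrder": display_order,
        "enabled": enabled,
        "config": dict(config),
    }


def build_create_request(admin_token: str, idp: dict) -> dict:
    """The POST the plugin side would send to Keycloak's Admin REST API.
    providerId "saml" selects Keycloak's SAML v2.0 broker. displayOrder stays in
    the Jans-side record; this page does not say how the plugin maps it onto
    Keycloak, so it is deliberately not sent."""
    return {
        "method": "POST",
        "url": f"{KC_BASE}/admin/realms/{REALM}/identity-provider/instances",
        "headers": {"Authorization": f"Bearer {admin_token}",
                    "Content-Type": "application/json"},
        "body": {
            "alias": idp["alias"],
            "displayName": idp["displayName"],
            "providerId": "saml",
            "enabled": idp["enabled"],
            "config": idp["config"],
        },
    }


def send(request: dict) -> int:
    """Sends a built request; returns the HTTP status (Keycloak answers 201 on create)."""
    req = urllib.request.Request(request["url"], method=request["method"],
                                 headers=request["headers"],
                                 data=json.dumps(request["body"]).encode())
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample config: not a real IdP; the certificate is a placeholder.
    sample = {
        "singleSignOnServiceUrl": "https://idp.example.org/saml/sso",
        "idpEntityId": "https://idp.example.org/saml/metadata",
        "validateSignature": "true",
        "signingCertificate": "MIIC...placeholder...",
        "wantAssertionsSigned": "true",
        "nameIDPolicyFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    }
    idp = build_identity_provider("myIDP", "Example Corp IdP", sample, display_order=1)
    print(json.dumps(build_create_request("<admin-token>", idp)["body"], indent=2))
```

The `redirectUri` the function derives is the value the enterprise customer needs when registering Keycloak as a Service Provider at their IDP; the `check_saml_config` gate matters because a broker that accepts unsigned assertions, or validates them against no certificate, lets any party who can reach the broker endpoint log in as any user.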