import { Component } from '../../lib/vues6/vues6.js'
import { resource_service } from '../service/Resource.service.js'
import { location_service } from '../service/Location.service.js'
import { session } from '../service/Session.service.js'

const template = `
This wizard will walk you through setting up a new application to integrate with {{ app_name }}. This will allow you to grant {{ app_name }} users access to this application.
{{ app_name }} supports 3 different authentication schemas. The application you are setting up will need to support one of the following:
OAuth2
SAML2.0
LDAP
If the application supports any of these, it can be integrated with {{ app_name }} to provide single sign-on. All of these methods support {{ app_name }}'s IAM policy, but OAuth2 and SAML2.0 are preferred, because they support a web-based login flow. To get started, enter the application name and identifier:
An app's identifier is how it is referenced in IAM configurations. It should preferably be all lowercase alphanumeric characters with underscores.
We're going to create an OAuth2 client for {{ name }}. This client will hold the credentials that {{ name }} will use to authenticate users against {{ app_name }}'s API.
By default, the OAuth2 client will be able to fetch information about individual users and groups. You can adjust this in the future by navigating to the OAuth2 Clients page.
Please provide the OAuth2 callback URL. This is where {{ app_name }} will redirect users after they have been authenticated.
{{ app_name }} only supports the authorization_code grant type.
We're going to register {{ name }} as a SAML2.0 service provider. This will allow it to interface with {{ app_name }}.
To do this, you need to provide {{ name }}'s entity ID, assertion consumer service URL, and single-logout URL (if supported).
Entity ID:
Success! {{ name }} was added to {{ app_name }}'s records, and a SAML2.0 service provider was created.
The next step is to configure {{ name }} to redirect users to {{ app_name }} to log on. Here's some information on getting it set up:
{{ app_name }} is the SAML2.0 identity provider in this case. To set it up, you'll need the following info:
Metadata URL: {{ make_url('/saml/metadata.xml') }}
Single sign-on URL: {{ make_url('/saml/sso') }}
Single-logout URL: {{ make_url('/saml/logout') }}
We're going to register {{ name }} as an LDAP auth client. To do this, you'll need to specify an LDAP username and password that {{ name }} will use to authenticate users.
Username:
Success! {{ name }} was added to {{ app_name }}'s records, and an LDAP client was created.
The next step is to configure {{ name }} to use {{ app_name }} to log on. Here's some information on getting it set up:
If {{ name }} requires a bind user to query the LDAP server against, you can use these credentials:
Host: {{ host }}
Bind DN: {{ ldap_config.login_field }}={{ ldap_username }},{{ ldap_config.authentication_base }},{{ ldap_config.base_dc }}
User search base: {{ ldap_config.authentication_base }},{{ ldap_config.base_dc }}
Group search base: {{ ldap_config.group_base }},{{ ldap_config.base_dc }}
User search filter: (&(objectClass=inetOrgPerson)(iamTarget={{ app.id }})({{ ldap_config.login_field }}=username_substituted_here))
Groups are made available in a manner compatible with OpenLDAP's memberOf overlay. That means that groups are objectClass: groupOfNames and can be found in the memberOf attribute of the user object. Groups have the form cn=group_name,{{ ldap_config.group_base }},{{ ldap_config.base_dc }}.
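The DN, search-base and filter conventions described above, as an added example (not code from this wizard or its project): it builds the bind DN and the per-user search filter from a constructed ldap_config, escapes the substituted username per RFC 4515 so a login name containing filter metacharacters cannot change the filter's structure, and reads group names out of memberOf values while ignoring DNs outside the configured group base. The sample config, app id and bind username are constructed stand-ins for the template's placeholders.

```javascript
// Added example, not part of the wizard component. Constructed stand-ins for
// the template's ldap_config, ldap_username and app.id placeholders:
const SAMPLE_LDAP_CONFIG = {
  login_field: 'uid',
  authentication_base: 'ou=users',
  group_base: 'ou=groups',
  base_dc: 'dc=example,dc=com',
};
const SAMPLE_APP_ID = 'app-1234';      // stand-in for {{ app.id }}
const SAMPLE_BIND_USER = 'svc_myapp';  // stand-in for {{ ldap_username }}

// RFC 4515 escaping for a value placed inside a search filter: backslash,
// '*', '(', ')' and NUL become \xx hex escapes.
function escapeLdapFilterValue(value) {
  return String(value).replace(/[\\*()\u0000]/g, (ch) =>
    '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Bind DN in the form the wizard shows:
//   {{ login_field }}={{ ldap_username }},{{ authentication_base }},{{ base_dc }}
// The bind username is admin-supplied configuration, not end-user input.
function buildBindDn(cfg, bindUsername) {
  return `${cfg.login_field}=${bindUsername},${cfg.authentication_base},${cfg.base_dc}`;
}

function buildUserSearchBase(cfg) {
  return `${cfg.authentication_base},${cfg.base_dc}`;
}

function buildGroupSearchBase(cfg) {
  return `${cfg.group_base},${cfg.base_dc}`;
}

// The wizard's user search filter with the end-user's login name substituted
// for "username_substituted_here", escaped so it stays a single assertion.
function buildUserFilter(cfg, appId, username) {
  return `(&(objectClass=inetOrgPerson)(iamTarget=${escapeLdapFilterValue(appId)})` +
    `(${cfg.login_field}=${escapeLdapFilterValue(username)}))`;
}

// Group names from memberOf values of the form
// cn=group_name,{{ group_base }},{{ base_dc }}. DNs that do not sit directly
// under the configured group base are skipped rather than trusted.
function groupNamesFromMemberOf(cfg, memberOfValues) {
  const suffix = ',' + buildGroupSearchBase(cfg);
  const names = [];
  for (const dn of memberOfValues) {
    if (!dn.toLowerCase().endsWith(suffix.toLowerCase())) continue;
    const rdn = dn.slice(0, dn.length - suffix.length);
    if (!rdn.toLowerCase().startsWith('cn=')) continue;
    names.push(rdn.slice(3));
  }
  return names;
}

// Usage with constructed values:
console.log(buildBindDn(SAMPLE_LDAP_CONFIG, SAMPLE_BIND_USER));
console.log(buildUserSearchBase(SAMPLE_LDAP_CONFIG));
console.log(buildUserFilter(SAMPLE_LDAP_CONFIG, SAMPLE_APP_ID, 'alice'));
console.log(buildUserFilter(SAMPLE_LDAP_CONFIG, SAMPLE_APP_ID, '*)(uid=*'));
console.log(groupNamesFromMemberOf(SAMPLE_LDAP_CONFIG, [
  'cn=admins,ou=groups,dc=example,dc=com',
  'cn=other,ou=elsewhere,dc=example,dc=com',
]));
```

The escaping matters on the client side: the wizard's filter has the username interpolated at a fixed position, and a client that substitutes it verbatim hands the end user control over the rest of the filter.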
{{ app_name }}'s built-in LDAP server provides the minimum-viable level of functionality required to authenticate users. That means it sometimes lacks features that more sophisticated LDAP clients expect.
Here are a few settings to tweak:
gecos (this is the full name of the user)
mail
{{ ldap_config.login_field }}
cn
Success! {{ name }} was added to {{ app_name }}'s records, and an OAuth2 client was created.
The next step is to configure {{ name }} to redirect users to {{ app_name }} to log on. Here's some information on getting it set up:
First, redirect the user to {{ app_name }}. Configure {{ name }} to use this URL:
{{ make_url('/auth/service/oauth2/authorize') }}?client_id={{ oauth_client.uuid }}&redirect_uri={{ oauth_client.redirect_url }}
Once the user authenticates successfully, {{ app_name }} will redirect them back to {{ name }}.
Once the user is redirected back, {{ name }} will be given an authorization code which can be redeemed for a bearer token.
To redeem this code, {{ name }} should make a POST request to:
{{ make_url('/auth/service/oauth2/redeem') }}
It should have the following body fields:
code - the authorization code that was returned
client_id - {{ oauth_client.uuid }}
client_secret - {{ oauth_client.secret }}
grant_type - authorization_code
This will return an access_token that can be used to fetch user information from the {{ app_name }} API.
Once the auth code has been redeemed for a bearer token, that token can be used to make requests to the {{ app_name }} API.
Primarily, it can be used to fetch user information by making a GET request to the following URL:
{{ make_url('/api/v1/auth/users/me') }}
and including the bearer token in the headers like so: Authorization: Bearer AbCdEf124
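The authorization_code flow laid out above, as an added example written from the integrating application's side (this is not the wizard's or the project's code). The paths /auth/service/oauth2/authorize, /auth/service/oauth2/redeem and /api/v1/auth/users/me, the four body fields and the Authorization header are the ones the wizard lists; everything else is an assumption: the base host, the client id and secret values, the JSON encoding of the redeem body (the wizard does not say how the fields are encoded), and the shape of the JSON responses. An offline stand-in for fetch plays the identity provider so the flow runs without a network.

```javascript
// Added example, not part of the wizard component.
// Constructed stand-ins for the template's placeholders:
const SAMPLE = {
  baseUrl: 'https://idp.example.com',                       // host behind make_url (assumed)
  clientId: 'CLIENT_UUID_PLACEHOLDER',                      // {{ oauth_client.uuid }}
  clientSecret: 'CLIENT_SECRET_PLACEHOLDER',                // {{ oauth_client.secret }}; server-side only
  redirectUri: 'https://myapp.example.org/oauth/callback',  // {{ oauth_client.redirect_url }}
};

// Step 1: the URL the user is redirected to. Both values are URL-encoded
// here; the wizard shows them interpolated directly.
function buildAuthorizeUrl(cfg) {
  const url = new URL('/auth/service/oauth2/authorize', cfg.baseUrl);
  url.searchParams.set('client_id', cfg.clientId);
  url.searchParams.set('redirect_uri', cfg.redirectUri);
  return url.toString();
}

// Step 2: redeem the code with the four body fields the wizard lists.
// JSON encoding is an assumption; the real endpoint may expect a form body.
async function redeemAuthorizationCode(cfg, code, fetchImpl) {
  const res = await fetchImpl(new URL('/auth/service/oauth2/redeem', cfg.baseUrl).toString(), {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      code,
      client_id: cfg.clientId,
      client_secret: cfg.clientSecret,
      grant_type: 'authorization_code',
    }),
  });
  if (!res.ok) throw new Error(`redeem failed: HTTP ${res.status}`);
  const data = await res.json();
  if (typeof data.access_token !== 'string' || data.access_token === '') {
    throw new Error('redeem response missing access_token');
  }
  return data.access_token;
}

// Step 3: call the API with "Authorization: Bearer <token>".
async function fetchCurrentUser(cfg, accessToken, fetchImpl) {
  const res = await fetchImpl(new URL('/api/v1/auth/users/me', cfg.baseUrl).toString(), {
    method: 'GET',
    headers: { Authorization: `Bearer ${accessToken}` },
  });
  if (!res.ok) throw new Error(`user lookup failed: HTTP ${res.status}`);
  return res.json();
}

// Offline stand-in for fetch acting as the identity provider: one constructed
// authorization code, redeemable exactly once with matching client
// credentials, and a bearer-token check on the API path.
function makeFakeIdp() {
  const codes = new Map([['CODE_FROM_CALLBACK', { token: 'AbCdEf124', used: false }]]);
  const tokens = new Set(['AbCdEf124']);
  const reply = (status, body) => ({ ok: status >= 200 && status < 300, status, json: async () => body });
  return async (url, init = {}) => {
    const { pathname } = new URL(url);
    if (pathname === '/auth/service/oauth2/redeem' && init.method === 'POST') {
      const b = JSON.parse(init.body);
      const entry = codes.get(b.code);
      if (!entry || entry.used || b.grant_type !== 'authorization_code' ||
          b.client_id !== SAMPLE.clientId || b.client_secret !== SAMPLE.clientSecret) {
        return reply(400, { error: 'invalid_grant' });
      }
      entry.used = true; // an authorization code is single-use
      return reply(200, { access_token: entry.token });
    }
    if (pathname === '/api/v1/auth/users/me') {
      const auth = init.headers && init.headers.Authorization;
      const tok = auth && auth.startsWith('Bearer ') ? auth.slice(7) : null;
      return tokens.has(tok) ? reply(200, { username: 'alice' }) : reply(401, { error: 'unauthorized' });
    }
    return reply(404, {});
  };
}

// Steps 2 and 3 end to end against the stand-in; returns what a real
// callback handler would have after login.
async function demoLoginFlow(fetchImpl = makeFakeIdp()) {
  const token = await redeemAuthorizationCode(SAMPLE, 'CODE_FROM_CALLBACK', fetchImpl);
  const me = await fetchCurrentUser(SAMPLE, token, fetchImpl);
  return { token, username: me.username };
}

console.log(buildAuthorizeUrl(SAMPLE));
demoLoginFlow().then((r) => console.log(r));
```

The redeem call carries client_secret, so it belongs on the application's server, never in browser-side code; the stand-in also refuses a second redemption of the same code, which is the behaviour an integrator should expect from the real endpoint.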
To test out the API integration, you can generate API tokens for {{ name }}. You can do that by clicking on the User Menu > API Tokens.