@@ -1,7 +1,7 @@
# Identity Providers

These APIs allow the retrieval of configuration
of [identity-providers](../../topics/general-app-config/identity-providers/identity-providers.md) via a REST
of [identity-providers](../../topics/general-app-config/identity-providers/index.md) via a REST
API.

## Endpoints
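Review bot: retargeting this link from `identity-providers.md` to `index.md` sends readers of the REST API page to the new landing page instead of directly to the configuration page; that is reasonable now that a second page (the UJO one) lives under the same folder, but confirm `index.md` is the intended destination and not just a rename, since `identity-providers.md` still exists and is linked from the new index.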
@@ -105,32 +105,32 @@ Supported Identity Provider types: `TULIP`, `OAUTH`, `ID_BROKER`

JSON body parameters:

| Param | Idp type | Required | Description |
|------------------------------|--------------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| id | all | yes | Unique identifier for an Identity Provider. |
| name | all | yes | Unique name of an Identity Provider. |
| type | all | yes | Identity Provider type. <br/> Supported types: `TULIP`, `OAUTH`. |
| enabled | all | no | Specify whether an Identity Provider is enabled. <br/> Default value: `true`. |
| default | all | no | Specify whether an Identity Provider is default. <br/> Default value: `false`. |
| issuer_uri | TULIP | yes | Uri of the issuer. This URI will be used to read the OpenID Connect configuration. |
| client_id | TULIP, OAUTH | yes | Client identifier. |
| client_secret | TULIP, OAUTH | depends | Client secret. <br/> Required if client authentication method is `client_secret_basic` or `client_secret_post` |
| client_authentication_method | TULIP, OAUTH | no | Client authentication method. <br/> Supported values: `private_key_jwt`, `client_secret_basic`, `client_secret_post`. <br/> Default value is `private_key_jwt`. |
| scopes | TULIP, OAUTH | no | Space-separated scopes. |
| end_session_enabled | TULIP | no | Specify whether End Session integration is enabled for this Identity Provider. <br/> Default value: `false`. |
| integrations | TULIP | no | List of enabled integrations. <br/> Supported values: `APP_TO_WEB`, `UDH_API`. |
| tulip_api_client_id | TULIP | depends | Client identifier for Tulip API calls. <br/> Required when `APP_TO_WEB` or `UDH_API` integration is enabled. |
| tulip_api_client_secret | TULIP | depends | Client secret for Tulip API calls. <br/> Required when `APP_TO_WEB` or `UDH_API` integration is enabled and authentication method is `client_secret_basic` or `client_secret_post`. |
| tulip_api_base_url | TULIP | depends | This should be the base url of the Tulip brand without a trailing slash. UDH and App To Web will use this as a base for their urls. <br/> Required when `APP_TO_WEB` or `UDH_API` integration is enabled. |
| tulip_api_access_scope | TULIP | depends | Space-separated scopes for the required Tulip segments e.g. `iwelcome:segment:example`. <br/> Required when `APP_TO_WEB` or `UDH_API` integration is enabled. |
| tulip_api_used_auth_methods | TULIP | no | List of Auth Methods for the App to Web integration with Tulip e.g. `["SMS", "another"]`. <br/> Used when `APP_TO_WEB` integration is enabled. |
| authorization_url | OAUTH | yes | Oauth authorization endpoint. |
| token_url | OAUTH | yes | Oauth token endpoint. |
| profile_url | OAUTH | yes | OpenID Connect UserInfo endpoint. |
| user_info_enabled | OAUTH | no | Specify whether CIM's Person API is enabled for this Identity Provider. <br/> Default value: `false`. |
| user_info_endpoint | OAUTH | depends | Identity source URL. The URL of API that provides user's identity. Use `{userId}` placeholder for userId path param. e.g. https://host/api/persons/{userId}/profile <br/> Required when `user_info_enabled` is `true`. |
| user_info_username | OAUTH | depends | Identity source username. <br/> Required when `user_info_enabled` is `true`. |
| user_info_password | OAUTH | depends | Identity source password. <br/> Required when `user_info_enabled` is `true`. |
| Param | Idp type | Required | Description |
|------------------------------|-------------------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| id | all | yes | Unique identifier for an Identity Provider. |
| name | all | yes | Unique name of an Identity Provider. |
| type | all | yes | Identity Provider type. <br/> Supported types: `TULIP`, `OAUTH`. |
| enabled | all | no | Specify whether an Identity Provider is enabled. <br/> Default value: `true`. |
| default | all | no | Specify whether an Identity Provider is default. <br/> Default value: `false`. |
| issuer_uri | TULIP, UJO | yes | Uri of the issuer. This URI will be used to read the OpenID Connect configuration. |
| client_id | TULIP, OAUTH | yes | Client identifier. |
| client_secret | TULIP, OAUTH | depends | Client secret. <br/> Required if client authentication method is `client_secret_basic` or `client_secret_post` |
| client_authentication_method | TULIP, OAUTH, UJO | depends | Client authentication method. <br/> Supported values: `private_key_jwt`, `client_secret_basic`, `client_secret_post`. <br/> Default value is `private_key_jwt`. |
| scopes | TULIP, OAUTH | no | Space-separated scopes. |
| end_session_enabled | TULIP | no | Specify whether End Session integration is enabled for this Identity Provider. <br/> Default value: `false`. |
| integrations | TULIP, UJO | depends | List of enabled integrations. <br/> Supported values: `APP_TO_WEB`, `UDH_API`. UJO Identity Provider type requires `UDH_API` to be set. |
| tulip_api_client_id | TULIP, UJO | depends | Client identifier for Tulip API calls. <br/> Required when `APP_TO_WEB` or `UDH_API` integration is enabled. |
| tulip_api_client_secret | TULIP, UJO | depends | Client secret for Tulip API calls. <br/> Required when `APP_TO_WEB` or `UDH_API` integration is enabled and authentication method is `client_secret_basic` or `client_secret_post`. |
| tulip_api_base_url | TULIP, UJO | depends | This should be the base url of the Tulip brand without a trailing slash. UDH and App To Web will use this as a base for their urls. <br/> Required when `APP_TO_WEB` or `UDH_API` integration is enabled. |
| tulip_api_access_scope | TULIP, UJO | depends | Space-separated scopes for the required Tulip segments e.g. `iwelcome:segment:example`. <br/> Required when `APP_TO_WEB` or `UDH_API` integration is enabled. |
| tulip_api_used_auth_methods | TULIP | no | List of Auth Methods for the App to Web integration with Tulip e.g. `["SMS", "another"]`. <br/> Used when `APP_TO_WEB` integration is enabled. |
| authorization_url | OAUTH | yes | Oauth authorization endpoint. |
| token_url | OAUTH | yes | Oauth token endpoint. |
| profile_url | OAUTH | yes | OpenID Connect UserInfo endpoint. |
| user_info_enabled | OAUTH | no | Specify whether CIM's Person API is enabled for this Identity Provider. <br/> Default value: `false`. |
| user_info_endpoint | OAUTH | depends | Identity source URL. The URL of API that provides user's identity. Use `{userId}` placeholder for userId path param. e.g. https://host/api/persons/{userId}/profile <br/> Required when `user_info_enabled` is `true`. |
| user_info_username | OAUTH | depends | Identity source username. <br/> Required when `user_info_enabled` is `true`. |
| user_info_password | OAUTH | depends | Identity source password. <br/> Required when `user_info_enabled` is `true`. |

Example `TULIP` type request:

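Review bot: the `type` row still says `Supported types: \`TULIP\`, \`OAUTH\`.` although the rest of the rewritten table now documents `UJO` (and the surrounding context line also names `ID_BROKER`); update that row to the full list the server accepts. Two related inconsistencies in the same hunk: `client_authentication_method` gained `UJO` and its Required column changed from `no` to `depends`, yet the description still ends with `Default value is \`private_key_jwt\`.`, so either keep `no` with the default or state for which type it is mandatory; and `client_id` / `client_secret` remain `TULIP, OAUTH` only, while `tulip_api_client_secret` for `UJO` is "Required when ... authentication method is `client_secret_basic` or `client_secret_post`", so say whether that refers to `client_authentication_method` and whether a `UJO` provider has its own `client_id` at all. Since `client_secret`, `tulip_api_client_secret` and `user_info_password` are credentials, the conditions under which each must be supplied should be unambiguous.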
6 changes: 6 additions & 0 deletions docs/products/access/appendix/access-events.md
@@ -144,6 +144,7 @@
| AUTHN REQUEST LOGIN REQUIRED | The client has requested authentication without user interaction, but the user has no session or the identity provider does not support authentication without user interaction. |
| AUTHN REQUEST INTERACTION REQUIRED | The client has requested authentication without user interaction, and has authorized the application, but needs to be redirected elsewhere before authentication can be completed. |
| AUTHN REQUEST CONSENT REQUIRED | The client has requested authentication without user interaction, but the user has to give consent. |
| AUTHN REQUEST INVALID ACR VALUES | The configured identity provider returned acr_value other than requested. |
| TOKEN REQUEST INVALID | The access token request is missing one or more required fields. |
| TOKEN REQUEST INVALID REDIRECT URI | The provided redirect uri in the access token request does not match the configured redirect uri for the specified client. |
| TOKEN REQUEST INVALID GRANT | The access grant used to request an access token was expired or revoked. |
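Review bot: the new `AUTHN REQUEST INVALID ACR VALUES` description mixes names and reads awkwardly: the client sends `acr_values` in the request and the provider returns an `acr` claim. Suggest: "The configured identity provider returned an `acr` value that was not among the requested `acr_values`." It would also help to state the outcome (whether the authentication is rejected), since an unchecked `acr` mismatch would let a provider satisfy a step-up request with a weaker authentication.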
@@ -219,6 +220,11 @@
| ONEGINI IDP EXTERNAL IDPS FETCH FAILED | OneWelcome Access was unable to fetch the list of external identity providers that are configured in the [Consumer Identity Manager](https://docs-single-tenant.onegini.com/cim/stable/idp) application. |
| TULIP ACCESS TOKEN REQUEST FAILED | Request to Tulips `token` endpoint for API access token failed. |
| TULIP UDH REQUEST FAILED | Failed to get user data from Tulip's User Data Enhancer endpoint. |
| IDP UJO JOURNEY INITIALIZATION FAILED | An unexpected error occurred during User Journey Initialization. |
| IDP UJO INVALID TRANSACTION | Returned transaction identifier mismatches with the local state. |
| IDP UJO INVALID OR INCOMPLETE USER INFORMATION | The returned user id and/or id store type are missing or invalid. |
| IDP UJO FAILED TO FETCH JOURNEY RESULT | An unexpected error occurred while resolving the journey result. |
| IDP UJO FAILED TO USER INFO | An unexpected error occurred while resolving UserInfo. |
| SESSION TERMINATION ALL USER SESSIONS TERMINATED | All user sessions were ended. |
| SESSION TERMINATION USER SESSION TERMINATED | Particular user session was ended. |

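Review bot: `IDP UJO FAILED TO USER INFO` is missing a verb; the parallel entry two rows up is `IDP UJO FAILED TO FETCH JOURNEY RESULT`, so this should presumably read `IDP UJO FAILED TO FETCH USER INFO`. Check whether the typo exists only in the doc or also in the emitted event name before changing it, because event names are what detection rules match on. Wording in the same block: "Returned transaction identifier mismatches with the local state." should be "The returned transaction identifier does not match the local state.", and "The returned user id and/or id store type are missing or invalid." should be "The returned user ID and/or ID store type is missing or invalid.". For `IDP UJO INVALID TRANSACTION` it would help to say what is compared (for example the transaction identifier stored when the journey was initialised), since that check is what binds the journey result to the session that started it.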
@@ -0,0 +1,7 @@
# Identity Providers

User management is not present in OneWelcome Access. Instead, Access relies on external identity provider (IdP) integrations to
identify a user. It offers built-in support for various identity providers and also allows for the custom integrations.

* [Identity Providers configuration](identity-providers.md)
* [UJO Identity Provider configuration](ujo-integration.md)
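Review bot: minor wording in the new index page: "User management is not present in OneWelcome Access." reads better as "OneWelcome Access does not manage users itself.", and "allows for the custom integrations" should be "allows for custom integrations". Also, `ujo-integration.md` is linked here but is not shown in this view of the change (the file list failed to load); confirm it is part of the same change so the link does not dangle.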