
Janssen Inbound Identity

pujavs edited this page Sep 28, 2023 · 3 revisions

Overview

Janssen (Jans) Inbound SAML allows users from enterprise customers to authenticate at their home IDP and access Janssen resources. Jans and the Identity Provider establish a trust relationship by exchanging their respective metadata.

Sample Flow

```mermaid
sequenceDiagram
autonumber 1
    title Inbound Identity

    Person->Browser: 1.
    Browser->Website: 2.
    Website<->Jans Auth Server: 3. Discovery
    Jans Auth Server->Browser: 4. Redirect /authz?client_id=... acr_values=inbound_identity&idp=myIDP
    Browser->KC: 5.
    KC->Browser: 6. SAML Authn Request
    Browser->SAML IDP: 7.
    SAML IDP->Browser: 8. login page
    Person->Browser: 9. enter creds
    Browser->IDP: 10.
    IDP->IDP: 11. Validate creds
    IDP->Browser: 12.
    Browser->KC: 13. SAML Assertion
    KC->Browser: 14.
    Browser->Jans Auth Server: 15. OpenID Authn Response:  code + state
    Jans Auth Server->KC: 16. /token?code=...
    KC->Jans Auth Server: 17. KC id_token, AT1
    Jans Auth Server->Jans Auth Server: 18. Validate KC id_token;\nAdd user to Jans DB?
    Jans Auth Server->Browser: 19.
    Browser->Website: 20. code
    Website->Jans Auth Server: 21. /token?code=...
    Jans Auth Server->Website: 22. id_token, AT2
    Website->Jans Auth Server: 23. /userinfo
    Jans Auth Server->Website: 24. user claims JWT
    Website->Website: 25. Validate JWT\nCreate app session
```
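The checks the diagram leaves implicit at steps 4, 15/20, 18 and 25 are the ones that make the broker chain safe: the website must bind the callback to the `state` it issued, and every consumer of an id_token (the Jans Auth Server for Keycloak's token, the website for Jans' token) must verify signature, issuer, audience, expiry and nonce before trusting any claim. The following is an added, self-contained simulation of the website side of that flow; it is not Janssen or Keycloak code. The issuer, client id, redirect URI and `/authz` path are constructed from the diagram, and the HMAC signing key stands in for the RS256 keys a real deployment publishes via JWKS.

```python
"""Simulated website side of the inbound-identity flow (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

JANS_ISSUER = "https://jans.example.test"           # constructed value
CLIENT_ID = "website-client"                         # constructed value
REDIRECT_URI = "https://website.example.test/cb"     # constructed value
DEMO_KEY = b"demo-signing-key-not-for-production"    # stand-in for the real JWKS key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_authz_request(idp_alias: str):
    """Step 4: authorization request that routes the user to the named broker IDP.
    Returns the URL plus the state and nonce the website must remember."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "acr_values": "inbound_identity",   # selects the inbound-identity script
        "idp": idp_alias,                   # which broker IDP to use
        "state": state,
        "nonce": nonce,
    }
    return f"{JANS_ISSUER}/authz?{urlencode(params)}", state, nonce


def check_callback(callback_url: str, expected_state: str) -> str:
    """Steps 15/20: release the code only if state matches what we issued."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    if "error" in q:
        raise ValueError(q["error"][0])
    return q["code"][0]


def sign_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 JWT; plays the role of the token endpoint in this simulation."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_id_token(token: str, issuer: str, audience: str, nonce: str,
                      key: bytes = DEMO_KEY, now=None) -> dict:
    """Steps 18 and 25: signature first, then iss/aud/exp/nonce, then trust the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":            # never honour 'none' or an unexpected alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims


def is_rejected(fn, *args, **kwargs) -> bool:
    """True if the check raises ValueError (used to exercise the negative paths)."""
    try:
        fn(*args, **kwargs)
        return False
    except ValueError:
        return True


def run_demo() -> dict:
    """Walk the website's part of the flow against a simulated Jans Auth Server."""
    url, state, nonce = build_authz_request("myIDP")
    assert "acr_values=inbound_identity" in url and "idp=myIDP" in url
    # steps 5-19 happen at KC, the SAML IDP and Jans; step 20 is the callback
    code = check_callback(f"{REDIRECT_URI}?code=demo-code&state={state}", state)
    assert code == "demo-code"
    # step 22: simulated token response carrying the user's claims
    id_token = sign_jwt({"iss": JANS_ISSUER, "aud": CLIENT_ID, "sub": "user@home-idp",
                         "nonce": nonce, "exp": int(time.time()) + 300})
    return validate_id_token(id_token, JANS_ISSUER, CLIENT_ID, nonce)


if __name__ == "__main__":
    print(run_demo())
```

The same `validate_id_token` logic applies at step 18 with Keycloak's issuer and the Jans-side client id; the only production difference is that the key comes from the issuer's JWKS and `alg` is pinned to the asymmetric algorithm the deployment expects.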

Currently supported protocols

  • SAML v2.0

Components

Janssen Inbound SAML comprises the following components:

  • Jans Server
  • Jans Config Api
  • Janssen Identity Broker

Jans Config Api

The existing saml-plugin will expose new endpoints for creating and managing Identity Providers. The Keycloak API will be leveraged to configure the IDP in the Keycloak server, which acts as the Identity Broker.

Key attributes of Identity Provider:

| Name | Type | Description |
|------|------|-------------|
| id | String | Unique ID of the identity provider. |
| redirectUri | String | The redirect URI to use when configuring the identity provider. |
| alias | String | The alias uniquely identifies an identity provider and is also used to build the redirect URI. |
| displayName | String | Friendly name for the identity provider. |
| displayOrder | Number | Number defining the order of the providers in the GUI (for example, on the login page). The lowest number is applied first. |
| enabled | Boolean | True to enable the identity provider. |
| identityProviderMapper | String | Identity provider mapper. |
| config | Map of [String] | Identity provider config properties. |

Note: To add more details - WIP

Config Api Endpoints

  • POST: Creates an identity provider in the provided realm.
  • GET: Fetches an identity provider.
  • PUT: Updates identity provider details.
  • DELETE: Deletes an identity provider.
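Because the alias ends up in the broker callback URL and the `config` map is handed straight to Keycloak, the Config API is the natural place to reject bad identity-provider definitions before they reach the broker. The following validator is an added example, not the saml-plugin's own code, and covers both the attribute table and the POST/PUT endpoints above: field names and types come from the table; the alias character rule, the Keycloak broker callback path (`/realms/{realm}/broker/{alias}/endpoint`), the realm name and the requirement that SAML signature validation be switched on are assumptions of this example. `singleSignOnServiceUrl` and `validateSignature` are Keycloak SAML identity-provider config keys.

```python
"""Validate an identity-provider payload before POST/PUT to the Config API (added example)."""
import re
from urllib.parse import urlparse

# Assumed alias rule: lowercase, digits, hyphens; it is embedded in a URL path.
ALIAS_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,62}$")

# name -> (python type, required), taken from the attribute table
FIELDS = {
    "id": (str, False),
    "redirectUri": (str, False),
    "alias": (str, True),
    "displayName": (str, True),
    "displayOrder": (int, False),
    "enabled": (bool, True),
    "identityProviderMapper": (str, False),
    "config": (dict, True),
}


def broker_redirect_uri(base_url: str, realm: str, alias: str) -> str:
    """Keycloak broker endpoint for an alias (assumed layout)."""
    return f"{base_url.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"


def _is_https(url: str) -> bool:
    p = urlparse(url)
    return p.scheme == "https" and bool(p.netloc)


def validate_idp(payload: dict, base_url: str, realm: str):
    """Return (normalized_payload, errors); an empty error list means safe to send."""
    errors = []
    for name in payload:
        if name not in FIELDS:
            errors.append(f"unknown field {name!r}")
    for name, (typ, required) in FIELDS.items():
        if name not in payload:
            if required:
                errors.append(f"missing required field {name!r}")
            continue
        val = payload[name]
        # bool is a subclass of int, so a bool displayOrder must be caught explicitly
        if not isinstance(val, typ) or (typ is int and isinstance(val, bool)):
            errors.append(f"{name!r} must be {typ.__name__}")
    if errors:
        return None, errors

    alias = payload["alias"]
    alias_ok = bool(ALIAS_RE.match(alias))
    if not alias_ok:
        errors.append("alias must be lowercase letters, digits and hyphens")

    cfg = payload["config"]
    if not all(isinstance(k, str) and isinstance(v, str) for k, v in cfg.items()):
        errors.append("config must map strings to strings")
    sso = cfg.get("singleSignOnServiceUrl")
    if sso is not None and not _is_https(sso):
        errors.append("singleSignOnServiceUrl must be an https URL")
    # Policy of this example: the broker must verify SAML signatures from the IDP.
    if str(cfg.get("validateSignature", "false")).lower() != "true":
        errors.append("validateSignature must be 'true'")

    expected = broker_redirect_uri(base_url, realm, alias) if alias_ok else None
    given = payload.get("redirectUri")
    if given is not None and given != expected:
        errors.append(f"redirectUri must be {expected}")
    if errors:
        return None, errors

    normalized = dict(payload)
    normalized["redirectUri"] = expected   # derived from alias, never trusted from input
    normalized.setdefault("displayOrder", 0)
    return normalized, []


if __name__ == "__main__":
    sample = {  # constructed sample payload
        "alias": "acme-saml",
        "displayName": "Acme Corp",
        "enabled": True,
        "config": {"singleSignOnServiceUrl": "https://idp.acme.test/sso",
                   "validateSignature": "true"},
    }
    print(validate_idp(sample, "https://kc.example.test", "jans"))
```

On a PUT the same function runs against the merged object, so an update cannot change the alias to one that no longer matches the registered redirect URI.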