OpenID Authentication.
NetworkMaps can now be integrated with your existing Identity and Access Management (IAM) infrastructure. This is done using OpenID Connect. In this model, users and user authentication are no longer managed by NetworkMaps, but by your existing IAM infrastructure.
How it works.
Once OpenID is configured, NetworkMaps will start depending on your IAM server to authenticate your users.
- When a user accesses NetworkMaps and is not already authenticated, NetworkMaps redirects them to the IAM infrastructure to log in.
- Users won't be able to change their passwords or profile data from the NetworkMaps user interface.
Configuration.
There is a set of parameters needed for NetworkMaps to be able to talk to your IAM infrastructure using OpenID. For placement of these parameters, please check the config file documentation.
Sample Configuration File.
{
    "timers": {
        "ldap_grouprefresh": 40
    },
    "socket": {
        "address": "10.0.0.3",
        "port": 3000
    },
    "users": {
        "allowed_domains": ["networkmaps.org"],
        "authentication": "openid",
        "openid": {
            "client_id": "networkmaps",
            "auth_server_url": "https://iam.networkmaps.org/auth/realms/networkmaps",
            "secret": "a_secret_not_to_be_revealed_here"
        }
    }
}
Requirements/Limitations.
- NetworkMaps uses the Authorization Code Flow.
- For client authentication it supports only "client_secret_post". The secret is stored in the configuration file under the "secret" key. If this key is not present, NetworkMaps assumes the client is public and will not send client authentication.
- It requires the email and profile scopes (to get the user's email address as well as the name and family_name claims).
- IAM should support the following scopes: