translate5 / TRANSLATE-1457

translate5 as OpenID Connect client / run the same translate5 instance on different subdomains


Details

    Description

      Extend the small customer administration in the frontend by three fields:

      • domain
      • address of the OpenID Connect server. If the OpenID Connect server is filled, the domain must also be filled; the domain may be filled without an OpenID Connect server. If the domain is filled, translate5 can also be reached via it (provided Apache is additionally configured accordingly). For this domain, logins then run exclusively via the OpenID Connect server according to the scheme below.
      • If the OpenID Connect server field is filled, translate5 also offers a checkbox for each translate5 system role in the customer config GUI frontend. Roles that are checked are the ones the OpenID Connect server may set for a user during authentication (see below); roles that are not checked are never granted from the OpenID Connect server.

      Add a Zf (Zend Framework) configuration entry for a default OpenID Connect server, used when no customer-defined one exists. Logins are then redirected to the OpenID Connect server URL configured there.

      Scheme of the authentication through OpenID Connect

      1. User calls translate5
      2. If the user is already authenticated in translate5, the application loads as usual
      3. If the user is not authenticated yet in translate5:
        1. The user is forwarded to the OpenID Connect server
        2. If the user is already authenticated there, they are immediately redirected back to translate5 and automatically logged in
        3. If the user is not authenticated there, they see the login page of the OpenID Connect server. After a login there they are redirected to translate5 and logged in.
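The redirect and callback leg of this scheme, as an added example of what the translate5 side (the relying party) has to check before it trusts the login; this is not translate5 code. The issuer URL, client ID, shared secret and redirect URI are constructed placeholders, and the ID token is signed with HS256 purely so the example runs offline; a real client would fetch the server's JWKS and verify RS256/ES256 signatures instead. The checks that matter are the ones that stop a forged callback from logging someone in: state bound to the browser session, nonce bound to the token, and issuer, audience and expiry verified before any claim is used.

```python
"""Added example: OpenID Connect authorization-code flow, relying-party side.
Hypothetical names and values; not translate5 code."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the example (not a real deployment).
ISSUER = "https://idp.example.test"
CLIENT_ID = "translate5-demo"
CLIENT_SECRET = b"constructed-shared-secret"   # HS256 key shared with the IdP
REDIRECT_URI = "https://translate5.example.test/login/oidc/callback"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_url(session: dict) -> str:
    """Step 3.1: send the unauthenticated user to the IdP. state and nonce are
    stored server-side so the callback can be tied to this browser session."""
    session["oidc_state"] = secrets.token_urlsafe(16)
    session["oidc_nonce"] = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": session["oidc_state"],
        "nonce": session["oidc_nonce"],
    }
    return f"{ISSUER}/authorize?{urlencode(params)}"


def check_callback(session: dict, callback_url: str) -> str:
    """Steps 3.2/3.3: the IdP redirected back. Reject unless state matches the
    one issued for this session (CSRF / login-swap protection). Returns the code."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    expected = session.pop("oidc_state", None)      # single use
    if not expected or not hmac.compare_digest(state, expected):
        raise ValueError("state mismatch")
    if "error" in query:
        raise ValueError(f"IdP error: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code")
    return code


def verify_id_token(token: str, session: dict, now=None) -> dict:
    """Verify signature and claims of the ID token obtained for the code."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":                # never accept alg=none
        raise ValueError("unexpected alg")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected_sig = hmac.new(CLIENT_SECRET, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    nonce = session.pop("oidc_nonce", None)         # single use: stops replay
    if not nonce or not hmac.compare_digest(str(claims.get("nonce", "")), nonce):
        raise ValueError("nonce mismatch")
    return claims


def mint_id_token(claims: dict) -> str:
    """Helper playing the IdP for the demo: signs claims with the shared secret."""
    header_b64 = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url(sig)}"


if __name__ == "__main__":
    session = {}
    print(build_authorization_url(session))
    code = check_callback(session, f"{REDIRECT_URI}?code=abc123&state={session['oidc_state']}")
    token = mint_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "u1",
                           "exp": time.time() + 300, "nonce": session["oidc_nonce"]})
    print(code, verify_id_token(token, session)["sub"])
```

The token exchange itself (posting the code to the IdP's token endpoint over TLS) is omitted since it needs a network; the point is that everything the IdP hands back is checked against values the application itself generated before the user is treated as logged in.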

      Automatic creation of users in translate5 that exist in the OpenID Connect server

      The translate5 roles that the OpenID Connect server is allowed to grant access with must also be created on the OpenID Connect server.

      In the OpenID Connect server each user is assigned the desired translate5 roles.

      As soon as a user's login to translate5 through the OpenID Connect server succeeds, the following process chain runs:

      1. translate5 checks whether this user already exists in translate5.
      2. If yes:
        • for each role that the OpenID Connect server is allowed to set for users in translate5, it is checked whether this role is defined for the user in the OpenID Connect server, and the same roles are then set in translate5 (roles the OpenID Connect server is not allowed to set are left as they are)
        • if the user has no rights left in translate5 after these role changes, the user is logged out.
      3. If no:
        • for each role that the OpenID Connect server is allowed to set for users in translate5, it is checked whether this role is defined for the user in the OpenID Connect server
        • if at least one such role is defined, the user is created in translate5 with the roles set accordingly and is then logged in.
        • if none is, the user is logged out of translate5 again and no user is created.
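The process chain above as an added example, not translate5 code: the local user table, the claim name `roles` and the set of IdP-managed roles are constructed assumptions. It makes explicit the two security-relevant consequences of the spec: a role the customer did not tick in the config is never granted on the strength of an IdP claim (so a compromised or misconfigured IdP cannot hand out, say, admin), and a role assigned locally outside the managed set survives synchronisation untouched.

```python
"""Added example: role synchronisation after a successful OpenID Connect login.
Hypothetical data model; not translate5 code."""

# Roles the customer's OpenID Connect server is allowed to manage (the ticked
# checkboxes in the customer config). Anything else the IdP claims is ignored.
IDP_MANAGED_ROLES = {"editor", "pm"}


def roles_from_claims(claims: dict) -> set:
    """Roles the IdP asserts for this user, restricted to the managed set.
    The claim name 'roles' is an assumption; real IdPs use various names."""
    asserted = set(claims.get("roles", []))
    return asserted & IDP_MANAGED_ROLES


def sync_user(login: str, claims: dict, users: dict) -> dict:
    """Run the process chain for one login. `users` maps login -> set of roles
    and is updated in place; the returned dict says what the caller must do."""
    idp_roles = roles_from_claims(claims)
    if login in users:
        # Step 2: existing user. Replace only the IdP-managed roles and keep
        # the rest (e.g. a locally granted admin) exactly as they were.
        current = users[login]
        new_roles = (current - IDP_MANAGED_ROLES) | idp_roles
        users[login] = new_roles
        if not new_roles:
            return {"action": "updated-and-logged-out", "roles": set()}
        return {"action": "updated", "roles": set(new_roles)}
    # Step 3: unknown user. Create only if the IdP grants at least one managed
    # role; an IdP-only claim to an unmanaged role (e.g. admin) is not enough.
    if not idp_roles:
        return {"action": "rejected", "roles": set()}
    users[login] = set(idp_roles)
    return {"action": "created", "roles": set(idp_roles)}


if __name__ == "__main__":
    # Constructed local user table: login -> roles currently held.
    table = {"alice": {"editor", "admin"}, "bob": {"pm"}}
    print(sync_user("alice", {"roles": ["pm"]}, table), table["alice"])
    print(sync_user("bob", {"roles": []}, table))
    print(sync_user("carol", {"roles": ["admin"]}, table))
    print(sync_user("dave", {"roles": ["editor", "admin"]}, table), table["dave"])
```

Whether an unchecked role that the user already holds locally should survive, as it does here, or be revoked on first IdP login is a policy choice the spec does not settle; the example keeps it, which is the less surprising behaviour for a locally managed admin account.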

      Make it configurable whether OpenID Connect redirection is optional

      In the OpenID Connect server configuration add 2 more fields:

      • "Label": a display name for the OpenID Connect server, used in the login link below
      • A checkbox with the following text:
        "Do not show login page. Automatically redirect to OpenID Connect server if no user session in translate5 exists. If the checkbox is NOT checked, the user is shown a linked message 'Log in with XXXXXX' above the login form"
        where XXXXXX is replaced by the above label. In that case the redirection only happens when the user clicks on this link.

          People

            aleksandar Aleksandar Mitrev
            marcmittag Marc Mittag [Administrator]