千帆玉符 SSO – QianFan Single Sign-On


1 Introduction

The Qianfan SSO module enables your app end-users to sign in with single sign-on (SSO) using an iDaaS account when your app is deployed to the Tencent Cloud. This document explains how to integrate the Qianfan SSO module with your Mendix app.

2 Purchasing and Launching the Service

  1. Open Qianfan Yufu identity management services.

  2. Use the following URL to purchase and launch the service:

    https://cloud.tencent.com/product/cig

    After activation, you will receive a confirmation email containing the login address for the Yufu iDaaS control panel.

3 Configuring Yufu iDaaS

3.1 Logging in to Yufu iDaaS

  1. Using the login address provided in the email mentioned above, log in to the Yufu iDaaS control panel.

  2. Switch to administrator mode (管理员模式).

3.2 User Management

3.2.1 Adding Users

  1. Select 对象管理 -> 部门管理 -> 部门数据 (Object Management -> Department Management -> Department Data).

  2. Click on the correct department and select 本部门人员 (Department Users).

  3. Click 添加人员 -> 创建人员 (Add User -> Create User).

    Or click 转入人员 (Transfer Users).

  4. Enter the user information and click 确定 (OK).

3.3 Application Management

3.3.1 Adding an App

  1. Click the 添加应用 (Add App) button on the right side.

  2. Select 创建自定义应用 (Create Custom App).

  3. Select OpenID Connect.

  4. Select Web.

  5. Enter the basic information.

  6. Enter the callback URI.

    Yufu does not accept localhost as a callback host, so use the following URI during the local testing phase:

    http://127.0.0.1:8080/Qianfan/callback

    Once the app has its official domain name, update the URI to the following format (use https for the production domain):

    <App Domain>/Qianfan/callback

    OpenID Connect providers compare the registered callback URI with the one the app sends in the authorization request, normally as an exact string match, so the registered value must equal the Application Root URL (see section 4.3) plus /Qianfan/callback exactly, including scheme, host, port and the case of the path.

  7. Save the Client ID and Client Secret values locally. Treat the Client Secret as a credential: it is what your app uses to authenticate to Yufu when it exchanges the authorization code, so keep it out of shared documents and source control.

  8. Save the Well-known URL (the OpenID Connect discovery address) locally, and also save the JSON document shown when you open the link; both are needed in section 4.3.

3.3.2 Configuring the App

  1. Click 自助申请 (Self-Service Request).

    Configure it as follows:

  2. Click 添加人员 (Add Users).

    If you have already clicked “users” (人员), click on the plus sign (+) to add users.

  3. Enter the user’s name and click 确定 (OK).

3.4 Applying Permissions Management

Permissions in Yufu correspond to user roles in Mendix. The sections below create one permission per Mendix role and assign it to users through a permission group.

3.4.1 API Management

  1. Select 应用 -> API管理 -> 创建 (Apps -> API Management -> Create).

  2. Enter the basic information and click 确定 (OK). Note the API unique identifier; it is used for the Audience constant in section 4.3. For example:

  3. Go to the API management interface and click 添加权限 (Add Permissions).

  4. Enter the basic information and click 确定 (OK). If your app has multiple roles, add one permission per role. Give each permission a name of the form <prefix>_<role name>, where the part after the underscore must match the Mendix user role name exactly (see sections 4.3 and 4.6). For example:

    Permissions are displayed in the API management interface when successful.

  5. Click 添加应用 (Add Apps).

  6. Select the app created in Section 3.3 and confirm. For example:

  7. Upon completion, check whether the permissions and the trusted SSO application are correct. For example:

3.4.2 Rights Group Management

  1. Select 对象管理 -> 权限组管理 (Object Management -> Rights Group Management).

  2. Click 添加权限组 (Add Permissions Group).

  3. Enter the basic information, set the Permission Group Type to Custom, and click 确定 (OK). For example:

  4. Go to the management interface and click 添加人员 (Add Users).

  5. After selecting the corresponding users, click 确定 (OK) to confirm.

  6. Click 关联权限 (Associate Permissions).

  7. Select the API created in Section 3.4.1.

  8. Select permissions and confirm.

    If you have more than one permission, create a separate permission group for each one and associate each group with its users and its permission.

    At this point, the Yufu end is configured. You have done the following:

    Created Administrator and User permissions and assigned each of them to the appropriate people.

4 Mendix Configuration

4.1 Downloading the QianfanSSO Module

  1. Download the QianfanSSO module from the following address.

    https://mendix-cdn-prod-1305133312.cos.ap-shanghai.myqcloud.com/Qianfansso/QianfanSSO.mpk

4.2 Importing the QianfanSSO Module

  1. Open an existing app in Studio Pro. If you do not have one, create a new app first. Right-click the app to select Import module package….

  2. Select the QianfanSSO.mpk file you just downloaded and click Import.

4.3 Configuring the QianfanSSO Module

  1. Open Settings.

  2. Choose the Runtime tab.

  3. Set the After startup microflow to QianfanSSO.QianfanSSO_AfterStartup.

  4. For local testing, you need to set the application’s root URL:

    1. Choose the Configurations tab

    2. Select the Default configuration and click Edit.

    3. Choose the Server tab.

    4. Set the Application Root URL to the following:

      http://127.0.0.1:8080

  5. Expand the QianfanSSO module and the Configuration folder within the module.

  6. Assign the Client ID and the Client Secret values saved in section 3.3.1 to the corresponding constants (ClientID and ClientSecret). For the cloud environment, prefer setting the production ClientSecret in the environment's Constants tab (see section 4.8) rather than storing it as the default value in the project.

  7. Assign the Well-known URL from section 3.3.1 to the constant OpenIdConnectProvider after removing the trailing segment /.well-known/openid-configuration.

    For example: https://xxx.cig.tencentcs.com/sso/tn-a1be8dd15d05/ai-32234954/oidc

  8. In the constant Issuer, assign the issuer value from the Well-known document saved in section 3.3.1. Copy it exactly as it appears there, including the scheme and any path and without adding a trailing slash; it must equal the iss claim of the ID tokens Yufu issues.

    For example: https://xxx.cig.tencentcs.com

  9. In the constant Audience, assign the API unique identifier from section 3.4.1.

    For example: TEST_Administrator

  10. In the constant Prefix, assign the first half of the permission name created in section 3.4.1, including the underscore. For example, for a permission whose name begins with TestApp_, Prefix should be set to TestApp_:

4.4 Configure the Login Page

  1. Choose the menu item App > Show App Directory in Explorer.

  2. Go to the theme folder and replace the existing login.html file with the following file, which contains the login page with Qianfan Yufu SSO content.

    https://mendix-cdn-prod-1305133312.cos.ap-shanghai.myqcloud.com/Qianfansso/login.html

  3. Download the Qianfan Yufu logo file yufu.png.

    https://mendix-cdn-prod-1305133312.cos.ap-shanghai.myqcloud.com/Qianfansso/yufu.png

  4. Choose App > Synchronize App Directory in Studio Pro.

4.5 Configure the Logout Page

  1. Add a Button widget to the page.

  2. Double-click the Button widget to open the Edit Action Button dialog box.

  3. Set the On click event to Call a microflow.

  4. Set the Microflow to QianfanSSO.QianfanSSO_Logout.

  5. Set the Caption to logout.

4.6 Role Settings

  1. Open Security and set the Security Level to Production.


  2. Make sure that, in the User roles tab, the role Names are consistent with the part of the permission names after the underscore, as set in section 3.4.1. For example:

  3. Choose the role and click Edit to confirm that the corresponding permissions in QianFanSSO are checked.
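The constants in section 4.3 and the role naming rule in section 4.6 are easy to get subtly wrong: a /.well-known suffix left on OpenIdConnectProvider, an Issuer copied with a trailing slash, a callback path that differs in case, or a permission name whose second half does not match a Mendix role. The following Python script is an added example and is not part of this page or of the QianfanSSO module. It derives OpenIdConnectProvider and Issuer the way section 4.3 steps 7 and 8 describe, checks ID token claims against the Issuer and Audience constants, maps prefixed Yufu permission names to Mendix role names as section 4.6 requires, and checks that the callback URI the app will send matches a registered one exactly. All URLs, the discovery document, the identifiers and the token claims in it are constructed sample values modelled on the page's examples; the claim checks and the role mapping are a reference implementation of the rules the page states, not the module's own logic.

```python
"""Pre-flight checks for the QianfanSSO constants (sections 4.3 and 4.6).

Added example, not code from the page or the QianfanSSO module. Every URL,
identifier and document below is a constructed sample value; the claim
checks and role mapping are an assumed reference implementation.
"""
import json
import time
from urllib.parse import urlsplit

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"

# Constructed sample of the Well-known URL saved in section 3.3.1, step 8.
WELL_KNOWN_URL = ("https://xxx.cig.tencentcs.com/sso/tn-a1be8dd15d05/"
                  "ai-32234954/oidc" + WELL_KNOWN_SUFFIX)

# Constructed sample of the discovery document shown when opening that link.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://xxx.cig.tencentcs.com",
    "authorization_endpoint": "https://xxx.cig.tencentcs.com/sso/tn-a1be8dd15d05/ai-32234954/oidc/authorize",
    "token_endpoint": "https://xxx.cig.tencentcs.com/sso/tn-a1be8dd15d05/ai-32234954/oidc/token",
})

# Constructed values for the Audience and Prefix constants and the Mendix user roles.
AUDIENCE = "TEST_Administrator"
PREFIX = "TestApp_"
MENDIX_USER_ROLES = {"Administrator", "User"}
CALLBACK_PATH = "/Qianfan/callback"


def provider_url_from_well_known(well_known_url):
    """OpenIdConnectProvider = Well-known URL minus the discovery suffix (section 4.3, step 7)."""
    if not well_known_url.endswith(WELL_KNOWN_SUFFIX):
        raise ValueError("not a well-known URL: " + well_known_url)
    if urlsplit(well_known_url).scheme != "https":
        raise ValueError("discovery must be fetched over https")
    return well_known_url[: -len(WELL_KNOWN_SUFFIX)]


def issuer_from_discovery(discovery_json):
    """Issuer = the 'issuer' field of the saved discovery document (section 4.3, step 8)."""
    issuer = json.loads(discovery_json)["issuer"]
    if urlsplit(issuer).scheme != "https":
        raise ValueError("issuer must be an https URL")
    return issuer


def validate_id_token_claims(claims, issuer, audience, now=None):
    """Return the names of claims that fail; an empty list means the claims are acceptable.

    Signature verification against jwks_uri is assumed to have happened already;
    this covers only iss/aud/exp/nbf, which is what the Issuer and Audience constants feed.
    """
    now = time.time() if now is None else now
    failed = []
    if claims.get("iss") != issuer:            # exact string comparison, no prefix matching
        failed.append("iss")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if audience not in aud:
        failed.append("aud")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        failed.append("exp")
    if "nbf" in claims and claims["nbf"] > now:
        failed.append("nbf")
    return failed


def roles_from_permissions(permissions, prefix=PREFIX, known_roles=MENDIX_USER_ROLES):
    """Map permission names such as 'TestApp_Administrator' to Mendix role names.

    Only names carrying this app's prefix are considered (case-sensitive), and only
    roles that exist in the Mendix project are granted, so a permission from another
    API or a mistyped name never yields an unexpected role.
    """
    roles = set()
    for name in permissions:
        if not name.startswith(prefix):
            continue
        role = name[len(prefix):]
        if role in known_roles:
            roles.add(role)
    return roles


def callback_uri(app_root_url):
    """The redirect URI the app sends: Application Root URL + /Qianfan/callback."""
    return app_root_url.rstrip("/") + CALLBACK_PATH


def redirect_uri_registered(sent, registered):
    """Redirect URI matching is exact: scheme, host, port, path and case must all agree."""
    return sent in registered


if __name__ == "__main__":
    print("OpenIdConnectProvider:", provider_url_from_well_known(WELL_KNOWN_URL))
    print("Issuer:", issuer_from_discovery(DISCOVERY_DOC))
    print("Roles:", roles_from_permissions(["TestApp_Administrator", "TestApp_User", "Other_User"]))
    print("Callback:", callback_uri("http://127.0.0.1:8080"))
```

Run it with the real Well-known URL and discovery document you saved in section 3.3.1, and compare the printed OpenIdConnectProvider and Issuer with the constants you set in Studio Pro. The permission list passed to roles_from_permissions should be the exact names created in section 3.4.1; anything that drops out of the result points to a prefix or role-name mismatch.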

4.7 Sign in for Verification

  1. Save the configuration, then click Run Locally. Once the app has started successfully, click View App.

  2. You will see the login screen in your browser. Click Qianfan IDaaS Account.

  3. In the Yufu login interface, log in using your Yufu account.

    After a successful login, Yufu redirects you back to the app page.

  4. Click logout to sign out and return to the login screen.

4.8 Cloud Verification

  1. Once the local test passes, go to the App deployment page via Environment in the Mendix platform, click Add Environment, select Production for Purpose, and enter the Subscription Secret you have purchased.

  2. Click Next and select the appropriate plan, then click Create Environment.

  3. Click Create Package and select the version to be built.

  4. Once packages have been built, select the .mda file that should be deployed, and click Deploy.

  5. Save the URL and click Transport.

  6. Select the Constants tab, and assign the new URL to the AppUrl constant.

  7. Finally, click Apply Changes.

    Check that the Status values for Loaded Deployment Details and Environment Details are normal.

  8. Go to the Qianfan Yufu Management page and add a callback URI of the form {App Url} + "/Qianfan/callback", using exactly the same path (including case) as in section 3.3.1. For example:

  9. Since the App Url is a temporary URL, map it to the Cluster CLB IP from the email you received when you purchased Mendix by editing your local hosts file:

    • On Windows: C:\Windows\System32\drivers\etc\hosts

    • On Linux: /etc/hosts

  10. Add a line that maps the hostname of the App Url to that IP.

  11. Finally, visit the App Url and click Qianfan IDaaS Account to access the app.