Before you start

OpenID Connect Discovery Endpoint

The Acronis platform provides a global OpenID Connect discovery endpoint that returns its configuration according to the OpenID Connect Discovery specification. The discovery endpoint lets CyberApp clients retrieve the OpenID Connect configuration dynamically, including the authorization endpoint, the token endpoint, the supported scopes and the other metadata required for SSO authentication, instead of hard-coding those values.

Endpoint URL: https://global.acronis.cloud/.well-known/openid-configuration

This endpoint returns the following configuration data. Note that the issuer value (https://cloud.acronis.com) is not the host that serves the discovery document (global.acronis.cloud): when you validate an ID token, compare its iss claim against this issuer value, fetch the signing keys from jwks_uri, and accept only the algorithm listed in id_token_signing_alg_values_supported (RS256).

{
  "issuer": "https://cloud.acronis.com",
  "authorization_endpoint": "https://global.acronis.cloud/api/idp/v1/authorize",
  "token_endpoint": "https://global.acronis.cloud/api/idp/v1/token",
  "jwks_uri": "https://global.acronis.cloud/api/idp/v1/keys",
  "response_types_supported": [
    "code"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "profile",
    "offline_access",
    "phone",
    "address",
    "roles",
    "tenants"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic"
  ],
  "claims_supported": [
    "aud",
    "email",
    "exp",
    "iat",
    "iss",
    "name",
    "sub"
  ],
  "backchannel_logout_supported": true,
  "backchannel_logout_session_supported": true,
  "end_session_endpoint": "https://global.acronis.cloud/api/idp/v1/logout",
  "userinfo_endpoint": "https://global.acronis.cloud/api/idp/v1/userinfo"
}

SSO Authentication Flow

To authenticate the user with single sign-on, you should:

  1. Set up an endpoint that will be used to initiate the SSO login. The endpoint should accept a query parameter with the ID of the tenant from which the user attempts to initiate SSO.

  2. Set up an endpoint to which the user will be redirected with the SSO login result.

  3. Generate a URL to the authorization endpoint and redirect the user to it.

    Take the authorization endpoint URL from the authorization_endpoint value of the discovery response (see the OpenID Connect Discovery Endpoint section) and specify the following query string parameters:

    • The code response type in the response_type query string parameter (response_type=code). This is the standard OAuth 2.0 parameter that selects the authorization code flow, the only response type listed in response_types_supported.

    • The client ID in the client_id query string parameter.

    • The redirect URL in the redirect_uri query string parameter.
      This must be the endpoint that will process the SSO login result.

    • The following scopes, space-separated, in the scope query string parameter:

      • openid

      • roles to receive the access roles that the user has in Acronis.

      • tenants to receive the list of tenants where the user is located in Acronis.

    • A unique, unguessable random string in the state parameter. Store it in the user's session and reject the login result if the state returned on the redirect does not match it; this binds the callback to the browser session that started the login and prevents cross-site request forgery.

    • [For PKCE] Specify the following parameters:

      • The S256 method in the code_challenge_method query string parameter.

      • The code challenge in the code_challenge query string parameter: the SHA-256 hash of a random code verifier, base64url-encoded without padding (a hash, not an encryption). Keep the plain code verifier in the user's session; it is sent in the token exchange, so an intercepted authorization code cannot be redeemed without it.
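Putting the three steps together, as an added example that is not Acronis's own code: a minimal Python implementation of the initiate endpoint and the callback endpoint logic. It uses the discovery document shown above (embedded so it runs offline; a real client fetches and caches it over HTTPS), a hypothetical client ID and redirect URI, the PKCE S256 pair, a state check on the callback, and response_type=code (the standard OAuth 2.0 parameter; code is the only type in response_types_supported). The token exchange is the next page's topic, so the callback handler stops at returning the authorization code and the code verifier for it.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# The discovery document shown above, embedded so this example runs offline.
# A real client fetches https://global.acronis.cloud/.well-known/openid-configuration
# over HTTPS and caches the result.
DISCOVERY_JSON = """{
  "issuer": "https://cloud.acronis.com",
  "authorization_endpoint": "https://global.acronis.cloud/api/idp/v1/authorize",
  "token_endpoint": "https://global.acronis.cloud/api/idp/v1/token",
  "jwks_uri": "https://global.acronis.cloud/api/idp/v1/keys",
  "response_types_supported": ["code"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "scopes_supported": ["openid", "email", "profile", "offline_access",
                       "phone", "address", "roles", "tenants"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic"],
  "claims_supported": ["aud", "email", "exp", "iat", "iss", "name", "sub"],
  "backchannel_logout_supported": true,
  "backchannel_logout_session_supported": true,
  "end_session_endpoint": "https://global.acronis.cloud/api/idp/v1/logout",
  "userinfo_endpoint": "https://global.acronis.cloud/api/idp/v1/userinfo"
}"""

# Hypothetical registration values; use the ones issued for your CyberApp.
CLIENT_ID = "example-cyberapp-client-id"
REDIRECT_URI = "https://cyberapp.example.com/sso/callback"
SCOPES = ("openid", "roles", "tenants")


def load_discovery(raw):
    """Parse the discovery document and check what the code flow relies on."""
    cfg = json.loads(raw)
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in cfg:
            raise ValueError("discovery document lacks " + key)
    if "code" not in cfg.get("response_types_supported", []):
        raise ValueError("authorization code flow not offered")
    missing = set(SCOPES) - set(cfg.get("scopes_supported", []))
    if missing:
        raise ValueError("unsupported scopes: " + ", ".join(sorted(missing)))
    return cfg


def b64url(data):
    """Base64url without '=' padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge(verifier):
    """S256 challenge: base64url(SHA-256(verifier)). A hash, not encryption."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def query_params(url):
    """Single-valued query parameters of a URL (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def start_login(cfg, session, tenant_id):
    """Step 1 endpoint: mint state and PKCE values, keep them in the user's
    session (server-side or a signed cookie) and return the URL to redirect to."""
    state = secrets.token_urlsafe(32)
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636's 43..128
    session["sso"] = {"state": state, "code_verifier": verifier, "tenant_id": tenant_id}
    params = {
        "response_type": "code",  # standard OAuth 2.0; the only type in the discovery data
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return cfg["authorization_endpoint"] + "?" + urlencode(params)


def handle_callback(callback_url, session):
    """Step 2 endpoint: validate the redirect and return (code, code_verifier)
    for the token exchange. The pending login is consumed on every path, so a
    forged or replayed callback cannot be retried against the same state."""
    pending = session.pop("sso", None)
    if pending is None:
        raise PermissionError("no SSO login in progress for this session")
    q = query_params(callback_url)
    if "error" in q:
        raise PermissionError("authorization failed: " + q["error"])
    received = q.get("state", "").encode("utf-8")
    if not hmac.compare_digest(received, pending["state"].encode("utf-8")):
        raise PermissionError("state mismatch: possible CSRF or replayed callback")
    if not q.get("code"):
        raise PermissionError("callback carries no authorization code")
    return q["code"], pending["code_verifier"]


if __name__ == "__main__":
    cfg = load_discovery(DISCOVERY_JSON)
    session = {}
    print(start_login(cfg, session, "tenant-id-from-query"))
```

The session dict stands in for whatever session store the CyberApp uses; the tenant ID received by the initiate endpoint is kept there because this page does not say what else is done with it. The state comparison is constant-time and the pending login is removed before any check runs, so a callback with a wrong or missing state burns the attempt rather than leaving it open for a second try.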

Next step: Exchanging code.