AuthZ control
Last updated
Last updated
In this scenario we will check if a user is allowed to access a resource even though authentication was successful. To do this we use an authenticator process AuthController.
In this use case will will check an LDAP attribute called carLicense for values. If value is correct then the user will get access to application otherwise not.
Here are some information about what is the core of this use case. The key configuration parts, see config.json at the bottom of this use case, are
Line 122-138 We use a chain, first we authenticate the user. Then we verify if the user should have access to the application
Line 139-161 This is the first part of the chain where we authenticate the user. If that fails, no authorization is necessary.
Line 162-179 If authentication was successful, then we move to the second part in the chain. In this case the authenticator AuthController. This authenticator runs a pipe and depending on the result from the pipe, act accordingly on the return data.
Line 237-301 This is the pipe executed from the AuthController authenticator. We will use the valve FlowFail and verify item data to check if the Pipe should fail. If the Pipe fails the AuthController will act on that.
This use case assumes that you have good knowledge of the product in question.
Fortified ID WEB installed and configured
LDAP directory. Location to were the users are authenticated. The example code is configured using an Active Directory. We are using mail attribute when authenticating the Active Directory user.
Create three users in your Active Directory that you can login with. See following example with attribute
Active Directory user 1
displayName: Emma Clarke
sAMAccountName: emmac
mail: emma.clarke@fortifiedid.se (for example)
carLicense: you_can_access (1 value)
Active Directory user 2
displayName: Bobby Clarke
sAMAccountName: bobbyc
mail: bobby.clarke@fortifiedid.se (for example)
carLicense: (no values)
Active Directory user 3
displayName: Sara Clarke
sAMAccountName: sarac
mail: sara.clarke@fortifiedid.se (for example)
carLicense: you_can_access, aws (2 values)
Fortified ID Portal installed and configured
Note. All configuration and testing is done on the scenario server.
Download and install Fortified ID Web and Fortified ID Portal
To install Integrity Web and Integrity Portal, see documentation and installation.
Add files and folders from ZIP-file to Fortified ID Web and Fortified ID Portal.
Download the USE_CASE.zip.
Replace the customer folders for your installations with the ones from the zip-file. Note. This use case was initially done on a Windows server, if you run Container/Docker or Linux you might have to changes something to work in your environments like file paths e.g..
Open the globals.json in both customer folders and update to match your environment.
Start services
Start Fortified ID WEB
Start Fortified ID Portal
Verify Fortified ID WEB is started
Verify Fortified ID Portal is started
You will login as the three different users.
Note. Emma has the right authorization to access the Portal site since she has the value "you_can_access" in carLicense.
Open a browser.
First we will login as Emma Clarke.
Browse to https://localhost:8445/portal
This is the address to Fortified ID Portal acting as a SAML SP
Login as emma.clarke@fortifiedid.se.
She should now be redirected to Portal, the application she intended to access.
This is because she has the value "you_can_access" in carLicense
Logout from Portal
Note. Bobby does not have the right authorization to access the Portal site since he is missing the value "you_can_access" in carLicense. He will be redirected to the site we have configured.
Open a browser.
First we will login as Bobby Clarke.
Browse to https://localhost:8445/portal
This is the address to Fortified ID Portal acting as a SAML SP
Login as bobby.clarke@fortifiedid.se
User should now be redirected to specified url since value is incorrect, and is redirected to the Swedish newspaper dn.se.
This is because he do NOT has the value "you_can_access" in carLicense
Note. Sara has the right authorization to access the site since she has the value in "you_can_access" in carLicense but she also has "aws" as value. In this scenarion a user with value aws should be redirected to, in this case, aws.com. This means that Sara will not be logged in to the Portal site.
Open a browser.
First we will login as Sara Clarke.
Browse to https://localhost:8445/portal
This is the address to Fortified ID Portal acting as a SAML SP
Login as sara.clarke@fortifiedid.se.
She should now be redirected to AWS webpage.
This is because she has the value "you_can_access" but also the value "aws". So she is allowed access but instead of being redirected to Portal we redirect her to aws.com
Other configuration and reference files will be found in the ZIP-file you downloaded.
Click Username & Password (LDAP), you should now see
Click Username & Password (LDAP), you should now see
Click Username & Password (LDAP), you should now see
