
Selector filtering


Last updated 1 year ago

Scenario

Depending on the input data that Fortified ID (IdP/OP) receives, you can control which selectors and/or authenticators are presented to a user. In the picture above the scenario is:

  • A user who comes from the Portal app (id=portal) gets two options to choose from, Employee or Customer.

  • A user who comes from Password Reset (id=pwdreset) is sent directly to the UID + MFA authenticator.

In this use case

  • Fortified ID Portal and Fortified ID Password Reset act as SAML SPs. The input data they present to the SAML IdP, and that the IdP acts on, is the SP entity ID: spEntityID = FortifiedID_Portal and spEntityID = FortifiedID_PWD_Reset respectively. The SAML IdP is Fortified ID WEB.

Notes regarding this Use Case

Here is some information about what is the core of this use case. The key configuration parts (see the complete config.json at the bottom of this use case) are:

  • The include_expr parameter on each option of the selector_root Selector. It decides whether that option is presented or not. In this case the expression checks which service provider the request came from, using exports.spEntityID, i.e. the entity ID of the SP that sent the AuthnRequest (both SPs' metadata, sp_portal.xml and sp_pwdreset.xml, is registered under "metadata" in the SAML module). Options 1 and 2 are included for FortifiedID_Portal (and for FortifiedID_MOBILEID, an SP that is not part of this use case), option 3 only for FortifiedID_PWD_Reset. Which parameters are available in exports is something you can check by logging them from an authenticator's pipe, as the DumpExports valves in this config do; see the separate use case for that.

  • The auto_select parameter of selector_root. When only one option passes its include_expr, this decides whether that single option is still presented or skipped. "auto_select": true is the default. If you set it to false and then try Password Reset, you will see that the user is presented with a page containing one option instead of being forwarded directly.
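The filtering described above, as an added example that is not Fortified ID's own code: a small JavaScript model of how a Selector's include_expr strings are evaluated against the exports map and how auto_select then decides between rendering a choice and jumping straight to a target authenticator. The option list is copied from the selector_root in the config.json below; the evaluation via new Function, the frozen exports copy, the fail-closed handling of a throwing expression, and the "deny" outcome when no option remains are assumptions of this example, not documented product behaviour.

```javascript
'use strict';

// Option list copied from the selector_root authenticator in this use case's config.json.
const selectorRootOptions = [
  {
    id: '1', target: 'validate_username_password', label: 'ldap_label',
    include_expr: "(exports.spEntityID === 'FortifiedID_Portal' || exports.spEntityID === 'FortifiedID_MOBILEID')",
  },
  {
    id: '2', target: 'Other authN', label: 'Other authN',
    include_expr: "(exports.spEntityID === 'FortifiedID_Portal' || exports.spEntityID === 'FortifiedID_MOBILEID')",
  },
  {
    id: '3', target: 'password_reset', label: 'no_ui_auto_password_reset',
    include_expr: "exports.spEntityID === 'FortifiedID_PWD_Reset'",
  },
];

// Compile one include_expr into a predicate over the exports map.
// The expression text comes from the operator-controlled config.json, not
// from the end user, which is the only reason evaluating it as JavaScript
// is acceptable. The only name in scope is `exports`, passed as a frozen copy
// so an expression cannot mutate request state. Whether the real product
// evaluates expressions exactly this way is an assumption of this example.
function compileExpr(expr) {
  const fn = new Function('exports', '"use strict"; return Boolean(' + expr + ');');
  return function (exports) {
    try {
      return fn(Object.freeze({ ...exports }));
    } catch (err) {
      // Fail closed: a broken expression (e.g. reading a property of an
      // undefined export) hides the option instead of exposing it.
      return false;
    }
  };
}

// Return only the options whose include_expr is true for this request.
// An option without include_expr is always shown.
function filterOptions(options, exports) {
  return options.filter((opt) => !opt.include_expr || compileExpr(opt.include_expr)(exports));
}

// Model the selector's decision for one request (assumed semantics):
//   - no option left            -> nothing to offer, treat as a denied request
//   - one option and auto_select -> jump straight to that option's target authenticator
//   - otherwise                  -> render the remaining options for the user to choose
function selectorDecision(options, exports, autoSelect = true) {
  const visible = filterOptions(options, exports);
  if (visible.length === 0) {
    return { action: 'deny', options: [] };
  }
  if (visible.length === 1 && autoSelect) {
    return { action: 'auto_select', target: visible[0].target, options: visible };
  }
  return { action: 'present', options: visible };
}

// Constructed sample requests: the exports map as the IdP would hold it after
// parsing the AuthnRequest from each SP in this use case, plus an unknown SP.
const fromPortal = selectorDecision(selectorRootOptions, { spEntityID: 'FortifiedID_Portal' });
const fromPwdReset = selectorDecision(selectorRootOptions, { spEntityID: 'FortifiedID_PWD_Reset' });
const fromUnknownSp = selectorDecision(selectorRootOptions, { spEntityID: 'SomeOtherSP' });

console.log(fromPortal.action, fromPortal.options.map((o) => o.id)); // present [ '1', '2' ]
console.log(fromPwdReset.action, fromPwdReset.target);                 // auto_select password_reset
console.log(fromUnknownSp.action);                                     // deny
```

Running it reproduces the two test cases later in this use case: the Portal request leaves options 1 and 2, the Password Reset request leaves only option 3 and is auto-selected, and passing autoSelect = false for Password Reset yields a one-option page instead. Note that an exports map without spEntityID also ends up with zero options, which is why an expression that cannot be evaluated is treated as false rather than true.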

Prerequisite

  • This use case assumes that you have good knowledge of the products in question.

  • Fortified ID WEB installed and configured

  • An LDAP directory where the users to authenticate are located. The example configuration uses Active Directory and authenticates the user by the mail attribute.

  • Fortified ID Portal installed and configured

  • Fortified ID Password Reset installed and configured

  • FakeSMTP. This is used when a user resets their own password: authentication to the self-service uses the UserID (mail) plus a one-time password (OTP) delivered by mail. Download and install FakeSMTP on the same host as the use case and start the SMTP service on port 25. Note. If you have a real SMTP server, use that instead.

Note. All configuration and testing is done on the scenario server.

Basic configuration of Fortified ID Web, Portal and Password Reset

Install and prepare configuration

  1. Download and install Fortified ID Web, Fortified ID Portal and Fortified ID Password Reset.

    1. To install Integrity Web and Integrity Portal, see the documentation and installation guides.

  2. Add the files and folders from the ZIP file to Fortified ID Web, Fortified ID Portal and Fortified ID Password Reset.

    1. Download the USE_CASE.zip.

  3. Replace the customer folders of your installations with the ones from the ZIP file. Note. This use case was initially done on a Windows server; if you run it in a container/Docker or on Linux you might have to change some things, such as file paths, to make it work in your environment.

  4. Open the globals.json in both customer folders and update to match your environment.

  5. Start services

    1. Start Fortified ID WEB

    2. Start Fortified ID Portal

    3. Start Fortified ID Password Reset

Test the configuration

Verify services are started

  • Verify Fortified ID WEB is started

  • Verify Fortified ID Portal is started

  • Verify Fortified ID Password Reset is started

Login to Fortified ID Portal using Fortified ID WEB as IdP

  1. Open a browser

  2. Browse to https://localhost:8445/portal

    1. This is the address of Fortified ID Portal acting as a SAML SP

  3. You should be redirected to Fortified ID WEB acting as SAML IdP and see the following:

Note. There are three options configured but only two are presented to the user, since the third one is only available to the SP Password Reset.

Login to Fortified ID Password Reset using Fortified ID WEB as IdP

  1. Open a browser

  2. Browse to https://localhost:8446/pwdreset

    1. This is the address of Fortified ID Password Reset acting as a SAML SP

  3. You should be redirected to Fortified ID WEB acting as SAML IdP and see the following:

Note. There are three options configured on selector_root but only one matches the SP Password Reset. Since there is only one option, the user is passed directly to the authenticator for that option (auto_select).

Complete config.json file of Fortified ID WEB

Other configuration and reference files are found in the ZIP file you downloaded.

Complete config.json file

{
    "globals": "@include:globals.json",
    "modules": [
        {
            "name": "CefEventModule",
            "config": {}
        },
        {
            "name": "HttpClient",
            "config": {
                "name": "default",
                "idle_timeout_ms": 5000,
                "connect_timeout_ms": 5000
            }
        },
        {
            "name": "LdapClient",
            "enabled": true,
            "instances": 1,
            "config": {
                "name": "${globals.ldap.ldap1.name}",
                "connection": {
                    "host": "${globals.ldap.ldap1.connection.host}",
                    "port": "${globals.ldap.ldap1.connection.port}",
                    "bind_dn": "${globals.ldap.ldap1.connection.bind_dn}",
                    "bind_password": "${globals.ldap.ldap1.connection.bind_password}",
                    "use_ssl": "${globals.ldap.ldap1.connection.use_ssl}",
                    "ssl_trust_all": "${globals.ldap.ldap1.connection.ssl_trust_all}"
                }
            }
        },
        {
            "name": "SmtpClient",
            "enabled": true,
            "config": {
                "name": "${globals.smtp.smtp1.name}",
                "host": "${globals.smtp.smtp1.host}",
                "port": "${globals.smtp.smtp1.port}",
                "user_name": "${globals.smtp.smtp1.user_name}",
                "password": "${globals.smtp.smtp1.password}",
                "auth_methods": "DIGEST-MD5, CRAM-SHA256, LOGIN"
            }
        },
        {
            "name": "SAML",
            "config": {
                "metadata_cache": "${globals.saml.idp1.metadata_cache}",
                "http_port": "${globals.http.port}",
                "http_use_ssl": true,
                "http_keystore_ref": {
                    "type": "${globals.keystore.https.ref.type}",
                    "path": "${globals.keystore.https.ref.path}",
                    "password": "${globals.keystore.https.ref.password}"
                },
                "http_keystore_type": "${globals.keystore.https.type}",
                "http_key_alias": "${globals.keystore.https.http_key_alias}",
                "http_key_password": "${globals.keystore.https.http_key_password}",
                "enable_http": true,
                "metadata_template": [
                    {
                        "id": "${globals.saml.idp1.metadata_id}",
                        "metadata_file_path": "${globals.saml.idp1.metadata_file_path}",
                        "sign_ref": [
                            {
                                "keystore": {
                                    "alias": "${globals.keystore.saml.sign_ref_keystore_alias}",
                                    "key_password": "${globals.keystore.saml.sign_ref_keystore_key_password}",
                                    "password": "${globals.keystore.saml.sign_ref_keystore_password}",
                                    "path": "${globals.keystore.saml.sign_ref_keystore_path}"
                                }
                            }
                        ]
                    }
                ],
                "metadata": [
                    {
                        "path": "${globals.file_paths.base_dir}/config/resources_internal/saml/sp_metadata_files/sp_portal.xml"
                    },
                    {
                        "path": "${globals.file_paths.base_dir}/config/resources_internal/saml/sp_metadata_files/sp_pwdreset.xml"
                    }
                ]
            }
        },
        {
            "name": "AuthN",
            "enabled": true,
            "config": {
                "context_path": "/authn",
                "webroot_dir": "web",
                "http_port": "${globals.http.port}",
                "http_use_ssl": true,
                "http_keystore_ref": {
                    "type": "${globals.keystore.https.ref.type}",
                    "path": "${globals.keystore.https.ref.path}",
                    "password": "${globals.keystore.https.ref.password}"
                },
                "http_keystore_type": "${globals.keystore.https.type}",
                "http_key_alias": "${globals.keystore.https.http_key_alias}",
                "http_key_password": "${globals.keystore.https.http_key_password}",
                "authenticators": [
                    {
                        "id": "auth00",
                        "type": "SAMLIDP",
                        "config": {
                            "context_path": "/saml/authn/chain",
                            "base_path": "/saml/authn",
                            "expiry": "PT1S",
                            "force_re_auth": false,
                            "idp": "${globals.saml.idp1.idp_entityid}",
                            "chain": [
                                {
                                    "id": "selector_root",
                                    "required": true
                                }
                            ],
                            "assertion_config": [
                                {
                                    "target_sp": [
                                        "*"
                                    ],
                                    "nameid_parameter": "mail",
                                    "auth_context_parameter": "AuthnContextClassRef",
                                    "additional_attribute_parameter": [
                                        "givenName",
                                        "sn",
                                        "mail",
                                        "roles",
                                        "display_name",
                                        "distinguishedName"
                                    ],
                                    "pre_assertion_pipe": "Retrieve_data_for_SAML_response_for_all"
                                }
                            ]
                        }
                    },
                    {
                        "id": "selector_root",
                        "type": "Selector",
                        "config": {
                            "base_path": "/saml/authn",
                            "webroot_dir": "web/authenticator/selector",
                            "auto_select": true,
                            "overlay_dirs": [
                                "${globals.file_paths.base_dir}/config/resources_external/overlays/1_selector_root",
                                "${globals.file_paths.base_dir}/config/resources_external/overlays/0_look_and_feel"
                            ],
                            "options": [
                                {
                                    "id": "1",
                                    "target": "validate_username_password",
                                    "label": "ldap_label",
                                    "logo": "assets/svg/microsoft.svg",
                                    "include_expr": "(exports.spEntityID === 'FortifiedID_Portal' || exports.spEntityID === 'FortifiedID_MOBILEID')"
                                },
                                {
                                    "id": "2",
                                    "target": "Other authN",
                                    "label": "Other authN",
                                    "include_expr": "(exports.spEntityID === 'FortifiedID_Portal' || exports.spEntityID === 'FortifiedID_MOBILEID')"
                                },
                                {
                                    "id": "3",
                                    "target": "password_reset",
                                    "label": "no_ui_auto_password_reset",
                                    "include_expr": "exports.spEntityID === 'FortifiedID_PWD_Reset'"
                                }
                            ]
                        }
                    },
                    {
                        "id": "validate_username_password",
                        "type": "UserNameAndPassword",
                        "config": {
                            "base_path": "/saml/authn",
                            "webroot_dir": "web/authenticator/username_password",
                            "overlay_dirs": [
                                "${globals.file_paths.base_dir}/config/resources_external/overlays/2_username_password",
                                "${globals.file_paths.base_dir}/config/resources_external/overlays/0_look_and_feel"
                            ],
                            "pipe_id": "Validate_Username_Password",
                            "exports": [
                                {
                                    "name": "used_auth",
                                    "value": "username_password_ldap"
                                },
                                {
                                    "name": "AuthnContextClassRef",
                                    "value": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
                                }
                            ]
                        }
                    },
                    {
                        "id": "password_reset",
                        "type": "Chain",
                        "config": {
                            "require_subject": false,
                            "base_path": "/saml/authn",
                            "chain": [
                                {
                                    "id": "username_validator",
                                    "required": true
                                },
                                {
                                    "id": "otp_validator",
                                    "required": true
                                }
                            ]
                        }
                    },
                    {
                        "id": "username_validator",
                        "type": "UserLookup",
                        "config": {
                            "base_path": "/saml/authn",
                            "webroot_dir": "web/authenticator/user_lookup",
                            "allowed_retries": 0,
                            "pipe_id": "Validate_Username_and_generate_a_OTP",
                            "overlay_dirs": [
                                "${globals.file_paths.base_dir}/config/resources_external/overlays/5_pwdreset_username_validation",
                                "${globals.file_paths.base_dir}/config/resources_external/overlays/0_look_and_feel"
                            ],
                            "exports": [
                                {
                                    "name": "used_auth",
                                    "value": "username_lookup"
                                }
                            ]
                        }
                    },
                    {
                        "id": "otp_validator",
                        "type": "OTPValidator",
                        "config": {
                            "base_path": "/saml/authn",
                            "webroot_dir": "web/authenticator/otp_validation",
                            "_allowed_otp_retry": 2,
                            "pipe_id": "Validate_the_OTP",
                            "overlay_dirs": [
                                "${globals.file_paths.base_dir}/config/resources_external/overlays/6_pwdreset_token_validation",
                                "${globals.file_paths.base_dir}/config/resources_external/overlays/0_look_and_feel"
                            ],
                            "exports": [
                                {
                                    "name": "AuthnContextClassRef",
                                    "value": "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"
                                }
                            ]
                        }
                    }
                ]
            }
        },
        {
            "name": "Pipes",
            "config": {
                "pipes": [
                    {
                        "id": "Validate_Username_Password",
                        "config": {
                            "valves": [
                                {
                                    "name": "DumpRequest",
                                    "config": {
                                        "label": "*** DumpRequest ***"
                                    }
                                },
                                {
                                    "name": "DumpExports",
                                    "config": {
                                        "label": "*** DumpExports ***"
                                    }
                                },
                                {
                                    "name": "LDAPSearch",
                                    "enabled": true,
                                    "config": {
                                        "destination": "${globals.ldap.ldap1.name}",
                                        "base_dn": "${globals.ldap.ldap1.connection.base_dn}",
                                        "scope": "SUB",
                                        "filter": "mail={{{request.identifier}}}",
                                        "attributes": [
                                            {
                                                "name": "mail",
                                                "multivalue": false
                                            }
                                        ]
                                    }
                                },
                                {
                                    "name": "LDAPBind",
                                    "enabled": true,
                                    "config": {
                                        "destination": "${globals.ldap.ldap1.name}",
                                        "dn": "{{{item.id}}}",
                                        "password": "{{{request.password}}}"
                                    }
                                },
                                {
                                    "name": "ExportsPut",
                                    "enabled": true,
                                    "config": {
                                        "name": "username",
                                        "value": "{{{item.mail}}}",
                                        "replace": true
                                    }
                                },
                                {
                                    "name": "DumpState",
                                    "config": {
                                        "label": "*** DumpState ***"
                                    }
                                }
                            ]
                        }
                    },
                    {
                        "id": "Validate_Username_and_generate_a_OTP",
                        "config": {
                            "valves": [
                                {
                                    "name": "DumpRequest",
                                    "config": {
                                        "label": "*** DumpRequest ***"
                                    }
                                },
                                {
                                    "name": "DumpExports",
                                    "config": {
                                        "label": "*** DumpExports ***"
                                    }
                                },
                                {
                                    "name": "LDAPSearch",
                                    "enabled": true,
                                    "config": {
                                        "destination": "${globals.ldap.ldap1.name}",
                                        "base_dn": "${globals.ldap.ldap1.connection.base_dn}",
                                        "scope": "SUB",
                                        "filter": "mail={{{request.identifier}}}",
                                        "attributes": [
                                            {
                                                "name": "mail",
                                                "multivalue": false
                                            }
                                        ]
                                    }
                                },
                                {
                                    "name": "GenerateOtp",
                                    "enabled": true,
                                    "config": {
                                        "otp_length": 6,
                                        "alpha_numeric": false,
                                        "valid_time": 60,
                                        "dest_parameter": "generated_otp",
                                        "otp_parameter": "generated_otp_value"
                                    }
                                },
                                {
                                    "name": "ExportsPut",
                                    "enabled": true,
                                    "config": {
                                        "name": "generated_otp",
                                        "value": "{{{item.generated_otp}}}",
                                        "replace": true
                                    }
                                },
                                {
                                    "name": "SmtpSender",
                                    "enabled": true,
                                    "config": {
                                        "smtp_destination": "smtp01",
                                        "username_parameter": "{{{request.identifier}}}",
                                        "subject_parameter": "** Your verification code **",
                                        "message_template": "${globals.file_paths.base_dir}/config/resources_internal/mail_template/mail_template.txt",
                                        "mail_to_parameter": "{{{item.mail}}}",
                                        "mail_from_parameter": "noreply@mycompany.com",
                                        "_mail_cc_parameter": "admin@mycompany.com",
                                        "remove_prefixes": [
                                            "SMTP:",
                                            "sip:"
                                        ]
                                    }
                                },
                                {
                                    "name": "DumpState",
                                    "config": {
                                        "label": "*** DumpState ***"
                                    }
                                }
                            ]
                        }
                    },
                    {
                        "id": "Validate_the_OTP",
                        "config": {
                            "valves": [
                                {
                                    "name": "DumpRequest",
                                    "config": {
                                        "label": "*** DumpRequest ***"
                                    }
                                },
                                {
                                    "name": "DumpExports",
                                    "config": {
                                        "label": "*** DumpExports ***"
                                    }
                                },
                                {
                                    "name": "ValidateOtp",
                                    "enabled": true,
                                    "config": {
                                        "username_parameter": "{{{exports.username}}}",
                                        "otp_parameter": "{{{request.otp}}}",
                                        "src_parameter": "{{{exports.generated_otp}}}"
                                    }
                                }
                            ]
                        }
                    },
                    {
                        "id": "Retrieve_data_for_SAML_response_for_all",
                        "config": {
                            "valves": [
                                {
                                    "name": "DumpRequest",
                                    "config": {
                                        "label": "*** DumpRequest from DumpData Portal ***"
                                    }
                                },
                                {
                                    "name": "DumpExports",
                                    "config": {
                                        "label": "*** DumpExports from DumpData Portal ***"
                                    }
                                },
                                {
                                    "name": "ExportsPut",
                                    "exec_if_expr": "(exports.used_auth == ('username_password_ldap')|| exports.used_auth == ('username_lookup'))",
                                    "enabled": true,
                                    "config": {
                                        "name": "LDAP_search_filter",
                                        "value": "mail={{{request.username}}}",
                                        "replace": true
                                    }
                                },
                                {
                                    "name": "LDAPSearch",
                                    "enabled": true,
                                    "config": {
                                        "destination": "${globals.ldap.ldap1.name}",
                                        "base_dn": "${globals.ldap.ldap1.connection.base_dn}",
                                        "scope": "SUB",
                                        "filter": "{{{exports.LDAP_search_filter}}}",
                                        "attributes": [
                                            {
                                                "name": "givenName",
                                                "multivalue": false
                                            },
                                            {
                                                "name": "sn",
                                                "multivalue": false
                                            },
                                            {
                                                "name": "sAMAccountName",
                                                "multivalue": false
                                            },
                                            {
                                                "name": "mail",
                                                "multivalue": false
                                            },
                                            {
                                                "name": "displayName",
                                                "multivalue": false
                                            },
                                            {
                                                "name": "distinguishedName",
                                                "multivalue": false
                                            }
                                        ]
                                    }
                                },
                                {
                                    "name": "ExportsPut",
                                    "enabled": true,
                                    "config": {
                                        "name": "username",
                                        "value": "{{{item.mail}}}",
                                        "replace": true
                                    }
                                },
                                {
                                    "name": "ItemPropertyAdd",
                                    "enabled": true,
                                    "config": {
                                        "name": "display_name",
                                        "value": "{{{item.displayName}}}"
                                    }
                                },
                                {
                                    "name": "DumpExports",
                                    "config": {
                                        "label": "*** DumpExports****"
                                    }
                                },
                                {
                                    "name": "DumpState",
                                    "config": {
                                        "label": "*** DumpState ***"
                                    }
                                }
                            ]
                        }
                    }
                ]
            }
        }
    ]
}