Auth. methods (OIDC)

Scenario

In this use case, users will use a portal to access application in an organisation. Since Portal act as a SAML Service Provider (SP) you can decide on the SAML IdP side how users should authenticate themselves. In this use case we will use FortifiedID Integrity WEB as the SAML IdP (Identity Provider).

The IdP selector will provide one authenticator:

• Username and Password This authenticator is used to show to login using an LDAP account. As LDAP creating this use case we used an Active Directory. For username we use mail attribute on an Active Directory user.

We will use Microsoft Active Directory as user store.

Prerequisite

• FortifiedID Integrity Web current version

• Fortified Portal 2.0 current version

• LDAP directory. Location are the users to authenticate. The example code is configured to use an Active Directory. We are using mail attribute of the Active Directory user. Make sure you have two test users, Anna Anderson and Paul Holmgren, created with following LDAP attribute:

  • Anna Anderson

    • Anna Anderson (displayName)

    • annaa (sAMAccountName)

    • anna.anderson@fortifiedid.se (mail)

    • aws; citrix; office365; servicenow; slack; vmware; zoom (carlicense) Above are the apps that will be used in the use case. We store the values in the multi-value attribute CarLicense. Make sure you type in lower case.

    • Set a password

  • Paul Holmgren

    • paul Holmgren (displayName)

    • paulh (sAMAccountName)

    • paul.holmgren@fortifiedid.se (mail)

    • Google_Workspace; Office365; Zoom (carlicense) Above are the apps that will be used in the use case. We store the values in the multi-value attribute CarLicense.

    • Set a password

• Server platform. Docker, Windows or Linux. In this use case we have used a Windows server with an Active Directory.

Configuration

Download and add configuration

Remember that this use case does not describe installation of the products. Products are expected to be installed in advanced.

1. Download ZIP containing configuration for Web and Portal

   1. Click USE_CASE_LINK to download customer folders for Web and Portal.

   2. Unzip the downloaded file

2. Add Integrity WEB configuration to your environment

   1. Add the customer_WEB folder to you \..\fortifiedid\web\ folder. Rename the existing customer folder to customer_ORG and rename the added one to \customer.

3. Add Portal configuration to your environment.

   1. Add the customer_PORTAL folder to you \..\fortifiedid\portal\ folder. Rename the existing customer folder to customer_ORG and rename the added one to \customer.

Update the configuration to map your environment

The downloaded folders contains all information needed. For example, a test certificate and metadata files are included and configured to work with the example applications. However, some data needs to be changed to map your environment. You need to update the LDAP data to map your environment. Since this example was done on a Windows server you might need to update file paths if you run something else. Also the http ports might need to be changed if they are not available in your environment.

To make it easy both application folders have a file called globals.json that contains the data you need to change. Config.json uses the variables in globals.json.

1. Open globals.json for \..\fortifiedid\portal\customer\config and \..\fortifiedid\web\customer\config folder and update:

   1. LDAP data to map you environment if needed

   2. File paths

   3. HTTP if needed

2. When updated, start Integrity WEB and Portal in order described below.

   1. Start Fortified ID WEB service. Wait until service is started before moving on. Verify server.log file that service running without errors.

   2. Start Fortified ID Portal service Verify server.log file that service running without errors.

Test the use case

Login using mail as UserID and Password

1. Open a browser

2. Browse to http://localhost:8445/portal You should now be redirected to http://localhost:8443/saml/authn/auth01

3. First log in as Paul Holmgren

   1. In UserID, add paul.holmgren@fortifiedid.se and whatever password you configured then click Sign in.

   2. For Paul Holmgren the result should be:
4. Second, log in as Anna Anderson

   1. In UserID, add anna.anderson@fortifiedid.se and whatever password you configured then click Sign in.

   2. For Anna Anderson the result should be:
5. As you can see above the, in this scenario, carLicense attribute will decide what application that are available for the user.

Complete config.json file of Portal

The config.json of Web can be found in the associated zip-file in this use case.

{
	"globals": "@include:globals.json",
	"modules": [{
			"name": "CefEventModule",
			"config": {}
		},
		{
			"name": "HttpClient",
			"config": {
				"name": "default",
                "ssl_trust_all": true,
				"idle_timeout_ms": 5000,
				"connect_timeout_ms": 5000
			}
		},
		{
			"name": "Portal",
			"config": {
                "http_port": "${globals.http.port}",
				"webroot_dir": "resources/web",
				"http_use_ssl": true,
                "http_keystore_ref": {
                    "type": "${globals.keystore.https.ref.type}",
                    "path": "${globals.keystore.https.ref.path}",
                    "password": "${globals.keystore.https.ref.password}"
                },
                "http_keystore_type": "${globals.keystore.https.type}",
                "http_key_alias": "${globals.keystore.https.http_key_alias}",
                "http_key_password": "${globals.keystore.https.http_key_password}",
				"http_context": "/portal",
				"http_auth_redirect_url": "/portal/authn/login",
				"overlay_dirs": [
				"${globals.file_paths.base_dir}/config/resources_external/overlays/1_portal",
				"${globals.file_paths.base_dir}/config/resources_external/overlays/0_look_and_feel",
				"${globals.file_paths.base_dir}/config/resources_external/overlays/"
				],				
				"applications": "@include:resources_internal/applications"
			}
		},
		{
			"name": "AuthN",
			"config": {
				"http_port": "${globals.http.port}",
                "http_use_ssl": true,
                "http_keystore_ref": {
                    "type": "${globals.keystore.https.ref.type}",
                    "path": "${globals.keystore.https.ref.path}",
                    "password": "${globals.keystore.https.ref.password}"
                },
                "http_keystore_type": "${globals.keystore.https.type}",
                "http_key_alias": "${globals.keystore.https.http_key_alias}",
                "http_key_password": "${globals.keystore.https.http_key_password}",
				"authenticators": [{
					"id": "sp_portal",
					"type": "SAMLSP",
					"config": {
						"context_path": "/portal/authn/login",
						"success_location": "/portal/",
						"logout_location": "/portal/logged_out",
						"metadata_output_directory": "${globals.file_paths.base_dir}/config/resources_internal/saml_sp_metadata",
						"metadata": {
							"url": "https://localhost:8443/saml/metadata/fortifiedid_web_saml_idp_1"
						},
						"entity_id": "FortifiedID_Portal",
						"metadata_file_path": "${globals.file_paths.base_dir}/config/resources_internal/saml_sp_metadata_template/fortifiedid_portal_saml_sp_template.xml",
						"sign_ref": [{
							"keystore": {
                                        "alias": "${globals.keystore.saml.sign_ref_keystore_alias}",
                                        "key_password": "${globals.keystore.saml.sign_ref_keystore_key_password}",
                                        "password": "${globals.keystore.saml.sign_ref_keystore_password}",
                                        "path": "${globals.keystore.saml.sign_ref_keystore_path}"
                                    }
						}]
					}
				}]
			}
		}
	]
}