UID/PWD (OIDC)

Use case summary

Scenario

In this scenario, we will use Postman as an OIDC Relying Party (RP) and Integrity Web as an OpenID Connect Provider (OP). The guide is designed for a Windows installation but can be adapted for Docker and Linux installations as well. The configuration will use port 8443. Authentication will be performed using a username and password against LDAP.

Prerequisite

There are some prerequisites for this use case. You will need the following:

  • Server platform: Docker, Windows or Linux. In this use case we have used a Windows server with an Active Directory and at least one LDAP account. In this example, we will use one "administrator" account and one user account.

  • The current version of FortifiedID Integrity Web is installed.

  • Basic knowledge about Postman, with Postman installed on the local computer and network access to the Integrity server. You will also need the following pre-configured Postman collection: https://download.fortifiedid.se/FID.postman_collection.zip

Note. All configuration and testing are done on the scenario server.

Configuration

Download and modify configuration

  1. To download the ZIP file containing the configuration and all other necessary files for Integrity Web, click USE_CASE_LINK to download the customer folders for the web.

  2. Copy the customer_WEB folder to your \..\fortifiedid\web\ folder. Rename the existing customer folder to customer_ORG and rename customer_WEB to customer.

Update the configuration to map to your environment

The downloaded folders contain all the files needed. For example, test certificate files are included and configured to work with the example application. However, some data needs to be changed to match your environment: update the LDAP data, update the file paths if you run something other than Windows (this example was done on a Windows server), and change the HTTP ports if they are not available in your environment. You will also need an account for the LDAP connection. You can use a regular user account for this configuration. In normal cases, an administrator account should be used.

To make this easy, the application folder has a file called globals.json that contains the data you need to change; config.json references the variables defined in globals.json.

  1. Open globals.json in the \..\fortifiedid\enrollment\customer\config and \..\fortifiedid\web\customer\config folders and update:

    1. LDAP data to match your environment

    2. File paths

    3. HTTP ports, if needed

  2. When updated, start the Integrity Web service.

    1. Wait until the Integrity Web service has started before continuing.

Test the use case

OIDC well-known information

  1. Open a browser on the Integrity Web server

  2. Browse to https://localhost:8443/oidc/tenant1/.well-known/openid-configuration

  3. Verify that the well-known page opens
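Beyond checking that the page opens, the discovery document can be validated against what this use case expects. The following Python script is an added example (not part of the original guide or the Integrity Web product); it assumes the OP address https://localhost:8443 from this scenario and uses a constructed sample document modelled on the discovery_meta block of config.json.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlparse

# Values from this use case; the localhost address is an assumption for the scenario server.
OP_ADDRESS = "https://localhost:8443"
EXPECTED_ISSUER = OP_ADDRESS + "/oidc/tenant1"
DISCOVERY_URL = EXPECTED_ISSUER + "/.well-known/openid-configuration"
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample modelled on the discovery_meta block of config.json (not a live response).
SAMPLE_DOC = {
    "issuer": EXPECTED_ISSUER,
    "authorization_endpoint": OP_ADDRESS + "/test/authn/oidc",
    "token_endpoint": EXPECTED_ISSUER + "/token-endpoint",
    "jwks_uri": EXPECTED_ISSUER + "/.well-known/openid-configuration/jwks",
    "response_types_supported": ["code"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic", "none"],
}

def check_discovery(doc, expected_issuer=EXPECTED_ISSUER):
    """Return a list of findings; an empty list means the document passes every check."""
    findings = []
    if doc.get("issuer") != expected_issuer:
        findings.append("issuer mismatch: %r" % doc.get("issuer"))
    issuer_host = urlparse(expected_issuer).netloc
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            findings.append("missing " + key)
            continue
        parsed = urlparse(url)
        # Endpoints must be served over TLS from the same host as the issuer.
        if parsed.scheme != "https" or parsed.netloc != issuer_host:
            findings.append("%s is not https on the issuer host: %s" % (key, url))
    if "code" not in doc.get("response_types_supported", []):
        findings.append("authorization code flow not advertised")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("RS256 not advertised for ID token signing")
    if "none" in doc.get("token_endpoint_auth_methods_supported", []):
        findings.append("note: token endpoint also accepts clients without a secret")
    return findings

def fetch_discovery(url=DISCOVERY_URL):
    """Fetch the live document; uses the system trust store, so the test certificate must be trusted."""
    with urllib.request.urlopen(url, context=ssl.create_default_context(), timeout=10) as resp:
        return json.load(resp)
```

Run `check_discovery(fetch_discovery())` on the scenario server once the bundled HTTPS test certificate is trusted by the local machine; the "none" finding is expected with this configuration and simply records that public clients are allowed at the token endpoint.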

Use Postman to test the OIDC flow

  1. Unzip the downloaded Postman collection file and import the collection into Postman. The collection is called "FID-OIDC-UseCases" in Postman.

  2. Open the Request "OIDC Case 4" in the "FID-OIDC-UseCases" collection

  3. Select the Authorization tab of the request

  4. Click on the "Get New Access Token" button.

  5. Enter your LDAP account username and password.

  6. Copy the content of the ID-token

  7. To verify the content of the ID-token, simply paste it into the "Encoded" section of the https://jwt.io webpage.

Note: Some of the data in the OIDC Claim are hardcoded for demonstration purposes.
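As an alternative to pasting the token into a web page, the ID token can be decoded and its claims checked locally against the values this use case configures (issuer, the hardcoded aud "app", the nonce sent in the request, and the amr "pwd" exported by the uidpwd authenticator). This Python script is an added example, not part of the original guide or the product; it assumes the issuer https://localhost:8443/oidc/tenant1 and only inspects header and claims, since verifying the RS256 signature against jwks_uri needs a JOSE library.

```python
import base64
import json
import time

# Expected values taken from this use case's config.json; the issuer host is an assumption.
EXPECTED_ISSUER = "https://localhost:8443/oidc/tenant1"
EXPECTED_AUD = "app"   # hardcoded in jwt_claims for the demo; in production it must be the RP's client_id
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat", "nonce")

def b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_id_token(token):
    """Split a compact JWS into (header, claims). The signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def check_id_token(token, nonce, now=None):
    """Return the problems found in the header and claims; an empty list means they are consistent."""
    now = time.time() if now is None else now
    header, claims = decode_id_token(token)
    problems = []
    if header.get("alg") != "RS256":   # the only algorithm the OP advertises
        problems.append("unexpected alg %r" % header.get("alg"))
    for name in REQUIRED_CLAIMS:
        if name not in claims:
            problems.append("missing claim " + name)
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")
    if claims.get("nonce") != nonce:   # must equal the nonce the RP sent in the request
        problems.append("nonce mismatch (possible replay)")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    amr = claims.get("amr")
    if "pwd" not in (amr if isinstance(amr, list) else [amr]):   # exported by the uidpwd authenticator
        problems.append("unexpected amr %r" % amr)
    return problems

def make_sample_token(claims, alg="RS256"):
    """Constructed, unsigned token for offline testing; the signature segment is a dummy."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": alg, "typ": "JWT", "kid": ""}) + "." + enc(claims) + ".c2ln"
```

Pass the ID token copied from Postman together with the nonce used in the request to `check_id_token`; the hardcoded demo claims noted above (aud "app", the static userinfo values) are what the checks are written against.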

Complete config.json file

The config.json for Integrity Web can be found in the included ZIP file associated with this use case. Note that the LdapClient connection below sets ssl_trust_all to true, which accepts any certificate presented by the LDAP server; this matches the bundled test certificates and should be reviewed before the configuration is used outside the scenario server.

{
    "globals": "@include:globals.json",
    "modules": [
        {
            "name": "CefEventModule",
            "config": {
            }
        },
        {
            "name": "LdapClient",
            "instances": 1,
            "config": {
                "name": "${globals.ldap.ldap1.name}",
                "connection": {
                    "host": "${globals.ldap.ldap1.connection.host}",
                    "port": "${globals.ldap.ldap1.connection.port}",
                    "bind_dn": "${globals.ldap.ldap1.connection.bind_dn}",
                    "bind_password": "${globals.ldap.ldap1.connection.bind_password}",
                    "use_ssl": "${globals.ldap.ldap1.connection.use_ssl}",
                    "ssl_trust_all": true
                }
            }
        },
        {
            "name": "OIDCModule",
            "enabled": true,
            "config": {
                "providers": [
                    {
                        "http_context": "/oidc",
                        "http_port": "${globals.http.port}",
                        "http_use_ssl": true,
                        "http_keystore_ref": {
                            "type": "${globals.keystore.https.ref.type}",
                            "path": "${globals.keystore.https.ref.path}",
                            "password": "${globals.keystore.https.ref.password}"
                        },
                        "http_keystore_type": "${globals.keystore.https.type}",
                        "http_key_alias": "${globals.keystore.https.http_key_alias}",
                        "http_key_password": "${globals.keystore.https.http_key_password}",
                        "discovery_meta": {
                            "issuer": "${globals.oidc.op1.oidc_op_address}/oidc/tenant1",
                            "authorization_endpoint": "${globals.oidc.op1.oidc_op_address}/test/authn/oidc",
                            "token_endpoint": "${globals.oidc.op1.oidc_op_address}/oidc/tenant1/token-endpoint",
                            "userinfo_endpoint": "${globals.oidc.op1.oidc_op_address}/oidc/tenant1/userinfo-endpoint",
                            "jwks_uri": "${globals.oidc.op1.oidc_op_address}/oidc/tenant1/.well-known/openid-configuration/jwks",
                            "end_session_endpoint": "${globals.oidc.op1.oidc_op_address}/test/authn/oidc/logout",
                            "scopes_supported": [
                                "openid"
                            ],
                            "response_types_supported": [
                                "code"
                            ],
                            "grant_types_supported": [
                                "authorization_code"
                            ],
                            "subject_types_supported": [
                                "public"
                            ],
                            "id_token_signing_alg_values_supported": [
                                "RS256"
                            ],
                            "token_endpoint_auth_methods_supported": [
                                "client_secret_post",
                                "client_secret_basic",
                                "none"
                            ],
                            "claims_supported": [
                                "iss",
                                "ver",
                                "sub",
                                "given_name",
                                "family_name"
                            ],
                            "request_parameter_supported": true
                        },
                        "tenant_op_path": "/tenant1",
                        "keystore": {
                            "path": "${globals.keystore.oidc.path}",
                            "password": "${globals.keystore.oidc.password}",
                            "type": "${globals.keystore.oidc.type}",
                            "alias": "${globals.keystore.oidc.alias}"
                        },
                        "sign_jwt_keystore_password": "${globals.keystore.oidc.password}",
                        "sign_jwt_keystore_alias": "${globals.keystore.oidc.alias}",
                        "rps": [
                            {
                                "client_id": "${globals.oidc.op1.client_id}",
                                "client_secret": "${globals.oidc.op1.client_secret}",
                                "redirect_uri": [
                                    "${globals.oidc.op1.redirect_uri}"
                                ],
                                "post_logout_redirect_uris": [
                                    "${globals.oidc.op1.post_logout_redirect_uris}"
                                ],
                                "pipe_id": "oidc_pre_pipe"
                            }
                        ]
                    }
                ]
            }
        },
        {
            "name": "AuthN",
            "enabled": true,
            "config": {
                "context_path": "/authn",
                "webroot_dir": "web",
                "http_port": "${globals.http.port}",
                "http_use_ssl": true,
                "http_keystore_ref": {
                    "type": "${globals.keystore.https.ref.type}",
                    "path": "${globals.keystore.https.ref.path}",
                    "password": "${globals.keystore.https.ref.password}"
                },
                "http_keystore_type": "${globals.keystore.https.type}",
                "http_key_alias": "${globals.keystore.https.http_key_alias}",
                "http_key_password": "${globals.keystore.https.http_key_password}",
                "authenticators": [
                    {
                        "id": "oidc",
                        "type": "OIDCAuthCodeFlow",
                        "config": {
                            "base_path": "/test/authn",
                            "failure_location": "/authn/failure.html",
                            "simple_logout": true,
                            "required_request_parameters": [
                                "response_type",
                                "client_id",
                                "redirect_uri",
                                "scope"
                            ],
                            "required_authenticators": [
                                "uidpwd"
                            ],
                            "jwt_headers": {
                                "kid": ""
                            },
                            "jwt_claims": {
                                "secret_id": "{{{session.id}}}",
                                "aud": "app",
                                "sub": "{{{item.subject}}}",
                                "nonce": "{{{request.nonce}}}",
                                "test_boolean": true,
                                "family_name": "{{{item.sn}}}",
                                "given_name": "{{{item.givenName}}}",
                                "name": "{{{item.displayName}}}",
                                "amr": "{{{item.amrRef}}}"
                            },
                            "userinfo_claims": {
                                "secret_id": "{{{session.id}}}",
                                "userinfo_claim_test": "static_claim",
                                "email": "[email protected]",
                                "email_verified": true,
                                "subject": "{{{item.subject}}}"
                            },
                            "token_endpoint_ttl": 60000,
                            "userinfo_endpoint_ttl": 60000,
                            "keystore": {
                                "path": "${globals.keystore.oidc.path}",
                                "password": "${globals.keystore.oidc.password}",
                                "type": "${globals.keystore.oidc.type}",
                                "alias": "${globals.keystore.oidc.alias}"
                            },
                            "sign_jwt_keystore_password": "${globals.keystore.oidc.password}",
                            "sign_jwt_keystore_alias": "${globals.keystore.oidc.alias}",
                            "rps": [
                                {
                                    "client_id": "${globals.oidc.op1.client_id}",
                                    "client_secret": "${globals.oidc.op1.client_secret}",
                                    "redirect_uri": [
                                        "${globals.oidc.op1.redirect_uri}"
                                    ],
                                    "post_logout_redirect_uris": [
                                        "${globals.oidc.op1.post_logout_redirect_uris}"
                                    ],
                                    "pipe_id": "oidc_pre_pipe"
                                }
                            ]
                        }
                    },
                    {
                        "id": "uidpwd",
                        "type": "UserNameAndPassword",
                        "config": {
                            "base_path": "/test/authn",
                            "context_path": "/test/authn/uidpwd",
                            "pipe_id": "user_password_pipe",
                            "webroot_dir": "web/authenticator/username_password",
                            "exports": [
                                {
                                    "name": "amrRef",
                                    "value": "pwd"
                                }
                            ]
                        }
                    }
                ]
            }
        },
        {
            "name": "Pipes",
            "config": {
                "pipes": [
                    {
                        "id": "user_password_pipe",
                        "config": {
                            "valves": [
                                {
                                    "name": "LDAPSearch",
                                    "config": {
                                        "destination": "${globals.ldap.ldap1.name}",
                                        "base_dn": "${globals.ldap.ldap1.connection.base_dn}",
                                        "scope": "SUB",
                                        "filter": "sAMAccountName={{{request.identifier}}}",
                                        "attributes": [
                                        ]
                                    }
                                },
                                {
                                    "name": "LDAPBind",
                                    "config": {
                                        "destination": "${globals.ldap.ldap1.name}",
                                        "dn": "{{{item.id}}}",
                                        "password": "{{{request.password}}}"
                                    }
                                }
                            ]
                        }
                    },
                    {
                        "id": "oidc_pre_pipe",
                        "config": {
                            "valves": [
                                {
                                    "name": "LDAPSearch",
                                    "config": {
                                        "destination": "${globals.ldap.ldap1.name}",
                                        "base_dn": "${globals.ldap.ldap1.connection.base_dn}",
                                        "scope": "SUB",
                                        "filter": "sAMAccountName={{{request.username}}}",
                                        "attributes": "givenName,sn,displayname"
                                    }
                                }
                            ]
                        }
                    }
                ]
            }
        }
    ]
}
