LDAP (Username/Password)

Scenario

In this scenario, a web resource, Fortified ID Portal, will use an external SAML IdP for authentication.

The web resource Fortified ID Portal will act as an SAML SP. The external SAML IdP is Fortified ID WEB. On the SAML IdP their will be one authentication method which is username and password. Username and password will be authenticated against an Active Directory.

Prerequisite

This use case assumes that you have good knowledge of the product in question.
Fortified ID WEB installed and configured
LDAP directory. Location are the users to authenticate. The example code is configured using an Active Directory. We are using mail attribute of the Active Directory user.
Fortified ID Portal installed and configured. (you can use any SAML SP connected to Fortified ID WEB SAML IdP of course).

Note. All configuration and testing is done on the scenario server.

Basic configuration of Fortified ID Web and Portal

Install and prepare configuration

Download and install Fortified ID Web and Fortified ID Portal
1. To install Integrity Web and Integrity Portal, see documentation and installation.
Add files and folders from ZIP-file to Fortified ID Web and Fortified ID Portal.
1. Download the USE_CASE.zip.
Replace the customer folders for your installations with the ones from the zip-file. Note. This use case was initially done on a Windows server, if you run Container/Docker or Linux you might have to changes something to work in your environments like file paths e.g..
Open the globals.json in both customer folders and update to match your environment.
Start services
1. Start Fortified ID WEB
2. Start Fortified ID Portal

Test the configuration

Verify services are started

Verify Fortified ID WEB is started
Verify Fortified ID Portal is started

Open a browser
Browse to https://localhost:8445/portal
1. This is the address to Fortified ID Portal acting as a SAML SP
1. Type the username and password of a user in your Active Directory.
  1. Remember that we in config is using mail attribut as username. Verify that you user has a value in mail attribute.

Complete config.json file of Fortified ID WEB

Other configuration and reference files will be found in the ZIP-file you downloaded.

{
    "globals": "@include:globals.json",
    "modules": [
        {
            "name": "CefEventModule",
            "config": {}
        },
        {
            "name": "HttpClient",
            "config": {
                "name": "default",
                "idle_timeout_ms": 5000,
                "connect_timeout_ms": 5000
            }
        },
        {
            "name": "LdapClient",
            "enabled": true,
            "instances": 1,
            "config": {
                "name": "${globals.ldap.ldap1.name}",
                "connection": {
                    "host": "${globals.ldap.ldap1.connection.host}",
                    "port": "${globals.ldap.ldap1.connection.port}",
                    "bind_dn": "${globals.ldap.ldap1.connection.bind_dn}",
                    "bind_password": "${globals.ldap.ldap1.connection.bind_password}",
                    "use_ssl": "${globals.ldap.ldap1.connection.use_ssl}",
                    "ssl_trust_all": "${globals.ldap.ldap1.connection.ssl_trust_all}"
                }
            }
        },
        {
            "name": "SAML",
            "config": {
                "metadata_cache": "${globals.saml.idp1.metadata_cache}",
                "http_port": "${globals.http.port}",
                "enable_http": true,
                "metadata_template": [
                    {
                        "id": "${globals.saml.idp1.metadata_id}",
                        "metadata_file_path": "${globals.saml.idp1.metadata_file_path}",
                        "sign_ref": [
                            {
                                "keystore": {
                                    "alias": "${globals.keystore.saml.sign_ref_keystore_alias}",
                                    "key_password": "${globals.keystore.saml.sign_ref_keystore_key_password}",
                                    "password": "${globals.keystore.saml.sign_ref_keystore_password}",
                                    "path": "${globals.keystore.saml.sign_ref_keystore_path}"
                                }
                            }
                        ]
                    }
                ],
                "metadata": [
                    {
                        "path": "${globals.file_paths.base_dir}/config/resources_internal/saml/sp_metadata_files/sp_portal.xml"
                    }
                ]
            }
        },
        {
            "name": "AuthN",
            "enabled": true,
            "config": {
                "context_path": "/authn",
                "webroot_dir": "web",
                "http_csrf": {
                    "enabled": false
                },
                "authenticators": [
                    {
                        "id": "auth00",
                        "type": "SAMLIDP",
                        "config": {
                            "context_path": "/saml/authn/chain",
                            "base_path": "/saml/authn",
                            "expiry": "PT1S",
                            "force_re_auth": false,
                            "idp": "${globals.saml.idp1.idp_entityid}",
                            "chain": [
                                {
                                    "id": "selector_root",
                                    "required": true
                                }
                            ],
                            "assertion_config": [
                                {
                                    "target_sp": [
                                        "FortifiedID_Portal"
                                    ],
                                    "nameid_parameter": "mail",
                                    "auth_context_parameter": "AuthnContextClassRef",
                                    "additional_attribute_parameter": [
                                        "givenName",
                                        "sn",
                                        "mail",
                                        "roles",
                                        "display_name",
                                        "distinguishedName"
                                    ],
                                    "pre_assertion_pipe": "Retrieve_data_for_SAML_response_for_Portal"
                                }
                            ]
                        }
                    },
                    {
                        "id": "selector_root",
                        "type": "Selector",
                        "config": {
                            "base_path": "/saml/authn",
                            "webroot_dir": "web/authenticator/selector",
                            "auto_select": false,
                            "overlay_dirs": [
                                "${globals.file_paths.base_dir}/config/resources_external/overlays/1_selector_root",
                                "${globals.file_paths.base_dir}/config/resources_external/overlays/0_look_and_feel"
                            ],
                            "options": [
                                {
                                    "id": "1",
                                    "target": "uid_pwd_ldap",
                                    "label": "ldap_label",
                                    "logo": "assets/svg/microsoft.svg"
                                }
                            ]
                        }
                    },
                    {
                        "id": "uid_pwd_ldap",
                        "type": "UserNameAndPassword",
                        "config": {
                            "base_path": "/saml/authn",
                            "webroot_dir": "web/authenticator/username_password",
                            "overlay_dirs": [
                                "${globals.file_paths.base_dir}/config/resources_external/overlays/4_main_username_password",
                                "${globals.file_paths.base_dir}/config/resources_external/overlays/0_look_and_feel"
                            ],
                            "pipe_id": "Validate_Username_Password",
                            "exports": [
                                {
                                    "name": "used_auth",
                                    "value": "username_password_ldap"
                                },
                                {
                                    "name": "AuthnContextClassRef",
                                    "value": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
                                }
                            ]
                        }
                    }
                ]
            }
        },
        {
            "name": "Pipes",
            "config": {
                "pipes": [
                    {
                        "id": "Validate_Username_Password",
                        "config": {
                            "valves": [
                                {
                                    "name": "DumpRequest",
                                    "config": {
                                        "label": "*** DumpRequest ***"
                                    }
                                },
                                {
                                    "name": "DumpExports",
                                    "config": {
                                        "label": "*** DumpExports ***"
                                    }
                                },
                                {
                                    "name": "LDAPSearch",
                                    "enabled": true,
                                    "config": {
                                        "destination": "${globals.ldap.ldap1.name}",
                                        "base_dn": "${globals.ldap.ldap1.connection.base_dn}",
                                        "scope": "SUB",
                                        "filter": "mail={{{request.identifier}}}",
                                        "attributes": [
                                            {
                                                "name": "mail",
                                                "multivalue": false
                                            }
                                        ]
                                    }
                                },
                                {
                                    "name": "LDAPBind",
                                    "enabled": true,
                                    "config": {
                                        "destination": "${globals.ldap.ldap1.name}",
                                        "dn": "{{{item.id}}}",
                                        "password": "{{{request.password}}}"
                                    }
                                },
                                {
                                    "name": "DumpState",
                                    "config": {
                                        "label": "*** DumpState ***"
                                    }
                                }
                            ]
                        }
                    },
                    {
                        "id": "Retrieve_data_for_SAML_response_for_Portal",
                        "config": {
                            "valves": [
                                {
                                    "name": "DumpRequest",
                                    "config": {
                                        "label": "*** DumpRequest från DumpData Portal****"
                                    }
                                },
                                {
                                    "name": "DumpExports",
                                    "config": {
                                        "label": "*** DumpExports från DumpData Portal****"
                                    }
                                },
                                {
                                    "name": "ExportsPut",
                                    "exec_if_expr": "exports.used_auth == ('username_password_ldap')",
                                    "enabled": true,
                                    "config": {
                                        "name": "LDAP_search_filter",
                                        "value": "mail={{{request.username}}}",
                                        "replace": true
                                    }
                                },
                                {
                                    "name": "LDAPSearch",
                                    "enabled": true,
                                    "config": {
                                        "destination": "${globals.ldap.ldap1.name}",
                                        "base_dn": "${globals.ldap.ldap1.connection.base_dn}",
                                        "scope": "SUB",
                                        "filter": "{{{exports.LDAP_search_filter}}}",
                                        "attributes": [
                                            {
                                                "name": "givenName",
                                                "multivalue": false
                                            },
                                            {
                                                "name": "sn",
                                                "multivalue": false
                                            },
                                            {
                                                "name": "sAMAccountName",
                                                "multivalue": false
                                            },
                                            {
                                                "name": "mail",
                                                "multivalue": false
                                            },
                                            {
                                                "name": "carLicense",
                                                "multivalue": true
                                            },
                                            {
                                                "name": "displayName",
                                                "multivalue": false
                                            },
                                            {
                                                "name": "distinguishedName",
                                                "multivalue": false
                                            }
                                        ]
                                    }
                                },
                                {
                                    "name": "ExportsPut",
                                    "enabled": true,
                                    "config": {
                                        "name": "username",
                                        "value": "{{{item.mail}}}",
                                        "replace": true
                                    }
                                },
                                {
                                    "name": "ItemPropertyAdd",
                                    "enabled": true,
                                    "config": {
                                        "name": "display_name",
                                        "value": "{{{item.displayName}}}"
                                    }
                                },
                                {
                                    "name": "ItemPropertyRename",
                                    "enabled": true,
                                    "config": {
                                        "old_name": "carLicense",
                                        "new_name": "roles"
                                    }
                                },
                                {
                                    "name": "DumpExports",
                                    "config": {
                                        "label": "*** DumpExports****"
                                    }
                                },
                                {
                                    "name": "DumpState",
                                    "config": {
                                        "label": "*** DumpState ***"
                                    }
                                }
                            ]
                        }
                    }
                ]
            }
        }
    ]
}