Dependency-Track - protect with eID MFA and SSO

Authenticate to Dependency-Track, using Freja as the authentication method.

Scenario

In this use case there is one scenario:

MFA authentication to Dependency-Track. In this scenario you will login using your Freja eID. The integration between Dependency-Track and Integrity Access is based on OpenID Connect (OIDC).

Dependency-Track is an analysis platform to identity and reduce risk in the software supply chain.

This scenario could easily be copied and modified to fulfill:

Using other MFA methods to authenticate to Dependency-Track, such as SITHS, EFOS, Freja, Norwegian ID-porten, Foreign eID (eIDAS), eduID, Suomi.fi, FIDO, OTP, Oath.
Perform user authorization lookups before letting the user through to Dependency-Track.

Single-Sign-On (SSO) is enabled by default.

Prerequisite

FortifiedID Integrity Access current version installed
Freja certificate. To be able to communicate with Freja backend.
Dependency-Track administration rights.
Host (DNS) name of the Integrity service (external access)
Outgoing TCP/443 communication. To be able to communicate with Freja backend services.

Configuration

Download and add configuration

Remember that this use case does not describe installation of the products. Products are expected to be installed in advance.

Download ZIP containing configuration for Access
1. Click USE_CASE_LINK to download customer folder for Web.
Add Integrity Access configuration to your environment.
1. Rename the existing customer folder to customer_ORG. Add the customer folder to your \..\fortifiedid\web\ folder.

Update the Dependency-Track configuration

Create group for OpenID Connect

Login to Dependency-Track as an administrator
Select Administration->Access Management
Select OpenID Connect Groups
Create a new group called DTRACK_FORTIFIED_USERS. This group will be propagated from the OpenID Connect Provider.
Map the new group to one or more teams (which controls permissions). Example:

Update OpenID Connect settings

Open the docker-compose.yml file
Add these environment variables to the apiservice container: ALPINE_OIDC_ENABLED: true ALPINE_OIDC_CLIENT_ID: "dependency-tracker" ALPINE_OIDC_ISSUER: "https://<integrity_dns_name>/oidc/fidrealm" ALPINE_OIDC_USERNAME_CLAIM: "preferred_username" ALPINE_OIDC_TEAMS_CLAIM: "groups" ALPINE_OIDC_USER_PROVISIONING: true ALPINE_OIDC_TEAM_SYNCHRONIZATION: true

Change <integrity_dns_name> to the host name of your integrity instance.

Add these environment variables to the frontend container: OIDC_ISSUER: "https://<integrity_dns_name>/oidc/fidrealm" OIDC_CLIENT_ID: "dependency-tracker" OIDC_LOGIN_BUTTON_TEXT: "Logga in med Fortified ID"

Change <integrity_dns_name> to the host name of your integrity instance.

Save and close docker-compose.yml

Update the Integrity configuration to map your environment

The downloaded folders contains all information needed. For example, a test certificate and metadata files are included. However, some data needs to be changed to map your environment. Also the http ports might need to be changed if they are not available in your environment.

Integrity Access

In this section we will look at parts of the configuration and add/replace data for your environment. In this use case we are using the globals concept which is using variables to easily replace data specific to an environment or if a value is used in many places just update it in one place.

Open the file customer/config/globals.json. Change according to the instructions below.

base_dir
1. base_dir is the top folder where data is located that you do not want to be overwritten by an upgrade. Update the base_dir folder to map your installation.
  1. For Windows the value should be: "base_dir": "../customer"
  2. For Docker, the value should be: "base_dir": ".",
```
"base_dir": "../customer"
```
http
Update the http information to map your environment. This is the port that Integrity Web will use to host the SAML IdP service. ! The recommendation is to always use SSL to encrypt the communication to Integrity Web.
```
 "http": {
            "http_port": 443,
            "http_use_ssl": true
        }
        
```
oidc
Update the oidc information to map your environment. oidc_op_address is the integrity host name, including https. rps.redirect_uri should be changed to https and the name of your dependency-track host. Leave the uri unchanged.

  "oidc": {
        "oidc_op_address": "https://<integrity_dns_name>",
        "rps": [
            {
                "client_id": "dependency-tracker",
                "client_secret": "not_applicable",
                "redirect_uri": [
                    "https://<dependencytrack_dns_name>/static/oidc-callback.html"
                ]
            }
        ]
    }

keystore - oidc The keystore used to sign JWT identity- and access tokens. For test environments, you may use the test certificate provided by us, if so you do not need to change anything. For production environments, you should use your own keystore and update the values below to point to that keystore.
```
  "keystore": {
        "oidc": {
            "keystore_path": "${globals.file_paths.base_dir}/config/resources_internal/certificates/fortifiedid.p12",
            "password": "password",
            "alias": "fortifiedidab"
        }
    }
```

Save the globals.json file.

Restart the Integrity web service and verify the start by looking through the server.log file.

Restart dependency-track

Restart the dependency-track containers. docker compose down docker compose up -d

Testing the use case

Browse to https://<dependencytrack_dns_name> and select Logga in med Fortified ID
You should be redirected to the OP (integrity access)
Authenticate with Freja
You should be redirected back to Dependency-Track with an authorization Code.
You should now be logged in to Dependency-Track.

Check server.log file to find errors. Fix accordingly.

PreviousLogout page NextDigitala Nationella Prov (DNP) / Skolfederation

Last updated 2 months ago