...
- A 3rd party Identity Provider that sends user identity information in HTTP headers to the HTTP Header Authentication Provider.
- Time synchronization is required between UAS and the HTTP Header Authentication Provider. If this is not possible for some isolated test case, it can be worked around by setting the UAS server's time slightly ahead of the Authentication Provider's, but this is under no circumstances a recommended practice, especially in a production environment.
- For information about the Network Time Protocol, refer to the following URLs.
- httpheaderap-x.x.xxxx.zip – for installation on all platforms
- The import script used to create LDAP entries when installing UAS
...
Listing 1. Extract the zip file

```
cd /d "C:\Program Files\Ubisecure"
unzip httpheaderap-X.X.XXXX.zip
```
As a result, the following directory structure is created:
Listing 2. Directory structure

```
httpheaderap
├───ldap
├───logs
└───webapp
    └───WEB-INF
        ├───classes
        ├───lib
        └───uap
            └───metadata
```
...
Create a SAML identity provider configuration by running the following command, giving the base URL of the provider. Note that the java command must be found in PATH to run this command.

Listing 3. Create SAML configuration

```
cd /d "C:\Program Files\Ubisecure\httpheaderap"
java -jar webapp\WEB-INF\lib\ubisaml2.jar Generate https://example.com/httpheaderap -o webapp\WEB-INF\uap -y -disable SingleLogoutService
```
...
By default, the log files are written to the following directory.

Listing 4. Default location of log files in Windows installation

```
c:\Program Files\Ubisecure\httpheaderap\logs
```
In Unix installations, the log directory must be configured manually by modifying the log configuration file in the following location.
Listing 5. Location of the log configuration

```
httpheader/webapp/WEB-INF/uap/log4j.properties
```
In Unix installations, the recommended location of the log files is the following directory.
Listing 6. Recommended location of log files in Unix installation

```
/usr/local/httpheaderap/logs
```
...
The HTTP headers set by the 3rd party Identity Provider are configured as context parameters in web.xml.

Listing 7. Location of the web.xml

```
httpheader/webapp/WEB-INF/web.xml
```
...
Additional attributes that are sent with the authentication, if present, are listed in the context parameter com.ubisecure.saml2.uap.httpheaderap.attributes as a comma-separated list. The name of the attribute sent to UAS is the same as the name of the header. This list is a whitelist: no attributes other than those in the list are sent, and a listed header that is not present in the request is not sent.

Listing 8. Example configuration using header sm_user for subject name and a list of other headers that are sent as attributes

```xml
<context-param>
    <param-name>com.ubisecure.saml2.uap.httpheaderap.subject</param-name>
    <param-value>sm_user</param-value>
</context-param>
<context-param>
    <param-name>com.ubisecure.saml2.uap.httpheaderap.attributes</param-name>
    <param-value>sm_realm,sm_universalid,sm_authtype,sm_userdn</param-value>
</context-param>
```
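As an added example (not Ubisecure's code), the following Python reads the two context parameters from a web.xml fragment like Listing 8 and applies them to a constructed set of request headers, showing the whitelist behaviour described above: only listed headers become attributes, a listed header that is absent is skipped, and any other header is ignored. Case-insensitive header matching is an assumption here, following HTTP semantics rather than anything the page states.

```python
"""Added example (not Ubisecure's code): apply the web.xml context parameters
from Listing 8 to request headers with the documented whitelist semantics.
The web.xml fragment and the header values are constructed sample data."""
import xml.etree.ElementTree as ET

SUBJECT_PARAM = "com.ubisecure.saml2.uap.httpheaderap.subject"
ATTRIBUTES_PARAM = "com.ubisecure.saml2.uap.httpheaderap.attributes"

# Constructed web.xml fragment mirroring Listing 8.
WEB_XML = """<web-app>
  <context-param>
    <param-name>com.ubisecure.saml2.uap.httpheaderap.subject</param-name>
    <param-value>sm_user</param-value>
  </context-param>
  <context-param>
    <param-name>com.ubisecure.saml2.uap.httpheaderap.attributes</param-name>
    <param-value>sm_realm,sm_universalid,sm_authtype,sm_userdn</param-value>
  </context-param>
</web-app>"""


def read_context_params(web_xml: str) -> dict:
    """Return {param-name: param-value} for every <context-param> element."""
    root = ET.fromstring(web_xml)
    return {
        cp.findtext("param-name", "").strip(): cp.findtext("param-value", "").strip()
        for cp in root.iter("context-param")
    }


def build_identity(params: dict, headers: dict) -> dict:
    """Map request headers to the subject and attributes forwarded to UAS.
    Only headers named in the whitelist are considered; a listed header that
    is missing from the request is simply not sent."""
    # Assumption: header names are matched case-insensitively, as in HTTP.
    lower = {k.lower(): v for k, v in headers.items()}
    subject_header = params[SUBJECT_PARAM]
    subject = lower.get(subject_header.lower())
    if subject is None:
        raise ValueError(f"subject header {subject_header!r} not present")
    whitelist = [h.strip() for h in params.get(ATTRIBUTES_PARAM, "").split(",") if h.strip()]
    attributes = {h: lower[h.lower()] for h in whitelist if h.lower() in lower}
    return {"subject": subject, "attributes": attributes}


if __name__ == "__main__":
    # Constructed request: sm_userdn is absent, X-Extra is not whitelisted.
    sample = {"sm_user": "alice", "sm_realm": "corp", "sm_authtype": "form", "X-Extra": "ignored"}
    print(build_identity(read_context_params(WEB_XML), sample))
```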
...
Export the SAML identity provider metadata by running the following script.
Listing 9. Creating SAML metadata file

```
cd /d "C:\Program Files\Ubisecure\httpheaderap"
java -jar webapp\WEB-INF\lib\ubisaml2.jar Metadata webapp\WEB-INF\uap -idp -f metadata.xml -y
```
...
The authentication method is added to the Ubisecure Directory by importing LDIF files. Replace the dn and cn attributes with the name of the authentication method instance and use the following scripts to import the LDIF into the Ubisecure Directory.

Listing 10. Windows

```
cd /d "C:\Program Files\Ubisecure\httpheaderap"
c:\ubisecure\ldap\adam\import.cmd ldap\httpheaderap.ldif
```

Listing 11. Linux

```
cd /usr/local/httpheaderap
sh /usr/local/ubisecure/ldap/openldap/import.sh ldap/httpheaderap.ldif
```

Listing 12. Sample contents of httpheaderap.ldif

```ldif
#
# HTTP Header Authentication Provider
#
dn: cn=httpheaderap.ubilogin.1,cn=Server,ou=System,cn=Ubilogin,dc=localhost
changetype: add
cn: httpheaderap.ubilogin.1
objectClass: top
objectClass: ubiloginAuthMethod
ubiloginAuthMethodType: SAML
ubiloginClassname: ubilogin.method.provider.saml2.AssertionConsumerMethod
ubiloginEnabled: FALSE
ubiloginTitle: httpheaderap.ubilogin.1
```
...
To use the test page, add the context parameter from Listing 13 to the HTTP Header Authentication Provider web.xml file and redeploy the HTTP Header Authentication Provider.

Listing 13. Enable test page in httpheaderap/webapp/WEB-INF/web.xml

```xml
<context-param>
    <param-name>com.ubisecure.saml2.uap.testpage</param-name>
    <param-value>true</param-value>
</context-param>
```

Now you can access the HTTP Header Authentication Provider directly using the URL https://example.com/httpheaderap/saml2/SingleSignOnService. If the HTTP headers were set and read correctly, you will see the HTTP header contents in your web browser.
...