Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space IDS and version 8.2

...

  • A 3rd party Identity Provider that send user identity information in http headers to HTTP Header Authentication Provider.
  • Time synchronization is required between the UAS and HTTP Header Authentication Provider. If this is not possible for some isolated test case, this can be worked around by setting the UAS server's time slightly ahead of the Authentication Provider, but this is under no circumstances a recommended practice, especially in a production environment.
  • For information about the Network Time Protocol, refer to following URLs.

Required Files

  • httpheaderap-x.x.xxxx.zip – for installation on all platforms
  • The import script used to create LDAP entries when installing UAS

...

Extracting the Distribution Package

Code Block
theme
languagetextRDark
titleListing 1. Extract the zip file
cd /d "C:\Program Files\Ubisecure"unzip httpheaderap-X.X.XXXX.zip

As a result, the following directory structure is created:

Code Block
languagetextthemeRDark
titleListing 2. Directory structure
httpheaderap
├───ldap
├───logs
└───webapp
	└───WEB-INF
		├───classes
		├───lib
		└───uap
			└───metadata

...

Create a SAML identity provider configuration by running the following script containing base URL. Please note that the java command must be found in PATH to run this script.

Code Block
languagetextthemeRDark
titleListing 3. Create SAML configuration
cd /d "C:\Program Files\Ubisecure\httpheaderap"
java -jar webapp\WEB-INF\lib\ubisaml2.jar Generate https://example.com/httpheaderap -o webapp\WEB-INF\uap -y -disable SingleLogoutService

...

By default, the log files are generated to the following directory.

Code Block
languagetext
themeRDark
titleListing 4. Default location of log files in Windows installation
c:\Program Files\Ubisecure\httpheaderap\logs


In Unix installations, the log directory must be configured manually by modifying the log configuration file in the following location.

Code Block
languagetextthemeRDark
titleListing 5. Location of the log configuration
httpheader/webapp/WEB-INF/uap/log4j.properties


In Unix installations, the recommended location of the log files is the following directory.

Code Block
languagetextthemeRDark
titleListing 6. Recommended location of log files in Unix installation
/usr/local/httpheaderap/logs

...

The http header set by 3rd party Identity Provider are set to context parameters in web.xml.

Code Block
languagetext
themeRDark
titleListing 7. Location of the web.xml
httpheader/webapp/WEB-INF/web.xml

...

Additional attributes that will be sent with authentication if present are set to context parameter com.ubisecure.saml2.uap.httpheaderap.attributes in a comma separated list. The name of the attribute sent to UAS is the same as the name of the header. This list is a white list, meaning that no other attributes are sent than those present in this list and if header is not present, it is not sent.

Code Block
languagetextthemeRDark
titleListing 8. Example configuration using header sm_user for subject name and a list of other headers that are sent as attributes.
    <context-param>
        <param-name>com.ubisecure.saml2.uap.httpheaderap.subject</param-name>
        <param-value>sm_user</param-value>
    </context-param>
 
    <context-param>
        <param-name>com.ubisecure.saml2.uap.httpheaderap.attributes</param-name>
        <param-value>sm_realm,sm_universalid,sm_authtype,sm_userdn</param-value>
    </context-param>

...

Export the SAML identity provider metadata by running the following script.

Code Block
theme
languagetextRDark
titleListing 9. Creating SAML metadata file
cd /d "C:\Program Files\Ubisecure\httpheaderap"
java -jar webapp\WEB-INF\lib\ubisaml2.jar Metadata webapp\WEB-INF\uap -idp -f metadata.xml -y

...

The authentication method is added to the Ubisecure Directory by importing LDAP LDIF script files. Replace the dn and cn attributes with the name of the authentication method instance and use the following scripts to import the LDIF to Ubisecure Directory.

Code Block
languagetext
themeRDark
titleListing 10. Windows
cd /d "C:\Program Files\Ubisecure\httpheaderap"
c:\ubisecure\ldap\adam\import.cmd ldap\httpheaderap.ldif


Code Block
languagetextthemeRDark
titleListing 11. Linux
cd /usr/local/httpheaderap
sh /usr/local/ubisecure/ldap/openldap/import.sh ldap/httpheaderap.ldif


Code Block
theme
languagetextRDark
titleListing 12. Sample contents of httpheaderap.ldif
#
# HTTP Header Authentication Provider
# 
dn: cn=httpheaderap.ubilogin.1,cn=Server,ou=System,cn=Ubilogin,dc=localhost
changetype: add
cn: httpheaderap.ubilogin.1
objectClass: top
objectClass: ubiloginAuthMethod
ubiloginAuthMethodType: SAML
ubiloginClassname: ubilogin.method.provider.saml2.AssertionConsumerMethod
ubiloginEnabled: FALSE
ubiloginTitle: httpheaderap.ubilogin.1

...

Use the context parameter from Listing 13 in the HTTP Header Authentication Provider web.xml file and redeploy HTTP Header Authentication Provider to use the test page.

Code Block
languagetextthemeRDark
titleListing 13. Enable test page in httpheaderap/webapp/WEB-INF/web.xml
<context-param>
    <param-name>com.ubisecure.saml2.uap.testpage</param-name>
    <param-value>true</param-value>
</context-param>

Now you can access the HTTP Header Authentication Provider directly using the URL https://example.com/httpheaderap/saml2/SingleSignOnService. If the HTTP headers were set and read correctly you will see the http header contents on your web browser. 

...