02 - Directory, Basic Authn, SSO Agent
This example shows how to configure a directory identity source and basic authentication in our identity provider. The test applications (service providers) are two Java web applications running on Tomcat; our IAM.tf SSO Agent runs as a server component providing SSO capabilities.
We use docker compose to initialize and run all the components.
You can view the example on GitHub.
Running the example
You can start all the necessary components by running the following command:
docker-compose up
You will see the logs from all containers starting. After a few seconds, you can access both test applications at:
You can use the following credentials to log in: user1 / user1pwd
Tips
This is the same code base deployed twice, so the UI will be the same for both applications.
Terraform Configuration
Identity Provider
This configuration represents our identity provider. We use the authn_bind_ldap authentication mechanism, which means that the identity provider performs an LDAP bind with the credentials entered by the user. If the bind succeeds, the user is considered authenticated. This avoids reading password values from the LDAP server at all: the directory verifies the password, and the identity provider never sees the stored value. Properties used by the authn_bind_ldap element are similar to those used by the iamtf_idsource_ldap identity source element.
resource "iamtf_idp" "idp-1" {
ida = iamtf_identity_appliance.myiam-02.name
name = "idp-1"
keystore {
resource = filebase64("./saml.p12")
password = "changeme"
}
authn_bind_ldap {
priority = 0
provider_url = "ldap://openldap:1389"
username = "cn=admin,dc=devsso1,dc=atricore,dc=com"
password = "secret"
authentication = "simple"
password_policy = "none"
perform_dn_search = false
// Users
users_ctx_dn = "ou=users,dc=devsso1,dc=atricore,dc=com"
userid_attr = "uid"
saml_authn_ctx = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
referrals = "follow"
operational_attrs = true
}
id_sources = [iamtf_idsource_ldap.sso-users.name]
}
Identity Source
This identity source represents our directory server. It could also be Active Directory. Because the directory used to retrieve user information and the directory used for authentication may be different, some properties are repeated here with the same values used in the previous authentication element.
resource "iamtf_idsource_ldap" "sso-users" {
ida = iamtf_identity_appliance.myiam-02.name
name = "sso-users"
provider_url = "ldap://openldap:1389"
username = "cn=admin,dc=devsso1,dc=atricore,dc=com"
password = "secret"
// Groups
groups_ctx_dn = "ou=groups,dc=devsso1,dc=atricore,dc=com"
groupid_attr = "cn"
groupmember_attr = "member"
// Users
users_ctx_dn = "ou=users,dc=devsso1,dc=atricore,dc=com"
userid_attr = "uid"
// User attributes
user_attributes {
attribute = "cn"
claim = "first_name"
}
user_attributes {
attribute = "sn"
claim = "last_name"
}
// User attributes
user_attributes {
attribute = "mail"
claim = "email"
}
}
Directory Configuration
This is the LDIF file used to initialize the directory. It includes sample users and groups; note that the sample passwords are stored in clear text and are for this example only.
version: 1

dn: dc=devsso1,dc=atricore,dc=com
objectClass: organization
objectClass: dcObject
dc: devsso1
o: sso

dn: ou=users,dc=devsso1,dc=atricore,dc=com
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=devsso1,dc=atricore,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=user1,ou=users,dc=devsso1,dc=atricore,dc=com
objectClass: shadowAccount
objectClass: posixAccount
objectClass: inetOrgPerson
cn: User1
gidNumber: 1000
homeDirectory: /home/user1
sn: Bar1
uid: user1
uidNumber: 1000
userPassword: user1pwd
mail: user1@atricore.com

dn: uid=user2,ou=users,dc=devsso1,dc=atricore,dc=com
objectClass: shadowAccount
objectClass: posixAccount
objectClass: inetOrgPerson
cn: User2
gidNumber: 1001
homeDirectory: /home/user2
sn: Bar2
uid: user2
uidNumber: 1001
userPassword: user2pwd
mail: user2@atricore.com

dn: cn=role1,ou=groups,dc=devsso1,dc=atricore,dc=com
objectClass: groupOfNames
cn: role1
member: uid=user1,ou=users,dc=devsso1,dc=atricore,dc=com
member: uid=user2,ou=users,dc=devsso1,dc=atricore,dc=com

dn: cn=role2,ou=groups,dc=devsso1,dc=atricore,dc=com
objectClass: groupOfNames
cn: role2
member: uid=user1,ou=users,dc=devsso1,dc=atricore,dc=com
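The following script is an added example, not code from the IAM.tf project or from this example's repository. It ties the three pieces above together offline: the authn_bind_ldap step (the identity provider composes the user DN from userid_attr and users_ctx_dn, which is how this example reads perform_dn_search = false, and then binds with the password the user typed), followed by the iamtf_idsource_ldap step (attribute-to-claim mapping and group resolution through the member attribute). A real LDAP server is replaced by an in-memory store loaded from the user and group entries of the LDIF above, so it runs without docker or a directory. The function names (parse_ldif, user_dn, ldap_bind, authenticate) are this example's own and are not provider API; the LDAP-style DN validation in user_dn is an assumption about what a bind-based authenticator should reject, not documented provider behaviour.

```python
import hmac

# Values copied from the Terraform resources above.
USERS_CTX_DN = "ou=users,dc=devsso1,dc=atricore,dc=com"
USERID_ATTR = "uid"
GROUPS_CTX_DN = "ou=groups,dc=devsso1,dc=atricore,dc=com"
GROUPID_ATTR = "cn"
GROUPMEMBER_ATTR = "member"
CLAIM_MAP = {"cn": "first_name", "sn": "last_name", "mail": "email"}

# User and group entries taken from the LDIF above (organizational units omitted),
# embedded so the example is self-contained.
LDIF = """\
dn: uid=user1,ou=users,dc=devsso1,dc=atricore,dc=com
objectClass: inetOrgPerson
cn: User1
sn: Bar1
uid: user1
userPassword: user1pwd
mail: user1@atricore.com

dn: uid=user2,ou=users,dc=devsso1,dc=atricore,dc=com
objectClass: inetOrgPerson
cn: User2
sn: Bar2
uid: user2
userPassword: user2pwd
mail: user2@atricore.com

dn: cn=role1,ou=groups,dc=devsso1,dc=atricore,dc=com
objectClass: groupOfNames
cn: role1
member: uid=user1,ou=users,dc=devsso1,dc=atricore,dc=com
member: uid=user2,ou=users,dc=devsso1,dc=atricore,dc=com

dn: cn=role2,ou=groups,dc=devsso1,dc=atricore,dc=com
objectClass: groupOfNames
cn: role2
member: uid=user1,ou=users,dc=devsso1,dc=atricore,dc=com
"""


def parse_ldif(text):
    """Minimal LDIF parser: entries are separated by blank lines, each line is
    'attr: value', multi-valued attributes become lists. Keyed by DN."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(": ")
            attrs.setdefault(name, []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries


DIRECTORY = parse_ldif(LDIF)  # stands in for the openldap container


def user_dn(login):
    """perform_dn_search = false: the DN is composed, not searched for.
    Reject DN metacharacters so the login cannot change the DN structure
    (this check is the example's own, not documented provider behaviour)."""
    if not login or any(ch in login for ch in ",=+<>#;\\\"\x00"):
        raise ValueError("invalid login")
    return f"{USERID_ATTR}={login},{USERS_CTX_DN}"


def ldap_bind(dn, password):
    """Stand-in for an LDAP simple bind: the directory, not the IdP, checks the
    password. A real server compares against a hashed userPassword; the sample
    LDIF stores it in clear, so compare here in constant time."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return False
    stored = entry.get("userPassword", [""])[0]
    return hmac.compare_digest(stored.encode(), password.encode())


def authenticate(login, password):
    """The IdP flow: bind as the user, then map attributes to claims and
    resolve the groups whose member attribute lists the user's DN."""
    dn = user_dn(login)
    if not ldap_bind(dn, password):
        return None
    entry = DIRECTORY[dn]
    claims = {claim: entry[attr][0] for attr, claim in CLAIM_MAP.items() if attr in entry}
    groups = sorted(
        g[GROUPID_ATTR][0]
        for gdn, g in DIRECTORY.items()
        if gdn.endswith("," + GROUPS_CTX_DN) and dn in g.get(GROUPMEMBER_ATTR, [])
    )
    return {"dn": dn, "claims": claims, "groups": groups}


if __name__ == "__main__":
    print(authenticate("user1", "user1pwd"))  # claims plus groups role1 and role2
    print(authenticate("user2", "wrong"))     # None: bind failed
```

Running it shows user1 authenticated with first_name, last_name and email claims and membership in role1 and role2, while a wrong password yields no result. The point to take from the bind step is that the script never compares against a password it fetched itself; it asks the directory (here, the stand-in) to verify, which is exactly what authn_bind_ldap buys you over reading userPassword through the identity source.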