WSAuthClass for NetIQ Access Manager v1.0


Overview



This authentication class for NetIQ Access Manager (NAM) lets NAM use a remote web-service for authentication, and/or use a remote web-service to return attribute data to NAM for use in identity injection, form fill or SAML federation.

The purpose of this authentication class is that by writing a simple web service, an administrator can easily add any source for NAM authentication/attribute retrieval, such as a database or a proprietary homegrown system. The administrator does not need to understand or write to NAM's Java SDK.

Authentication via LDAP, read attributes via WebService (WsProvidesAuth=false)

  1. Authentication via LDAP. In this mode the class performs the standard LDAP authentication process; LDAP query and JSP customization parameters work as normal.

  2. Before authentication completes, the class makes an HTTP POST call to the customer-defined web-service URL.

    • The request contains a JSON document with the LDAP userDN, all user input parameters and HTTP headers, and any attributes listed in WsSendAttributes as read from LDAP, so the web service can identify and authenticate the user (example below).

  3. The customer-defined web-service must return a JSON document containing attribute:value pairs. These values are available to NAM policies as if they had been read as LDAP attributes, for use with form fill, identity injection, SAML federation, etc.



Authentication via WebService (no LDAP) (WsProvidesAuth=true)




  1. Authentication via web-service. At user authentication time, the class makes an HTTP POST call to the customer-defined web-service.

    • The request contains a JSON document with all user input parameters and HTTP headers so the web service can identify and authenticate the user (example below).

  2. The web service must return a JSON document that includes:

    • A userDN value. This can be any value the web service can guarantee to be unique for a specific user; it does not need to be a valid DN in any configured LDAP repository.

    • attribute:value pairs. These values are available to NAM policies as if they had been read as LDAP attributes, for use with form fill, identity injection, SAML federation, etc.

  3. No LDAP calls are made; in fact, an LDAP directory is not required. The NAM administration GUI requires that an LDAP directory be set, so any "dummy" directory can be defined (such as the admin console's own built-in directory); it will not be contacted when this authentication class is configured with WsProvidesAuth=true.



    Installation

    1. Copy the WSAuthClass.jar file to the nidp/WEB-INF/lib directory on all IDP servers. The actual location varies by OS and NAM version; searching for "nidp.jar" reveals the correct location.

    2. Copy the additional *.jar files from the lib directory to the same place you copied WSAuthClass.jar.

    3. Create a new class in the NAM admin console: IDP Cluster -> Edit -> Local -> Classes -> New.

      • Set the DisplayName to "WSAuthCookieClass".

      • Set the Java class to "Other".

      • Set the Java class path to "com.novell.jrivard.nam.wsAuth.WSAuthClass".

    4. Create a method and contract utilizing the new class as appropriate.



    Class Properties

    Property          | Description
    ------------------|-----------------------------------------------------------------------------------------
    WsProvidesAuth    | Indicates if the remote service provides authentication. Default is false (see above).
    WsURL             | Required. The URL of the remote service.
    WsTimeoutMs       | Timeout (in milliseconds) of the HTTP request. Default is 30000 (30 seconds).
    WsPromiscuousSSL  | If true, do not validate the remote HTTPS web-service's certificate. Useful during
                      | setup/testing, but must never be set to true on a production system: without
                      | certificate validation anyone on the path can impersonate the web-service and
                      | hand NAM arbitrary attributes (or, with WsProvidesAuth=true, arbitrary userDNs).
    WsFailAuthOnError | If true, treat the authentication as failed when the web-service is unreachable or
                      | returns an error. Default is true. Only applies when WsProvidesAuth=false; when the
                      | web-service is the authentication source an unreachable service cannot
                      | authenticate anyone.
    WsSendAttributes  | A comma-separated list of LDAP attributes to send to the remote service. Only
                      | applies when WsProvidesAuth=false.
    WsRequestKey      | An optional string sent as part of the request, to be used by the web-service to
                      | verify that the request is coming from this auth class.
    WsResponseKey     | An optional string that the auth class will verify is present in a response from
                      | the web-service.


    Request Example




    POST /example/serviceUrl HTTP/1.1
    Content-Type: application/json; charset=utf-8
    Content-Length: <length>
    Accept: application/json

    {
    "userDN":"cn=example,o=org", /* sent only when WsProvidesAuth=false */
    "key":"magicKey123", /* sent only when WsRequestKey has a value */
    "attributes":{ /* sent only when WsProvidesAuth=false */
    "givenName":"Jason",
    "sn":"Rivard"
    },
    "parameters":{
    "sid":"1",
    "Ecom_User_ID":"jason",
    "target":"https://application.example.org/",
    "option":"credential",
    "Ecom_Password":"password"
    },
    "headers":{
    "content-type":"application/x-www-form-urlencoded",
    "cookie":"JSESSIONID\u003d0EFB077955837D4D4D0B07C59E8C10F3; ZNPCQ003-33333300\u003d3b128ab9",
    "connection":"keep-alive",
    "accept-language":"en-US,en;q\u003d0.5",
    "host":"login.mynam.org",
    "content-length":"99",
    "accept":"text/html,application/xhtml+xml,application/xml;q\u003d0.9,*/*;q\u003d0.8",
    "Via":"1.1 login.mynam.org (Access Gateway-ag-C1CB3958E1140CA3-1184)",
    "user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
    "referer":"https://login.mynam.org/nidp/idff/sso?sid\u003d1",
    "accept-encoding":"gzip"
    }
    }

    The /* ... */ annotations are not part of the JSON the class sends; "=" characters appear as "\u003d" because of the JSON serializer used. Note what the request carries: the user's clear-text password (Ecom_Password) and the browser's cookies for the IDP, including the JSESSIONID. The web-service is therefore a credential-handling component: expose it only over HTTPS with WsPromiscuousSSL=false, restrict it to the IDP servers, verify WsRequestKey, and make sure the service does not write request bodies or headers to its logs.



    Response Example




    HTTP/1.1 200 OK
    Content-Type: application/json
    Content-Length: <length>

    {
    "userDN":"cn=example,o=org", /* required when WsProvidesAuth=true */
    "key":"magicKey456", /* sent and verified only when WsResponseKey has a value */
    "attributes":{
    "givenName":"George",
    "sn":"Washington",
    "workforceID":"000000001"
    }
    }

    As with the request, the /* ... */ annotations are not part of the document the web-service returns.
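    The following is an added example of the web-service side of the exchange described in the two mode sections and the request/response examples above. It is not code from the page or from the WSAuthClass project. It serves both modes: with WsProvidesAuth=false it receives userDN plus the WsSendAttributes values and returns extra attributes; with WsProvidesAuth=true it verifies Ecom_User_ID/Ecom_Password itself and returns a unique userDN plus attributes. The shared keys, user store, attribute table, port and the choice of HTTP status codes for failures are assumptions made for the example; the page does not state which status the auth class treats as "an error".

```python
"""Minimal WSAuthClass back-end web service (added example, not the project's code).

Assumptions (not from the page): the shared keys and user data below are
constructed; a non-200 status is assumed to be what the auth class treats as
an error (see WsFailAuthOnError); bad credentials are answered with 401.
"""
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed shared secrets: must equal WsRequestKey / WsResponseKey in the NAM class.
REQUEST_KEY = "magicKey123"
RESPONSE_KEY = "magicKey456"
_SALT = b"example-only-static-salt"   # constructed; use a per-user random salt in practice


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed user store for WsProvidesAuth=true, keyed by the Ecom_User_ID form field.
USERS = {
    "jason": {
        "hash": _hash_password("password", _SALT),
        "userDN": "uid=jason,o=webservice",  # any per-user unique value; need not be a real DN
        "attributes": {"givenName": "Jason", "sn": "Rivard", "workforceID": "000000001"},
    },
}

# Constructed attribute source for WsProvidesAuth=false, keyed by the LDAP userDN NAM sends.
EXTRA_ATTRIBUTES = {
    "cn=example,o=org": {"workforceID": "000000001", "costCenter": "4711"},
}


def request_key_ok(body):
    """WsRequestKey check, in constant time so the key cannot be recovered by timing."""
    sent = str(body.get("key", ""))
    return hmac.compare_digest(sent.encode("utf-8"), REQUEST_KEY.encode("utf-8"))


def attributes_for_ldap_user(body):
    """WsProvidesAuth=false: NAM already authenticated the user; only enrich attributes."""
    user_dn = body.get("userDN")
    if not user_dn:
        return None
    return {"attributes": dict(EXTRA_ATTRIBUTES.get(user_dn, {}))}


def authenticate_with_form(body):
    """WsProvidesAuth=true: verify Ecom_User_ID / Ecom_Password from the NAM login form."""
    params = body.get("parameters", {})
    login = str(params.get("Ecom_User_ID", ""))
    password = str(params.get("Ecom_Password", ""))
    record = USERS.get(login)
    # Hash even for unknown users so a missing account costs the same time as a bad password.
    candidate = _hash_password(password, _SALT)
    if record is None or not hmac.compare_digest(candidate, record["hash"]):
        return None
    return {"userDN": record["userDN"], "attributes": dict(record["attributes"])}


def handle(body, ws_provides_auth):
    """Return (http_status, response_document) for one decoded request body."""
    if not request_key_ok(body):
        return 403, {"error": "bad request key"}
    result = authenticate_with_form(body) if ws_provides_auth else attributes_for_ldap_user(body)
    if result is None:
        return 401, {"error": "authentication failed"}
    result["key"] = RESPONSE_KEY  # lets the auth class verify the reply via WsResponseKey
    return 200, result


class Handler(BaseHTTPRequestHandler):
    ws_provides_auth = True  # set to False to serve the LDAP-enrichment mode instead

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        try:
            body = json.loads(self.rfile.read(length))
            status, doc = handle(body, self.ws_provides_auth)
        except ValueError:
            status, doc = 400, {"error": "malformed JSON"}
        data = json.dumps(doc).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, fmt, *args):
        # The request carries Ecom_Password and the user's NAM cookies: keep it out of logs.
        pass


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

    Run it and point WsURL at http://127.0.0.1:8080/ for a first test only; in front of a real IDP it must sit behind TLS with a certificate the IDP trusts, so that WsPromiscuousSSL can stay false. The two compare_digest calls are the reason the keys and password hashes are compared through this module rather than with "==": a timing-safe compare is the one property a shared-secret check like WsRequestKey needs to actually prove the request came from the auth class.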


    Labels: How To-Best Practice, Collateral