
Using X509 subject with identity injection


Dear,

We have an authentication module which performs X509 authentication.
The authentication method does not perform any LDAP lookup. Unregistered
users can access the application. Using the standard identity injection
methods it is possible to put the entire certificate subject in the
headers.

We now want to inject other headers with values that are parsed from
the subject. E.g. if the certificate subject is "o=company,u=steven", we
want a company-header with the company and a name-header with value
"steven".


To do this, we are implementing a Java identity injection module that
should parse the certificate subject and put some parts of it in some
headers.
Starting from the examples in the SDK, I see that identity injection
module can only access the username and password using the
ExternalDataFillerContext object. This object has two methods: getUserDn
and getUserPassword. However, in our setup, both return an empty
string.

Based on the documentation, I do not find where I can get the
certificate subject. Is there a way to make the certificate subject
available for identity injection modules?

kind regards,
Steven Gevers


--
stevengevers
------------------------------------------------------------------------
stevengevers's Profile: http://forums.novell.com/member.php?userid=30337
View this thread: http://forums.novell.com/showthread.php?t=376654
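As an added example (not code from the post or from the NAM SDK), here is the parsing and validation piece that such an identity injection module would need once it has the subject string in hand. It assumes the subject is available in the RFC 2253 string form shown in the post ("o=company,u=steven") and uses the JDK's own javax.naming.ldap.LdapName parser rather than splitting on commas, so escaped commas ("\,"), hex escapes and multi-valued RDNs ("cn=a+o=b") are handled. The header names X-Cert-Company and X-Cert-Name are hypothetical. Values are checked for printable ASCII before they are offered as header values: a CR or LF that a CA let through in a subject would otherwise let the certificate holder append or forge headers downstream.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Parses an X.509 subject DN string and derives header values from it. */
public final class SubjectHeaderMapper {

    // Header names and the subject attribute types that feed them. The names are
    // hypothetical; the post only asks for "a company-header" and "a name-header".
    private static final Map<String, List<String>> HEADER_SOURCES = new LinkedHashMap<>();
    static {
        HEADER_SOURCES.put("X-Cert-Company", Arrays.asList("o"));
        HEADER_SOURCES.put("X-Cert-Name", Arrays.asList("cn", "u"));
    }

    // Only printable ASCII of a bounded length may become a header value: CR, LF and
    // other control characters would let a subject string split or forge headers.
    private static final Pattern SAFE_HEADER_VALUE = Pattern.compile("[\\x20-\\x7E]{1,256}");

    /**
     * Splits an RFC 2253 / RFC 4514 DN into attribute type -> value, honouring
     * backslash escapes, hex escapes and multi-valued RDNs. Types are lower-cased.
     * If a type occurs more than once, the first one in LdapName order (the
     * right-most RDN in the string, i.e. the top of the hierarchy) wins.
     */
    static Map<String, String> parseSubject(String subjectDn) throws NamingException {
        Map<String, String> parts = new LinkedHashMap<>();
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            NamingEnumeration<? extends Attribute> attrs = rdn.toAttributes().getAll();
            while (attrs.hasMore()) {
                Attribute attr = attrs.next();
                Object value = attr.get();
                // Values written as "#<hex>" come back as byte[]; they are not header material.
                if (value instanceof String) {
                    parts.putIfAbsent(attr.getID().toLowerCase(Locale.ROOT), (String) value);
                }
            }
        }
        return parts;
    }

    /**
     * Builds the headers to inject. Throws if a selected value is not header-safe,
     * so a hostile subject is rejected instead of being passed on truncated or re-encoded.
     */
    static Map<String, String> headersFor(String subjectDn) throws NamingException {
        Map<String, String> parts = parseSubject(subjectDn);
        Map<String, String> headers = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : HEADER_SOURCES.entrySet()) {
            for (String type : e.getValue()) {
                String v = parts.get(type);
                if (v == null) {
                    continue;
                }
                if (!SAFE_HEADER_VALUE.matcher(v).matches()) {
                    throw new IllegalArgumentException(
                        "subject attribute '" + type + "' is not a safe header value");
                }
                headers.put(e.getKey(), v);
                break; // first matching source type wins
            }
        }
        return headers;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample subjects, not taken from any real certificate.
        String[] samples = {
            "o=company,u=steven",                        // the post's own example
            "CN=Gevers\\, Steven+OU=dev,O=Example Ltd",  // escaped comma and multi-valued RDN
            "cn=steven\\0D\\0AX-Admin: true,o=company"   // CR LF smuggled through hex escapes
        };
        for (String dn : samples) {
            try {
                System.out.println(dn + " -> " + headersFor(dn));
            } catch (IllegalArgumentException ex) {
                System.out.println(dn + " -> REJECTED: " + ex.getMessage());
            }
        }
    }
}
```

The first sample yields X-Cert-Company=company and X-Cert-Name=steven, the second X-Cert-Company=Example Ltd and X-Cert-Name=Gevers, Steven, and the third is rejected. Two caveats apply regardless of how the subject reaches the module: the values are only as trustworthy as the CA validation the X.509 class performed before the subject was accepted, and the application behind the gateway must accept these headers from the gateway alone, with any copies supplied by the client stripped.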

5 Replies

Re: Using X509 subject with identity injection


Hi. A customer asked me the same thing, but at the moment it does not
seem possible. In my case, the customer wants to extract the user email
from the certificate's subject.

If you do not identify users, the getUserDN and getUserPassword methods
cannot return a value.

Alessandro


stevengevers;1809893 Wrote:
> Dear,
>
> We have an authentication module which performs X509 authentication.
> The authentication method does not perform any LDAP lookup. Unregistered
> users can access the application. Using the standard identity injection
> methods it is possible to put the entire certificate subject in the
> headers.


--
afolli
------------------------------------------------------------------------
afolli's Profile: http://forums.novell.com/member.php?userid=6964

Re: Using X509 subject with identity injection


You can extend the x509 class to read the subject name and write out the
cn and o to the customisation profile. Then you need to use identity
injection to inject the various strings.

Here's some sample code that stores the x509 data read into a profile that
we can then reference in the attribute set used by SAML. The key routine is
doAuthenticate(), where we take a custid parameter passed in to us and
save it in the customizationstring1 attribute. In your case, you would
then map the attribute set so that customisation string1 is used.

package com.novell.nidp.authentication.local;

import java.util.*;

import com.novell.nidp.*;
import com.novell.nidp.authentication.*;
import com.novell.nidp.authentication.card.*;
import com.novell.nidp.liberty.wsc.*;
import com.novell.nidp.liberty.wsc.impl.*;
import com.novell.nidp.liberty.wsc.modify.*;
import com.novell.nidp.liberty.wsf.idsis.schema.base.*;
import com.novell.nidp.liberty.wsf.model.*;
import com.novell.nidp.servlets.*;

public class STClass extends LocalAuthenticationClass
{
    /**
     * Constructor for form based authentication
     *
     * @param props   Properties associated with the implementing class
     * @param uStores List of ordered user stores to authenticate against
     */
    public STClass(Properties props, ArrayList uStores)
    {
        super(props, uStores);
    }

    /**
     * Get the authentication type this class implements
     *
     * @return returns the authentication type represented by this class
     */
    public String getType()
    {
        return AuthnConstants.OTHER;
    }

    /**
     * Perform form based authentication. This method gets called on each
     * response during the authentication process.
     *
     * @return returns the status of the authentication process, which is
     *         one of AUTHENTICATED, NOT_AUTHENTICATED, CANCELLED,
     *         HANDLED_REQUEST, PWD_EXPIRING, PWD_EXPIRED
     */
    protected int doAuthenticate()
    {
        // The value to store in the profile. Any request parameter (or data
        // read from the certificate subject) can be used here instead of "custid".
        String customerID = m_Request.getParameter("custid");

        if (!m_Session.isAuthenticated() || customerID == null)
            return NOT_AUTHENTICATED;

        try
        {
            // Customizable attribute 1 is the one we use to contain the
            // customer data to send, but this can change to another if necessary.
            WSCMOPToken token = (WSCMOPToken) WSCToken.getToken(
                WSCMOPToken.OP_CS_CustomizableString1.getTokenUniqueId());

            // Build object for new data
            WSFModelEntry modelEntry = token.getModelEntry();
            IDSISCommonAttributeElement data = modelEntry.getSchemaClassInstance();
            if (data instanceof IDSISLeafAttributeElement)
                ((IDSISLeafAttributeElement) data).setText(customerID);

            // Write the value into the user's profile, overriding any existing
            // value. The response status is not checked here.
            WSCMDataToken dataToken = new WSCMDataToken(token, data);
            dataToken.setAllowOverride(true);
            // WSCResponse response =
            WSC.modifyData(m_Session, new WSCMDataToken[] { dataToken }, m_Request.getLocale());
            // if (WSCResponse.STATUS_ALL_SUCCESS == response.getStatus())
            // {
            //     return true;
            // }
        }
        catch (Exception ex)
        {
            // A failure to write the profile is ignored; the redirect below
            // still takes place.
        }

        // Get the URL of the intersite transfer service for the desired
        // protocol and identifier
        String url = m_SessionData.appendIDToUrl(NIDPContext.getNIDPContext().getBaseUrl()
            + getProperty("Protocol") + "/idpsend?id=" + getProperty("ContractID"));

        m_Request.setAttribute("url", url);

        // Going to top ensures we are not displaying in any frames
        ((NIDPServletContext) NIDPContext.getNIDPContext()).goJSP(m_Request, m_Response, "top");
        return HANDLED_REQUEST;
    }
}


--
ncashell
------------------------------------------------------------------------
ncashell's Profile: http://forums.novell.com/member.php?userid=7281

Re: Using X509 subject with identity injection


Hi ncashell,

Are you sure the code works? It seems that m_Session.isAuthenticated()
is always false, because the IDP calls the LocalAuthenticationClass first and
only if it returns AUTHENTICATED will it then authenticate the
session... please correct me if I'm wrong, thanks.


ncashell;1826642 Wrote:
> you can extend the x509 class to read the subject name and write out the
> cn and o to the customisation profile. Then you need to use identity
> injection to inject the various strings.
>



--
Roger_Sz
------------------------------------------------------------------------
Roger_Sz's Profile: http://forums.novell.com/member.php?userid=61695

Re: Using X509 subject with identity injection


Hi,
this is exactly the same problem for me. Even if I set the principal in
my code I understand that the session is not authenticated until I
return AUTHENTICATED to the IDS. So I can't set any profile because the
Identity is still known to the IDS. I don't think this is the way it
should work...

Bye,
Giovanni


Roger_Sz;1863732 Wrote:
> Hi ncashell,
>
> Are you sure the code works? It seems the m_Session.isAuthenticated()
> is always false because IDP calls the LocalAuthenticationClass first and
> only if it returns AUTHENTICATED it will then authentocate the
> session...please correct me when I'm wrong, thanks.



--
cannata_g
------------------------------------------------------------------------
cannata_g's Profile: http://forums.novell.com/member.php?userid=17484

Re: Using X509 subject with identity injection


Was anyone able to make this work?


--
ncalligaro
------------------------------------------------------------------------
ncalligaro's Profile: http://forums.novell.com/member.php?userid=692