WSAuthClass for NetIQ Access Manager v1.0

WSAuthClass for NetIQ Access Manager v1.0

Overview



This authentication class for NetIQ Access Manager (NAM) allows for using a remote web-service for authentication, and/or to use a remote web-service to return attribute data to NAM for use in identity injection, form fill or SAML federation.

The purpose of this authentication class is that by writing a simple web service, an administrator can easily add any source for NAM authentication/attribute retrieval, such as a database or a proprietary homegrown system. The administrator does not need to understand or write to NAM's Java SDK.

Authentication via LDAP + Read attributes via WebService (WsProvidesAuth=false)




  1. Authentication via LDAP. In this mode, this class will perform standard LDAP authentication process. LDAP query and JSP customization parameters will work as normal.

  2. Before authentication completes, this class will make an HTTP POST call to customer defined web-service url.

    • The request will include a JSON document containing the LDAP userDN and all user input parameters and http headers, as well as any configured user attributes from LDAP so the web service can identify and authenticate the user (example below).

  3. The customer defined web-service must return a JSON formatted document that includes attribute:value pairs, and these values will be available to NAM policies as if they were read as LDAP attributes for use with form fill, identity injection and SAML federation, etc.



Authentication via WebService (no LDAP) (WsProvidesAuth=true)




  1. Authentication via web-service. At user authentication time, this class will make an HTTP POST call to customer defined web-service.

    • The request will include a JSON document containing all user input parameters and http headers so the web service can identify and authenticate the user (example below).

  2. The web service must return a JSON document that includes:

    • A userDN value. This value can be any value the web service can guarantee to be unique for a specific user, it does not need to be a valid DN in any configured LDAP repository.

    • attribute:value pairs, and these values will be available to NAM policies as if they were read as LDAP attributes for use with form fill, identity injection and SAML federation, etc.

  3. No LDAP calls are made, in fact the an LDAP directory is not required. The NAM administration GUI requires that a LDAP directory be set, so any "dummy" directory can be defined (such as the admin console's own built-in directory, but it will not be contacted when this authentication class is configured with WsProvidesAuth=true.



Installations




  1. Copy the WSAuthClass.jar file to all IDP server's in the nidp/WEB-INF/lib directory. The actual location will vary depending on OS and NAM version. Searching for "nidp.jar" should reveal the correct location.

  2. Copy the additional *.jar files in the lib directory to the same place you copied WSAuthClass.jar

  3. Create a new class in the NAM admin console. IDP Cluster -> Edit -> Local -> Classes -> New.

    1. set the DisplayName to "WSAuthCookieClass"

    2. set the Java class to "Other"

    3. set the Java class path to "com.novell.jrivard.nam.wsAuth.WSAuthClass"


  4. Create a method and contract utilizing the new class as appropriate.



Class Properties




WsProvidesAuth | Indicates if the remote service provides authentication. Default is false. (see above).
|
WsURL | This required property must contain the URL of the remote service.
|
WsTimeoutMs | Timeout (in milliseconds) of the HTTP request. Default is 30000 (30 seconds).
|
WsPromiscuousSSL | If true, do not validate the remote HTTPS web-service's certificate. Useful during setup/testing, but
| should never be set to true on a production system.
|
WsFailAuthOnError | If true, consider an authentication when the web-service is unreachable or returns an error. Default
| is true. Only applies when WsProvidesAuth=false.
|
WsSendAttributes | A comma separated list of attributes to send to the remote service. Only applies when
| WsProvidesAuth=false.
|
WsRequestKey | An optional string that will be sent as part of the request, to be used as verification by the web-
| service that the request is coming from this auth class.
|
WsResponseKey | An optional string that the auth class will verify is present in a response from the web-service.


Request Example




POST /example/serviceUrl HTTP/1.1
Content-Type: application/json; charset=utf-8
Content-Length: <length>
Accepts: application/json;

{
"userDN":"cn=example,o=org", /* sent only when WsProvidesAuth=false */
"key":"magicKey123", /* sent only when WsRequestKey has a value */
"attributes":{ /* sent only when WsProvidesAuth=false */
"givenName":"Jason",
"sn":"Rivard"
},
"parameters":{
"sid":"1",
"Ecom_User_ID":"jason",
"target":"https://application.example.org/",
"option":"credential",
"Ecom_Password":"password"
},
"headers":{
"content-type":"application/x-www-form-urlencoded",
"cookie":"JSESSIONID\u003d0EFB077955837D4D4D0B07C59E8C10F3; ZNPCQ003-33333300\u003d3b128ab9",
"connection":"keep-alive",
"accept-language":"en-US,en;q\u003d0.5",
"host":"login.mynam.org",
"content-length":"99",
"accept":"text/html,application/xhtml+xml,application/xml;q\u003d0.9,*/*;q\u003d0.8",
"Via":"1.1 login.mynam.org (Access Gateway-ag-C1CB3958E1140CA3-1184)",
"user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
"referer":"https://login.mynam.org/nidp/idff/sso?sid\u003d1",
"accept-encoding":"gzip"
}
}



Response Example




HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: <length>

{
"userDN":"cn=example,o=org", /* required when WsProvidesAuth=true */
"key":"magicKey456", /* sent and verified only when WsResponseKey has a value */
"attributes":{
"givenName":"George",
"sn":"Washington",
"workforceID":"000000001"
},
}


Labels (2)
Tags (1)
Attachments

DISCLAIMER:

Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.
Comments
I wonder if you can share the jar file.
The download link is fixed now.

Thanks!
Top Contributors
Version history
Revision #:
5 of 5
Last update:
‎2020-01-31 22:11
Updated by:
 
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.