Commodore

Auth contract that points to webpage with multiple login options


Hi,

Customer has multiple external (SAML2) IDP providers that they want to add to a single web page, so that if a user goes to a protected resource that uses that contract, they get redirected to a web page that has different options for authentication:

link1 --> External saml idp1

link2 --> External saml idp2

link3 --> local idp password and step up

And after authentication users should get redirected back to the page they wanted to go to.

So something like the burger menu in NAM, but with links to contracts on the same page.

Is anybody doing something similar, and how do you do that? Are you hosting the page in NAM or on an external website?


TIA

Lelle

Accepted Solutions
Vice Admiral

Hi!


I've played a little and came up with the following JSP, which works in my lab:

<%
    // Handler used to resolve the page language and localized resources
    ContentHandler handler = new ContentHandler(request, response);
    // URL the user originally requested; NAM passes it as a request attribute
    String target = (String) request.getAttribute("target");
    // Session id: prefer the query parameter, fall back to the request attribute
    String sid = request.getParameter("sid") != null
        ? request.getParameter(NIDPConstants.SID)
        : (String) request.getAttribute(NIDPConstants.SID);

    // Query fragment appended to every authentication link so that NAM can
    // resume the original request once the chosen method has succeeded
    String params = "sid=" + sid;
    if (target != null)
        params = params + "&target=" + StringEscapeUtils.escapeHtml(target);
%>
<!DOCTYPE html>
<html lang="<%=handler.getLanguageCode()%>">
<head>
    <title><%=handler.getResource(JSPResDesc.TITLE)%></title>
    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>

<a href="https://idp.something.com/nidp/jsp/main.jsp?id=local-auth1-card-id&<%=params%>">Local authentication 1</a>
<br>
<a href="https://idp.something.com/nidp/jsp/main.jsp?id=local-auth2-card-id&<%=params%>">Local authentication 2</a>
<br>
<a href="https://idp.something.com/nidp/saml2/spsend?id=saml-externalidp-auth1-card-id&<%=params%>">SAML authentication 1</a>
<br>
<a href="https://idp.something.com/nidp/saml2/spsend?id=saml-externalidp-auth2-card-id&<%=params%>">SAML authentication 2</a>
</body>
</html>


Then you create a "fake" method (e.g. name/password form) and set its JSP to this JSP (this one also requires MainJSP), create a "fake" contract and set it as the authentication contract for your protected resource.

Please note:

  • your "fake" contract needs to have "Satisfiable by a contract of equal or higher level" enabled
  • local authentication contracts (to which you redirect) must have "show card" enabled
  • local authentication contracts (to which you redirect) must have same or higher authentication level as your "fake" contract
  • even though you are calling external IDPs with your fake contract (not SPs), use spsend when constructing URLs

How did I come to those URLs and parameters? By observing which URLs NAM calls when the different authentications are invoked. So nothing from documentation, which also means I cannot tell you why spsend works.

Hope it will help.


Kind regards,

Sebastijan

PS: When observing what NAM does, it helps a lot if you put the whole NAM in legacy mode 😊


9 Replies
Micro Focus Frequent Contributor

NAM has an IDP discovery method where one can select the desired IDP and remember the choice. Will that help here? Not sure if that will solve all the cases mentioned (not local IDP authentication, only federated).

Class Name - IDP Select class

Commodore

Hi,


Yeah, I'm aware of that, but that's not what they want. They want a clean page with a number of links to different contracts. I figure that mainJSP="some file" should be able to help; then I have to figure out what the links should look like.

So you go to a protected resource or SAML SP, get redirected to the IDP, and the IDP opens a web page (much like the hamburger menu) with links to different auth contracts, internal and external, so you can choose to use certificate, external IDP or username/password etc.

/Lelle

Commodore

You can create a JSP with any content you like. Place the intersite transfer URLs for IDP-initiated login on the page and the user can click the one they like. If you want the final target URL of the protected resource to be dynamic, then you need to capture the target URL in the JSP and build the proper intersite link to send them there. If you want a single static target, then just set that on the IDP config.

Commodore

Hi,

Thanks for your reply. I think I understand how to use the JSP file, even if I'm not super skilled when it comes to web dev stuff.

I'm trying to get my head around the intersite transfer links, but I'm not sure that I can figure out how to use them.

I have tried to use spsend with target & TARGET, but as I understand it, that sends me to a specific SP, not another IDP (where NAM is the SP).

Commodore

There is also an idpsend which sends you to another IDP. See the attached PDF.

Commodore

Hi,

I have tried idpsend with limited success. I have created a link that looks like this:

https://idp.mysite.com/nidp/saml2/idpsend?PID=https://local.idp.idpservice.se/samlv2/idp/metadata/0/20&TARGET=https://intranet.mysite.se

That only results in an error.

In browser

"The request to provide authentication to a service provider has failed. (300101050-34BB9586299D2E08)"

In catalina.out

Method: SAML2Handler.getCard
Thread: ajp-nio-127.0.0.1-9019-exec-23
The request's authentication card was not found. Either id[null] or PID [https://local.idp.idpservice.se/samlv2/idp/metadata/0/20] of the card is missing or is invalid. </amLogEntry>

Error on session id f2425e38439c800fa7130bb3f6188f9acecab0778a339e1937f38b45ac64b63e, error 300101050-34BB9586299D2E08, The request to provide authentication to a service provider has failed.:The Authentication Card specified is not valid.: </amLogEntry>

I understand that it's not super simple to help with this, but I appreciate all the help I can get.

/Lelle

Commodore

That error means the PID supplied is wrong. Set an intersite transfer ID on your IDP configuration and use "id" instead.

Commodore

Hi Sebastijan,

Thanks for your input, that solved it for me.

I had the fake method and contract already, but was missing the part that actually made the redirection back to the originating web page:


<%
    ContentHandler handler = new ContentHandler(request,response);
    String target = (String) request.getAttribute("target");
    String sid = request.getParameter("sid")!=null ? request.getParameter(NIDPConstants.SID) : (String)request.getAttribute(NIDPConstants.SID);

    String params = "sid=" + sid;
    if ( target != null ) 
        params = params + "&target=" + StringEscapeUtils.escapeHtml(target);

%>

and

&<%=params%>

in the link, for adding the right parameters.

The only thing I had to add was

<%@ page language="java" %>
<%@ page pageEncoding="UTF-8" contentType="text/html; charset=UTF-8"%>
<%@ page import="com.novell.nidp.wsfed.protocol.WSFedAuthnRequest"%>
<%@ page import="com.novell.nidp.common.protocol.AuthnRequest"%>
<%@ page import="java.util.*" %>
<%@ page import="com.novell.nidp.*" %>
<%@ page import="com.novell.nidp.common.util.*" %>
<%@ page import="com.novell.nidp.servlets.*" %>
<%@ page import="com.novell.nidp.resource.*" %>
<%@ page import="com.novell.nidp.resource.jsp.*" %>
<%@ page import="com.novell.nidp.ui.*" %>
<%@ page import="org.apache.commons.lang.StringEscapeUtils" %>
<%@ page import="internal.atlaslite.jcce.util.StringUtil" %>
<%@ page import="com.novell.nidp.edirConfig.NIDPEdirConfigUtil"%>
<%@ page import="com.novell.nidp.localconfig.NIDPConfigKeys" %>

to the JSP page, otherwise it wouldn't compile.

But anyway, I owe you one, that's for sure.

Thanks again

/Lelle
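As an added example (not Sebastijan's or Lelle's code, and not part of NAM), the `params` construction from the JSP snippets above, rewritten in plain Java so that `sid` and `target` are percent-encoded for the query string rather than HTML-escaped, and so that `target` is checked against an allow-list of hosts before it is placed in the link; without that check the chooser page would forward users to whatever URL arrives in `target`. The host names are constructed placeholders, and Java 11+ is assumed for `Set.of`, `String.isBlank` and `URLEncoder.encode(String, Charset)`.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Set;

/** Builds the "sid=...&target=..." query fragment appended to each authentication link. */
public final class ChooserLinkBuilder {
    // Constructed placeholder allow-list: hosts the post-login redirect may point to.
    private static final Set<String> ALLOWED_TARGET_HOSTS =
        Set.of("intranet.mysite.se", "portal.mysite.se");

    private ChooserLinkBuilder() {}

    /** True only for absolute https URLs, without user-info, whose host is on the allow-list. */
    public static boolean isAllowedTarget(String target) {
        if (target == null || target.isBlank()) return false;
        try {
            URI uri = new URI(target);
            return "https".equalsIgnoreCase(uri.getScheme())
                && uri.getHost() != null
                && uri.getUserInfo() == null
                && ALLOWED_TARGET_HOSTS.contains(uri.getHost().toLowerCase());
        } catch (URISyntaxException e) {
            return false; // unparsable input is never forwarded
        }
    }

    /** Percent-encodes both values so neither can add or truncate query parameters. */
    public static String buildParams(String sid, String target) {
        if (sid == null || sid.isBlank()) {
            throw new IllegalArgumentException("sid is required");
        }
        StringBuilder sb = new StringBuilder("sid=")
            .append(URLEncoder.encode(sid, StandardCharsets.UTF_8));
        if (isAllowedTarget(target)) {
            sb.append("&target=").append(URLEncoder.encode(target, StandardCharsets.UTF_8));
        }
        // A disallowed target is simply dropped; NAM then falls back to its default landing page.
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real NAM session.
        System.out.println(buildParams("abc123", "https://intranet.mysite.se/start?x=1&y=2"));
        System.out.println(buildParams("abc123", "https://attacker.example/landing"));
    }
}
```

In the JSP the returned string is still written into an href attribute, so it should additionally be HTML-escaped for that context (for example with the `StringEscapeUtils.escapeHtml` the page already imports) at the point of output.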
