How to integrate 3rd party authentication provider into A12 user management for Single Sign-on

Hi,

we are currently discussing with our customer the topic of Single Sign-on for one of our instances of form application. In this concrete case we would need to integrate with a SAML based authentication/identity provider on the customer site which would provide the authentication data for its users.

How can we hook into A12 user management to support this usecase?

Cheers,

David

@dmueller_inactive: The A12 team is working with a broader scope on the authentication and authorization architecture.
Please see <INTERNAL_LINK>

Goals of this initiative are:

  • Provide a solution that integrates into given 3rd party identity and permission management infrastructure
  • Based on this provide a simple out of the box solution that is good enough for demo installations as well as for customer projects that do not have such services already
  • Improve the integration of authentication and authorization into functional APIs, e.g. for model and document access
  • Ensure long term security of the A12 platform

This includes explicitly SAML, OAuth2 and LDAP for authentication (and other use cases).
But the current planning is:

  • Initial concept and specifications until February
  • First package implemented earliest with 2019.06

If these rough milestones make sense for your project, then we can consider aligning the plans.

Beyond this:

  • CatchMe3 (using Client Frame, team in Da Nang) has hooked the application via LDAP to mgm AD already
  • Timension (using BAP Client and 2018.10, team in Da Nang) plans to do the same
  • To my humble understanding LDAP is a lot simpler than SAML, so I am actually not sure if the LDAP experience helps
  • There are currently discussions, whether mgm SP colleagues in Da Nang could support the A12 auth/auth activities… maybe this could be an option for your project as well - please get in touch with @hamarz-sleek-tor, if this sounds interesting.

Thanks for your detailed answer. Looking at your estimation of the availability of an A12 solution and the expected effort for upgrading to the latest A12 version/BAP, I suspect we will need to find a project solution.

So I will probably have a look at the catchme implementation, maybe we can take some ideas from there.

Hi @dmueller_inactive. CatchMe3 LDAP integration:

import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.mgt.WebSecurityManager;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.CacheControl;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.config.annotation.DefaultServletHandlerConfigurer;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Component
public class WebMvcConfig extends WebMvcConfigurerAdapter {
	// Swaps the realm of Shiro's DefaultWebSecurityManager for the LDAP realm, so every
	// login is verified against Active Directory instead of the A12 password store.
	@Autowired
	public WebMvcConfig(WebSecurityManager securityManager) {

		if (securityManager instanceof DefaultWebSecurityManager) {
			CustomActiveDirectoryRealm realm = new CustomActiveDirectoryRealm();
			// Use an ldaps:// URL in production: a plain ldap:// bind sends passwords in clear text.
			realm.setUrl("YOUR_LDAP_URL");
			// {0} is filled in by JNDI as an escaped filter argument (see the realm below).
			realm.setSearchFilter("(sAMAccountName={0})");
			realm.setSearchBase("DC=mgm-edv,DC=de");
			// Service account used for the user lookup; keep these values in external configuration, not in source.
			realm.setSystemUsername("CN=catchmebind,OU=catchme,OU=projects,DC=mgm-edv,DC=de");
			realm.setSystemPassword("YOUR_LDAP_PASSWORD");
			((DefaultWebSecurityManager) securityManager).setRealm(realm);
		}
	}

	@Override
	public void addResourceHandlers(ResourceHandlerRegistry registry) {
		final CacheControl cc = CacheControl.noStore().mustRevalidate();
		registry.addResourceHandler("/**").setCacheControl(cc).addResourceLocations("classpath:/static/");
		super.addResourceHandlers(registry);
	}

	@Override
	public void configureDefaultServletHandling(DefaultServletHandlerConfigurer configurer) {
		configurer.enable();
	}
}

Code of CustomActiveDirectoryRealm:

import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm;
import org.apache.shiro.realm.ldap.LdapContextFactory;
import org.apache.shiro.realm.ldap.LdapUtils;
import org.springframework.stereotype.Service;

import lombok.extern.log4j.Log4j;

@Service
@Log4j
public class CustomActiveDirectoryRealm extends ActiveDirectoryRealm {

	// Authenticates in two steps: (1) look up the user's DN with the system account,
	// (2) bind to the directory as that DN with the password the user submitted.
	@Override
	protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken token, LdapContextFactory ldapContextFactory) throws NamingException {

		UsernamePasswordToken upToken = (UsernamePasswordToken) token;
		char[] password = upToken.getPassword();

		// An empty password must never reach the bind: many directories treat a bind with an
		// empty credential as an unauthenticated (anonymous) bind and report success.
		if (password == null || password.length == 0) {
			throw new AuthenticationException("Empty password rejected for user [" + upToken.getUsername() + "]");
		}

		LdapContext systemLdapContext = ldapContextFactory.getSystemLdapContext();
		NamingEnumeration<SearchResult> answer = null;
		try {
			SearchControls searchControls = new SearchControls();
			searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
			// The username is passed as a filter argument so JNDI escapes it; never concatenate it into the filter string.
			Object[] searchArguments = new Object[]{upToken.getUsername()};

			answer = systemLdapContext.search(searchBase, searchFilter, searchArguments, searchControls);

			if (!answer.hasMore()) {
				throw new NamingException("User not found in LDAP server");
			}
			SearchResult searchResult = answer.next();

			if (log.isDebugEnabled()) {
				log.debug("Retrieving user [" + searchResult.getName() + "]");
			}

			Attributes attributes = searchResult.getAttributes();
			Attribute distinguishedNameAttribute = attributes == null ? null : attributes.get("distinguishedName");
			if (distinguishedNameAttribute == null) {
				throw new NamingException("User not found in LDAP server");
			}
			String distinguishedName = distinguishedNameAttribute.get(0).toString();

			// Bind as the user: a wrong password makes getLdapContext throw, which fails the login.
			LdapContext ldapContext = null;
			try {
				ldapContext = ldapContextFactory.getLdapContext((Object) distinguishedName, String.valueOf(password));
			} finally {
				LdapUtils.closeContext(ldapContext);
			}
		} finally {
			// Always release the search result and the system connection.
			LdapUtils.closeEnumeration(answer);
			LdapUtils.closeContext(systemLdapContext);
		}

		return buildAuthenticationInfo(upToken.getUsername(), password);
	}
}

Thanks for the code. I’m not sure if I understand it correctly without digging too much into the subject but I have some questions:

  • The WebMvc config looks like you’re completely replacing the security manager, do you still use a12 user management?
  • I see you’re still using username password authentication, in SAML context there is no password anymore but only authentication by 3rd party provider. Would this work too?

Hi @dmueller_inactive, the authentication workflow within CatchMe3:

  • A technical user will be created separately by another script (directly inserted into the DB as a document)
  • Authentication completely ignores the A12 password and uses LDAP to verify the password.
  • User management is still available: new users are created by using A12 user management.

Regarding question from you:

  • We completely use LDAP for authentication.
  • I would expect something similar for LDAP to use your 3rd party provider to do authentication.
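The open question in this thread is whether the LDAP pattern carries over to SAML, where the user never submits a password. With Shiro the realm decides what counts as a credential, so a SAML login can be modelled as a custom AuthenticationToken that carries an already verified assertion, and a realm that accepts only that token type. The following is an added example, not code from CatchMe3, A12 or Shiro: the names SamlAssertionToken, SamlRealm and VerifiedAssertion are assumptions, and it assumes that a SAML library (OpenSAML or similar) has already validated the response signature, audience and conditions and extracted the subject, issuer and expiry before the token is built. The realm then re-checks the two things it can still check itself (trusted issuer, expiry) and would be wired in exactly like the LDAP realm above, via DefaultWebSecurityManager.setRealm.

```java
import java.time.Clock;
import java.time.Instant;
import java.time.ZoneOffset;
import java.util.Objects;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.realm.AuthenticatingRealm;

/** Hypothetical result type: what a SAML library hands over after validating signature, audience and conditions. */
final class VerifiedAssertion {
	final String subjectNameId;  // NameID of the authenticated user
	final String issuer;         // entityID of the identity provider that signed the assertion
	final Instant notOnOrAfter;  // expiry taken from the assertion's Conditions

	VerifiedAssertion(String subjectNameId, String issuer, Instant notOnOrAfter) {
		this.subjectNameId = subjectNameId;
		this.issuer = issuer;
		this.notOnOrAfter = notOnOrAfter;
	}
}

/** Shiro token for a SAML login: the "credential" is the verified assertion, there is no password. */
final class SamlAssertionToken implements AuthenticationToken {
	private final VerifiedAssertion assertion;

	SamlAssertionToken(VerifiedAssertion assertion) {
		this.assertion = Objects.requireNonNull(assertion);
	}

	@Override public Object getPrincipal() { return assertion.subjectNameId; }
	@Override public Object getCredentials() { return assertion; }
}

/** Realm that accepts SamlAssertionToken only, from one trusted IdP, and re-checks expiry (assumed design). */
public class SamlRealm extends AuthenticatingRealm {
	private final String trustedIssuer;
	private final Clock clock;

	public SamlRealm(String trustedIssuer, Clock clock) {
		this.trustedIssuer = Objects.requireNonNull(trustedIssuer);
		this.clock = clock;
		// The SAML library already verified the assertion, so there is no secret to compare.
		setCredentialsMatcher(new AllowAllCredentialsMatcher());
		// Restrict supports() to the SAML token: a UsernamePasswordToken must never match this realm.
		setAuthenticationTokenClass(SamlAssertionToken.class);
	}

	@Override
	protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
		VerifiedAssertion a = (VerifiedAssertion) token.getCredentials();
		if (!trustedIssuer.equals(a.issuer)) {
			throw new AuthenticationException("Assertion from untrusted issuer [" + a.issuer + "]");
		}
		if (a.notOnOrAfter == null || !clock.instant().isBefore(a.notOnOrAfter)) {
			throw new AuthenticationException("Assertion for [" + a.subjectNameId + "] has expired");
		}
		if (a.subjectNameId == null || a.subjectNameId.isEmpty()) {
			throw new AuthenticationException("Assertion without subject");
		}
		// The NameID becomes the Shiro principal; mapping it to an A12 user document would happen here.
		return new SimpleAuthenticationInfo(a.subjectNameId, a, getName());
	}

	/** Stand-alone demonstration with constructed assertions (no real IdP involved). */
	public static void main(String[] args) {
		Clock fixed = Clock.fixed(Instant.parse("2019-01-15T10:00:00Z"), ZoneOffset.UTC);
		String idp = "https://idp.example.org/saml"; // constructed issuer entityID
		SamlRealm realm = new SamlRealm(idp, fixed);
		realm.setName("saml");

		VerifiedAssertion fresh = new VerifiedAssertion("david@example.org", idp, Instant.parse("2019-01-15T10:05:00Z"));
		System.out.println("accepted: " + realm.getAuthenticationInfo(new SamlAssertionToken(fresh)).getPrincipals());

		VerifiedAssertion stale = new VerifiedAssertion("david@example.org", idp, Instant.parse("2019-01-15T09:00:00Z"));
		try {
			realm.getAuthenticationInfo(new SamlAssertionToken(stale));
		} catch (AuthenticationException e) {
			System.out.println("rejected: " + e.getMessage());
		}

		VerifiedAssertion foreign = new VerifiedAssertion("david@example.org", "https://other-idp.example.net", Instant.parse("2019-01-15T10:05:00Z"));
		try {
			realm.getAuthenticationInfo(new SamlAssertionToken(foreign));
		} catch (AuthenticationException e) {
			System.out.println("rejected: " + e.getMessage());
		}
	}
}
```

The design point is that nothing in the realm parses or verifies XML: signature, audience and replay checks belong to the SAML library and the assertion consumer endpoint, and the realm only decides which verified identities it will turn into a Shiro principal. Setting the token class is what keeps the password realm and the SAML realm from ever answering each other's tokens if both are registered at once.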