Add Users and Service Providers


Create User Attributes

Open the IDHub Administration Portal:

https://your-tb-ip-address/idhub/admin

Login with Administrator and the password you chose earlier.

In the Menu under Configuration click on User Attributes.

Click the Add New User Attribute button.

  • Select common in the 'Category' field.
  • Enter firstname in the Name field. (This field is only used internally and cannot contain spaces.)
  • Enter First Name in the Display Name field.
  • Enter The user's first name in the Description field.
  • Select TEXT in the Data Format field.
  • Select the Single Value selection box.
  • Then click Save & Close.

Click the Add New User Attribute button again.

  • Select common in the 'Category' field.
  • Enter middlenames in the Name field. (This field is only used internally and cannot contain spaces.)
  • Enter Middle Names in the Display Name field.
  • Enter The user's middle name(s) in the Description field.
  • Select TEXT in the Data Format field.
  • Make sure that the Single Value selection box is not selected.
  • Then click Save & Close.

Click the Add New User Attribute button again.

  • Select common in the 'Category' field.
  • Enter lastname in the Name field. (This field is only used internally and cannot contain spaces.)
  • Enter Last Name in the Display Name field.
  • Enter The user's last name in the Description field.
  • Select TEXT in the Data Format field.
  • Select the Single Value selection box.
  • Then click Save & Close.

Click the Add New User Attribute button again.

  • Select common in the 'Category' field.
  • Enter facebook in the Name field. (This field is only used internally and cannot contain spaces.)
  • Enter Facebook ID in the Display Name field.
  • Enter Link ID for Facebook in the Description field.
  • Select TEXT in the Data Format field.
  • Select the Single Value selection box.
  • Then click Save & Close.

Click the Add New User Attribute button again.

  • Select common in the 'Category' field.
  • Enter department in the Name field. (This field is only used internally and cannot contain spaces.)
  • Enter Department in the Display Name field.
  • Enter The user's departments in the Description field.
  • Select ENUMERATION in the Data Format field.
  • Select the Read Only selection box.
  • Under Enumeration values:
    • Enter development and click the Add Value button (+ sign).
    • Enter sales and click the Add Value button again.
    • Enter support and click the Add Value button again.
  • Then click Save & Close.

Create User

In the Menu under Administration click on Users.

  • Click on Edit column headers (button on the right of the column headers).
  • Check the User password loginid, Email, First Name, Last Name and Middle Name(s) boxes.

Click on the Add New User button.

  • Under idp fill in coopers in the User password loginid field.
  • Under common > Department select development and sales, then click Save and Close.
  • Click on the Provision Identity Provider(s) to user button (lock icon).
    • Click on the Link the IDP to the user button (chain icon).
    • Now we can actually set the password; click on the Set the password for the IDP button (key icon).
      • Fill in the password and click OK.
    • Then click on Close.

Use The Self Service

Logout of IDHub Portal and go to:

https://your-tb-ip-address/idhub/selfservice

Login with uid coopers and your chosen password.

  • Click on the Sign In button.
  • Fill in Sheldon as First Name.
  • Fill in Cooper as Last Name.
  • Fill in Lee and Robert as Middle Names and click Save.

Then logout of the Self Service application and go to: 

https://your-tb-ip-address/idhub/admin

Login as Administrator.

In the Menu under Administration click on Users. Now you will see the updated user info.

Add Extra Users

Click on the Add New User button.

  • Under idp fill in hofstadterl in the User password loginid field, then click Save and Close.
  • Under common fill in:

      Parameter       Value
      First Name      Leonard
      Middle Names    Leakey
      Last Name       Hofstadter


  • Under Department select development.
  • Click on the Provision Identity Provider(s) to user button.
    • Click on the Link the IDP to the user button.
    • Now we can actually set the password; click on the Set the password for the IDP button.
      • Fill in the password and click OK.
    • Then click on Close.

Click on the Add New User button.

  • Under idp fill in wolowitzh in the User password loginid field, then click Save and Close.
  • Under common fill in:

      Parameter       Value
      First Name      Howard
      Middle Names    (leave empty)
      Last Name       Wolowitz


  • Under Department select support.
  • Click on the Provision Identity Provider(s) to user button.
    • Click on the Link the IDP to the user button.
    • Now we can actually set the password; click on the Set the password for the IDP button.
      • Fill in the password and click OK.
    • Then click on Close.

Click on the Add New User button.

  • Under idp fill in penny in the User password loginid field, then click Save and Close.
  • Under common fill in:

      Parameter       Value
      First Name      Penny
      Middle Names    (leave empty)
      Last Name       (leave empty)


  • Under Department do not select anything.
  • Click on the Provision Identity Provider(s) to user button.
    • Click on the Link the IDP to the user button.
    • Now we can actually set the password; click on the Set the password for the IDP button.
      • Fill in the password and click OK.
    • Then click on Close.

Create a Custom Authentication Scheme

In the Menu under Configuration click on Authentication.

  • Click the Add New Scheme button.
  • Enter Custom Authentication Scheme in the Display Name field.
  • Select Authentication Level in the Type field.
  • In the Authentication Methods list click the Add To Scheme button (right arrow icon) under the IDHub Default Method.
  • Then click Save & Close.

We have now created a custom authentication scheme containing only the IDHub default method (uid/pwd). Later we will add some other methods.

Configure a Service Provider (SP)

Here we will create an SP. If you have a real one you can use that, but for the purpose of this Quick Start guide we will create a dummy SP on IDHub itself. We will install a JSP page which shows the HTTP headers and use it as an HTTP header-based SP (which typically uses information in the HTTP header for authentication, authorization and session management).

Configure the HTTP-Based SP in the Gateway

This will make sure the Gateway forwards the requests to a certain backend (dummy in our case).

Connect via ssh to the TrustBuilder host as user trustbuilder and edit the file

/opt/trustbuilder/gateway/instances/default/locations/root/00_idhub.conf

Add the following to the end of the file.

location /backend {
    access_by_lua_block {
        local header_map = {
            x_hdr_subject = "credential.attributes['idp|up_subject']",
            x_hdr_firstname = "credential.attributes['common|firstname']",
            x_hdr_middlenames = "credential.attributes['common|middlenames']",
            x_hdr_lastname = "credential.attributes['common|lastname']",
            x_hdr_department = "credential.attributes['common|department']",
        }
        require("trustbuilder-gateway.protect").web_app(header_map)
    }
    proxy_pass http://orchestrator_backend/backend;
}

This will make sure that the /backend URL on the Gateway is forwarded to the IDHub Tomcat instance which can handle JSP pages. The access_by_lua_block part makes sure that authorization is required (hence triggering authentication) and that the listed user attributes will be transmitted as HTTP headers.

Create the JSP in the IDHub Tomcat Instance

Note this part is for educational purposes and should never be done in a production environment.

As the user tomcat-core create a new directory /backend under /opt/trustbuilder/tomcat-core/webapps:

sudo -u tomcat-core mkdir /opt/trustbuilder/tomcat-core/webapps/backend

Then create a file index.jsp in that directory with the following content.

<%@ page import="java.util.*" %>
<html>
<head>
<title><%= application.getServerInfo() %></title>
</head>
<body>
<h1>HTTP Request Headers Received</h1>
<table border="1" cellpadding="3" cellspacing="3">
<%
   // Walk every request header; a header that was sent more than once
   // (e.g. x_hdr_department for a multi-valued attribute) yields one row per value.
   Enumeration<String> headerNames = request.getHeaderNames();
   while (headerNames.hasMoreElements()) {
      String paramName = headerNames.nextElement();
      Enumeration<String> paramValues = request.getHeaders(paramName);
      while (paramValues.hasMoreElements()) {
         String paramValue = paramValues.nextElement();
         out.print("<tr><td>" + normalize(paramName) + "</td>\n");
         out.println("<td> " + normalize(paramValue) + "</td></tr>\n");
      }
   }
%>
</table>
</body>
</html>
<%!
   // Escape HTML metacharacters so header content is displayed rather than
   // rendered by the browser, and start a new line after each ';' for readability.
   private String normalize(String value) {
      StringBuilder sb = new StringBuilder();
      for (int i = 0; i < value.length(); i++) {
         char c = value.charAt(i);
         switch (c) {
            case '<': sb.append("&lt;"); break;
            case '>': sb.append("&gt;"); break;
            case '&': sb.append("&amp;"); break;
            case '"': sb.append("&quot;"); break;
            default: sb.append(c);
         }
         if (c == ';') {
            sb.append("<br>");
         }
      }
      return sb.toString();
   }
%>

Then create the following copies of the file:

sudo -u tomcat-core cp index.jsp sales.jsp
sudo -u tomcat-core cp index.jsp development.jsp

Now we need to restart the gateway to pick up these changes:

sudo systemctl restart tb-gw-default

Configure the SP in the IDHub

This will let IDHub know that there is a service provider configured on the Gateway.

In the Menu under Configuration click on Service Providers. Click on the Add New SP button.

  • Enter HTTP header based SP in the Display Name field.
  • Enter /backend in the URL field.
  • Enter /backend in the Description field. 
  • Select Proxy Locations as Type. Extra fields will now appear below the Type option.
  • Enter /backend in the Location field.

Then click on Save & Close. The new service provider should now appear in the list.

Click the Edit authorizations button (shield icon) on the right of your new SP.

  • Select Custom Authentication Scheme.
  • Then click on Save.

Click the Edit identity button (human icon) on the right of your new SP.

  • Under Subject Configuration select User password loginid.
  • Then click Save & Close.

To test the access to the SP log out of the IDHub portal and go to:

https://your-tb-ip-address/backend/

When you log in with user penny you should see something like this:

Add an Authentication Rule

Now log back in to the IDHub portal and in the Menu click Service Providers.

Then for the HTTP header based SP click the Edit authorizations button.

  • In the Sub Menu click Authentication Rule.
  • Click the Add New Statement button.
  • Click the Add Simple Condition button.
    • In the left dropdown box select the department attribute.
    • In the right dropdown box select MultiValue>Includes Any.
    • Select all of the enumerated values (development, sales and support).
    • In the then dropdown box at the bottom select allow.
    • Then click Save.

To test the access to the SP log out of the IDHub portal and go to:

https://your-tb-ip-address/backend/

You will now be presented with a login page. Select the Username & Password method and log in with the user penny. You will not get access as Penny does not have a value assigned to the Department attribute.

Try again with the user coopers and you should see something like this:


Note that multi valued attributes are sent as multiple HTTP headers with the same name.

Now try to access the different JSP files we created.

https://your-tb-ip-address/backend/sales.jsp
https://your-tb-ip-address/backend/development.jsp

You should have access.

Also try to log in with the users hofstadterl and wolowitzh. They should all have access.

Add an Application Rule

Now log back in to the IDHub portal and in the Menu click Service Providers.

Then for the HTTP header based SP click the Edit authorizations button.

In the Sub Menu click Application Rule.

Then click the Add New URI Resource button.

  • Enter /development.jsp in the URI field.
  • Select the GET method.
  • Click the Add New Statement button.
  • Click the Add Simple Condition button.
  • In the left dropdown box select the department attribute.
  • In the right dropdown box select MultiValue>Includes.
  • Select development in the enumerated list.
  • In the then dropdown box at the bottom select allow.
  • Then click Save And Close.

Then click the Add New URI Resource button.

  • Enter /sales.jsp in the URI field.
  • Select the GET method.
  • In the left dropdown box select the department attribute.
  • In the right dropdown box select MultiValue>Includes.
  • Select sales in the enumerated list.
  • In the then dropdown box at the bottom select allow.
  • Then click Save And Close.

Now try to access the different JSP files with the three different users.

https://your-tb-ip-address/backend/
https://your-tb-ip-address/backend/sales.jsp
https://your-tb-ip-address/backend/development.jsp
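The authentication rule and the two application rules configured above, evaluated against the four users created earlier, as an added example that is not part of this guide or of TrustBuilder's own code. The evaluator is a simplified model of the rule semantics (Includes Any for the SP-level rule, Includes for the per-URI rules); the assumption that a URI without an application rule is governed by the authentication rule alone is mine, and backend_headers shows how the gateway's header_map turns the multi-valued department attribute into repeated x_hdr_department headers.

```python
# Added example (not TrustBuilder code): models the IDHub rules from this guide
# so the expected outcome per user and URI can be checked offline.

# Constructed user store: loginid -> multi-valued common|department attribute,
# as provisioned in the guide.
USERS = {
    "coopers": ["development", "sales"],
    "hofstadterl": ["development"],
    "wolowitzh": ["support"],
    "penny": [],
}

# Enumeration values selected in the authentication rule (Includes Any).
ENUM_VALUES = {"development", "sales", "support"}

# Application rules: (URI, method) -> department value the user must include.
APP_RULES = {
    ("/development.jsp", "GET"): "development",
    ("/sales.jsp", "GET"): "sales",
}


def includes_any(values, allowed):
    """MultiValue > Includes Any: true if at least one value is in allowed."""
    return any(v in allowed for v in values)


def includes(values, required):
    """MultiValue > Includes: true if the required value is present."""
    return required in values


def authentication_rule(loginid):
    """SP-level rule: allow only users with a department from the enumeration."""
    return includes_any(USERS[loginid], ENUM_VALUES)


def application_rule(loginid, uri, method="GET"):
    """Per-URI rule. Assumption: a URI with no rule (e.g. the index) is not restricted here."""
    required = APP_RULES.get((uri, method))
    return True if required is None else includes(USERS[loginid], required)


def access(loginid, uri, method="GET"):
    """Authentication rule first, then the application rule for the URI."""
    return authentication_rule(loginid) and application_rule(loginid, uri, method)


def backend_headers(loginid):
    """Header lines the gateway adds: one x_hdr_department line per value."""
    lines = [("x_hdr_subject", loginid)]
    lines += [("x_hdr_department", d) for d in USERS[loginid]]
    return lines
```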


