Cantara / Whydah-UserIdentityBackend

The UserIdentityBackend module of the Whydah IAM/SSO
Apache License 2.0

UserIdentityBackend

Project Status: Active – The project has reached a stable, usable state and is being actively developed.

Stores UserIdentities and their relation to Roles, Applications and Organizations. Requires SecurityTokenService if authorization is turned on.

Architectural Overview

Installation

```bash
A=UserIdentityBackend
V=SNAPSHOT

if [[ $V == SNAPSHOT ]]; then
    echo "Note: If the artifact version contains SNAPSHOT, the latest greatest snapshot is downloaded, irrespective of version number!!!"
    path="http://mvnrepo.cantara.no/content/repositories/snapshots/net/whydah/identity/$A"
    # Latest version listed in the group-level metadata
    version=$(curl -s "$path/maven-metadata.xml" | grep "<version>" | sed "s/.*<version>\([^<]*\)<\/version>.*/\1/" | tail -n 1)
    echo "Version $version"
    # Timestamped build id of that snapshot version
    build=$(curl -s "$path/$version/maven-metadata.xml" | grep '<value>' | head -1 | sed "s/.*<value>\([^<]*\)<\/value>.*/\1/")
    JARFILE="$A-$build.jar"
    url="$path/$version/$JARFILE"
else
    # A specific release version
    path="http://mvnrepo.cantara.no/content/repositories/releases/net/whydah/identity/$A"
    url="$path/$V/$A-$V.jar"
    JARFILE="$A-$V.jar"
fi

# Download
echo "Downloading $url"
wget -O "$JARFILE" -q -N "$url"

# Create symlink or replace existing symlink
if [ -h "$A.jar" ]; then
    unlink "$A.jar"
fi
ln -s "$JARFILE" "$A.jar"
```
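The install script above downloads the JAR over plain http:// and trusts whatever comes back. The following is an added example (not part of the UserIdentityBackend project) that keeps the script's maven-metadata.xml parsing as separate functions and adds a SHA-1 check of the downloaded JAR against the `.sha1` file that Maven repositories publish beside every artifact; the metadata and version numbers are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the UserIdentityBackend README: the install
# script's maven-metadata.xml parsing split into functions, plus a SHA-1
# check of the downloaded JAR against the .sha1 file that Maven
# repositories publish beside every artifact. Fetching is left to the
# caller; the functions take local files so they can be tested offline.

# Latest <version> in the group-level maven-metadata.xml
# (the install script's grep/sed/tail pipeline).
latest_version() {
    grep "<version>" "$1" | sed "s/.*<version>\([^<]*\)<\/version>.*/\1/" | tail -n 1
}

# Timestamped build id of a SNAPSHOT: first <value> in the version-level
# maven-metadata.xml (the install script's grep/head/sed pipeline).
snapshot_build() {
    grep '<value>' "$1" | head -1 | sed "s/.*<value>\([^<]*\)<\/value>.*/\1/"
}

# Compare a JAR with the hex digest in its companion .sha1 file, which
# holds either the bare digest or "digest  filename".
# Returns 0 on match, 1 on mismatch or empty digest.
verify_sha1() {
    expected=$(awk '{print tolower($1)}' "$2")
    actual=$(sha1sum "$1" | awk '{print $1}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Constructed sample metadata mirroring the two fetches in the install
# script; the version numbers are made up for this example.
SAMPLE_GROUP_META='<metadata><versioning><versions>
<version>2.1.8</version>
<version>2.1.9-SNAPSHOT</version>
</versions></versioning></metadata>'
SAMPLE_VERSION_META='<metadata><versioning><snapshotVersions><snapshotVersion>
<extension>jar</extension>
<value>2.1.9-20200101.120000-7</value>
</snapshotVersion></snapshotVersions></versioning></metadata>'

# Run the parsers on the constructed samples.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_GROUP_META" > "$tmp/group.xml"
    printf '%s\n' "$SAMPLE_VERSION_META" > "$tmp/version.xml"
    echo "version: $(latest_version "$tmp/group.xml")"
    echo "build:   $(snapshot_build "$tmp/version.xml")"
    rm -rf "$tmp"
}
demo
```

Because the `.sha1` file comes from the same repository over the same unencrypted channel, this check catches truncated or corrupted downloads but not a tampered artifact; pin the expected digest from a trusted source (or fetch over https) to get the latter.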


* create useridentitybackend.TEST.properties - TODO Decide which mode should be described here...

```properties
DEFCON=5

# Normal operations
prop.type=DEV
ldap.embedded=true
ldap.embedded.port=11389
ldap.embedded.directory=target/bootstrapdata/ldap

ldap.primary.url=ldap://localhost:11389/dc=people,dc=whydah,dc=no
ldap.primary.admin.principal=uid=admin,ou=system
ldap.primary.admin.credentials=secret
ldap.primary.uid.attribute=uid
ldap.primary.username.attribute=initials
ldap.primary.readonly=false

roledb.directory=target/bootstrapdata/hsqldb
roledb.jdbc.driver=org.hsqldb.jdbc.JDBCDriver
roledb.jdbc.url=jdbc:hsqldb:file:target/bootstrapdata/hsqldb/roles
roledb.jdbc.user=sa
roledb.jdbc.password=

import.enabled=true
import.usersource=testdata/users.csv
import.rolemappingsource=testdata/rolemappings.csv
import.applicationssource=testdata/applications.csv
import.organizationssource=testdata/organizations.csv

useradmin.requiredrolename=WhydahUserAdmin

adduser.defaultrole.name=WhydahDefaultUser
adduser.defaultrole.value=true
adduser.defaultapplication.name=WhydahTestWebApplication
adduser.defaultapplication.id=99
adduser.defaultorganization.name=Whydah

adduser.netiq.defaultrole.name=Employee
# Not used placeholder
adduser.netiq.defaultrole.value=$email
adduser.netiq.defaultapplication.name=ACS
adduser.netiq.defaultapplication.id=100
adduser.netiq.defaultorganization.name=ACSOrganization

adduser.facebook.defaultrole.name=FBData
# Not used placeholder
adduser.facebook.defaultrole.value=$fbdata
adduser.facebook.defaultapplication.name=WhydahTestWebApplication
adduser.facebook.defaultapplication.id=99
adduser.facebook.defaultorganization.name=Facebook

securitytokenservice=mock
ssologinservice=http://localhost:9997/sso/
myuri=http://localhost:9995/uib/
service.port=9995
lucene.directory=target/bootstrapdata/lucene
```


* create start-service.sh (normal/prod mode)

```bash
#!/bin/bash
# Used by https://github.com/Cantara/Whydah/tree/master/dev-quickstart

# If Version is from source, find the artifact
if [ "$Version" = "FROM_SOURCE" ]; then
    # Find the built artifact
    Version=$(find target/* -name '*.jar' | grep SNAPSHOT | grep -v original | grep -v lib)
else
    Version=UserIdentityBackend.jar
fi

nohup /usr/bin/java $env_vars -jar "$Version" &

# DEV mode (use instead of the line above)
# nohup /usr/bin/java $env_vars -DCONSTRETTO_TAGS=DEV -jar "$Version" &
```


Typical apache setup
====================

```apache
<VirtualHost *:80>
    ServerName myserver.net
    ServerAlias myserver

    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPreserveHost on
    ProxyPass /sso http://localhost:9997/sso
    ProxyPass /uib http://localhost:9995/uib
    ProxyPass /tokenservice http://localhost:9998/tokenservice
    ProxyPass /useradmin http://localhost:9996/useradmin
    ProxyPass /test http://localhost:9990/test/
</VirtualHost>
```



Notes
======

* Please ensure that UIB has a large number (10,000-30,000) of available file handles in large or high-traffic installations

Developer info
==============

* https://wiki.cantara.no/display/whydah/Architecture+Overview
* https://wiki.cantara.no/display/whydah/Key+Whydah+Data+Structures
* https://wiki.cantara.no/display/whydah/Whydah+Modules

If you are planning on integrating, you might want to run SecurityTokenService in DEV mode, which shortcuts the authentication.
You can manually control the UserTokens for the different test users you want by creating a file named t_<username>.token, which
consists of the XML representation of the access roles (and related data) you want the specific user to expose to the integrated application.

## LICENSE

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

<http://www.apache.org/licenses/LICENSE-2.0>

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.