Haufe-Lexware / wicked.haufe.io

An API Management system based on Mashape Kong
http://wicked.haufe.io

How to configure LDAP for wicked portal #211

Closed karthiknaga87 closed 5 years ago

karthiknaga87 commented 5 years ago

Hi Team, we are trying to implement the LDAP setup for our Wicked portal, to make the Wicked portal login based on the common LDAP setup that we have. Kindly help by providing us the instructions to implement the same.

Let us know if more details are required.

Thanks, Karthik N

DonMartin76 commented 5 years ago

Currently, there is no LDAP support out of the box, but it's possible to implement with one small additional service deployed alongside wicked, and by leveraging the external auth method type. The idea is described here:

https://github.com/Haufe-Lexware/wicked.haufe.io/blob/master/doc/auth-external.md

In short, the service (which should be deployed in a way such that only wicked.auth can access it) will receive a username and password, which then must be validated against a user store; this can be an LDAP store, where you first look up the user by username (to get the DN), and then bind against the LDAP server again with that DN and the given password.

In case this was successful, return the OIDC profile and wicked will continue from there.

This means that wicked will federate LDAP (or any username/password store) into any OAuth2 flow (implicit, authorization code, resource owner password grant).

LDAP will eventually be implemented directly in wicked as well, but it's not top priority just yet.

Does this help?
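The look-up-then-bind check described above, as an added example that is not wicked's own code (the exact request/response contract of the external auth method lives in the linked doc, not on this page). It runs against a constructed in-memory directory instead of a real LDAP server; the base DN, attribute names and the single user record are assumptions.

```javascript
'use strict';

// Escape untrusted input placed inside an LDAP search filter (RFC 4515),
// so a username such as "*" or "a)(uid=b" cannot change the query.
function escapeLdapFilter(value) {
  return String(value).replace(/[\\*()\0]/g,
    (c) => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Constructed in-memory stand-in for the LDAP directory (hypothetical data).
// A real service would call an LDAP client library for search and bind.
const fakeDirectory = {
  records: [
    { dn: 'uid=karthik,ou=people,dc=example,dc=com', uid: 'karthik',
      cn: 'Karthik N', mail: 'karthik@example.com', password: 's3cret' },
  ],
  // Step 1 from the comment: look the user up by username to obtain the DN.
  // Only equality filters are modelled; an escaped wildcard never matches.
  search(baseDn, filter) {
    const m = /^\(uid=(.*)\)$/.exec(filter);
    if (!m) return [];
    return this.records
      .filter((r) => r.dn.endsWith(baseDn) && r.uid === m[1])
      .map(({ password, ...entry }) => entry);
  },
  // Step 2: bind as that DN with the supplied password. Modelled to accept an
  // empty password, as directories that permit "unauthenticated bind"
  // (RFC 4513 section 5.1.2) do; the caller must guard against that.
  bind(dn, password) {
    const r = this.records.find((x) => x.dn === dn);
    return Boolean(r) && (password === '' || r.password === password);
  },
};

// The check the external auth service performs: returns an OIDC-style
// profile on success and null on any failure, which the service would
// then report back to wicked.auth.
function validateCredentials(directory, baseDn, username, password) {
  // An empty password must never reach the bind call, otherwise an
  // unauthenticated bind would look like a successful login.
  if (typeof username !== 'string' || typeof password !== 'string' ||
      password === '') {
    return null;
  }
  const found = directory.search(baseDn, `(uid=${escapeLdapFilter(username)})`);
  if (found.length !== 1) return null; // unknown or ambiguous username
  if (!directory.bind(found[0].dn, password)) return null;
  const { uid, cn, mail } = found[0];
  return { sub: uid, name: cn, email: mail };
}
```

In a real deployment the search and bind calls are asynchronous and the service should be reachable only from wicked.auth, as the comment notes.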

DonMartin76 commented 5 years ago

Implementing LDAP as an auth method looks pretty reasonable to do though...

karthiknaga87 commented 5 years ago

Thanks for the response, it's helpful.

Thanks, Karthik N

DonMartin76 commented 5 years ago

I take this back; LDAP support is coming in the next version (1.0.0-rc.8). See #126. I would be thankful if you could take this for a test drive as soon as it's implemented and checked in to next. Is that possible?

DonMartin76 commented 5 years ago

@karthiknaga87 @kbhuvanamohan Have you had time to check out my proposed changes? I would still go and merge this and release it into rc.8 today.

karthiknaga87 commented 5 years ago

@DonMartin76 We will be happy to take this up for a quick test. Kindly let us know once it's available in next.

Thanks, Karthik N

DonMartin76 commented 5 years ago

It's available in next, and was even released to 1.0.0-rc.8.

karthiknaga87 commented 5 years ago

@DonMartin76, we had a check on this and were successfully able to configure and use the service over the LDAP setup locally. The LDAP configuration worked as expected. Thanks for the update, and let me know if more details are required.

Thanks, Karthik N

karthiknaga87 commented 5 years ago

@DonMartin76 On top of the above, we are now exploring the SAML option and looking for the instructions to implement the same. It would be helpful if you could guide us on the SAML implementation. Thanks, Karthik N

karthiknaga87 commented 5 years ago

@DonMartin76 In case you have any template to capture the test results, I would be happy to fill it in for you. Thanks, Karthik N

DonMartin76 commented 5 years ago

For SAML configuration, see here: https://github.com/Haufe-Lexware/wicked.haufe.io/blob/master/doc/auth-saml.md

I am closing this for now, is that okay? Thanks for giving the LDAP integration a try.

karthiknaga87 commented 5 years ago

@DonMartin76 Thanks for that. Yes, we are good to get this closed, but we just have a few more questions on SAML; it would be helpful if you could provide your input here:

1) Our SAML team needs to know the Application-URL and Application-End-User-URL. Since auth is handled by https://api.company.com/auth and the application is https://developer.company.com, which ones should we use for each?

2) What is the Assertion Consumer Service URL?

3) What will be the Entity ID for our portal?

4) What version of SAML is supported?

Thanks, Karthik N

DonMartin76 commented 5 years ago

The SP for your SAML team is wicked's Auth Server, which exposes its metadata at

https://api.company.com/auth/<authmethod>/metadata.xml

This metadata XML should contain everything they need, including all the URLs. SAML2 is supported. If you have further questions on SAML, please file a new help issue instead.

kbhuvanamohan commented 4 years ago

@miguelpoyatosmora @karthiknaga87 Please help to provide additional information if needed.