LPS:Java-idp-webauth-login-handler

Z HelpDesk


Webauth Login Handler Installation instructions

WebAuth is an authentication system for web pages and web applications. If we want use Webauth as login service for our IdP realm. We want to use it like RemoteUserLoginHandler. Webauth WAS module (mod_webauth) which handles authentication of user based on cookie token webauth_at sets environment variable REMOTE_USER/WEBAUTH_USER for backend application engine (eg. IdP). But it's SSO, and by default RemoteUser cann't do force authentication by itself. 

        ForceAuthn [Optional]
2042    A Boolean value. If "true", the identity provider MUST authenticate the presenter directly rather than
2043    rely on a previous security context. If a value is not provided, the default is "false". However, if both
2044    ForceAuthn and IsPassive are "true", the identity provider MUST NOT freshly authenticate the
2045    presenter unless the constraints of IsPassive can be met.

Authentication tokens generated by mod_webauth and mod_webkdc are of certain properties. For normal requests, we find any valid webauth token as sufficient authentication for IdP. In case of ForceAuthn request to IdP, we need login handler to force user to get a token with a specific properties. We consider valid token as:

  • based on knowledge of login/password
  • not older than X minutes
  • not used in IdP before (eg. not to present any previous security context ;)

Requirements

  • IdP must be only application in webauth_at cookie scope (have it's own FQDN)
  • Webauth >= 4.x

Installation and configuration

Download and build the source (replace X.0 with the last stable version, e.g.: "tags/1.0"): 

git clone https://home.zcu.cz/~bodik/java-idp-webauth-login-handler
cd java-idp-webauth-login-handler
mvn package

IdP - Configuration

Copy the .jar file to the installation folder: 

cp target/webauth-login-handler-X.0.jar $IDP_INSTALL_DIR/lib

Configuring the server (tomcat)

In the web-application you have to enable the Webauth login servlet. You do that in $IDP_INSTALL_DIR/src/main/webapp/WEB-INF/web.xml: 

<webapp>
(...)
  <servlet>
    <servlet-name>WebauthAuthServlet</servlet-name>
    <servlet-class>cz.zcu.civ.idp.webauth.WebauthAuthServlet</servlet-class>
    <init-param>
      <param-name>reauthURL</param-name>
      <param-value>https://shib2.zcu.cz/wareauth</param-value>
    </init-param>
    <init-param>
      <param-name>maxTokenAge</param-name>
      <param-value>10</param-value>
    </init-param>
  </servlet>

  <servlet-mapping>
    <servlet-name>WebauthAuthServlet</servlet-name>
    <url-pattern>/Authn/Webauth</url-pattern>
  </servlet-mapping>
(...)
</webapp>

Apache configuration

reauth url must be within the same webauth_at context, as we need to be able to delete it from IdP application/module ... 

# RUSS 2
<Location /wareauth>
  ## WebAuth     
  AuthType WebAuth
  require valid-user
  
  #WA3
  ##  WebAuthForceLogin on
  ##  WebAuthAppTokenLifetime 1m
  
  # WA4
  WebAuthRequireSessionFactor p
  
  RewriteEngine on
  RewriteRule .* https://shib2.zcu.cz/idp/Authn/RemoteUser [R,L]
</Location>

handler.xml configuration

Configure the handler.xml at:

  • new install: $IDP_INSTALL_DIR/src/installer/resources/conf-tmpl/handler.xml
  • reinstall: $IDP_DIR/conf/handler.xml

<ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler" 
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
  (...)
  xmlns:webauth="http://support.zcu.cz/java-idp-webauth-login-handler"                                      <<<<<
  (...)
  xsi:schemaLocation="
    urn:mace:shibboleth:2.0:idp:profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd
    http://support.zcu.cz/java-idp-webauth-login-handler classpath:/schema/webauth-login-handler.xsd        <<<<<
(...)
">
(...)
  <ph:LoginHandler xsi:type="webauth:Webauth">                                                              <<<<<
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:Webauth</ph:AuthenticationMethod>       <<<<<
  </ph:LoginHandler>                                                                                        <<<<<
(...)
</ph:ProfileHandlerGroup>

Log configuration

The logging for the Handler is configured in the logging.xml file. It can be found at:

  • new install: $IDP_INSTALL_DIR/src/installer/resources/conf-tmpl/logging.xml
  • reinstall: $IDP_DIR/conf/logging.xml
(...)
<logger name="cz.zcu.civ.idp.webauth">
<level value="DEBUG"/>
</logger>
(...)

Deployment

Backup the IdP configuration before re-deploying the application: 

$IDP_INSTALL_DIR/install.sh

Troubleshooting

Citováno z „https://helpdesk.zcu.cz/index.php?title=LPS:Java-idp-webauth-login-handler&oldid=31741