LPS:Java-idp-webauth-login-handler
Webauth Login Handler Installation instructions
WebAuth is an authentication system for web pages and web applications. We want to use WebAuth as the login service for our IdP realm, in the same way the IdP's RemoteUserLoginHandler is used. The WebAuth application-server module (mod_webauth) authenticates the user from the webauth_at cookie token and exports the user name to the backend application (e.g. the IdP) in the REMOTE_USER/WEBAUTH_USER environment variables. WebAuth is a single sign-on system, however, and the stock RemoteUser login handler cannot force a fresh authentication by itself, which is exactly what a SAML ForceAuthn request demands:
From the SAML 2.0 Core specification (AuthnRequest attributes): ForceAuthn [Optional] A Boolean value. If "true", the identity provider MUST authenticate the presenter directly rather than rely on a previous security context. If a value is not provided, the default is "false". However, if both ForceAuthn and IsPassive are "true", the identity provider MUST NOT freshly authenticate the presenter unless the constraints of IsPassive can be met.
Authentication tokens issued by mod_webauth and mod_webkdc carry certain properties (who authenticated, when, and with which factors). For a normal request, any valid WebAuth token is sufficient authentication for the IdP. For a ForceAuthn request, the login handler must make the user obtain a token with specific properties. For that purpose we consider a token valid only if it is:
- based on knowledge of the login/password (not merely on the SSO cookie)
- not older than X minutes
- not used in the IdP before (i.e. it does not present any previous security context)
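The decision the handler has to make for a ForceAuthn request, as an added example (this is not the project's code and not necessarily how the real handler implements the check): a plain-Java policy class that reads the variables mod_webauth 4.x exports for an authenticated request (WEBAUTH_USER, WEBAUTH_FACTORS_SESSION, WEBAUTH_TOKEN_CREATION; check the names against the documentation of your mod_webauth build) and applies the three criteria above. The "not used before" rule is implemented here by remembering consumed sessions, keyed by user and token creation time, in a bounded in-memory set, which assumes the creation time is stable even if the webauth_at cookie is re-issued; the real handler can instead delete webauth_at after use. The sessions in main() are constructed samples.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not the project's code): the ForceAuthn token policy from the
 * criteria above, evaluated over the WEBAUTH_* variables that mod_webauth 4.x
 * exports to the backend for an authenticated request.
 */
public class ForceAuthnPolicy {

    public enum Verdict { ACCEPT, NO_SESSION, NOT_PASSWORD_BASED, TOO_OLD, ALREADY_USED }

    private static final int MAX_REMEMBERED = 10_000;

    private final long maxTokenAgeSeconds;

    // Sessions already consumed by a ForceAuthn login, keyed by
    // "<user>|<WEBAUTH_TOKEN_CREATION>" (assumption: the creation time stays the
    // same even if mod_webauth re-issues the webauth_at cookie for the session).
    // Insertion-ordered and bounded so a long-running IdP cannot grow it forever.
    private final Set<String> usedSessions = Collections.newSetFromMap(
            new LinkedHashMap<String, Boolean>(16, 0.75f, false) {
                @Override
                protected boolean removeEldestEntry(Map.Entry<String, Boolean> eldest) {
                    return size() > MAX_REMEMBERED;
                }
            });

    /** maxTokenAgeMinutes corresponds to the servlet's maxTokenAge init-param. */
    public ForceAuthnPolicy(long maxTokenAgeMinutes) {
        this.maxTokenAgeSeconds = maxTokenAgeMinutes * 60L;
    }

    /** env holds the request's WEBAUTH_* variables; nowSeconds is Unix time. */
    public Verdict evaluate(Map<String, String> env, long nowSeconds) {
        String user = env.get("WEBAUTH_USER");
        if (user == null || user.isEmpty()) {
            return Verdict.NO_SESSION;                 // mod_webauth did not authenticate
        }
        // 1. knowledge of login/password: the session must carry the 'p' factor;
        //    a session established from the SSO cookie alone does not.
        String factors = env.getOrDefault("WEBAUTH_FACTORS_SESSION", "");
        if (!Arrays.asList(factors.split(",")).contains("p")) {
            return Verdict.NOT_PASSWORD_BASED;
        }
        // 2. not older than maxTokenAge
        long created;
        try {
            created = Long.parseLong(env.getOrDefault("WEBAUTH_TOKEN_CREATION", ""));
        } catch (NumberFormatException e) {
            return Verdict.NO_SESSION;                 // malformed or missing timestamp
        }
        if (nowSeconds - created > maxTokenAgeSeconds) {
            return Verdict.TOO_OLD;
        }
        // 3. not used in the IdP before: add() returns false if we consumed it already
        if (!usedSessions.add(user + "|" + created)) {
            return Verdict.ALREADY_USED;
        }
        return Verdict.ACCEPT;
    }

    // Constructed sample of the variables mod_webauth would export for a request.
    private static Map<String, String> session(String user, String factors, long created) {
        Map<String, String> env = new HashMap<>();
        env.put("WEBAUTH_USER", user);
        env.put("WEBAUTH_FACTORS_SESSION", factors);
        env.put("WEBAUTH_TOKEN_CREATION", Long.toString(created));
        return env;
    }

    public static void main(String[] args) {
        ForceAuthnPolicy policy = new ForceAuthnPolicy(10);   // maxTokenAge = 10 (minutes)
        long now = 1_700_000_000L;
        Map<String, String> ssoOnly = session("alice", "c", now - 30);      // 'c' = SSO cookie factor only
        Map<String, String> fresh   = session("alice", "p", now - 30);      // password entered 30 s ago
        Map<String, String> stale   = session("alice", "p", now - 15 * 60); // password entered 15 min ago

        System.out.println("SSO-cookie session  : " + policy.evaluate(ssoOnly, now));
        System.out.println("fresh password      : " + policy.evaluate(fresh, now));
        System.out.println("same session again  : " + policy.evaluate(fresh, now));
        System.out.println("15-minute-old token : " + policy.evaluate(stale, now));
    }
}
```

Only the second evaluation is accepted: the cookie-only session fails the password rule, replaying the accepted session fails the "not used before" rule, and the 15-minute-old token exceeds maxTokenAge. On any verdict other than ACCEPT, the servlet would clear the webauth_at cookie and redirect the browser to reauthURL, the WebAuth-protected location that requires the password session factor and therefore produces a token satisfying the first rule.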
Requirements
- the IdP must be the only application in the webauth_at cookie scope (i.e. it must have its own FQDN), because the handler has to be able to delete that cookie
- WebAuth >= 4.x (the Apache configuration below relies on WebAuthRequireSessionFactor)
Installation and configuration
Download and build the source (replace X.0 in the file names below with the latest stable version, e.g. "tags/1.0"):

    git clone https://home.zcu.cz/~bodik/java-idp-webauth-login-handler
    cd java-idp-webauth-login-handler
    mvn package
IdP - Configuration
Copy the .jar file to the IdP installation folder:

    cp target/webauth-login-handler-X.0.jar $IDP_INSTALL_DIR/lib
Configuring the server (tomcat)
The WebAuth login servlet has to be enabled in the web application. You do that in $IDP_INSTALL_DIR/src/main/webapp/WEB-INF/web.xml. reauthURL is the WebAuth-protected location the handler redirects the user to when the current token does not satisfy the ForceAuthn criteria (the Apache location configured below), and maxTokenAge is the maximum token age X from the criteria above:

    <web-app>
      (...)
      <servlet>
        <servlet-name>WebauthAuthServlet</servlet-name>
        <servlet-class>cz.zcu.civ.idp.webauth.WebauthAuthServlet</servlet-class>
        <init-param>
          <param-name>reauthURL</param-name>
          <param-value>https://shib2.zcu.cz/wareauth</param-value>
        </init-param>
        <init-param>
          <param-name>maxTokenAge</param-name>
          <param-value>10</param-value>
        </init-param>
      </servlet>
      <servlet-mapping>
        <servlet-name>WebauthAuthServlet</servlet-name>
        <url-pattern>/Authn/Webauth</url-pattern>
      </servlet-mapping>
      (...)
    </web-app>
Apache configuration
The reauth URL must lie within the same webauth_at cookie scope as the IdP, because the IdP application/module needs to be able to delete that cookie. On WebAuth 4.x the location is protected with WebAuthRequireSessionFactor p: the user's current session must have been established by entering a password, so a session that rests only on the SSO cookie is sent back to the WebKDC to enter it again. (The commented-out WebAuthForceLogin/WebAuthAppTokenLifetime lines are the WebAuth 3.x approach.) After a successful login the rewrite rule sends the browser back to the IdP:

    # RUSS 2
    <Location /wareauth>
        ## WebAuth
        AuthType WebAuth
        require valid-user
        #WA3
        ## WebAuthForceLogin on
        ## WebAuthAppTokenLifetime 1m
        # WA4
        WebAuthRequireSessionFactor p
        RewriteEngine on
        RewriteRule .* https://shib2.zcu.cz/idp/Authn/RemoteUser [R,L]
    </Location>
handler.xml configuration
Add the login handler to handler.xml (the lines marked <<<<< are the additions). The file is at:
- new install: $IDP_INSTALL_DIR/src/installer/resources/conf-tmpl/handler.xml
- reinstall: $IDP_DIR/conf/handler.xml

    <ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        (...)
        xmlns:webauth="http://support.zcu.cz/java-idp-webauth-login-handler"                        <<<<<
        (...)
        xsi:schemaLocation="
            urn:mace:shibboleth:2.0:idp:profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd
            http://support.zcu.cz/java-idp-webauth-login-handler classpath:/schema/webauth-login-handler.xsd   <<<<<
            (...)
        ">
        (...)
        <ph:LoginHandler xsi:type="webauth:Webauth">                                                 <<<<<
            <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:Webauth</ph:AuthenticationMethod>   <<<<<
        </ph:LoginHandler>                                                                           <<<<<
        (...)
    </ph:ProfileHandlerGroup>

Note that urn:oasis:names:tc:SAML:2.0:ac:classes:Webauth is a site-specific authentication context class, not one defined by SAML. The IdP routes a request to this handler only when the requested class matches one of its AuthenticationMethod elements, so an SP that asks for a standard class (e.g. PasswordProtectedTransport) will reach it only if you list that class here as well.
Log configuration
The logging for the Handler is configured in the logging.xml file. It can be found at:
- new install: $IDP_INSTALL_DIR/src/installer/resources/conf-tmpl/logging.xml
- reinstall: $IDP_DIR/conf/logging.xml
    (...)
    <logger name="cz.zcu.civ.idp.webauth">
        <level value="DEBUG"/>
    </logger>
    (...)
Deployment
Back up the IdP configuration, then re-deploy the application:

    $IDP_INSTALL_DIR/install.sh
Troubleshooting
- Project page (bugs, features): http://support.zcu.cz/java-idp-webauth-login-handler
- Contact for comments/questions: paja@civ.zcu.cz