Last modified by jhurst on 2020/07/21 11:35
Show last authors
1 {{ddtoc/}}
2
3 ----
4
5 (% class="wikigeneratedid" %)
6 This document describes how to set up an OpenID Connect authentication valve for DigDash.
7
8 = Prerequisites =
9
10 * The acronyms used below are listed in the glossary at the end of this document.
11 * Have configured the DigDash server with an SSL/TLS (HTTPS) connector (this authentication method requires secure exchanges).
12 * Have the **<Install DD>/add-ons/valve_openidconnect** folder containing all the files needed to set up the OpenID Connect authentication valve in the DigDash Tomcat server. The placement of these files is described in this document.
13 ** The apache-tomcat folder: transposed to **/etc/tomcat9/** under Linux and **C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf **under Windows
14 *** The lib sub-folder: libraries and logs configuration file to be placed in :
15 **** under Linux: **/usr/share/tomcat9/lib/**
16 **** under Windows : **C:\Program Files\Apache Software Foundation\Tomcat 9.0\lib**
17 *** The webapps sub-folder : the DigDash entry point (endpoint) in a .war to be placed in:
18 **** under Linux: **/home/digdash/webapps/default**
19 **** under Windows: **E:/digdash/webapps/default**
20 * The following operations must be carried out with the DigDash server **stopped**.
21 * The user to be authenticated must exist both at the PO and in the DigDash LDAP.
22
23 (% class="box warningmessage" %)
24 (((
25 It is advisable to have at least one user with the right to add DigDash users to the DigDash LDAP before installing the OpenID Connect valve, in order to avoid SSO authentication failures on the first connections due to the absence of such a user in the LDAP.
26 )))
27
28 = Configuring the DigDash server =
29
30 == Copy the libraries ==
31
32 Copy the libraries and the log configuration file from the **<install DD>/add-ons/valve_openidconnect/apache-tomcat/lib** folder to the :
33
34 (% class="box" %)
35 (((
36 * under Linux: **/usr/share/tomcat9/lib/**
37 * under Windows : **C:\Program Files\Apache Software Foundation\Tomcat 9.0\lib**
38 )))
39
40 Files to copy :
41
42 |oidc-valve.jar|log4j-api-2.19.0.jar
43 |slf4j-api-2.0.6.jar|log4j-1.2-api-2.19.0.jar
44 |log4j-slf4j-impl-2.19.0.jar|log4j2.properties
45 |log4j-core-2.19.0.jar|
46
47 == Adding the OpenID Connect authentication valve ==
48
49 Activate the OpenID Connect authentication valve in the **server.xml** file located in the :
50
51 (% class="box" %)
52 (((
53 * on Linux: **/etc/tomcat9/**
54 * under Windows : **C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf**
55 )))
56
57 To do this, look for the **<Host ...>** element in the file, uncomment or add the **<Valve ...>** element below:
58
59 (((
60 {{code cssClass="notranslate" language="xml"}}
61 <Valve
62 className="org.bsworks.catalina.authenticator.oidc.OpenIDConnectSSOValve"
63 allowAddr="localhost,127.0.0.*,0:0:0:0:0:0:0:1"
64 fallbackAuth="ldap"
65 sharedPasswd="secret"
66 redirect_url="https://localhost:8443/digdash_oidc_endpoint/oidcendpoint"
67 providers="[
68 {
69 name: OpenID Provider name,
70 issuer: issuer,
71 clientId: clientId,
72 clientSecret: clientSecret
73 }
74 ]"
75 usernameClaim="email"
76 additionalScopes="email"
77 cookieTimeOut="-1"
78 ></Valve>
79 {{/code}}
80
81 The value of the className attribute is invariant.
82 The values of the allowAddr, sharedPasswd, redirect_url, providers, usernameClaim, additionalScopes attributes are variable depending on the installation.
83
84 (% class="box infomessage" %)
85 (((
86 💡 The **cookieTimeOut** attribute is optional and can take on different values as described below.
87 However, it is recommended that //cookieTimeOut="-1"// be used //.//
88 )))
89 )))
90
91 |(% style="width:216px" %)**Attributes**|(% style="width:1204px" %)**Description**
92 |(% style="color:#c0392b; width:216px" %)className //(required// )|(% style="width:1204px" %)Name of the Java class implementing the org.apache.catalina.Valve interface, to be used as Valve here. This attribute is mandatory, as it is used to select the Valve to be used. There are several implementations provided by Tomcat.
93 |(% style="color:#27ae60; width:216px" %)(% style="color:#000000" %)allowAddr //(required// )|(% style="width:1204px" %)IP address of the server.
94 |(% style="color:#27ae60; width:216px" %)(% style="color:#000000" %)fallbackAuth //(required)//|(% style="width:1204px" %)The fallback authentication method.
95 |(% style="width:216px" %)sharedPasswd //(required// )|(% style="width:1204px" %)The password shared and verified during authentication (see point II.5).
96 |(% style="width:216px" %)redirect_url //(required// )|(% style="width:1204px" %)(((
97 This is the application path to which users will be redirected after authenticating with the OP. For DigDash, the URL will be {{{https://<DigDash address>:<port>/digdash_oidc_endpoint/oidcendpoint}}}
98
99 {{{or}}}
100 The value can be{{{"/digdash_oidc_endpoint/oidcendpoint}}}"; in this case, the DigDash address will be calculated according to the current address.
101 )))
102 |(% style="width:216px" %)cookieTimeOut //(optional// )|(% style="width:1204px" %)(((
103 Optional, this is the time (in seconds) after which the SSO cookie will expire. Defaults to 1800 seconds (30 minutes).
104 Otherwise, the cookie will expire after the specified number of seconds.
105
106 A negative value means that the cookie will expire when the browser is closed.
107 A value of 0 means that the cookie will be deleted directly (not recommended).
108
109 Example: cookieTimeOut="3600" (1 hour)
110 )))
111 |(% style="width:216px" %)print_debug //(optional// )|(% style="width:1204px" %)Optional, set to false by default, otherwise add print_debug="true" for more verbose traces.
112 |(% style="width:216px" %)providers //(required// )|(% style="width:1204px" %)(((
113 JSON object array value. Each element corresponds to an OpenID Provider used by the application.
114
115 The syntax differs from the standard JSON format in that double quotes are not used for the names of properties and their values (to make the format more XML-like). A value can be surrounded by single quotes if it contains separators such as commas, braces or spaces. Each object representing a PO has the following properties:
116
117 - **issuer **//(mandatory) //: This is a unique URL to identify the PO.
118
119 - **name** //(optional) //: A name associated with the PO; otherwise the issuer by default.
120
121 (((
122 - **clientId **//(required): //The client ID associated with the application at the PO.
123
124 - **clientSecret **//(optional) //: The Secret client. Note that most POs require a Secret client, particularly for calls to the PO's entry points. However, some OPs support public clients, hence the absence of a Secret client.
125
126 - **usernameClaim **//(optional): //The user Identifier attribute requested by the RP and returned by the PO to identify the authenticating user.
127
128 - **additionalScopes **//(optional) //: Additional scopes to the 'openid' scope separated by spaces.
129 )))
130 )))
131 |(% style="width:216px" %)usernameClaim //(optional// )|(% style="width:1204px" %)The default user identifier used by all OPs that do not specify one in the OP's own properties.
132 |(% style="width:216px" %)additionalScopes//(optional// )|(% style="width:1204px" %)The default additional scopes used by all OPs that do not specify one in the OP's own properties.
133 |(% style="width:216px" %)httpConnectTimeout //(optional// )|(% style="width:1204px" %)Timeout in milliseconds for establishing the connection to the OP. 5000 ms (5 seconds) by default.
134 |(% style="width:216px" %)ldapForPaths //(optional// )|(% style="width:1204px" %)These are the regular expressions of the URLs whose resources are authorised to pass the valve, thereby switching to LDAP authentication mode. Example: "https:~/~/localhost:8443/digdash_dashboard/.*"
135 |excludedPaths// (optional)//|These are the regular expressions of the paths whose resources are authorised to pass the valve, thus switching to LDAP authentication mode. Example: "/.*"
136
137 == Add the .war corresponding to the Relying Party entry point ==
138
139 Add the **digdash_oidc_endpoint.war** archive from the **<install DD>/add-ons/valve_openidconnect/apache-tomcat/webapps** folder to the :
140
141 (% class="box" %)
142 (((
143 * under Linux: **/home/digdash/webapps/default**
144 * under Windows: **E:/digdash/webapps/default**
145 )))
146
147 (% class="box infomessage" %)
148 (((
149 This is the endpoint of the RP accessed by the OP.
150 )))
151
152 == Adding security constraints ==
153
154 Uncomment or add the security constraints to the **web.xml** file located in the :
155
156 (% class="box" %)
157 (((
158 * under Linux: **/etc/tomcat9/**
159 * under Windows: **C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf**
160 )))
161
162 {{code language="xml" cssClass="notranslate"}}
163 <web-app ...>
164 ...
165 <security-role>
166 <role-name>CUSTOM</role-name>
167 </security-role>
168
169 <security-constraint>
170 <display-name>CUSTOM Security Constraint</display-name>
171 <web-resource-collection>
172 <web-resource-name>Protected Area</web-resource-name>
173 <url-pattern>/*</url-pattern>
174 </web-resource-collection>
175
176 <auth-constraint>
177 <role-name>CUSTOM</role-name>
178 </auth-constraint>
179 </security-constraint>
180
181 <security-constraint>
182 <web-resource-collection>
183 <web-resource-name>Non-Protected Area</web-resource-name>
184 <url-pattern>/vjdbc</url-pattern>
185 </web-resource-collection>
186 </security-constraint>
187 ...
188 </web-app>
189 {{/code}}
190
191 (((
192
193
194 )))
195
196 = Application configuration =
197
198 To do this, modify the **digdash.properties** file in **<install DD> **or** /etc/digdash** (under Linux) or in the folder you have configured.
199
200
201 == Server configuration (ddenterprise.war) ==
202
203 In the **digdash.properties** file:
204
205 In the //ddenterpriseapi.war// box, find and uncomment the following lines with the values shown:
206
207 {{code language="properties" cssClass="notranslate"}}
208 ddenterpriseapi.authMethod=External
209 {{/code}}
210
211
212 == Dashboard configuration (digdash_dashboard.war) ==
213
214 In the **digdash.properties** file :
215
216 In the //digdash_dashbord.war// box, find and uncomment the following lines with the values shown:
217
218 {{code language="properties" cssClass="notranslate"}}
219 digdash_dashboard.SERVERURL=http://localhost:8080
220 digdash_dashboard.DOMAIN=ddenterpriseapi
221 digdash_dashboard.FORCEDOMAIN=true
222 digdash_dashboard.FORCESERVERURL=true
223 digdash_dashboard.sharedPasswd=<la valeur de l'attribut sharedPasswd dans l'élément Valve>
224 {{/code}}
225
226 (% class="box infomessage" %)
227 (((
228 The example value for the //digdash_dashboard.SERVERURL// parameter will almost always refer to localhost, when the dashboard and the server are placed in the same Tomcat server, which represents almost 99.9% of usage. Naturally, you will need to refer to the address of the external server if these two elements are located on different servers.
229 )))
230
231
232 == Studio configuration (studio.war) ==
233
234 In the **digdash.properties** file :
235
236 In the //studio.war// box, find and uncomment the following lines with the values shown:
237
238 {{code cssClass="notranslate" language="properties"}}
239 studio.SERVERURL=http://localhost:8080
240 studio.DOMAIN=ddenterpriseapi
241 studio.FORCEDOMAIN=true
242 studio.FORCESERVERURL=true
243 studio.PUBLICSERVERURL=<votre adresse URL publique en HTTPS>
244 studio.sharedPasswd=<la valeur de l'attribut sharedPasswd dans l'élément Valve>
245 {{/code}}
246
247 (% class="box infomessage" %)
248 (((
249 The parameter //studio.PUBLICSERVERURL// is optional when installing an SSO.
250
251 The example value for this parameter will almost always refer to localhost, when the Studio and the server are placed in the same Tomcat server, which represents almost 99.9% of usage. Naturally, you will need to refer to the address of the external server if these two elements are located on different servers.
252 )))
253
254 = Configuring the OpenID Provider =
255
256 The PO must register DigDash as an RP in its list of RPs so that DigDash can take advantage of Single Sign-On.
257
258 The PO will also need to fill in the callback URL to identify the entry point to the DigDash application. The URL will be in the form
259
260 (% class="box infomessage" %)
261 (((
262 https:~/~/<address of DigDash server>:<port>/digdash_oidc_endpoint/oidcendpoint
263 )))
264
265
266 = Log Level =
267
268 You can customise the log level for the authentication valve.
269
270 By default, only errors are logged. However, if you want to have more details about the actions and exchanges between the various entities, you can set the value to 'DEBUG' instead of 'ERROR' in the log4j.properties file that has been imported into the Tomcat lib folder.
271
272 log4j.logger.org.**bsworks=ERROR**, stdout
273 becomes
274 log4j.logger.org.**bsworks=DEBUG**, stdout
275
276 = OpenID Connect and LDAP DigDash coexistence (optional) =
277
278 It is possible to combine direct authentication via the DigDash LDAP directory with the OpenID Connect method on your DigDash server.
279
280 == Prior configuration ==
281
282 In the **digdash.properties** file :
283
284 In the //studio.war// box, find and uncomment the following lines with the values shown:
285
286 {{code language="properties" cssClass="notranslate"}}
287 studio.allowLoginForm=true
288 {{/code}}
289
290 In the //digdash_dashbord.war// box, find and uncomment the following lines with the values shown:
291
292 {{code language="properties" cssClass="notranslate"}}
293 digdash_dashboard.allowLoginForm=true
294 {{/code}}
295
296
297 == Enabling DigDash LDAP mode ==
298
299 To activate the DigDash LDAP authentication mode, simply add the **loginForm **parameter to the URL with the value (% style="color:#27ae60" %)**true**(%%).
300
301 So, if you need to authenticate to the dashboard directly using your DigDash LDAP credentials when OpenIDConnect is already installed, the URL to use will be in the form :
302
303 (% class="box" %)
304 (((
305 https:~/~/<host>:<port>/digdash_dashboard/index.html**?(% style="color:#27ae60" %)loginForm=true(%%)**
306 )))
307
308 (% class="box warningmessage" %)
309 (((
310 (% style="color:#e67e22" %)**Please note **(%%): in general, the loginForm parameter and its value should be specified on each domain independently of the others (ddenterpriseapi for the server, digdash_dashboard for the dashboard, studio for the web studio) to authenticate via LDAP.
311 So activating the loginForm parameter on the dashboard (digdash_dashboard domain) will not automatically activate it on the web studio (studio domain), for example.
312 )))
313
314 == Re-enabling OpenID Connect mode ==
315
316 To deactivate the DigDash LDAP mode and return to a state where OpenID Connect SSO authentication is used, simply set the **loginForm **parameter to (% style="color:#c0392b" %)**false**(%%).
317 If you need to authenticate to the dashboard via OpenID Connect when direct authentication via DigDash LDAP was previously used, the URL to use will be in the form :
318
319 (% class="box" %)
320 (((
321 https:~/~/<host>:<port>/digdash_dashboard/index.html**?(% style="color:#c0392b" %)loginForm=false(%%)**
322 )))
323
324 The previous warning note should also be taken into account in this case.\\
325
326 {{warning}}
327 Pour passer d'un mode d'authentification à l'autre, il est fortement conseillé de suivre l'une des règles suivantes :
328
329 * se déconnecter de l'utilisateur courant dans le cadre d'une utilisation d'une même session navigateur
330 * utiliser une session navigateur différente (soit en navigation privée sur un même navigateur ou basculer sur un navigateur différent)
331 {{/warning}}
332
333 = Glossary =
334
335 In this document we will refer to :
336
337 * **Endpoint **: Point of entry
338 * **OP **: OpenID Provider or Identity Provider
339 * **RP **: Relying Party or Service Provider (DigDash)
340 * **SSO **: Single Sign On; OpenIDConnect is an SSO method.
341
342 = References =
343
344 https://www.oasis-open.org
345
346 //DigDash uses the tomcat8-oidcauth OpenSource library from Boyle Software, Inc. to support the OpenID Connect authentication method.//
347
348 https://www.boylesoftware.com/
349
350 https://github.com/boylesoftware/tomcat8-oidcauth