Integrating with Single-Sign-On (SSO) Authentication Schemes

Moab Viewpoint

Integrating with Single-Sign-On (SSO) Authentication Schemes

The HttpRequestLoginModule is used to grab parameters from a user's HTTP request and assign them to Principals for that user.

Configuration

Below is a sample configuration that parses the value of the parm1 HTTP header into an HttpHeaderPrincipal and assigns it to the user's Subject (which can then be used to assign permissions). In addition, it parses the value of the dnparm as an LDAP DN, assigning LdapGroupPrincipals for every ou= declaration in the DN.

<login-module class="com.cri.security.server.modules.HttpRequestLoginModule" flag="optional">
  <option name="parameter-list">parm1</option>
  <option name="dn-parameter-list">dnparm</option>
</login-module>

If an HTTP request arrives at the server with the following headers,

parm1:"A Parm Value" dnparm:"cn=Nathan,s=Wells,c=USA,o=Adaptive Computing,ou=UI Team,ou=BackEnd,dc=adaptivecomputing,dc=com" unused_parm:"This parameter/header is unused"

these Principals are assigned to the user:

HttpHeaderPrincipal name: "A Parm Value"
LdapGroupPrincipal name: "UI Team"
LdapGroupPrincipal name: "BackEnd"