
HTTP-based Service Provider

Here we will create a dummy Service Provider on TB.Connect itself.

Configure the HTTP-Based SP in the Gateway

This will make sure the Gateway forwards the requests to a certain backend (dummy in our case). Connect via ssh to the TrustBuilder host as user trustbuilder and edit the file /opt/trustbuilder/gateway/instances/default/locations/root/00_idhub.conf

Add the following to the end of the file:

# Dummy HTTP header based SP: every request under /backend must pass the
# Gateway's authorization check before it is proxied to TB.Connect.
location /backend {
    access_by_lua_block {
        -- header name -> credential attribute that is copied into it
        local header_map = {
            x_hdr_subject = "credential.attributes['idp|up_subject']",
            x_hdr_firstname = "credential.attributes['common|firstname']",
            x_hdr_middlenames = "credential.attributes['common|middlenames']",
            x_hdr_lastname = "credential.attributes['common|lastname']",
            x_hdr_department = "credential.attributes['common|department']",
        }
        -- enforce authorization and inject the mapped attributes as headers
        require("trustbuilder-gateway.protect").web_app(header_map)
    }
    proxy_pass http://orchestrator_backend/backend;
}

This forwards the /backend URL on the Gateway to the TB.Connect instance. The access_by_lua_block part makes authorization mandatory for that location (which triggers authentication when the user has no session yet) and transmits the listed user attributes to the backend as HTTP headers.

Configure the SP in TB.Connect

This will let TB.Connect know that there is a service provider configured on the Gateway.

In the Menu under Configuration click on Service Providers. Click on the Add New SP button.

  • Enter HTTP header based SP in the Display Name field.

  • Enter /backend in the URL field.

  • Enter /backend in the Description field.

  • Select Proxy Locations as Type. Extra fields will now appear below the Type option.

  • Enter /backend in the Location field.

Then click on Save & Close. The new service provider should now appear in the list.

Click the Edit authorizations button (shield icon) on the right of your new SP.

  • Select Custom Authentication Scheme.

  • Then click on Save.

Click the Edit identity button (human icon) on the right of your new SP.

  • Under Subject Configuration select User password loginid.

  • Then click Save & Close.

To test the access to the SP, log out of the TB.Connect portal and go to: https://your-tb-ip-address/backend/

When you log in with user penny you should see something like this:

Add an Authentication Rule

Now log back in to the TB.Connect portal and in the Menu click Service Providers.

Then for the HTTP header based SP click the Edit authorizations button.

  • In the Sub Menu click Authentication Rule.

  • Click the Add New Statement button.

  • Click the Add Simple Condition button.

    • In the left dropdown box select the department attribute.

    • In the right dropdown box select MultiValue>Includes Any.

    • Select all of the enumerated values (development, sales and support).

    • In the then dropdown box at the bottom select allow.

    • Then click Save.

To test the access to the SP, log out of the TB.Connect portal and go to

https://your-tb-ip-address/backend/

You will now be presented with a login page. Select the Username & Password method and log in with the user penny. You will not get access, because Penny has no value assigned to the Department attribute.

Try again with the user coopers and you should see something like this:

Note that multi-valued attributes are sent as multiple HTTP headers with the same name.

Now try to access the different JSP files we created.

https://your-tb-ip-address/backend/sales.jsp

https://your-tb-ip-address/backend/development.jsp

You should have access.

Also try to log in with the users hofstadterl and wolowitzh. Both should have access.

Add an Application Rule

Now log back in to the TB.Connect portal and in the Menu click Service Providers.

Then for the HTTP header based SP click the Edit authorizations button.

In the Sub Menu click Application Rule.

Then click the Add New URI Resource button.

  • Enter /development.jsp in the URI field.

  • Select the GET method.

  • Click the Add New Statement button.

  • Click the Add Simple Condition button.

  • In the left dropdown box select the department attribute.

  • In the right dropdown box select MultiValue>Includes.

  • Select development in the enumerated list.

  • In the then dropdown box at the bottom select allow.

  • Then click Save And Close.

Then click the Add New URI Resource button.

  • Enter /sales.jsp in the URI field.

  • Select the GET method.

  • In the left dropdown box select the department attribute.

  • In the right dropdown box select MultiValue>Includes.

  • Select sales in the enumerated list.

  • In the then dropdown box at the bottom select allow.

  • Then click Save And Close.

Now try to access the different JSP files with the three different users.

https://your-tb-ip-address/backend/
https://your-tb-ip-address/backend/sales.jsp
https://your-tb-ip-address/backend/development.jsp
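The following Python model is added here as an illustration; it is not TB.Connect or Gateway code. It ties together the header_map from 00_idhub.conf, the note that multi-valued attributes arrive as repeated headers with the same name, the Authentication Rule (department Includes Any of development, sales, support) and the two Application Rules above, and evaluates them for the users and URLs of this walk-through. The X-Hdr-* wire names, the department values of coopers, hofstadterl and wolowitzh, and the rule that a URI without its own resource rule is governed by the Authentication Rule alone are assumptions; only Penny's missing department comes from the page.

```python
"""Model of the header forwarding and authorization rules described on this
page.  Added example, not TB.Connect code; user records are constructed."""
from typing import Dict, List, Tuple

Attributes = Dict[str, List[str]]   # attribute name -> one or more values
Headers = List[Tuple[str, str]]     # (header name, value); names may repeat

# Same attribute selection as header_map in 00_idhub.conf.  The X-Hdr-* wire
# names are an assumption; the page only shows the Lua keys (x_hdr_...).
HEADER_MAP = {
    "X-Hdr-Subject":     "idp|up_subject",
    "X-Hdr-Firstname":   "common|firstname",
    "X-Hdr-Middlenames": "common|middlenames",
    "X-Hdr-Lastname":    "common|lastname",
    "X-Hdr-Department":  "common|department",
}

# Constructed sample users.  Penny has no department, as the page states;
# the departments of the other three users are invented for this example.
USERS: Dict[str, Attributes] = {
    "penny":       {"idp|up_subject": ["penny"], "common|firstname": ["Penny"]},
    "coopers":     {"idp|up_subject": ["coopers"],
                    "common|department": ["development", "support"]},
    "hofstadterl": {"idp|up_subject": ["hofstadterl"],
                    "common|department": ["sales"]},
    "wolowitzh":   {"idp|up_subject": ["wolowitzh"],
                    "common|department": ["development", "sales"]},
}

# Authentication Rule: department Includes Any of these values -> allow.
AUTH_RULE_DEPARTMENTS = ["development", "sales", "support"]

# Application Rules: (method, URI) -> department value that must be included.
APP_RULES = {
    ("GET", "/development.jsp"): "development",
    ("GET", "/sales.jsp"): "sales",
}


def attributes_to_headers(attrs: Attributes) -> Headers:
    """Gateway side: every value of a multi-valued attribute becomes its own
    header carrying the same name, as the page notes for Department."""
    headers: Headers = []
    for header, attribute in HEADER_MAP.items():
        for value in attrs.get(attribute, []):
            headers.append((header, value))
    return headers


def headers_to_attributes(headers: Headers) -> Attributes:
    """Backend side: collect repeated headers into a list instead of keeping
    only the first or last value, which many frameworks do by default."""
    collected: Attributes = {}
    for name, value in headers:
        collected.setdefault(name.lower(), []).append(value)
    return collected


def includes_any(values: List[str], candidates: List[str]) -> bool:
    """MultiValue > Includes Any: at least one candidate is present."""
    return any(c in values for c in candidates)


def includes(values: List[str], required: str) -> bool:
    """MultiValue > Includes: the required value is present."""
    return required in values


def authorize(user: str, method: str, uri: str) -> str:
    """Return 'allow' or 'deny' for one request, applying the Authentication
    Rule first and then the Application Rule for the URI, if one exists."""
    departments = USERS.get(user, {}).get("common|department", [])
    if not includes_any(departments, AUTH_RULE_DEPARTMENTS):
        return "deny"   # no allow statement matched in the Authentication Rule
    required = APP_RULES.get((method, uri))
    if required is not None and not includes(departments, required):
        return "deny"   # Application Rule for this URI did not allow
    # Assumption: a URI without a resource rule falls through to 'allow'
    # once the Authentication Rule has passed.
    return "allow"


if __name__ == "__main__":
    for user in USERS:
        print(user, attributes_to_headers(USERS[user]))
        for uri in ("/", "/sales.jsp", "/development.jsp"):
            print(f"  GET /backend{uri.rstrip('/')}/ -> {authorize(user, 'GET', uri)}")
```

Running the script prints the header list the backend would receive for each user (two X-Hdr-Department headers for coopers and wolowitzh) followed by the allow/deny matrix for the three URLs, which matches the expected outcome of the walk-through: Penny is denied everywhere, and each other user reaches only the JSP pages whose department they include.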
