HTTP-based Service Provider
Here we will create a dummy Service Provider on TB.Connect itself.
Configure the HTTP-Based SP in the Gateway
This will make sure the Gateway forwards the requests to a certain backend (dummy in our case). Connect via ssh to the TrustBuilder host as user trustbuilder and edit the file /opt/trustbuilder/gateway/instances/default/locations/root/00_idhub.conf
Add the following to the end of the file:
location /backend {
    access_by_lua_block {
        local header_map = {
            x_hdr_subject = "credential.attributes['idp|up_subject']",
            x_hdr_firstname = "credential.attributes['common|firstname']",
            x_hdr_middlenames = "credential.attributes['common|middlenames']",
            x_hdr_lastname = "credential.attributes['common|lastname']",
            x_hdr_department = "credential.attributes['common|department']",
        }
        require("trustbuilder-gateway.protect").web_app(header_map)
    }
    proxy_pass http://orchestrator_backend/backend;
}
This will make sure that the /backend URL on the Gateway is forwarded to the TB.Connect instance. The access_by_lua_block part makes sure that authorization is required (hence triggering authentication) and that the listed user attributes will be transmitted as HTTP headers.
Configure the SP in TB.Connect
This will let TB.Connect know that there is a service provider configured on the Gateway.
In the Menu under Configuration click on Service Providers. Click on the Add New SP button.
Enter HTTP header based SP in the Display Name field.
Enter /backend in the URL field.
Enter /backend in the Description field.
Select Proxy Locations as Type. Extra fields will now appear below the Type option.
Enter /backend in the Location field.
Then click on Save & Close. The new service provider should now appear in the list.
Click the Edit authorizations button (shield icon) on the right of your new SP.
Select Custom Authentication Scheme.
Then click on Save.
Click the Edit identity button (human icon) on the right of your new SP.
Under Subject Configuration select User password loginid.
Then click Save & Close.
To test access to the SP, log out of the TB.Connect portal and go to: https://your-tb-ip-address/backend/
When you log in with user penny you should see something like this:

Add an Authentication Rule
Now log back in to the TB.Connect portal and in the Menu click Service Providers.
Then for the HTTP header based SP click the Edit authorizations button.
In the Sub Menu click Authentication Rule.
Click the Add New Statement button.
Click the Add Simple Condition button.
In the left dropdown box select the department attribute.
In the right dropdown box select MultiValue>Includes Any.
Select all of the enumerated values (development, sales and support).
In the then dropdown box at the bottom select allow.
Then click Save.
To test access to the SP, log out of the TB.Connect portal and go to
You will now be presented with a login page. Select the Username & Password method and log in with the user penny. You will not get access as Penny does not have a value assigned to the Department attribute.
Try again with the user coopers and you should see something like this:

Note that multi-valued attributes are sent as multiple HTTP headers with the same name.
Now try to access the different JSP files we created.
https://your-tb-ip-address/backend/sales.jsp
https://your-tb-ip-address/backend/development.jsp
You should have access.
Also try to log in with users hofstadterl and wolowitzh. They should all have access.
Add an Application Rule
Now log back in to the TB.Connect portal and in the Menu click Service Providers.
Then for the HTTP header based SP click the Edit authorizations button.
In the Sub Menu click Application Rule.
Then click the Add New URI Resource button.
Enter /development.jsp in the URI field. Select the GET method.
Click the Add New Statement button.
Click the Add Simple Condition button.
In the left dropdown box select the department attribute.
In the right dropdown box select MultiValue>Includes.
Select development in the enumerated list.
In the then dropdown box at the bottom select allow.
Then click Save And Close.
Then click the Add New URI Resource button.
Enter /sales.jsp in the URI field. Select the GET method.
In the left dropdown box select the department attribute.
In the right dropdown box select MultiValue>Includes.
Select sales in the enumerated list.
In the then dropdown box at the bottom select allow.
Then click Save And Close.
Now try to access the different JSP files with the three different users.
https://your-tb-ip-address/backend/
https://your-tb-ip-address/backend/sales.jsp
https://your-tb-ip-address/backend/development.jsp
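As an added example (not TrustBuilder code), the following shows how a backend behind the Gateway could rebuild the user attributes from the forwarded headers, including a multi-valued department that arrives as repeated headers, and evaluate the same department rules configured above. It assumes the header_map keys reach the backend as X-Hdr-* request headers; the sample header lines are constructed.

```python
"""Added example, not part of TrustBuilder or TB.Connect.

Reconstructs user attributes from the X-Hdr-* headers the Gateway injects
(multi-valued attributes arrive as repeated headers with the same name) and
mirrors the tutorial's Authentication Rule and Application Rules. The
backend must only trust these headers when the request comes via the Gateway.
"""
from collections import defaultdict

# Constructed sample of header lines as the backend would receive them.
# The department attribute is multi-valued, hence the repeated header.
SAMPLE_HEADERS = [
    ("X-Hdr-Subject", "coopers"),
    ("X-Hdr-Firstname", "Sheldon"),
    ("X-Hdr-Lastname", "Cooper"),
    ("X-Hdr-Department", "development"),
    ("X-Hdr-Department", "support"),
]

# Authentication Rule: department MultiValue > Includes Any of these values.
AUTHN_RULE_DEPARTMENTS = {"development", "sales", "support"}
# Application Rules: per-URI resource, department MultiValue > Includes value.
URI_RULES = {
    "/development.jsp": {"development"},
    "/sales.jsp": {"sales"},
}


def parse_attributes(headers):
    """Map attribute name -> list of values; header names are case-insensitive
    and repeated headers accumulate instead of overwriting each other."""
    attrs = defaultdict(list)
    for name, value in headers:
        lname = name.lower()
        if lname.startswith("x-hdr-"):
            attrs[lname[len("x-hdr-"):]].append(value)
    return dict(attrs)


def is_allowed(path, attrs):
    """True if both the Authentication Rule and any Application Rule for
    the path are satisfied by the user's department values."""
    depts = set(attrs.get("department", []))
    if not depts & AUTHN_RULE_DEPARTMENTS:   # Includes Any: no match -> deny
        return False
    required = URI_RULES.get(path)
    if required is None:                     # no URI rule: e.g. /backend/ root
        return True
    return bool(depts & required)            # Includes: named department
```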