Configure: User Federation for Authentication
Learn how to set up user authentication through federated identity management.
How to configure user federation for authentication?
This article describes how to configure user federation so that the customer's directory is used for authentication. This can be done both for Active Directory and for LDAP.
User federation means that users can authenticate to the Matrix42 Pro and IGA solutions with the same credentials (username and password) they use in the customer's AD/LDAP directory. Secure Access does not store these passwords; it forwards each login as an LDAP bind to the directory, which is why the LDAPS connection described below must be trusted end to end.
Step-by-Step Instructions
1. An authentication task should be configured in the Service Management platform before the Secure Access component is configured. If you do not want to configure the authentication task first, the whole configuration can also be done directly in Secure Access.
2. Log in to the Secure Access admin console and select the realm for which you are configuring this federation.
3. Validate that the configuration is stored correctly in the Secure Access component.
- Validation can be done at https://{TENANT_NAME.com}/auth/ with the account main.admin (and the corresponding password read from the tenant configuration).
4. Select User Federation; a list of authentication tasks should appear (if the list is empty, wait one minute for the data to be transferred from Service Management to Secure Access; if the list is still empty.

5. Selecting Edit on a particular task reveals the details of the LDAPS connection. Check that all settings are in place here, especially:
- Import Users: ON
- Edit Mode: READ_ONLY
6. After the connection is saved, an Action menu appears in the upper right corner, allowing the admin to synchronize all users from LDAP to Secure Access.

7. Check that the AD_GroupMapper is in place. Select Mappers from the top bar of the user federation. Among the default ones, one (or more) mappers of type group-ldap-mapper should be visible here.
- If no AD_GroupMapper was created automatically, you can create your own with the blue Add mapper button.

Example of AD group mapper


8. After the configuration has been reviewed, the admin can try Synchronize all users (from the Action menu mentioned above). That should bring a message similar to

9. Synchronized users can be reviewed in the Users section.
10. The configuration should now be complete and authentication can be tested.
11. The next step is to configure user levels and roles: https://docs.efecte.com/configure-authentication/configure-esa-to-use-esm-roles
Troubleshooting
Secure Access logs can be downloaded from the Connectors tab of the Pro/IGA solution, from the Logs side menu: under esa logs, download the keycloak.log file.

1. If the Secure Access logs show problems with the SSL/TLS connection to the directory, for example a trace like the following (note the "simple bind failed" on port 636 and the "PKIX path building failed" cause, which means the Java truststore does not contain a certificate that chains to what AD presented):
Caused by: org.keycloak.models.ModelException: Querying of LDAP failed org.keycloak.storage.ldap.idm.query.internal.LDAPQuery@292d8e81 at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:289)
at org.keycloak.storage.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:174)
... 80 more
Caused by: javax.naming.CommunicationException: simple bind failed: 10.0.2.110:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2897)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:347)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:225)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:243)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:116)
at org.jboss.as.naming.InitialContext.init(InitialContext.java:101)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at org.jboss.as.naming.InitialContext.<init>(InitialContext.java:91)
at org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:695)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPContextManager.createLdapContext(LDAPContextManager.java:80)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPContextManager.getLdapContext(LDAPContextManager.java:100)
at org.keycloak.storage.ldap.idm.query.internal.LDAPQuery.initPagination(LDAPQuery.java:213)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.searchPaginated(LDAPOperationManager.java:293)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:277)
... 81 more
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1383)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1291)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435)
at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:804)
at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:73)
at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1166)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:448)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:421)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
... 102 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323)
at sun.security.validator.Validator.validate(Validator.java:271)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:223)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
... 121 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:451)
... 127 more
2. If SSL/TLS (LDAPS) is used to connect ESA to Active Directory, ESA must trust the certificate chain that AD presents. This is a manual step and it requires:
- SSH to the host (if you do not have access to the host, contact Matrix42)
- Enter the Secure Access (ESA) container
- Go to /opt/esa (make sure a truststore.jks file exists there)
In test environments, if you do not have a certificate file, you can capture the certificate the server presents with the following command:
- echo -n | openssl s_client -connect IP_OF_AD_SERVER:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > NAME_OF_THE_FILE_FOR_EXAMPLE_IP_OF_AD_SERVER.crt
- This captures whatever certificate the connection returns without verifying it, so before trusting it compare its fingerprint (openssl x509 -in NAME_OF_CERT_FILE.crt -noout -fingerprint -sha256) with the AD administrator. Secure Access authenticates to AD with a simple bind, so a wrong certificate in the truststore would hand the bind account's password, and the password of every user who logs in, to whoever presented that certificate. Without -showcerts the command captures only the server certificate, not the issuing CA.
- In production environments it is recommended to get the root or intermediate CA certificate from the customer instead; those are usually valid for longer than server-level certificates, and the truststore then does not need to be updated when the AD server certificate is renewed.
- An example could be:
echo -n | openssl s_client -connect 10.0.2.110:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > 10.0.2.110.crt
3. After you have the certificate file, import it into the truststore.jks file:
- keytool -importcert -file NAME_OF_CERT_FILE.crt -keystore truststore.jks -alias "ALIAS_OF_THE_CERTIFICATE"
- For example: keytool -importcert -file AD_certificate.crt -keystore truststore.jks -alias AD_certificate
- keytool asks for the truststore password and for confirmation that the certificate should be trusted. keytool -list -keystore truststore.jks -alias AD_certificate shows that the entry was stored.
4. Restart Secure Access to take the certificate into use
- Exit from the esa container to the host with the command: exit
After that, the ESA container needs to be restarted to apply the new certificate, by running these commands on the host (replace [TENANT] with your tenant name):
docker stop [TENANT]-esa && run-image -e TENANT=[TENANT] esa
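The steps above, captured as one script, as an added example that is not part of the Efecte/Matrix42 documentation or the product. It fetches the whole chain with -showcerts instead of only the server certificate, prints the subject and SHA-256 fingerprint of every certificate received so they can be checked with the AD administrator, refuses to import anything whose fingerprint does not match the value confirmed out-of-band, and finally re-runs the handshake against the imported certificate. The host name dc01.example.test, the alias scheme ad-ca-HOST, the output file prefix and the sample chain in the comments are assumptions; /opt/esa/truststore.jks and port 636 are the values used in this article. The -partial_chain verify option requires OpenSSL 1.1.0 or newer.

```shell
#!/bin/sh
# Added example (not the product's own tooling): fetch the LDAPS certificate
# chain, show fingerprints for an out-of-band check, import only the confirmed
# CA certificate into the ESA truststore, then verify the chain validates.
# Host, port, expected fingerprint and truststore path are command-line
# assumptions (see usage at the bottom).

# split_pem_chain PREFIX: read `openssl s_client -showcerts` output on stdin,
# write certificate N to PREFIX-N.crt (1 = server cert, 2.. = issuers, in the
# order the server sent them) and print the number of certificates found.
split_pem_chain() {
    awk -v prefix="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".crt"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    '
}

# fetch_chain HOST PORT PREFIX: trust-on-first-use capture of whatever the
# server sends. Nothing is trusted at this point; the files are only evidence.
fetch_chain() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | split_pem_chain "$3"
}

# fingerprint_of CERT: colon-separated upper-case SHA-256 fingerprint of a PEM
# certificate (handles both "SHA256 Fingerprint=" and "sha256 Fingerprint=").
fingerprint_of() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//' | tr '[:lower:]' '[:upper:]'
}

# import_ca CERT EXPECTED_FP TRUSTSTORE ALIAS: import only if the fingerprint
# matches the value confirmed with the AD administrator. keytool still asks
# for the truststore password; -noprompt only skips the "trust this?" question.
import_ca() {
    actual=$(fingerprint_of "$1")
    expected=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    if [ "$actual" != "$expected" ]; then
        echo "REFUSING to import $1: fingerprint $actual, expected $expected" >&2
        return 1
    fi
    keytool -importcert -noprompt -trustcacerts -file "$1" -keystore "$3" -alias "$4"
}

# verify_with_ca HOST PORT CAFILE: the same check the Java LDAP client makes
# after restart: does the presented chain validate against the imported cert?
# -partial_chain lets an intermediate CA act as the anchor, as Java's
# truststore does.
verify_with_ca() {
    openssl s_client -connect "$1:$2" -CAfile "$3" -partial_chain </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

main() {
    host="$1"; port="$2"; expected="$3"; store="${4:-/opt/esa/truststore.jks}"
    prefix="./$host"
    count=$(fetch_chain "$host" "$port" "$prefix")
    [ "$count" -gt 0 ] || { echo "no certificate received from $host:$port" >&2; exit 1; }
    i=1
    while [ "$i" -le "$count" ]; do
        f="$prefix-$i.crt"
        echo "$f  $(openssl x509 -in "$f" -noout -subject)  $(fingerprint_of "$f")"
        i=$((i + 1))
    done
    # Import the last certificate the server sent (the highest issuer), not the
    # short-lived server certificate. If only one certificate came back, the
    # server did not send its chain; get the CA certificate from the customer.
    [ "$count" -gt 1 ] || echo "WARNING: server sent only its own certificate" >&2
    ca="$prefix-$count.crt"
    import_ca "$ca" "$expected" "$store" "ad-ca-$host"
    if verify_with_ca "$host" "$port" "$ca"; then
        echo "chain from $host:$port validates against $ca; restart the esa container"
    else
        echo "chain still does not validate against $ca; check the import" >&2
        exit 1
    fi
}

# Usage: ./ad-trust.sh dc01.example.test 636 AA:BB:...:FF [/opt/esa/truststore.jks]
if [ "$#" -ge 3 ]; then
    main "$@"
fi
```

Run it inside the ESA container from /opt/esa with the fingerprint the AD administrator gave you; if the printed fingerprints do not match what they see on the domain controller, do not import anything and check whether something is intercepting port 636 on the path between ESA and AD.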