Custom SSO Authentication in iHub 3.1

Martin Sadowski · July 23, 2015

Hi,
 
we are trying to implement custom SSO Authentication in iHub 3.1 using a custom Security Adapter. The Application we are trying to integrate reports into is an OpenID Connect Provider.
Looking at the Security Adapter API we are not able to redirect the user to the Authorization Endpoint because we are only given the HttpServletRequest (not Response).
Is there a way of achieving our implementation using other APIs or modifications? Or what is the correct way of implementing a OpenID Connect / OAuth2 Workflow?
 
Thanks in advance

kclark · July 24, 2015

Martin --
 I've attached a pretty vanilla example of how you can authenticate a user with IPSE and OAuth2. There are a couple things to note about this code.
 
1. This Class assumes that your SSO mechanism has already requested a token from the OAuth2 Server and set it as a cookie named "actPassword" and set the OAuth2 username in a cookie called "actUserName". So you'll notice on line 101 I'm calling getToken(). In implementation you will have already got this token.
 
2. From what I know of OAuth2 there is no standardized way to check if a token is still valid or not. So take note of checkToken(). If your implementation has no way to ask if a token is still valid, then make a request to some endpoint and if the response is 201 then you can assume it's valid otherwise return false.
 
3. This sample uses a password grant type vs others. I did this for a couple reasons. First, I didn't want to redirect the user away from the page when requesting a code that would then be used to generated a token. Secondly, so I can protect the client_id, client_secret, and other credentials. By taking this approach I can keep all of this information server side.
 
 This is not implementation ready but should give a low level idea of how you can implement something. In implementation it might look something like this:
<pre class="_prettyXprint">
User Entry Point ---> SSO Mechanism ---> Username/Pass ---> OAuth2 Server
OAuth2 Server ---> Auth Token ---> SSO Mechanism ---> Auth Token Set in Session ---> User Redirect</pre>
 Note that if you do want/need a grant type of code which implements a redirect then you would implement this at login time with your SSO implementation. Also, take this sample as a grain of salt as I'm sure there are other ways to do this. Take a look and let me know if you have any questions.

Martin Sadowski · July 24, 2015

Hi Kristopher,
 
thanks for you reply.
 
I understand what your described workflow is looking like. Unfortunately this doesn't fit for us as we need to implement the "normal" and secure Authorization Code Flow.
I get the idea of building my own "entry point" sitting in front of the security adapter. Inside the security adapter I work with the authorization code.
 
The interesting questions are:
- Is it supported to have this run inside of iHub? How? May I deploy a custom JSP for that? May I perhabs modify the login mask as you stated here (<a data-ipb='nomediaparse' href='http://developer.actuate.com/community/forum/index.php?/topic/36965-custom-login-page/#entry137976)?'>http://developer.actuate.com/community/forum/index.php?/topic/36965-custom-login-page/#entry137976)?</a> Or is it planned to grant access to the HttpServletResponse from inside the security adapter? 
- How can this work with using the JSAPI for displaying the reports?
 
Thanks again in advance

kclark · July 24, 2015

You can defiantly deploy your own JSP pages in the iHub or modify the default login page as discussed in the topic you linked to.
 
I'll do a little bit of sample coding and reply back with answers to your specific points you've listed. But from what I'm understanding of your needs, my first reaction would be to modify the login page to fire a redirect request to a custom JSP page after a code has been generated. I would store that JSP page either in the same location as the login page or house it in the shipped tomcat that iPortal uses.

Custom SSO Authentication in iHub 3.1

Comments

Categories