
ID #1178

How can both IP (on-campus) and LDAP (off-campus) authentication be set up for a Muse application?

The functioning principle of this authentication scenario is as follows:
- the end user accesses the provided Muse URL;
- if the end user's IP address is among the IPs/subnets configured for the desired application, he/she is logged in automatically;
- if the end user is not IP authenticated, he/she is presented with a Muse logon form in which to enter his/her personal LDAP authentication details.
Below are the steps to implement this scenario:
1) Configure the necessary Muse login modules for the desired application. Below is their list, in order, along with the correct flag values:
- ICELoginModuleXML - required;
- ICELoginModuleIP - sufficient;
- ICELoginModuleParametersRemap - required;
- ICELoginModuleLDAP - requisite.
The flags follow the standard JAAS semantics: because ICELoginModuleIP is marked sufficient, a successful IP match ends the evaluation and the LDAP module is never consulted for that request; because ICELoginModuleLDAP is marked requisite, an LDAP failure ends the evaluation immediately with a failed logon.
The login modules are configured through the Muse Console for Applications Administration as follows: select the desired application from the list of applications and click "Login Modules" in the left menu; from this location the login modules can be added, deleted or edited. The ICELoginModuleParametersRemap login module must have the following attributes and values: ldapUserPwd="wwwAuthPwd" ldapUserID="wwwAuthID" (see below).
The context for the desired application in the $ICE_HOME/jaas.config file should look like:
    ApplicationID {
     com.edulib.ice.security.authentication.ICELoginModuleXML required  passwords="${ICE_HOME}/profiles/passwords.xml";
     com.edulib.ice.security.authentication.ICELoginModuleIP sufficient  hosts="${ICE_HOME}/profiles/hosts.xml";
     com.edulib.ice.security.authentication.ICELoginModuleParametersRemap required  ldapUserPwd="wwwAuthPwd" ldapUserID="wwwAuthID";
     com.edulib.ice.security.authentication.ICELoginModuleLDAP requisite  config="${MUSE_HOME}/home/ApplicationID/profiles/ICELoginModuleLDAP.xml";
    };
2) Configure the login modules' properties:
- copy ${ICE_HOME}/profiles/ICELoginModuleLDAP.xml to ${MUSE_HOME}/home/ApplicationID/profiles/ICELoginModuleLDAP.xml (if it does not already exist);
- for the ICELoginModuleIP login module, add a new entry in the ${ICE_HOME}/profiles/hosts.xml file for the desired application along with the list of IPs/subnets that will access the application by IP;
- for the ICELoginModuleLDAP login module, make the necessary configurations in ${MUSE_HOME}/home/ApplicationID/profiles/ICELoginModuleLDAP.xml with the access details and settings for the LDAP server. The following fields in this file must be filled in with proper values: LDAP-URL, BASE-DN and USER-AUTHENTICATION.
3) Add the necessary HTML files for the desired application to handle the IP/LDAP authentication scenario:
- an index file (index.html) which is the access point for the end user; its role is to transparently submit the application's username and password:
<body onload="document.logonForm.submit()">
   <form name="logonForm" action="/muse/servlet/MusePeer" method="post">
      <input type="hidden" name="action" value="logon" />
      <input type="hidden" name="errorTemplate" value="logon/ApplicationID/index2.html" />
      <input type="hidden" name="userID" value="ApplicationID" />
      <input type="hidden" name="userPwd" value="ApplicationPassword" />
   </form>
</body>
- a page (index2.html) which presents the logon form for the LDAP details in case the IP authentication fails:
<form name="logonForm" action="/muse/servlet/MusePeer" method="post">
   <input type="hidden" name="action" value="logon" />
   <input type="hidden" name="errorTemplate" value="logon/ApplicationID/error.html" />
   <input type="hidden" name="userID" value="ApplicationID" />
   <input type="hidden" name="userPwd" value="ApplicationPassword" />
   <input type="hidden" name="parameterName0" value="wwwAuthID" />
   <input type="hidden" name="parameterName1" value="wwwAuthPwd" />
   <input type="hidden" name="useProperties" value="true" />
   User Name: <input class="input" name="parameterValue0" type="text" size="25" />
   Password: <input class="input" name="parameterValue1" type="password" size="25" />
   <input class="button" type="submit" title="Login" value="Login" />
</form>
- an error page (error.html) which is displayed in case the LDAP authentication fails too:
<form name="logonForm" action="/muse/servlet/MusePeer" method="post">
   <input type="hidden" name="action" value="logon" />
   <input type="hidden" name="errorTemplate" value="logon/ApplicationID/error.html" />
   <input type="hidden" name="userID" value="ApplicationID" />
   <input type="hidden" name="userPwd" value="ApplicationPassword" />
   <input type="hidden" name="parameterName0" value="wwwAuthID" />
   <input type="hidden" name="parameterName1" value="wwwAuthPwd" />
   <input type="hidden" name="useProperties" value="true" />
   User Name: <input class="input" name="parameterValue0" type="text" size="25" />
   Password: <input class="input" name="parameterValue1" type="password" size="25" />
   <input class="button" type="submit" title="Login" value="Login" />
</form>
Note: replace all ApplicationID and ApplicationPassword occurrences with the exact application ID and application password you wish to configure. Also, the HTML code above is the basic one, with no formatting; format it as needed and enclose it in complete, valid HTML pages.
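To make the behaviour of the four control flags concrete, here is an added Python simulation of the login-module stack configured in step 1. It is example code written for this FAQ entry, not Muse's own implementation: the module bodies are simplified stand-ins for ICELoginModuleXML, ICELoginModuleIP, ICELoginModuleParametersRemap and ICELoginModuleLDAP, and the application password, hosts.xml entries and LDAP users are constructed sample data. It walks the three paths the entry describes (IP match, LDAP fallback, LDAP failure) and a fourth one, a wrong application password, where the sufficient IP module cannot rescue a logon after a required module has already failed.

```python
"""Simulation of the four-module JAAS stack described in this entry
(ICELoginModuleXML required, ICELoginModuleIP sufficient,
ICELoginModuleParametersRemap required, ICELoginModuleLDAP requisite).
The data below is constructed for the example and the module bodies are
simplified models, not Muse's own code."""
import ipaddress

# Constructed stand-ins for passwords.xml, hosts.xml and the LDAP directory.
APP_PASSWORDS = {"ApplicationID": "ApplicationPassword"}
HOSTS = {"ApplicationID": ["10.1.0.0/16", "192.0.2.10"]}
LDAP_USERS = {"jdoe": "correct-horse-battery"}


def xml_module(ctx):
    """ICELoginModuleXML stand-in: check the application ID/password that
    index.html submits in the hidden userID/userPwd fields."""
    return APP_PASSWORDS.get(ctx["userID"]) == ctx["userPwd"]


def ip_module(ctx):
    """ICELoginModuleIP stand-in: is the client address listed in the
    application's hosts.xml entry (single IPs or CIDR subnets)?"""
    try:
        addr = ipaddress.ip_address(ctx["client_ip"])
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in HOSTS.get(ctx["userID"], []))


def remap_module(ctx):
    """ICELoginModuleParametersRemap stand-in: copy the wwwAuthID and
    wwwAuthPwd form parameters (parameterName0/1 in index2.html) to the
    names the LDAP module reads (the ldapUserID/ldapUserPwd attributes)."""
    ctx["ldapUserID"] = ctx["params"].get("wwwAuthID")
    ctx["ldapUserPwd"] = ctx["params"].get("wwwAuthPwd")
    return True


def ldap_module(ctx):
    """ICELoginModuleLDAP stand-in: a simple bind against the constructed
    directory; a missing or empty credential never authenticates."""
    uid, pwd = ctx.get("ldapUserID"), ctx.get("ldapUserPwd")
    if not uid or not pwd:
        return False
    return LDAP_USERS.get(uid) == pwd


STACK = [
    ("ICELoginModuleXML", "required", xml_module),
    ("ICELoginModuleIP", "sufficient", ip_module),
    ("ICELoginModuleParametersRemap", "required", remap_module),
    ("ICELoginModuleLDAP", "requisite", ldap_module),
]


def authenticate(ctx):
    """Walk the stack with JAAS control-flag semantics.
    Returns (success, trace); trace lists (module, flag, result) for every
    module that was actually invoked, so short-circuits are visible."""
    required_failed = False
    trace = []
    for name, flag, module in STACK:
        ok = module(ctx)
        trace.append((name, flag, ok))
        if flag == "required" and not ok:
            required_failed = True          # keep going, but overall fails
        elif flag == "requisite" and not ok:
            return False, trace             # stop immediately, failure
        elif flag == "sufficient" and ok and not required_failed:
            return True, trace              # stop immediately, success
    return not required_failed, trace


def login(client_ip, www_auth_id=None, www_auth_pwd=None,
          app_id="ApplicationID", app_pwd="ApplicationPassword"):
    """Build the request context as index.html / index2.html would post it."""
    params = {}
    if www_auth_id is not None:
        params["wwwAuthID"] = www_auth_id
    if www_auth_pwd is not None:
        params["wwwAuthPwd"] = www_auth_pwd
    return authenticate({"userID": app_id, "userPwd": app_pwd,
                         "client_ip": client_ip, "params": params})


if __name__ == "__main__":
    # On campus: the IP module is sufficient, LDAP is never consulted.
    print(login("10.1.42.7"))
    # Off campus with valid LDAP credentials.
    print(login("203.0.113.5", "jdoe", "correct-horse-battery"))
    # Off campus with wrong LDAP credentials: requisite failure.
    print(login("203.0.113.5", "jdoe", "wrong"))
```

Running the block prints the outcome and the list of modules actually invoked for each path. On the on-campus path the trace stops at ICELoginModuleIP, so the hosts.xml entry for the application is the whole of the access decision for those addresses and should be kept as narrow as the campus ranges allow.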
Tags: ip, LDAP, off campus, on campus

Related entries: -

Last update: 2013-09-23 15:17
Author: Administrator
Revision: 1.0
