Managed Fusion Proxy APIs
/api/realm-configs/<id>
where <id>
is the ID of a realm. The ID is optional for a GET request and omitted from a POST request.
A GET request returns the configured realms. If ID is omitted, all realms will be returned.
A POST request creates a new realm. If the request is successful, a new ID will be generated.
A PUT request updates a realm.
A DELETE request removes the realm.
Parameter | Description |
---|---|
name Required | The name of the realm. This name will appear on the login screen of the UI, and will appear in user records to identify the realm they belong to. |
realmType Required | String value for realm type. |
enabled Required | If true, the realm is available for users to use with system authentication. |
ephemeralUsers | Prevents ephemeral users from being created in ZooKeeper during login. Enabling this property negates config.autoCreateUsers . |
config.autoCreateUsers | Enables/disables the auto-creation of Managed Fusion user accounts after users successfully authenticate for the first time. |
roleNames | Indicates which roles are dynamically applied to users in the realm. |
config
object field.
See the following documentation for each realm type:
Configure Managed Fusion for LDAP
name
– Name of the security realm. It must be unique. It should be descriptive but short.
type
– Select ldap from the pulldown menu.
When you select ldap, Managed Fusion displays additional, LDAP-specific configuration options.
enabled
checkbox – Whether Managed Fusion allows user logins for this security realm. The default is yes (checked).
auto-create users
checkbox – Whether a user account is created automatically upon initial authentication. The default is yes (checked). If the checkbox is unchecked, then a Managed Fusion user with admin permissions must create Managed Fusion users.
{}
) as a placeholder for the value of the Managed Fusion username.Name | Description |
cn | commonName |
dc | domainComponent |
email address | |
ou | organizationalUnitName |
sn | surname |
uid | userId |
Configure Managed Fusion for Kerberos in Unix
kerberos.
and your domain name. For example, kerberos.example.com
kinit
. Obtain and cache a ticket from the KDC (domain login)kdestroy
. Destroys credentials (domain logout)klist
. Lists cached credentialsktutil
. Create or add credentials to a keytab filekrb5.conf
.
On most Unix systems, this file is located at /etc/krb5.conf
.This file contains Kerberos configuration information, including the locations of KDCs and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos realms.If your organization realm name is “MYORG.ORG”, and your KDC server is named “kerberos.myorg.org”, then you edit two entries.
The first entry is libdefaults
. Set MYORG.ORG as the default realm:realms
. Add MYORG.ORG as a realm:kinit
is the Kerberos authentication command.
To get started, you authenticate to Kerberos using the Kerberos principal name and password (which you may need to obtain from your sysadmin).
For this example, the principal name is “prince.”kinit
command prompts for a password. Successful authentication is silent. Unsuccessful authentication results in an error message.The command klist
shows all cached Kerberos credentials. To check that you have successfully authenticated, run this command:ktutil
creates the service principal keytab file
which holds the encrypted credentials that the Managed Fusion UI Proxy will use for Kerberos authentication.
In order to generate the keytab file, you must have a set of cached credentials, therefore, first run the kinit
command (step 2).From the command line, run the command ktutil
.
You must enter your password twice.kdestroy
.kinit -kt <keytab file> <principal>
, where <principal>
is the name of a principal within the keytab file.klist
.kdestroy
, which removes any existing credentials, effectively logging you out of Kerberos.kdestroy
command. This command succeeds silently.
To check that credentials have been removed, re-run the klist command:klist
. The output should be similar to this:kdestroy
.curl
command-line utility.curl
for SPNEGO--negotiate
option enables SPNEGO in curl
.IE and Safari require no additional configuration to use SPNEGO.To configure Firefox, access the low level configuration page by loading the about:config page. Then go to the network.negotiate-auth.trusted-uris preference and add the hostname or the domain of the web server that is HTTP Kerberos SPNEGO protected (if using multiple domains and hostname use comma to separate them).The Chrome browser must be launched from the command line with several added parameters.To run Chrome on linux:Configure Managed Fusion for Kerberos in Windows
NETBIOS Domain | FUSIONIS |
Fully qualified domain name | fusionis.life |
fusionis.life
server, locate the “Users” folder, right-click on the folder and select New > User.First name
and Display name
fields both hold the exact same value.User name | Notes |
---|---|
Distinguished name (DN) |
|
User Principal Name (UPN) | kerberos500@fusionis.life |
NETBIOS Domain\samAccountName | FUSIONIS\kerberos500 |
kerberos500.keytab
file required to set up the Kerberos realm in Fusion. The command will also set the service principal to HTTP/fusionis.life@FUSIONIS.LIFE
.DsCrackNames returned 0x2 in the name entry for kerberos500. Ktpass:failed getting target domain for specified user.
Delete the user, and repeat the steps above.Type | Kerberos |
Keytab file | The path to the keytab file you saved on the server |
Service principal | The service principal you generated in the previous step |
Kerberos name mapping | The field that specifies the mapping from a Kerberos Principal name to a short name |
kinit
to login as a user prior to running.Navigate your web browser to http://fusionis.life:8764
. If you are automatically logged in, Kerberos is working.http://fusionis.life:8764
. If you are automatically logged in, Kerberos is working.about:config
in your browser’s URL bar. If a message appears stating “This might void your warranty!”, click “I accept the risk!”.Search for the string network.negotiate-auth.trusted-uris
, double-click the field, and enter fusionis.life
into the field that appears. Click “Ok”.Navigate your web browser to http://fusionis.life:8764
. If you are automatically logged in, Kerberos is working.var/log/proxy/proxy.log
after attempting to make a request.See Stack Overflow for addtional steps to resolve this issue.Configure Managed Fusion for SAML
https://www.my-idp.com/<my-app-path>/sso/saml
.
<saml:Issuer>
in the SAML payload. For example: http://www.my-idp.com/exk686w2xi5KTuSXz0h7
.
audienceRestriction
in the SAML assertion, in which case, the field must match <saml:Audience>
in the SAML payload.
api/saml
.https://EXAMPLE_COMPANY.b.lucidworks.cloud:6764/api/saml
.If the Managed Fusion application is running behind a load-balancer, this URL is the load-balancer URL plus path api/saml
. The load-balancer must be session-sticky so the sequence of messages that comprise the SAML protocol successfully run to completion.AudienceRestriction
tag may be part of the SAML message. This tag specifies the domain where the SAML trust conditions are valid. This domain is usually where the Managed Fusion app is running. For example, https://EXAMPLE_COMPANY.b.lucidworks.cloud
.api/realm-configs
returns a JSON list of all the configuration objects for all realms. After configuring a SAML realm named "saml-test"
using the okta.com
developer preview tool, the configuration object for this realm is:Configure Managed Fusion for SSO
trusted-http
in the REST API) is useful in single sign-on (SSO) environments.If SSO is already set up in your environment, user identities and group information can be sent to Fusion through HTTP headers (REMOTE_USER, for example). The SSO Trusted HTTP realm type provides the configuration options for integrating this into Fusion’s authentication systems. It also supports allowing access to only a set of known client IPs, and mapping groups to Fusion roles.Use the Realms API to configure this realm type:identityKey | The name of an HTTP header. If this key is found in the request headers, its value is used as the identity of the client (username, for example). |
groups | Configuration keys for auth groups:
|
allowedIps | Allow access to only a set of known client IPs. When this property is defined and the client IP is not included in it, the realm logic return a 401. Leaving this field empty makes the realm nonoperational. To accept traffic from all destinations for development, you can use an IP such as 0.0.0.0/0. In production the concrete IP should be specified. |
Configure OpenID Connect authentication
Field | Description | Example |
name | Name of the OIDC realm. | oidc |
clientSecret | A secret value shared between the application and the authentication server. | N/A |
redirectUri | The URI that displays after the user signs in. | https://EXAMPLE_COMPANY.b.lucidworks.cloud:6764/admin |
authorizationUri | The authorization server URI. | https://$\{yourOktaDomain}/oauth2/default/v1/authorize |
tokenUri | The URI where the access token is obtained. | https://$\{yourOktaDomain}/oauth2/default/v1/token |
clientId | A unique value which identifies the client. | N/A |
jwkSetUri | The URL of the authorization server’s JSON Web Key Set (JWKS). | https://$\{yourOktaDomain}/oauth2/default/v1/keys |
authorizationUri
, tokenUri
, jwkSetUri
, and issuer
..*
, which exposes all groups.