Configuring Fusion for SSO
The "SSO Trusted HTTP" realm type (trusted-http in the REST API) is useful in single sign-on (SSO) environments.
If SSO is already set up in your environment, user identities and group information can be sent to Fusion through HTTP headers (REMOTE_USER, for example). The SSO Trusted HTTP realm type provides the configuration options for integrating this into Fusion’s authentication systems. It also supports allowing access to only a set of known client IPs, and mapping groups to Fusion roles.
Use the Realms API to configure this realm type:
curl -u user:pass -H 'content-type:application/json' -X POST :3000/api/realm-configs -d @./realm-config.json
Below is a sample configuration:
{"id":"test-id", "enabled":true, "name":"sso-test", "realmType":"trusted-http", "config":{"identityKey":"REMOTE_USER", "groups": {"key":"GROUPS", "delimiter":"|", "roleMapping": [["a","admin"], ["b","foo"]]}, "allowedIps":["127.0.0.1", "0:0:0:0:0:0:0:1", "localhost"]}}
| Key | Description |
| --- | --- |
| identityKey | The name of an HTTP header. If this key is found in the request headers, its value is used as the identity of the client (username, for example). |
| groups | Configuration keys for auth groups; the sample configuration above uses key (the header carrying the group list), delimiter (the separator between group names in that header), and roleMapping (pairs of group name and Fusion role). |
| allowedIps | Allow access to only a set of known client IPs. When this property is defined and the client IP is not included in it, the realm logic returns a 401. The |