Configuring Fusion for SSO

The "SSO Trusted HTTP" realm type (trusted-http in the REST API) is useful in single sign-on (SSO) environments.

If SSO is already set up in your environment, user identities and group information can be passed to Fusion in HTTP headers (REMOTE_USER, for example). The SSO Trusted HTTP realm type provides the configuration options for plugging these headers into Fusion's authentication system. Because the realm trusts the header values as they arrive, it also supports restricting access to a set of known client IPs (typically the proxy that sets the headers) and mapping external groups to Fusion roles.

Use the Realms API to configure this realm type:

curl -u user:pass -H 'content-type:application/json' -X POST :3000/api/realm-configs -d @./realm-config.json

Below is a sample configuration:

{"id":"test-id",
 "enabled":true,
 "name":"sso-test",
 "realmType":"trusted-http",
 "config":{"identityKey":"REMOTE_USER",
           "groups": {"key":"GROUPS",
                      "delimiter":"|",
                       "roleMapping": [["a","admin"], ["b","foo"]]},
           "allowedIps":["127.0.0.1", "0:0:0:0:0:0:0:1", "localhost"]}}

identityKey

The name of an HTTP header. If this header is present in the request, its value is used as the identity of the client (the username, for example).

groups

Configuration keys for auth groups:

* key: The name of an HTTP header, used as the source of group names.

* delimiter: The character used to split the header value into group names (defaults to comma).

* roleMapping: A set of 2-tuples, each mapping an external group value to a Fusion role.

allowedIps

Allow access to only a set of known client IPs. When this property is defined and the client IP is not included in it, the realm logic returns a 401.

The client IP is determined as follows. The X-FORWARDED-FOR header is inspected first; its value is split on comma and the first entry is taken. This is the normal case when the client reaches Fusion through one or more proxy servers. If no X-FORWARDED-FOR header is present, the REMOTE-ADDR value is used instead.

Because X-FORWARDED-FOR is read from the request, a client that can reach Fusion directly can set it to a listed address. The allow list is therefore only as trustworthy as the proxy in front of Fusion: that proxy must set or overwrite X-FORWARDED-FOR itself, and it must be the only party able to supply the identityKey and groups headers.
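The following is an added example that models the realm rules described on this page (client IP resolution, the allowedIps check, identity extraction, and group-to-role mapping) so they can be exercised against constructed request headers. It is not Fusion's code. Assumptions not stated by the page: header names are matched case-insensitively, a missing identity header is reported as a 401, external groups with no roleMapping entry are dropped, and the result is returned as a dict rather than an HTTP response.

```python
"""Model of the trusted-http realm checks described above (added example,
not Fusion's implementation). Sample headers below are constructed inline."""
from typing import Optional

# The sample realm configuration from this page.
REALM_CONFIG = {
    "identityKey": "REMOTE_USER",
    "groups": {"key": "GROUPS", "delimiter": "|",
               "roleMapping": [["a", "admin"], ["b", "foo"]]},
    "allowedIps": ["127.0.0.1", "0:0:0:0:0:0:0:1", "localhost"],
}


def _get(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive header lookup (assumption: names compare case-insensitively)."""
    name = name.lower()
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def client_ip(headers: dict) -> Optional[str]:
    """Client IP as the page describes: first X-FORWARDED-FOR entry, else REMOTE-ADDR."""
    xff = _get(headers, "X-FORWARDED-FOR")
    if xff is not None and xff.strip():
        return xff.split(",")[0].strip()
    return _get(headers, "REMOTE-ADDR")


def roles_for(headers: dict, groups_cfg: dict) -> list:
    """Split the groups header on the configured delimiter (default comma) and
    map each external group to a Fusion role through the roleMapping 2-tuples.
    Groups without a mapping are dropped (assumption)."""
    raw = _get(headers, groups_cfg["key"]) or ""
    delimiter = groups_cfg.get("delimiter", ",")
    mapping = {ext: role for ext, role in groups_cfg.get("roleMapping", [])}
    groups = [g.strip() for g in raw.split(delimiter) if g.strip()]
    return [mapping[g] for g in groups if g in mapping]


def authenticate(headers: dict, cfg: dict = REALM_CONFIG) -> dict:
    """Apply the realm rules in order: IP allow list, then identity, then roles."""
    ip = client_ip(headers)
    allowed = cfg.get("allowedIps")
    if allowed is not None and ip not in allowed:
        return {"status": 401, "reason": f"client ip {ip!r} not in allowedIps"}
    identity = _get(headers, cfg["identityKey"])
    if not identity:
        # Assumption: no identity header means the realm cannot authenticate.
        return {"status": 401, "reason": f"no {cfg['identityKey']} header"}
    return {"status": 200, "user": identity,
            "roles": roles_for(headers, cfg["groups"])}


if __name__ == "__main__":
    # Constructed request from the local proxy: allowed, mapped to admin + foo.
    print(authenticate({"REMOTE-ADDR": "127.0.0.1", "REMOTE_USER": "alice",
                        "GROUPS": "a|b|unmapped"}))
    # Constructed direct request from an unlisted address: 401.
    print(authenticate({"REMOTE-ADDR": "10.0.0.5", "REMOTE_USER": "alice"}))
    # Constructed direct request that forges X-FORWARDED-FOR: passes the allow
    # list, which is why the proxy must overwrite that header itself.
    print(authenticate({"REMOTE-ADDR": "10.0.0.5", "X-FORWARDED-FOR": "127.0.0.1",
                        "REMOTE_USER": "mallory", "GROUPS": "a"}))
```

The third case in the usage block is the one to keep in mind when deploying this realm: the allow list is evaluated on the first X-FORWARDED-FOR entry, so it only protects anything if Fusion is unreachable except through a proxy that sets that header and the identity and group headers itself.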