Product Selector

Fusion 5.9
    Fusion 5.9

    Security Realms

    Fusion uses security realms to authenticate users of the Fusion UI. Each user has an assigned security realm, which the user must choose when logging in. Choosing a different realm results in an authentication failure.

    A security realm also provides a list of roles:

    • The list always includes the role(s) that are specified in the security realm.

    • (Optional) The security realm can reference one or more Fusion roles and/or get groups to which the user belongs from an external directory service that is the authentication provider. Fusion maps the group names to role names and adds these roles to the user’s list of roles.

    Fusion does not use permissions from the LDAP to authorize UI access or API requests. It only obtains group names (optionally), which are used as role names or are mapped to role names. If an Active Directory Security Query Trimming Stage is used, then directory-service permissions are used for trimming. If a connector supports security trimming, then connector permissions are used for trimming.

    Requests to the Fusion REST API must specify a security realm for per-request authentication, unless a session cookie is used (which contains information about the security realm).

    Fusion authorizes requested operations based on API permissions specified for the user and for the user’s role(s). Fusion considers the role(s) specified in the user definition and in the security realm. Fusion creates a list of roles when a session is created, that is, when a user logs in or when the Sessions REST API creates a session. Authorization based on permissions is at request time.

    You can define multiple security realms for a Fusion instance. This lets you give different sets of users different levels of access to specific Fusion collections.

    The directory service that you use to return group information must be the same one that is used for authentication.

    Security Realm Types

    When you create a security realm, you can choose among the following security realm types:

    OpenID Connect

    OpenID Connect is an identity authorization layer which supplements the OAuth 2.0 protocol.

    Fusion’s OpenID Connect security realm has been tested with Google and Okta.

    Native

    Fusion has a single preconfigured security realm named native. The admin user is in the native realm. The native realm also provides a fallback mechanism in case of LDAP server or communication failure.

    This realm is required to bootstrap Fusion. Because all requests to Fusion require authentication and authorization, on initial startup you must access the Fusion UI to set the admin password. After Fusion has a valid admin password, it creates the admin account in the Fusion native realm.

    For the native realm, Fusion manages all authentication and permissions information directly.

    You can create Fusion user accounts and manage them using either the Fusion UI or the User API.

    Passwords are not stored, but are hashed using bcrypt.

    SSO Trusted HTTP

    The "SSO Trusted HTTP" realm type (trusted-http in the REST API) is useful in single sign-on (SSO) environments.

    If the SSO environment contains groups that make sense regarding partitioning Fusion functionality for Fusion users (that is, giving Fusion users different UI and API permissions based on the SSO groups), then you can configure an SSO Trusted HTTP security realm to return a list of group names, and then map the groups to Fusion roles in the security realm definition.

    JWT

    The JSON Web Token (JWT) realm uses an “Authorization” header in the request to authenticate the user and the data inside the JWT token for the authorization. You can configure Fusion to use a shared secret key to encrypt the JWT payload.

    For Fusion’s JWT realm, first create a JWT token, with the tool you use to validate users. Then create a Fusion realm.

    Kerberos

    In the case where a host domain uses Kerberos for authentication and LDAP for authorization, Fusion can be configured to do the same, by configuring a realm of type "LDAP" and then specifying Kerberos as the authentication mechanism.

    Kerberos support requires Fusion 5.9.5.

    Fusion stores a local user record in ZooKeeper and a mapping to the Kerberos principal.

    SPNEGO is used for authentication via Kerberos.

    See how to configure Fusion for Kerberos in Unix and Windows.

    LDAP

    You can use LDAP as an authentication provider for Fusion. If the LDAP contains groups that make sense regarding partitioning Fusion functionality for Fusion users (that is, giving Fusion users different UI and API permissions based on the LDAP-group memberships of LDAP users), then you can configure an LDAP security realm to search for LDAP groups and to map the LDAP groups to Fusion roles.

    Fusion stores a local user record in ZooKeeper, and authentication is performed by the LDAP server. User accounts can be managed by Fusion, or created automatically, in which case the Fusion user ID maps directly to the LDAP Distinguished Name (DN). Fusion permissions can be assigned automatically based on LDAP group membership.

    SAML

    Fusion stores a local user record in ZooKeeper and the URL and information about the SAML Identity Provider. The SAML 2.0 protocol is used to provide web browser single sign-on.

    Manage Security Realms

    Only Fusion users with admin privileges can manage security realms. There are two ways to manage security realms:

    In the Fusion UI

    Navigate to System > Access Control > Security Realms.

    Using the Realms API

    Use the http://FUSION_HOST:FUSION_PORT/api/realm-configs/ endpoint to manage security realms. See the Realms API reference for details. In production environments, use port 8765.