Realms API
Realms are used to authenticate users across several different user access control systems.
For more information, view the API specification.
There are seven realm types currently supported:
- Native, which uses Fusion itself to manage users and passwords.
- LDAP, which uses an LDAP server as the source of truth for usernames and passwords.
- Kerberos, where Fusion can be configured to use Kerberos for authentication.
- SAML, which uses the SAML 2.0 protocol to provide single sign-on.
- SSO Trusted HTTP, which can be configured to return a list of group names, and then map the groups to Fusion roles in the security realm definition.
- JSON Web Token (JWT), where you can configure Fusion to use a shared secret key to encrypt the JWT payload.
- OpenID Connect, which is an identity authorization layer that supplements the OAuth 2.0 protocol.
See Security Realms for more information about each realm type.
Authenticating users with an LDAP system creates a user record in Fusion, which includes a property for the realm the user belongs to. This Fusion user record is used by administrators to grant users access permissions for the UI or REST API services.
Create, Update, Delete or List Realms
The path for this request is:
/api/realm-configs/<id>
where <id> is the ID of a realm. The ID is optional for a GET request and omitted from a POST request.
A GET request returns the configured realms. If ID is omitted, all realms will be returned.
A POST request creates a new realm. If the request is successful, a new ID will be generated.
A PUT request updates a realm.
A DELETE request removes the realm.
Input
Parameter | Description
---|---
name | The name of the realm. This name appears on the login screen of the UI and in user records to identify the realm they belong to.
realmType | String value for the realm type.
enabled | If true, the realm is available for users to use with system authentication.
ephemeralUsers | Prevents ephemeral users from being created in ZooKeeper during login. Enabling this property negates config.autoCreateUsers.
config.autoCreateUsers | Enables/disables the auto-creation of Fusion user accounts after users successfully authenticate for the first time.
roleNames | Indicates which roles are dynamically applied to users in the realm.
Additional Properties per Realm Type
Each realm type requires additional properties for configuration, which should be specified within the config object field.
See the following documentation for each realm type:
- Native. Native is a preconfigured security realm; Fusion manages all authentication and permissions information directly.
- Kerberos. Configure Fusion for Kerberos in Unix, Configure Fusion for Kerberos in Windows
- SSO Trusted HTTP. Configure Fusion for SSO
- OpenID Connect. Configure OpenID Connect Authentication
Output
When creating a new realm, the output will include the properties for the realm just created, or an error to indicate a problem with the entry.
For a GET request, the output will include all defined properties of the realm.
For a DELETE or a PUT request, no output will be returned.
Examples
Get details of the default 'native' realm:
REQUEST
curl -u USERNAME:PASSWORD https://FUSION_HOST:FUSION_PORT/api/realm-configs/86df9b5b-4a1c-4b0b-bc10-25aee55fef63
RESPONSE
{
  "enabled": true,
  "id": "86df9b5b-4a1c-4b0b-bc10-25aee55fef63",
  "name": "native",
  "realmType": "native"
}
Create a realm to support LDAP authentication:
REQUEST
curl -u USERNAME:PASSWORD -X POST -H 'Content-type: application/json' -d '{
  "realmType": "ldap",
  "name": "dev-ldap3",
  "enabled": true,
  "roleNames": ["developer", "admin"],
  "config": {
    "autoCreateUsers": true,
    "host": "FUSION_HOST",
    "ssl": true,
    "port": 10636,
    "ephemeralUsers": false,
    "login": {
      "bindDnTemplate": "uid={},ou=users,dc=security,dc=example,dc=com"
    }
  }
}' https://FUSION_HOST:FUSION_PORT/api/realm-configs
RESPONSE
{
  "realmType": "ldap",
  "id": "fd90a918-1e5c-4f27-952c-fd81a068ee85",
  "name": "dev-ldap3",
  "enabled": true,
  "createdAt": "2021-07-28T15:15:04Z",
  "config": {
    "autoCreateUsers": true,
    "host": "FUSION_HOST",
    "ssl": true,
    "port": 10636,
    "ephemeralUsers": false,
    "login": {
      "bindDnTemplate": "uid={},ou=users,dc=security,dc=example,dc=com"
    }
  },
  "roleNames": [
    "developer",
    "admin"
  ]
}
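As an added example that is not part of the Fusion documentation or product, the following Python pre-flight check audits a realm definition such as the LDAP body above before it is POSTed to /api/realm-configs. The rule set, the function names and the sample dictionary are this example's own assumptions, derived only from the properties the table documents.

```python
import json

# Constructed sample: the LDAP realm body from the request above, as a dict.
LDAP_REALM = {
    "realmType": "ldap",
    "name": "dev-ldap3",
    "enabled": True,
    "roleNames": ["developer", "admin"],
    "config": {
        "autoCreateUsers": True,
        "host": "FUSION_HOST",
        "ssl": True,
        "port": 10636,
        "ephemeralUsers": False,
        "login": {"bindDnTemplate": "uid={},ou=users,dc=security,dc=example,dc=com"},
    },
}


def audit_realm(realm: dict) -> list[str]:
    """Return findings for a realm definition; an empty list means no issues.

    These rules are the example's own (hypothetical), not a Fusion feature.
    """
    findings = []
    cfg = realm.get("config", {})
    roles = realm.get("roleNames", [])
    if realm.get("realmType") == "ldap":
        if not cfg.get("ssl"):
            findings.append("ldap: ssl is false, bind credentials would cross the network unencrypted")
        if "{}" not in cfg.get("login", {}).get("bindDnTemplate", ""):
            findings.append("ldap: bindDnTemplate lacks the {} username placeholder")
        if not cfg.get("host"):
            findings.append("ldap: host is missing")
    # roleNames are applied dynamically to every user of the realm; combined with
    # autoCreateUsers, anyone the directory authenticates is provisioned with them.
    if cfg.get("autoCreateUsers") and "admin" in roles:
        findings.append("autoCreateUsers with 'admin' in roleNames: every new user becomes admin")
    if cfg.get("autoCreateUsers") and cfg.get("ephemeralUsers"):
        findings.append("ephemeralUsers negates autoCreateUsers; one of the two is redundant")
    return findings


def to_request_body(realm: dict) -> str:
    """Serialize the realm as the JSON body for the POST to /api/realm-configs."""
    return json.dumps(realm, indent=2)


if __name__ == "__main__":
    for finding in audit_realm(LDAP_REALM) or ["no findings"]:
        print(finding)
```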