Product Selector

Fusion 5.9
    Fusion 5.9

    Configure Fusion for SSO

    The "SSO Trusted HTTP" realm type (trusted-http in the REST API) is useful in single sign-on (SSO) environments.

    If SSO is already set up in your environment, user identities and group information can be sent to Fusion through HTTP headers (REMOTE_USER, for example). The SSO Trusted HTTP realm type provides the configuration options for integrating this into Fusion’s authentication systems. It also supports allowing access to only a set of known client IPs, and mapping groups to Fusion roles.

    Use the Realms API to configure this realm type:

    curl -u USERNAME:PASSWORD -H 'content-type:application/json' -X POST :3000/api/realm-configs -d @./realm-config.json

    Below is a sample configuration:

    {"id":"test-id",
     "enabled":true,
     "name":"sso-test",
     "realmType":"trusted-http",
     "config":{"identityKey":"REMOTE_USER",
               "groups": {"key":"GROUPS",
                          "delimiter":"|",
                           "roleMapping": [["a","admin"], ["b","foo"]]},
               "allowedIps":["127.0.0.1", "0:0:0:0:0:0:0:1", "localhost"]}}

    identityKey

    The name of an HTTP header. If this key is found in the request headers, its value is used as the identity of the client (username, for example).

    groups

    Configuration keys for auth groups:

    * key + The name of an HTTP header, used as the source of group names.

    * delimiter + The character used to split the value (defaults to comma).

    * roleMapping + A set of 2-tuples, used for mapping the external group values to Fusion Roles.

    allowedIps

    Allow access to only a set of known client IPs. When this property is defined and the client IP is not included in it, the realm logic return a 401.

    In Fusion 5.0.0+, leaving this field empty makes the realm nonoperational. To accept traffic from all destinations for development, you can use an IP such as 0.0.0.0/0. In production the concrete IP should be specified.

    Prior to Fusion 5.0.0, the X-FORWARDED-FOR header is inspected for this client IP first; the value is split on comma, and the first entry is taken. This would normally be used in cases where the client was forwarded to Fusion through one or more external proxy servers. If the X-FORWARDED-FOR header is not present in the request, the REMOTE-ADDR header value is used instead.