Configure Managed Fusion for SSO
The "SSO Trusted HTTP" realm type (trusted-http in the REST API) is useful in single sign-on (SSO) environments.
If SSO is already set up in your environment, user identities and group information can be sent to Fusion through HTTP headers (REMOTE_USER, for example). The SSO Trusted HTTP realm type provides the configuration options for integrating this into Fusion’s authentication systems. It also supports allowing access to only a set of known client IPs, and mapping groups to Fusion roles.
Use the Realms API to configure this realm type:
curl -u USERNAME:PASSWORD -H 'content-type:application/json' -X POST :3000/api/realm-configs -d @./realm-config.json
Below is a sample configuration:
{
  "id": "test-id",
  "enabled": true,
  "name": "sso-test",
  "realmType": "trusted-http",
  "config": {
    "identityKey": "REMOTE_USER",
    "groups": {
      "key": "GROUPS",
      "delimiter": "|",
      "roleMapping": [["a", "admin"], ["b", "foo"]]
    },
    "allowedIps": ["127.0.0.1", "0:0:0:0:0:0:0:1", "localhost"]
  }
}
| Key | Description |
|---|---|
| identityKey | The name of an HTTP header. If this key is found in the request headers, its value is used as the identity of the client (username, for example). |
| groups | Configuration keys for auth groups: key (the header carrying the group list), delimiter, and roleMapping, as shown in the sample configuration above. |
| allowedIps | Allow access to only a set of known client IPs. When this property is defined and the client IP is not included in it, the realm logic returns a 401. Leaving this field empty makes the realm nonoperational. To accept traffic from all destinations for development, you can use an IP such as 0.0.0.0/0. In production the concrete IP should be specified: the realm trusts the header values as they arrive, so any client that can reach Fusion from an allowed address can assert any identity or group. |