Configure Managed Fusion for SSO

The "SSO Trusted HTTP" realm type (trusted-http in the REST API) is useful in single sign-on (SSO) environments.

If SSO is already set up in your environment, user identities and group information can be sent to Fusion through HTTP headers (REMOTE_USER, for example). The SSO Trusted HTTP realm type provides the configuration options for integrating this into Fusion’s authentication systems. It also supports allowing access to only a set of known client IPs, and mapping groups to Fusion roles.

Use the Realms API to configure this realm type:

curl -u USERNAME:PASSWORD -H 'content-type:application/json' -X POST :3000/api/realm-configs -d @./realm-config.json

Below is a sample configuration:

{"id":"test-id",
 "enabled":true,
 "name":"sso-test",
 "realmType":"trusted-http",
 "config":{"identityKey":"REMOTE_USER",
           "groups": {"key":"GROUPS",
                      "delimiter":"|",
                       "roleMapping": [["a","admin"], ["b","foo"]]},
           "allowedIps":["127.0.0.1", "0:0:0:0:0:0:0:1", "localhost"]}}

identityKey

The name of an HTTP header. If this key is found in the request headers, its value is used as the identity of the client (username, for example).

groups

Configuration keys for auth groups:

* key + The name of an HTTP header, used as the source of group names.

* delimiter + The character used to split the value (defaults to comma).

* roleMapping + A set of 2-tuples, used for mapping the external group values to Fusion Roles.

allowedIps

Allow access to only a set of known client IPs. When this property is defined and the client IP is not included in it, the realm logic return a 401.

Leaving this field empty makes the realm nonoperational. To accept traffic from all destinations for development, you can use an IP such as 0.0.0.0/0. In production the concrete IP should be specified.