This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
integration:start [2018/05/18 10:03] 10.144.24.34 |
integration:start [2018/06/14 12:52] tjotov [REMOTE_USER or any other attribute] |
||
---|---|---|---|
Line 1: | Line 1: | ||
====== No-code integration ====== | ====== No-code integration ====== | ||
===== Overview ===== | ===== Overview ===== | ||
- | ADUCID offers No—code integration as default | + | ADUCID offers No—code integration as default |
+ | Many applications support header authentication by default or have authentication module available or can be easily modified to user header authentication. | ||
{{: | {{: | ||
===== How it works ===== | ===== How it works ===== | ||
- | - User open web application | + | - User opens a web application |
- | - Apache resolves it 401 - unauthenticated | + | - Apache resolves it with code 401 - unauthenticated |
- [[integration: | - [[integration: | ||
- | - As soon as user authenticates page is reloaded and proxypass used to retrieve | + | - As soon as user authenticates page is reloaded and proxypass used to retrieve |
- Or Apache has to handle 403 Unauthorized - see [[integration: | - Or Apache has to handle 403 Unauthorized - see [[integration: | ||
- | - | + | |
+ | In Apache configuration just require authentication: | ||
+ | | ||
+ | ===== REMOTE_USER or any other attribute ===== | ||
+ | User ID is sent to application in header attribute | ||
+ | In ADUCID AIM it is called UDI | ||
+ | As we use Apache you can rename it to anything else - some applications use x-forwarded-user or other user ID | ||
+ | |||
+ | Example how to send X-forwarded-user instead of REMOTE_USER: | ||
+ | RewriteEngine On | ||
+ | RewriteCond %{LA-U: | ||
+ | RewriteRule .* - [E=RU:%1] | ||
+ | RequestHeader set X-Forwarded-User %{RU}e | ||
+ | ===== Security remarks ===== | ||
+ | Apache has to be accessible only via TLS (https) | ||
+ | Back-end application has to be separated and accessible only from Apache (http, ajp, ...) | ||
+ | Apache installed for ADUCID shouldn' | ||
+ | Headers from client are not transported to the back-end as ProxyPass is used (unless you configure Apache to do it) | ||
+ | So if users sents REMOTE_USER to Apache, it is wiped out and target application won't see it | ||
+ | |||
+ | ===== Technical overview ===== | ||
+ | {{: | ||
+ | |||
+ | This picture describes internal components of No-code integration solution. | ||
+ | |||
+ | ===== Other topics ===== | ||
+ | * [[integration: | ||
+ | * [[integration: | ||
+ | * [[integration: | ||
+ | * [[integration: |