Overview
If you want to use a third-party authentication system instead of the EnginFrame Portal login to authenticate users, you can configure a trusted proxy that, after a successful login, forwards the user to the EnginFrame portal.
Requirements
- A third-party service that can authenticate your users.
- An Apache module that can ask that service to approve the user.
- An Apache VirtualHost that forwards the approved username and the traffic to EF Portal over an AJP connector.
Architecture
- The user accesses a specific page served by Apache.
- The user logs in through any authentication module supported by Apache (for example, mod_auth_mellon) that connects to an IdP server (such as Keycloak, Entra ID, etc.).
- Then, if approved, the user's traffic is forwarded to EF Portal through Apache with the header X-Authenticated-User containing the username.
Note: Apache can be replaced by any other proxy software (nginx, HAProxy, etc.) that is capable of setting X-Authenticated-User and forwarding HTTP/HTTPS traffic.
Configuring
As an example we will use Apache as the authentication authority, but remember that you can use any external tool that integrates with Apache.
Install the Apache service and then set up this VirtualHost:
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName efportal.mydomain.com
        # Enable the proxy engine to handle SSL backends
        SSLProxyEngine On
        # Ignore SSL certificate verification for the backend
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        # Preserve the original host header
        ProxyPreserveHost On
        <Location "/enginframe">
            AuthType Basic
            AuthName "Restricted Area"
            AuthUserFile /etc/httpd/.htpasswd
            Require valid-user
            ProxyPass ajp://localhost:8009/enginframe flushpackets=on
            ProxyPassReverse ajp://localhost:8009/enginframe
        </Location>
        # SSL Certificate configuration
        SSLCertificateFile /etc/letsencrypt/live/efportal.mydomain.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/efportal.mydomain.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>
</IfModule>
Note: Adapt efportal.mydomain.com and SSL parameters to your configuration.
Create a user and a password to test the login:
htpasswd -c /etc/httpd/.htpasswd efadmin
Then edit the file /opt/nisp/enginframe/conf/tomcat/conf/server.xml and add this connector:
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           redirectPort="8443"
           tomcatAuthentication="false"
           secretRequired="false"
/>
Find the connector that is enabled by default (usually listening on port 8443) and add address="127.0.0.1" to that connector:
<Connector address="127.0.0.1" port="8443" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="conf/certs/ef.tomcat.keystore" keystorePass="533f7be99cd35eb4e41a6d1161799d3aba916f43" server="Apache" URIEncoding="utf-8"
/>
This is important because EF Portal will accept whatever username Apache sends over AJP (tomcatAuthentication="false" and secretRequired="false" disable Tomcat's own checks on that connection), so you need to make sure that no one can bypass Apache and connect directly to the EF Portal Tomcat server.
Now edit the file /opt/nisp/enginframe/conf/tomcat/conf/context.xml and after the following line
<Context>
add:
<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />
Finally, edit the file /opt/nisp/enginframe/2024.1-r1874/enginframe/conf/server.conf and set:
EF_HTTP_AUTHENTICATION=true
Restart Apache and the Tomcat server to apply the configuration.
systemctl restart httpd enginframe
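As an added check for the server.xml steps above (example code written for this page, not part of EnginFrame or Tomcat), the following Python script parses a server.xml and reports every connector that is not explicitly bound to a loopback address, flagging in particular an AJP connector that trusts the proxy-supplied username without an AJP secret. The two sample configurations are constructed inline; the "absent address" handling assumes you want the bind to be explicit rather than relying on Tomcat's version-dependent default.

```python
import xml.etree.ElementTree as ET

# Bind addresses that keep a connector reachable only from the EF Portal host.
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}

def is_loopback(address):
    return address is not None and address.strip("[]") in LOOPBACK_ADDRESSES

def audit_connectors(server_xml):
    """Return a list of findings for a Tomcat server.xml; an empty list passes.
    tomcatAuthentication="false" makes Tomcat accept the user Apache forwards and
    secretRequired="false" drops the AJP secret, so loopback binding is the only
    thing stopping a client from bypassing Apache and choosing its own username."""
    findings = []
    has_trusted_ajp = False
    for conn in ET.fromstring(server_xml).iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        label = "%s connector on port %s" % (proto, conn.get("port", "?"))
        address = conn.get("address")  # absent: Tomcat chooses the bind address
        trusts_proxy = conn.get("tomcatAuthentication", "true").lower() == "false"
        no_secret = conn.get("secretRequired", "true").lower() == "false"
        if proto.startswith("AJP") and trusts_proxy:
            has_trusted_ajp = True
        if is_loopback(address):
            continue  # explicitly bound to localhost: nothing to report
        findings.append("%s: address=%r is not an explicit loopback bind" % (label, address))
        if trusts_proxy:
            findings.append("%s: accepts proxy-supplied usernames from the network" % label)
        if proto.startswith("AJP") and no_secret:
            findings.append("%s: no AJP secret and not limited to localhost" % label)
    if not has_trusted_ajp:
        findings.append('no AJP connector with tomcatAuthentication="false"; '
                        "Tomcat will ignore the user Apache sends")
    return findings

# Constructed sample: the two connectors from this page, bound to 127.0.0.1.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009" redirectPort="8443"
             tomcatAuthentication="false" secretRequired="false" />
  <Connector address="127.0.0.1" port="8443" SSLEnabled="true" scheme="https" secure="true" />
</Service></Server>"""

# Constructed sample: the same connectors with the address attribute forgotten.
EXPOSED_SERVER_XML = HARDENED_SERVER_XML.replace(' address="127.0.0.1"', "")

if __name__ == "__main__":
    for name, xml in (("hardened", HARDENED_SERVER_XML), ("exposed", EXPOSED_SERVER_XML)):
        print(name, audit_connectors(xml) or "OK")
```

Run it against a copy of /opt/nisp/enginframe/conf/tomcat/conf/server.xml after editing; an empty result means both connectors are pinned to localhost as the page requires.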