Element Summary

ElementDescriptionClass
ldap-bind-storeAn implementation of an Identity and Credential Store which obtains credential, user and role information from an LDAP server using JNDI, based on the configuration properties.

It allows to set whatever options your LDAP JNDI provider supports your Gateway configuration file. Examples of standard property names are:

  • initialContextFactory = "java.naming.factory.initial"
  • securityProtocol = "java.naming.security.protocol"
  • providerUrl = "java.naming.provider.url"
  • securityAuthentication = "java.naming.security.authentication"

This store implementation is both an Identity Store and Credential Store. Since in JOSSO the authentication of the user is left to the configured Authentication Scheme, this store implementation cannot delegate user identity assertion by binding to the LDAP server. For that reason it retrieves the required credentials from the directory leaving the authentication procedure to the configured Authentication Scheme. The store must be supplied with the configuratoin parameters so that it can retrieve user identity information.

Additional component properties include:

  • securityPrincipal: the DN of the user to be used to bind to the LDAP Server
  • securityCredential: the securityPrincipal password to be used for binding to the LDAP Server.
  • securityAuthentication: the security level to be used with the LDAP Server session. Its value is one of the following strings: "none", "simple", "strong". If not set, "simple" will be used.
  • usersCtxDN : the fixed distinguished name to the context to search for user accounts.
  • principalUidAttributeID: the name of the attribute that contains the user login name. This is used to locate the user.
  • rolesCtxDN : The fixed distinguished name to the context to search for user roles.
  • uidAttributeID: the name of the attribute that, in the object containing the user roles, references role members. The attribute value should be the DN of the user associated with the role. This is used to locate the user roles.
  • roleAttributeID : The name of the attribute that contains the role name
  • credentialQueryString : The query string to obtain user credentials. It should have the following format : user_attribute_name=credential_attribute_name,... For example : uid=username,userPassword=password
  • userPropertiesQueryString : The query string to obtain user properties. It should have the following format : ldap_attribute_name=user_attribute_name,... For example : mail=mail,cn=description
A sample LDAP Identity Store configuration :

<sso-identity-store>
<class>org.josso.gateway.identity.service.store.ldap.LDAPBindIdentityStore</class>
<initialContextFactory>com.sun.jndi.ldap.LdapCtxFactory</initialContextFactory>
<providerUrl>ldap://localhost</providerUrl>
<securityPrincipal>cn=Manager\,dc=my-domain\,dc=com</securityPrincipal>
<securityCredential>secret</securityCredential>
<securityAuthentication>simple</securityAuthentication>
<usersCtxDN>ou=People\,dc=my-domain\,dc=com</usersCtxDN>
<principalUidAttributeID>uid</principalUidAttributeID>
<rolesCtxDN>ou=Roles\,dc=my-domain\,dc=com</rolesCtxDN>
<uidAttributeID>uniquemember</uidAttributeID>
<roleAttributeID>cn</roleAttributeID>
<credentialQueryString>uid=username\,userPassword=password</credentialQueryString>
<userPropertiesQueryString>mail=mail\,cn=description</userPropertiesQueryString>
</sso-identity-store>

A sample LDAP Credential Store configuration :

<credential-store>
<class>org.josso.gateway.identity.service.store.ldap.LDAPBindIdentityStore</class>
<initialContextFactory>com.sun.jndi.ldap.LdapCtxFactory</initialContextFactory>
<providerUrl>ldap://localhost</providerUrl>
<securityPrincipal>cn=Manager\,dc=my-domain\,dc=com</securityPrincipal>
<securityCredential>secret</securityCredential>
<securityAuthentication>simple</securityAuthentication>
<usersCtxDN>ou=People\,dc=my-domain\,dc=com</usersCtxDN>
<principalUidAttributeID>uid</principalUidAttributeID>
<rolesCtxDN>ou=Roles\,dc=my-domain\,dc=com</rolesCtxDN>
<uidAttributeID>uniquemember</uidAttributeID>
<roleAttributeID>cn</roleAttributeID>
<credentialQueryString>uid=username\,userPassword=password</credentialQueryString>
<userPropertiesQueryString>mail=mail\,cn=description</userPropertiesQueryString>
</credential-store>
org.josso.gateway.identity.service.store.ldap.LDAPBindIdentityStore
ldap-storeAn implementation of an Identity and Credential Store which obtains credential, user and role information from an LDAP server using JNDI, based on the configuration properties.

It allows to set whatever options your LDAP JNDI provider supports your Gateway configuration file. Examples of standard property names are:

  • initialContextFactory = "java.naming.factory.initial"
  • securityProtocol = "java.naming.security.protocol"
  • providerUrl = "java.naming.provider.url"
  • securityAuthentication = "java.naming.security.authentication"

This store implementation is both an Identity Store and Credential Store. Since in JOSSO the authentication of the user is left to the configured Authentication Scheme, this store implementation cannot delegate user identity assertion by binding to the LDAP server. For that reason it retrieves the required credentials from the directory leaving the authentication procedure to the configured Authentication Scheme. The store must be supplied with the configuratoin parameters so that it can retrieve user identity information.

Additional component properties include:

  • securityPrincipal: the DN of the user to be used to bind to the LDAP Server
  • securityCredential: the securityPrincipal password to be used for binding to the LDAP Server.
  • securityAuthentication: the security level to be used with the LDAP Server session. Its value is one of the following strings: "none", "simple", "strong". If not set, "simple" will be used.
  • ldapSearchScope : alows control over LDAP search scope : valid values are ONELEVEL, SUBTREE
  • usersCtxDN : the fixed distinguished name to the context to search for user accounts.
  • principalUidAttributeID: the name of the attribute that contains the user login name. This is used to locate the user.
  • rolesCtxDN : The fixed distinguished name to the context to search for user roles.
  • uidAttributeID: the name of the attribute that, in the object containing the user roles, references role members. The attribute value should be the DN of the user associated with the role. This is used to locate the user roles.
  • roleAttributeID : The name of the attribute that contains the role name
  • roleMatchingMOde : The way JOSSO gets users roles, values UDN (default) and UID.
  • credentialQueryString : The query string to obtain user credentials. It should have the following format : user_attribute_name=credential_attribute_name,... For example : uid=username,userPassword=password
  • userPropertiesQueryString : The query string to obtain user properties. It should have the following format : ldap_attribute_name=user_attribute_name,... For example : mail=mail,cn=description
A sample LDAP Identity Store configuration :

<sso-identity-store>
<class>org.josso.gateway.identity.service.store.ldap.LDAPIdentityStore</class>
<initialContextFactory>com.sun.jndi.ldap.LdapCtxFactory</initialContextFactory>
<providerUrl>ldap://localhost</providerUrl>
<securityPrincipal>cn=Manager\,dc=my-domain\,dc=com</securityPrincipal>
<securityCredential>secret</securityCredential>
<securityAuthentication>simple</securityAuthentication>
<usersCtxDN>ou=People\,dc=my-domain\,dc=com</usersCtxDN>
<principalUidAttributeID>uid</principalUidAttributeID>
<rolesCtxDN>ou=Roles\,dc=my-domain\,dc=com</rolesCtxDN>
<uidAttributeID>uniquemember</uidAttributeID>
<roleMatchingMode>UDN</roleMatchingMode>
<roleAttributeID>cn</roleAttributeID>
<credentialQueryString>uid=username\,userPassword=password</credentialQueryString>
<userPropertiesQueryString>mail=mail\,cn=description</userPropertiesQueryString>
<ldapSearchScope>SUBTREE</ldapSearchScope>
</sso-identity-store>

A sample LDAP Credential Store configuration :

<credential-store>
<class>org.josso.gateway.identity.service.store.ldap.LDAPIdentityStore</class>
<initialContextFactory>com.sun.jndi.ldap.LdapCtxFactory</initialContextFactory>
<providerUrl>ldap://localhost</providerUrl>
<securityPrincipal>cn=Manager\,dc=my-domain\,dc=com</securityPrincipal>
<securityCredential>secret</securityCredential>
<securityAuthentication>simple</securityAuthentication>
<usersCtxDN>ou=People\,dc=my-domain\,dc=com</usersCtxDN>
<principalUidAttributeID>uid</principalUidAttributeID>
<rolesCtxDN>ou=Roles\,dc=my-domain\,dc=com</rolesCtxDN>
<uidAttributeID>uniquemember</uidAttributeID>
<roleAttributeID>cn</roleAttributeID>
<credentialQueryString>uid=username\,userPassword=password</credentialQueryString>
<userPropertiesQueryString>mail=mail\,cn=description</userPropertiesQueryString>
</credential-store>
org.josso.gateway.identity.service.store.ldap.LDAPIdentityStore

Element Detail

Element: ldap-bind-store

AttributeTypeDescription
credentialQueryStringxs:string
enableStartTlsxs:boolean
initialContextFactoryxs:stringConfiguration Properties
ldapSearchScopexs:string
principalLookupAttributeIDxs:string
principalUidAttributeIDxs:string
providerUrlxs:string
roleAttributeIDxs:string
roleMatchingModexs:string
rolesCtxDNxs:string
securityAuthenticationxs:string
securityCredentialxs:string
securityPrincipalxs:string
securityProtocolxs:string
trustStorexs:string
trustStorePasswordxs:string
uidAttributeIDxs:string
updateableCredentialAttributexs:string
useBindCredentialsxs:boolean
userCertificateAtrributeIDxs:string
userPropertiesQueryStringxs:string
usersCtxDNxs:string

Element: ldap-store

AttributeTypeDescription
credentialQueryStringxs:string
enableStartTlsxs:boolean
initialContextFactoryxs:stringConfiguration Properties
ldapSearchScopexs:string
principalLookupAttributeIDxs:string
principalUidAttributeIDxs:string
providerUrlxs:string
roleAttributeIDxs:string
roleMatchingModexs:string
rolesCtxDNxs:string
securityAuthenticationxs:string
securityCredentialxs:string
securityPrincipalxs:string
securityProtocolxs:string
trustStorexs:string
trustStorePasswordxs:string
uidAttributeIDxs:string
updateableCredentialAttributexs:string
useBindCredentialsxs:boolean
userCertificateAtrributeIDxs:string
userPropertiesQueryStringxs:string
usersCtxDNxs:string