Authorization Manager
The Authorization Manager is configured by an XML file which
contains a ClientAuthorizationConfig element, which in turn
contains a Client element for every client service allowed to
use Moria.
The actual client service authentication is performed outside of Moria, by the application server, so passwords and/or certificates must be configured in the server that performs the authentication (for example, Apache or Resin). Moria relies on the principal name that server establishes; the Client element's name attribute must match it exactly.
A Client element consists of the following:
- A required name attribute which is identical to the principal used for the client service's external authentication.
- A DisplayName child element with a text child element containing the full name of the client service. This is the service name that is presented on the login page.
- A URL child element with a text child element containing a URL pointing to the main page of the client service. This URL is used to link the displayed client service name (on the login page) to a page where the client service may describe itself to the user.
- A Home child element with a text child element that specifies which organization the client service belongs to. The short-form organization name should be consistent with the short-form organization names appearing elsewhere in other configuration files, such as the Web Module configuration file. Not currently used.
- A Language child element with a text child element that gives the default language used on the web interfaces (such as the login web page) for this client service. This language is used as the default for the login page if the user has not previously selected another language. If not present, the system-wide Moria default language is used instead. Note that this two-character language code must match one of the two-character language codes defined in the Web Module configuration file.
- An Affiliation child element containing one or more Organization child elements, which again contain a text child element (the example configuration below writes the organization as a name attribute instead). The organization names should match the short-form organization names defined in the Web Module configuration file. Users belonging to one of these affiliated organizations may be authenticated against a secondary (or tertiary, and so on) authentication server (or location within the same authentication server) when using this service. This allows an organization to publish a service for which only a certain set of users may be authenticated, without allowing these users to access other services (unless their organization is also affiliated with those services).
- An OrgsAllowed child element containing one or more Organization child elements, written as in Affiliation. The organization names should match the short-form organization names defined in the Web Module configuration file. Users belonging to one of these allowed organizations may access this client service; all others are refused.
- An Attributes child element containing one or more Attribute child elements. Each Attribute element carries the attributes name (the physical name of the user attribute the client service is allowed to read), sso (true or false; whether the client service may read this attribute when using SSO) and secLevel (classifies an attribute request by security level and optionally displays a warning/description to the user on the login page). Security levels range from 0 to 2, with 0 being the lowest. The list is an allowlist: an attribute not listed here cannot be read by the service. Note that for a client service to be issued a ticket granting ticket, its configuration must list the tgt attribute with sso set to true.
- An Operations child element containing one or more Operation child elements, one for each operation the client service is allowed to perform. Each Operation element has an attribute name giving the allowed operation's name. The following operations are defined:

Operation | Explanation
---|---
InteractiveAuth | Allow normal interactive authentication.
DirectAuth | Allow the user's username/password to be sent through the client service. Handle with care: the client service handles the user's credentials directly, so a compromised or dishonest service can capture them.
ProxyAuth | Allows a subsystem to perform user authentication using a proxy ticket. Also needed for the parent system in order to be able to issue a proxy ticket.
VerifyUserExistence | Allows the client service to check whether a given user actually exists. Grant sparingly, as it lets the service enumerate user names.

- A Subsystems child element containing a Subsystem child element for every secondary client service with which the primary client service is allowed to use proxy authentication (that is, which secondary client services may make use of proxy tickets issued to the primary client service). Each secondary client service must itself be configured to allow the operation ProxyAuth.
Example Authorization Manager configuration file:
<?xml version="1.0" encoding="ISO-8859-1" standalone="yes"?>
<ClientAuthorizationConfig>
  <Client name="test">
    <DisplayName>Foobar</DisplayName>
    <URL>http://www.feide.no/</URL>
    <Home>uio.no</Home>
    <Language>no</Language>
    <Affiliation>
      <Organization name="uninett.no"/>
      <Organization name="uio.no"/>
    </Affiliation>
    <OrgsAllowed>
      <Organization name="uninett.no"/>
      <Organization name="uio.no"/>
    </OrgsAllowed>
    <Attributes>
      <Attribute name="attr1" sso="true" secLevel="0"/>
      <Attribute name="attr2" sso="true" secLevel="1"/>
      <Attribute name="attr3" sso="false" secLevel="2"/>
      <Attribute name="tgt" sso="true" secLevel="0"/>
    </Attributes>
    <Operations>
      <Operation name="DirectAuth"/>
      <Operation name="InteractiveAuth"/>
      <Operation name="VerifyUserExistence"/>
      <Operation name="ProxyAuth"/>
    </Operations>
    <Subsystems>
      <Subsystem name="sub1"/>
      <Subsystem name="sub2"/>
    </Subsystems>
  </Client>
  <Client name="sub1">
    <DisplayName>Subsystem 1</DisplayName>
    <URL>http://www.feide.no/</URL>
    <Home>uio.no</Home>
    <Language>no</Language>
    <Affiliation>
      <Organization name="uninett.no"/>
      <Organization name="uio.no"/>
    </Affiliation>
    <OrgsAllowed>
      <Organization name="uninett.no"/>
      <Organization name="uio.no"/>
    </OrgsAllowed>
    <Attributes>
      <Attribute name="attr1" sso="true" secLevel="0"/>
      <Attribute name="attr2" sso="true" secLevel="1"/>
      <Attribute name="attr3" sso="false" secLevel="2"/>
    </Attributes>
    <Operations>
      <Operation name="ProxyAuth"/>
    </Operations>
    <Subsystems>
    </Subsystems>
  </Client>
</ClientAuthorizationConfig>
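The consistency rules spelled out above (organization names and language codes matching the Web Module configuration, secLevel within 0 to 2, the tgt attribute readable under SSO before a ticket granting ticket can be issued, ProxyAuth on both the parent and every listed subsystem) are easy to get wrong by hand. The script below is an added example, not part of Moria: it parses a ClientAuthorizationConfig document, reports inconsistencies, and answers the authorization questions Moria has to answer at run time. KNOWN_ORGS and KNOWN_LANGUAGES are assumed stand-ins for what the Web Module configuration would supply, and SAMPLE_CONFIG is a constructed, trimmed copy of the example above that keeps its reference to a subsystem sub2 with no Client element of its own. Because the prose describes Organization as a text child while the example uses a name attribute, the parser accepts both forms.

```python
# Validate a Moria ClientAuthorizationConfig and answer authorization
# queries against it. Added example, not part of Moria.
import xml.etree.ElementTree as ET

# Assumed stand-ins for the short-form organization names and two-character
# language codes defined in the Web Module configuration file.
KNOWN_ORGS = {"uninett.no", "uio.no"}
KNOWN_LANGUAGES = {"no", "en"}
OPERATIONS = {"InteractiveAuth", "DirectAuth", "ProxyAuth", "VerifyUserExistence"}

# Constructed sample, trimmed from the example configuration on this page.
# It keeps the reference to subsystem "sub2", which has no Client element.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="ISO-8859-1" standalone="yes"?>
<ClientAuthorizationConfig>
  <Client name="test">
    <DisplayName>Foobar</DisplayName>
    <URL>http://www.feide.no/</URL>
    <Language>no</Language>
    <Affiliation><Organization name="uninett.no"/></Affiliation>
    <OrgsAllowed><Organization name="uninett.no"/><Organization>uio.no</Organization></OrgsAllowed>
    <Attributes>
      <Attribute name="attr1" sso="true" secLevel="0"/>
      <Attribute name="attr3" sso="false" secLevel="2"/>
      <Attribute name="tgt" sso="true" secLevel="0"/>
    </Attributes>
    <Operations><Operation name="InteractiveAuth"/><Operation name="ProxyAuth"/></Operations>
    <Subsystems><Subsystem name="sub1"/><Subsystem name="sub2"/></Subsystems>
  </Client>
  <Client name="sub1">
    <DisplayName>Subsystem 1</DisplayName>
    <OrgsAllowed><Organization name="uio.no"/></OrgsAllowed>
    <Attributes><Attribute name="attr1" sso="true" secLevel="0"/></Attributes>
    <Operations><Operation name="ProxyAuth"/></Operations>
    <Subsystems/>
  </Client>
</ClientAuthorizationConfig>"""


def _names(elem, path):
    """Names of the elements under path, accepting the name attribute used in
    the example configuration or a text child as the prose describes."""
    return {e.get("name") or (e.text or "").strip() for e in elem.findall(path)} - {""}


def parse_config(xml_text):
    """Parse a ClientAuthorizationConfig document into {client name: settings}."""
    root = ET.fromstring(xml_text.encode("iso-8859-1"))
    if root.tag != "ClientAuthorizationConfig":
        raise ValueError("root element must be ClientAuthorizationConfig")
    clients = {}
    for c in root.findall("Client"):
        name = c.get("name")
        if not name:
            raise ValueError("Client element without the required name attribute")
        clients[name] = {
            "language": (c.findtext("Language") or "").strip() or None,
            "affiliation": _names(c, "Affiliation/Organization"),
            "orgs_allowed": _names(c, "OrgsAllowed/Organization"),
            # attribute name -> (readable under SSO, security level)
            "attributes": {a.get("name"): (a.get("sso") == "true", int(a.get("secLevel", "0")))
                           for a in c.findall("Attributes/Attribute")},
            "operations": _names(c, "Operations/Operation"),
            "subsystems": _names(c, "Subsystems/Subsystem"),
        }
    return clients


def validate(clients, known_orgs=KNOWN_ORGS, known_langs=KNOWN_LANGUAGES):
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    for name, c in clients.items():
        if c["language"] and c["language"] not in known_langs:
            problems.append(f"{name}: unknown language code {c['language']}")
        for org in sorted((c["affiliation"] | c["orgs_allowed"]) - known_orgs):
            problems.append(f"{name}: unknown organization {org}")
        for op in sorted(c["operations"] - OPERATIONS):
            problems.append(f"{name}: unknown operation {op}")
        for attr, (_, level) in c["attributes"].items():
            if not 0 <= level <= 2:
                problems.append(f"{name}: attribute {attr} has secLevel {level}, expected 0..2")
        if c["subsystems"] and "ProxyAuth" not in c["operations"]:
            problems.append(f"{name}: lists subsystems but is not allowed ProxyAuth")
        for sub in sorted(c["subsystems"]):
            if sub not in clients:
                problems.append(f"{name}: subsystem {sub} is not a configured Client")
            elif "ProxyAuth" not in clients[sub]["operations"]:
                problems.append(f"{name}: subsystem {sub} is not allowed ProxyAuth")
    return problems


def attribute_allowed(clients, client, attr, via_sso=False):
    """May client read attr? Under SSO the attribute's sso flag must also be true."""
    entry = clients[client]["attributes"].get(attr)
    return entry is not None and (entry[0] or not via_sso)


def tgt_allowed(clients, client):
    """A ticket granting ticket requires the tgt attribute readable under SSO."""
    return attribute_allowed(clients, client, "tgt", via_sso=True)


def proxy_allowed(clients, parent, subsystem):
    """subsystem may redeem a proxy ticket issued to parent only if parent lists
    it under Subsystems and both sides are allowed the ProxyAuth operation."""
    p, s = clients.get(parent), clients.get(subsystem)
    return bool(p and s and subsystem in p["subsystems"]
                and "ProxyAuth" in p["operations"] and "ProxyAuth" in s["operations"])
```

Running validate on the sample reports only that sub2 is referenced under Subsystems without being a configured Client, which is the mistake that otherwise surfaces as a failed proxy authentication at run time. Hooking validate into a deployment check catches that, as well as a subsystem that was added to a parent before it was granted ProxyAuth, before the file is loaded.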