iamtf_idp

This is one of the key resources in JOSSO: it defines an identity provider (IDP). JOSSO supports multiple identity protocols, so you can connect service providers (SPs) using:

  • OpenID Connect 1.0
  • OAuth 2.0
  • SAML 2.0
  • JOSSO 1.0
  • Custom

You can mix heterogeneous service providers with different requirements and connect them to a single IDP. For example, you can share identity between SAML and OIDC applications transparently, giving users a single authentication experience.

To configure an IDP you must provide an identity source, an authentication mechanism and a keystore (the IDP's private key and certificate). Then you define each service provider and reference the IDP it trusts.

In JOSSO you can have multiple identity providers running in a single identity appliance.

Let's take a look at the following example:

resource "iamtf_idp" "idp" {

  ida  = iamtf_identity_appliance.ida-1.name

  name = "idp"

  keystore {
    resource = filebase64("./idp.p12")
    # literal shown for brevity; in real configurations use a sensitive variable
    password = "changeme"
  }

  id_sources = [iamtf_idvault.sso-users.name]

  authn_basic {
    priority     = 0
    pwd_hash     = "SHA-256"
    pwd_encoding = "BASE64"
  }

  depends_on = [
    iamtf_idvault.sso-users
  ]

}

attributes

Attribute mappings. Define how identity-source attributes are mapped to the claims the IDP issues.

  • type: List
  • optional: true
  • computed: true

include_unmapped_claims

when using the CUSTOM profile, also include claims that have no explicit mapping

  • type: Bool
  • optional: true

map

Custom attribute mappings

  • type: Set
  • optional: true

profile

Attribute profile to use: JOSSO, BASIC, ONE_TO_ONE, CUSTOM, EXTENSION

  • type: String
  • optional: true

authn_basic

Basic authentication settings. This mechanism uses two credentials, username and password. JOSSO verifies them against the values stored in the connected identity source, so pwd_hash, pwd_encoding and the salt settings must describe how that source stores passwords; if they do not match, valid passwords are rejected.

  • type: List
  • optional: true

Example 1

  authn_basic {
    priority     = 0
    pwd_hash     = "SHA-256"
    pwd_encoding = "BASE64"
  }

Example 2

  authn_basic {
    priority          = 0
    pwd_hash          = "SHA-256"
    pwd_encoding      = "BASE64"
    crypt_salt_length = 0
    salt_prefix       = "sp1235"
    salt_suffix       = "sf5432"

    saml_authn_ctx = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
  }

crypt_salt_length

crypt salt length (in bytes: 0, 8, 16, 24, 32, 48, 64, 128, 256)

  • type: Int
  • optional: true

extension

Allows you to use a custom component for a given resource. Components are installed as OSGi bundles in the server. You can refer to a component instance or create a new instance based on its class

  • type: List
  • optional: true

fqcn

component java FQCN. Refers to the OSGi component type or Java class to be instantiated

  • type: String
  • required

osgi_filter

filter to locate the OSGi service (Only when extension type is SERVICE).

  • type: String
  • optional: true

property

list of configuration properties and its values (only when extension type is INSTANCE)

  • type: Set
  • optional: true

type

extension type: SERVICE (for OSGi service references) or INSTANCE (for creating a new instance).

  • type: String
  • optional: true

priority

authentication priority relative to the other mechanisms (evaluated in ascending order)

  • type: Int
  • optional: true
  • computed: true

pwd_encoding

password encoding algorithm, valid values are:

  • NONE

  • BASE64

  • HEX

  • type: String

  • optional: true

pwd_hash

password hashing algorithm. It must match the format in which the identity source stores passwords. Valid values are:

  • NONE (NOT recommended!)

  • CRYPT (LDAP only)

  • BCRYPT

  • SHA-512

  • SHA-256

  • SHA-1 (weak, avoid for new deployments)

  • MD5 (NOT recommended!)

  • type: String

  • optional: true

salt_prefix

fixed salt prefix used for password hashing. This is a single deployment-wide value, not a per-user salt; it must match what the identity source used when the passwords were stored.

  • type: String
  • optional: true

salt_suffix

fixed salt suffix used for password hashing, with the same constraints as salt_prefix

  • type: String
  • optional: true

saml_authn_ctx

SAML 2 authentication context class reported to SPs for password logins. Some SPs require a specific value. Valid values are:

  • urn:oasis:names:tc:SAML:2.0:ac:classes:Password (default)

  • urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

  • type: String

  • optional: true

authn_bind_ldap

LDAP bind authentication settings

  • type: List
  • optional: true

authentication

LDAP authentication method used when binding with the service credentials (the JNDI security authentication level)

Valid values are: none, strong, simple

Default: simple

  • type: String
  • optional: true

extension

Allows you to use a custom component for a given resource. Components are installed as OSGi bundles in the server. You can refer to a component instance or create a new instance based on its class

  • type: List
  • optional: true

fqcn

component java FQCN. Refers to the OSGi component type or Java class to be instantiated

  • type: String
  • required

osgi_filter

filter to locate the OSGi service (Only when extension type is SERVICE).

  • type: String
  • optional: true

property

list of configuration properties and its values (only when extension type is INSTANCE)

  • type: Set
  • optional: true

type

extension type: SERVICE (for OSGi service references) or INSTANCE (for creating a new instance).

  • type: String
  • optional: true

initial_ctx_factory

Java JNDI initial context factory (default: com.sun.jndi.ldap.LdapCtxFactory)

  • type: String
  • optional: true

operational_attrs

Require LDAP operational attributes (useful for LDAP password policy management)

  • type: Bool
  • optional: true

password

password of the service account used to connect to the LDAP server

  • type: String
  • required

password_policy

Support LDAP password policy management. Values: none, ldap-rfc-draft (default: none)

  • type: String
  • optional: true

Perform a user search by DN before authentication

  • type: Bool
  • optional: true

priority

authentication priority relative to the other mechanisms (evaluated in ascending order)

  • type: Int
  • optional: true
  • computed: true

provider_url

LDAP server connection URL, for example ldaps://localhost:636. Use ldaps, since the user's password is sent to the directory in the bind operation.

  • type: String
  • required

referrals

how to process referrals returned by the directory

Valid values are: follow, ignore

Default: follow

  • type: String
  • optional: true

saml_authn_ctx

reported SAML 2 authentication context class

Valid values:

urn:oasis:names:tc:SAML:2.0:ac:classes:Password

urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

  • type: String
  • optional: true

search_scope

LDAP search scope used when locating the user entry under users_ctx_dn

Valid values are: base, one, subtree and children

Default: subtree

  • type: String
  • optional: true

userid_attr

LDAP attribute used as the user identifier. The IDP reports this identifier regardless of the name identifier format requested by the SP (SAML 2).

  • type: String
  • optional: true

username

username credential to connect to the LDAP server

  • type: String
  • required

users_ctx_dn

DN to search for users

  • type: String
  • required
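The following is an added example, not taken from the JOSSO documentation, showing an IDP that authenticates users with authn_bind_ldap over LDAPS. It assumes an appliance ida-1, an identity source sso-users (an iamtf_idvault as in the page's example), a PKCS12 file ./idp.p12, a directory at ldap.example.com under dc=example,dc=com with a read-only service account, and the two sensitive variables declared in the block; host names, DNs and variable names are placeholders.

```hcl
# Added example (not from the JOSSO docs): LDAP bind authentication over LDAPS.
# Assumed/placeholder: appliance "ida-1", id vault "sso-users", ./idp.p12,
# ldap.example.com, dc=example,dc=com, the service-account DN and both variables.

variable "keystore_password" {
  type      = string
  sensitive = true   # PKCS12 password stays out of the .tf file and plan output
}

variable "ldap_bind_password" {
  type      = string
  sensitive = true   # service-account secret; never a literal in configuration
}

resource "iamtf_idp" "idp-ldap" {
  ida  = iamtf_identity_appliance.ida-1.name
  name = "idp-ldap"

  keystore {
    resource = filebase64("./idp.p12")
    password = var.keystore_password
  }

  id_sources = [iamtf_idvault.sso-users.name]

  authn_bind_ldap {
    priority = 0

    # LDAPS only: the user's password travels inside the simple bind.
    provider_url        = "ldaps://ldap.example.com:636"
    initial_ctx_factory = "com.sun.jndi.ldap.LdapCtxFactory"

    # Read-only service account used to locate the user entry before
    # JOSSO binds as the user with the supplied password.
    authentication = "simple"
    username       = "cn=josso-svc,ou=services,dc=example,dc=com"
    password       = var.ldap_bind_password

    users_ctx_dn = "ou=people,dc=example,dc=com"
    search_scope = "subtree"
    userid_attr  = "uid"

    # Do not chase referrals: a referral returned by the directory could send
    # the service-account bind to a server you do not control.
    referrals = "ignore"

    # Expose directory password-policy state (expiry, lockout) to JOSSO.
    operational_attrs = true
    password_policy   = "ldap-rfc-draft"

    saml_authn_ctx = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
  }

  depends_on = [iamtf_idvault.sso-users]
}
```

Two settings carry the security weight here: provider_url uses ldaps so the simple bind is not sent in clear, and referrals is set to ignore so the service-account credential cannot be redirected to another server. Marking the bind password sensitive keeps it out of plan output, but it is still written to Terraform state, which must be protected accordingly.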

authn_client_cert

Client certificate (X.509) authentication settings. JOSSO authenticates the user with the certificate presented during the TLS handshake and can check its revocation status through CRLs and/or OCSP.

  • type: List
  • optional: true

clr_enabled

enable CRL (certificate revocation list) checking of client certificates

  • type: Bool
  • optional: true
  • computed: true

crl_refresh_seconds

how often the CRL is re-downloaded (seconds)

  • type: Int
  • optional: true
  • computed: true

crl_url

URL of the CRL distribution point the revocation list is downloaded from

  • type: String
  • optional: true
  • computed: true

extension

Allows you to use a custom component for a given resource. Components are installed as OSGi bundles in the server. You can refer to a component instance or create a new instance based on its class

  • type: List
  • optional: true

fqcn

component java FQCN. Refers to the OSGi component type or Java class to be instantiated

  • type: String
  • required

osgi_filter

filter to locate the OSGi service (Only when extension type is SERVICE).

  • type: String
  • optional: true

property

list of configuration properties and its values (only when extension type is INSTANCE)

  • type: Set
  • optional: true

type

extension type: SERVICE (for OSGi service references) or INSTANCE (for creating a new instance).

  • type: String
  • optional: true

ocsp_enabled

enable OCSP revocation checking of client certificates

  • type: Bool
  • optional: true
  • computed: true

ocsp_server

URL of the OCSP responder used for revocation checks

  • type: String
  • optional: true
  • computed: true

priority

authentication priority relative to the other mechanisms (evaluated in ascending order)

  • type: Int
  • optional: true
  • computed: true

uid

certificate attribute used as the user identifier

  • type: String
  • optional: true
  • computed: true

authn_custom

Custom authentication mechanism

  • type: List
  • optional: true

claim_names

name of the claim to be used, depends on claim type

  • type: String
  • required

claim_type

Claim type

  • type: String
  • required

extension

Allows you to use a custom component for a given resource. Components are installed as OSGi bundles in the server. You can refer to a component instance or create a new instance based on its class

  • type: List
  • optional: true

fqcn

component java FQCN. Refers to the OSGi component type or Java class to be instantiated

  • type: String
  • required

osgi_filter

filter to locate the OSGi service (Only when extension type is SERVICE).

  • type: String
  • optional: true

property

list of configuration properties and its values (only when extension type is INSTANCE)

  • type: Set
  • optional: true

type

extension type: SERVICE (for OSGi service references) or INSTANCE (for creating a new instance).

  • type: String
  • optional: true

external_service

URL to external authentication service to collect claims

  • type: String
  • optional: true

inject_id_source

Inject identity source into custom authenticator (must have proper setter)

  • type: Bool
  • optional: true

saml_authn_ctx

SAML authentication context

  • type: String
  • required

type

Authentication type: BASIC, 2FA, PRE_AUTHN

  • type: String
  • required

authn_oauth2_pre

OAuth2 pre-authentication settings. The user is authenticated outside JOSSO and presented to the IDP with an OAuth2 pre-authentication token, which the IDP validates before creating the SSO session.

  • type: List
  • optional: true

authn_service

authentication service used for pre-authentication

  • type: String
  • optional: true
  • computed: true

extension

Allows you to use a custom component for a given resource. Components are installed as OSGi bundles in the server. You can refer to a component instance or create a new instance based on its class

  • type: List
  • optional: true

fqcn

component java FQCN. Refers to the OSGi component type or Java class to be instantiated

  • type: String
  • required

osgi_filter

filter to locate the OSGi service (Only when extension type is SERVICE).

  • type: String
  • optional: true

property

list of configuration properties and its values (only when extension type is INSTANCE)

  • type: Set
  • optional: true

type

extension type: SERVICE (for OSGi service references) or INSTANCE (for creating a new instance).

  • type: String
  • optional: true

external_auth

whether the user is authenticated by an external service rather than by JOSSO itself

  • type: Bool
  • optional: true
  • computed: true

priority

authentication priority relative to the other mechanisms (evaluated in ascending order)

  • type: Int
  • optional: true
  • computed: true

remember_me

enable remember-me for users authenticated through this mechanism

  • type: Bool
  • optional: true
  • computed: true

authn_wia

Windows Integrated Authentication. JOSSO will verify identity by contacting a domain controller

  • type: List
  • optional: true

domain

windows domain

  • type: String
  • required

domain_controller

domain controller server

  • type: String
  • required

extension

Allows you to use a custom component for a given resource. Components are installed as OSGi bundles in the server. You can refer to a component instance or create a new instance based on its class

  • type: List
  • optional: true

fqcn

component java FQCN. Refers to the OSGi component type or Java class to be instantiated

  • type: String
  • required

osgi_filter

filter to locate the OSGi service (Only when extension type is SERVICE).

  • type: String
  • optional: true

property

list of configuration properties and its values (only when extension type is INSTANCE)

  • type: Set
  • optional: true

type

extension type: SERVICE (for OSGi service references) or INSTANCE (for creating a new instance).

  • type: String
  • optional: true

host

JOSSO hostname

  • type: String
  • required

keytab

Kerberos keytab file

  • type: String
  • required

overwrite_kerberos_setup

override JOSSO kerberos configuration

  • type: Bool
  • optional: true
  • computed: true

port

JOSSO server port

  • type: Int
  • required

priority

authentication priority relative to the other mechanisms (evaluated in ascending order)

  • type: Int
  • required

protocol

JOSSO server protocol (http/https)

  • type: String
  • required

service_class

Kerberos service principal class, the part before the slash in the SPN (for example HTTP)

  • type: String
  • required

service_name

Kerberos service principal name, the host part of the SPN (service_class/service_name@REALM)

  • type: String
  • required

branding

the name of the UI branding plugin installed in JOSSO

  • type: String
  • optional: true

dashboard_url

External user dashboard URL

  • type: String
  • optional: true

description

provider description

  • type: String
  • optional: true

destroy_previous_session

If true, JOSSO logs out an existing session so the user does not exceed max_sessions_per_user. If false, login is denied once the maximum is reached.

  • type: Bool
  • optional: true

error_binding

How error information is encoded and shared with a custom user dashboard. Depending on the binding type, JOSSO encodes errors differently and redirects the user to dashboard_url with the encoded error information.

  • ARTIFACT: reserved for JOSSO internal usage.

  • JSON: send error details encoded in JSON format.

  • GET: send error details encoded in the HTTP request query string.

  • type: String

  • optional: true

id_sources

list of identity sources used by the IDP. At least one is required.

  • type: Set
  • optional: true

ida

identity appliance name

  • type: String
  • required

keystore

Keystore configuration. A single keystore containing the private key and certificate is supported.

  • type: List
  • required

alias

Certificate and private key alias (optional)

  • type: String
  • optional: true

key_password

PKCS12 private key password (optional, the store password is used if not present)

  • type: String
  • optional: true

password

PKCS12 keystore password

  • type: String
  • required

resource

PKCS12 keystore in base64 format

  • type: String
  • required

max_sessions_per_user

Max number of sessions per user, -1 for unbounded. This limits the number of simultaneous SSO sessions a user can create. Works in combination with destroy_previous_session.

  • type: Int
  • optional: true

name

idp name, unique in the appliance scope

  • type: String
  • required

oauth2

OAuth2 protocol settings. This is mainly used by JOSSO internally; for SSO connections OpenID Connect, which builds on OAuth2, is the recommended protocol.

  • type: List
  • optional: true
  • computed: true

enabled

enable OAuth2 protocol for this IDP

  • type: Bool
  • optional: true

pwdless_authn_enabled

passwordless authentication enabled. Useful for one-click logins

  • type: Bool
  • optional: true

pwdless_authn_from

sender (FROM) address for passwordless authentication messages

  • type: String
  • optional: true

pwdless_authn_subject

message subject used during one-click login

  • type: String
  • optional: true

pwdless_authn_template

name of the message template sent to the user during one-click login

  • type: String
  • optional: true

pwdless_authn_to

recipient (TO) address for passwordless authentication messages

  • type: String
  • optional: true

rememberme_token_validity

remember me token validity (sec, default 43200)

  • type: Int
  • optional: true

shared_key

IDP secret key to be shared with the OAuth client

  • type: String
  • required

token_validity

token validity (sec, default 300)

  • type: Int
  • optional: true

oidc

OpenID Connect protocol settings. This is the recommended SSO protocol. Combine it with iamtf_app_oidc resources (applications)

  • type: List
  • optional: true
  • computed: true

access_token_ttl

access token time to live (sec)

  • type: Int
  • optional: true
  • computed: true

authz_code_ttl

authorization code time to live (sec)

  • type: Int
  • optional: true
  • computed: true

enabled

enable OIDC for this IDP

  • type: Bool
  • optional: true

id_token_ttl

id token time to live (sec)

  • type: Int
  • optional: true
  • computed: true

user_claims_in_access_token

include user claims in access token

  • type: Bool
  • optional: true

saml2

IDP SAML2 protocol settings

  • type: List
  • optional: true
  • computed: true

bindings

enabled SAML bindings

  • type: List
  • optional: true
  • computed: true

artifact

use Artifact binding

  • type: Bool
  • optional: true

http_post

use HTTP POST binding

  • type: Bool
  • optional: true

http_redirect

use HTTP REDIRECT binding

  • type: Bool
  • optional: true

local

use LOCAL binding

  • type: Bool
  • optional: true

soap

use SOAP binding

  • type: Bool
  • optional: true

encrypt_algorithm

assertion encryption algorithm

  • type: String
  • optional: true

message_ttl

message ttl (sec)

  • type: Int
  • optional: true
  • computed: true

message_ttl_tolerance

message ttl tolerance (sec)

  • type: Int
  • optional: true
  • computed: true

sign_reqs

sign all requests to SPs

  • type: Bool
  • optional: true

signature_hash

signature hash algorithm

  • type: String
  • optional: true

want_authn_req_signed

want authn requests signed by SPs

  • type: Bool
  • optional: true

want_req_signed

want requests signed by SPs

  • type: Bool
  • optional: true

session_timeout

SSO session timeout (minutes, default 30)

  • type: Int
  • optional: true

sp

IDP-to-SP SAML 2 settings. Optional; only required if a specific SP needs SAML IDP settings that differ from the IDP defaults

  • type: List
  • optional: true
  • computed: true

name

name of the trusted SP. It is normally the application name with the -sp suffix

  • type: String
  • required

saml2

SAML2 settings for this specific SP. They override the IDP-level saml2 settings for this trust relationship only.

  • type: List
  • optional: true
  • computed: true

bindings

enabled SAML bindings

  • type: List
  • optional: true
  • computed: true

artifact

use Artifact binding

  • type: Bool
  • optional: true

http_post

use HTTP POST binding

  • type: Bool
  • optional: true

http_redirect

use HTTP REDIRECT binding

  • type: Bool
  • optional: true

local

use LOCAL binding

  • type: Bool
  • optional: true

soap

use SOAP binding

  • type: Bool
  • optional: true

encrypt_algorithm

encrypt assertion algorithm

  • type: String
  • optional: true

message_ttl

message ttl (sec)

  • type: Int
  • optional: true
  • computed: true

message_ttl_tolerance

message ttl tolerance (sec)

  • type: Int
  • optional: true
  • computed: true

sign_reqs

sign all requests to SPs

  • type: Bool
  • optional: true

signature_hash

signature hash algorithm

  • type: String
  • optional: true

want_authn_req_signed

want authn requests signed by SPs

  • type: Bool
  • optional: true

want_req_signed

want requests signed by SPs

  • type: Bool
  • optional: true

subject_authn_policies

subject authentication policies

  • type: List
  • optional: true

name

Name of the authentication policy

  • type: String
  • required

subject_id

subject identifier. valid values: PRINCIPAL, EMAIL, ATTRIBUTE, CUSTOM

  • type: String
  • optional: true

subject_id_attr

subject identifier attribute, only valid for ATTRIBUTE and CUSTOM subject identifier

  • type: String
  • optional: true
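The following is an added example, not part of the JOSSO documentation, that combines the protocol and session settings documented above in one IDP serving both OIDC and SAML2 applications. It assumes an appliance ida-1, an identity source sso-users, a PKCS12 file ./idp.p12, a sensitive variable keystore_password, and a SAML application whose trusted SP is named partner-portal-sp; all of these are placeholders. signature_hash and encrypt_algorithm are left out because this page does not list their accepted values.

```hcl
# Added example (not from the JOSSO docs): one IDP for OIDC and SAML2 SPs with
# the signing and session hardening knobs documented on this page.
# Assumed/placeholder: appliance "ida-1", id vault "sso-users", ./idp.p12,
# the variable keystore_password and the trusted SP "partner-portal-sp".

variable "keystore_password" {
  type      = string
  sensitive = true   # keeps the PKCS12 password out of the .tf file and plan output
}

resource "iamtf_idp" "idp" {
  ida  = iamtf_identity_appliance.ida-1.name
  name = "idp"

  keystore {
    resource = filebase64("./idp.p12")
    password = var.keystore_password
  }

  id_sources = [iamtf_idvault.sso-users.name]

  authn_basic {
    priority       = 0
    pwd_hash       = "SHA-256"   # must match how sso-users stores passwords
    pwd_encoding   = "BASE64"
    saml_authn_ctx = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
  }

  # Session policy: one SSO session per user; a new login replaces the old one.
  session_timeout          = 30
  max_sessions_per_user    = 1
  destroy_previous_session = true

  oidc {
    enabled                     = true
    authz_code_ttl              = 60    # codes are single-use and short-lived
    access_token_ttl            = 300
    id_token_ttl                = 300
    user_claims_in_access_token = false # keep user data in the ID token only
  }

  saml2 {
    bindings {
      http_post     = true
      http_redirect = true
      artifact      = false
      soap          = false
      local         = false
    }
    sign_reqs             = true   # sign the IDP's own requests to SPs
    want_authn_req_signed = true   # reject unsigned AuthnRequests
    want_req_signed       = true   # reject other unsigned requests (e.g. logout)
    message_ttl           = 300    # narrow replay window, with some clock skew tolerance
    message_ttl_tolerance = 60
  }

  # Per-SP override: relax one flag for a single legacy SP instead of
  # weakening the IDP-wide default.
  sp {
    name = "partner-portal-sp"
    saml2 {
      want_authn_req_signed = false
    }
  }

  subject_authn_policies {
    name       = "email-subject"
    subject_id = "EMAIL"
  }

  depends_on = [iamtf_idvault.sso-users]
}
```

The saml2 block requires signatures on what SPs send and signs what the IDP sends, with a short message_ttl to limit replay; the sp block scopes the one exception to the SP that needs it. With max_sessions_per_user = 1 and destroy_previous_session = true a fresh login replaces the earlier session rather than being denied, which is usually the better choice for users on several devices.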
Contributors: Sebastian