Identity provider - Reverse proxy
AVAILABLE IN 9.6.6 AND LATER
Overview
This authentication option lets a reverse proxy handle user authentication: once users have logged in to their proxy, they can seamlessly access the Verba Web Application.
When a user attempts to access the Verba Web Application URL, the proxy server authenticates the incoming request against your authentication system. After successful authentication, the proxy sets a request header with the authenticated user identity and sends this information to the Verba Web Application. The Verba Web Application accepts the incoming HTTP request from the proxy, and if it recognizes the user contained in the header, the user is automatically logged in to the application. For successful single sign-on, all requests from the proxy to the Verba Web Application must include the authentication headers. If the header is not included in a request, the user is returned to the login page. The Web Application uses the authenticated header for the duration of the browser session.
The header value is trusted without further checks or additional authentication: every incoming connection from the reverse proxy logs in the user named in the HTTP headers.
Because any host that can reach the Verba Web Application directly could supply this header itself, it is highly recommended to restrict access to the Verba Web Application to the proxy server(s) by configuring either:
- Windows Firewall
- or Remote Address Filtering on Tomcat. For more information, see https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#Remote_Address_Filter.
A sample scenario is shown in the diagram below.
- The user opens the Verba Web Application URL, which is directed to the Reverse Proxy.
- The Reverse Proxy authenticates the user with the Authentication Server.
- After successful user authentication, the Reverse Proxy forwards the request to the Verba Web Application and provides the user identity in request headers.
- The Verba Web Application validates the user identity and, if the user is recognized, logs the user in to the application automatically.
An example of reverse proxy-based authentication is based on Symantec SiteMinder (formerly CA SiteMinder). In this configuration, the Reverse Proxy is a Microsoft IIS web server that is integrated with the SiteMinder Agent.
Configuration
Step 1 - Provide a Name.
Step 2 - Provide the user attribute used for matching in the Verba User Attribute setting.
Step 3 - If exact matching of the attribute is not required, change the Verba User Attribute Matching setting.
Step 4 - Provide the Request Header sent by the reverse proxy.
Step 5 - Provide a Regex that matches the part of the header immediately before the User Attribute.
Step 6 - Provide a Regex that matches the part of the header immediately after the User Attribute.
Item | Description |
---|---|
Verba User Attribute | The user attribute used for matching the user |
Verba User Attribute Matching | Defines the matching for the user attribute |
Request Header | The header sent by the reverse proxy |
Prefix Regex | Regex matching the prefix |
Stop Regex | Regex for stopping after the User Attribute |
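
As an added illustration (not Verba's code), the sketch below models how a Prefix Regex and a Stop Regex isolate the user attribute from the request header, combined with the proxy-only source check recommended in the Overview. The header name `X-Auth-User`, the addresses, the sample header value, the regexes, and the behaviour when the stop regex does not match are all assumptions.

```python
import ipaddress
import re

# Constructed sample settings; none come from a real Verba installation.
PROXY_ADDRESSES = {ipaddress.ip_address("10.0.0.5")}  # reverse proxy host(s)
REQUEST_HEADER = "X-Auth-User"  # hypothetical header set by the proxy
PREFIX_REGEX = r"^CN="          # matches immediately before the attribute
STOP_REGEX = r","               # matches immediately after the attribute
USERS = {"jdoe"}                # known values of the chosen user attribute


def extract_attribute(value, prefix_regex, stop_regex):
    """Return the text between the prefix match and the stop match, or None."""
    start = 0
    if prefix_regex:
        prefix = re.search(prefix_regex, value)
        if prefix is None:
            return None  # prefix configured but absent: nothing to extract
        start = prefix.end()
    end = len(value)
    if stop_regex:
        # Assumption: if the stop regex never matches, take the rest of the value.
        stop = re.compile(stop_regex).search(value, start)
        if stop is not None:
            end = stop.start()
    return value[start:end] or None


def authenticate(remote_addr, headers):
    """Return the matched user attribute, or None when no login happens."""
    # The header is trusted as-is, so accept it only from the proxy itself.
    if ipaddress.ip_address(remote_addr) not in PROXY_ADDRESSES:
        return None
    # HTTP header names are case-insensitive.
    lowered = {name.lower(): v for name, v in headers.items()}
    raw = lowered.get(REQUEST_HEADER.lower())
    if raw is None:
        return None  # header missing: no automatic login
    attribute = extract_attribute(raw, PREFIX_REGEX, STOP_REGEX)
    return attribute if attribute in USERS else None  # exact matching


if __name__ == "__main__":
    dn = {"X-Auth-User": "CN=jdoe,OU=Staff,DC=example,DC=com"}
    print(authenticate("10.0.0.5", dn))     # request relayed by the proxy
    print(authenticate("203.0.113.7", dn))  # same header, direct connection
```

The second call shows why the source restriction matters: the header content is identical, and only the connection's origin distinguishes a request relayed by the proxy from one sent straight to the application.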