Configure Mistral
Mistral has a file-based configuration: to configure it you edit the config/mistral_config.xml file and set the different parameters. If you have already configured Mistral-IdM, you are probably ready to work with the Administrator Module.
This file is organized in the following sections:
- Mistral Config
- Mistral Certs Config
- LDAP Config
- eXist-db Config
- XKMS Config (optional)
Mistral Config
In this section you set the parameters related to the components of Mistral-IdM.
- MISTRAL_IDP_URL: the URL of the Mistral-IdM Identity Provider module, the core of the authentication.
- MISTRAL_ATTR_URL: the URL of the Mistral Attribute module; it returns the attributes linked to an end user when the IdP asks for them.
- MISTRAL_AUTHZ_URL: the URL of the Mistral Authentication (AUTHZ) module, the core of the authorization; it takes an access decision based on the defined policies.
- MISTRAL_IDP_CERT_URL: (optional) only needed if you want to enable authentication with certificates. It must be a URL with SSL support that asks for a client certificate. See Enable Authentication with certificates for more info.
Mistral Certs Config
This section configures the parameters related to the server certificates. Since Mistral consists of three modules, three different server keys should be installed: the IDP PKCS12, the AUTHZ PKCS12 and the ATTR PKCS12.
- IDP_PKCS12_PATH: path of the PKCS12 file of the Identity Provider.
- IDP_PKCS12_PASSWORD: password of the IdP PKCS12.
- IDP_PKCS12_CERT_ALIAS: alias that contains the IdP private key inside the PKCS12.
- IDP_PRIVATE_KEY_PASSWORD: password of the private key inside the PKCS12.
- AUTHZ_PKCS12_PATH: path of the PKCS12 file of the Authentication module.
- AUTHZ_PKCS12_PASSWORD: password of the AUTHZ PKCS12.
- AUTHZ_PKCS12_CERT_ALIAS: alias that contains the AUTHZ private key inside the PKCS12.
- AUTHZ_PRIVATE_KEY_PASSWORD: password of the private key inside the PKCS12.
- ATTR_PKCS12_PATH: path of the PKCS12 file of the Attribute module.
- ATTR_PKCS12_PASSWORD: password of the ATTR PKCS12.
- ATTR_PKCS12_CERT_ALIAS: alias that contains the ATTR private key inside the PKCS12.
- ATTR_PRIVATE_KEY_PASSWORD: password of the private key inside the PKCS12.
- IDP_CERT_PATH: path of the public certificate of the Identity Provider.
- ATTR_CERT_PATH: path of the public certificate of the Attribute module.
- AUTHZ_CERT_PATH: path of the public certificate of the Authentication module.
Note: paths can be absolute or relative; relative paths are resolved from the Mistral installation folder (e.g. /usr/share/mistral/).
LDAP Config
This section configures the parameters related to the LDAP server.
- LDAP_URL: URL of the LDAP server.
- LDAP_USER: user name with, at least, read permission on the LDAP server.
- LDAP_PASSWORD: password of that user.
- LDAP_USERS_SUFFIX: LDAP suffix where the users are located. 'ou=users,dc=mistral,dc=com' by default.
- LDAP_ROLES_SUFFIX: LDAP suffix where the roles are located. 'ou=roles,dc=mistral,dc=com' by default.
eXist-db Config
This section configures the parameters related to the eXist-db database.
- EXISTDB_URL: URL of the Mistral database inside eXist-db that allows XML-RPC access.
- EXISTDB_USER: user name with read permission on the Mistral database.
- EXISTDB_PASSWORD: password of that user.
XKMS Config
-- Only needed if you want to enable authentication based on certificates --
- XKMS_SERVER: URL of the XKMS Server. See Enable Authentication with certificates for more info.
Other
- LOGIN_WEB_PATH: path of the HTML page that is shown when a client has to authenticate.
- SESSION_MINUTES: time in minutes after which a session expires and the client needs to re-send their credentials.
- SET_CLIENT_IP: [true/false], sets whether the Identity Provider marks SAML messages with the IP of the client. If true, a client can only authenticate if they request the resource from the same machine from which they sent their credentials. This improves security but decreases privacy.
- CHECK_SIGNATURES: [true/false], if set to true, SAML signatures are validated using the public key.
- SIGN_MESSAGES: [true/false], if true, all SAML messages are digitally signed using the private key.
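The following Python script is an added example, not part of Mistral-IdM, that runs pre-deployment checks over the parameters documented above: every required key is present, relative paths are resolved from the installation folder, the two certificate-authentication parameters are set together, MISTRAL_IDP_CERT_URL uses https, the three boolean flags hold true/false, and the weak choices (CHECK_SIGNATURES or SIGN_MESSAGES set to false, a plain ldap:// URL carrying the bind password) are flagged. The page does not show the XML layout of mistral_config.xml, so the `<config><param name="...">` structure that `load_params()` reads, the sample host names and values, and the `exists=` hook that lets the demo run without the key files on disk are all assumptions.

```python
"""Pre-deployment checks for config/mistral_config.xml.

Added example, not Mistral's own code. ASSUMPTION: the page lists the
parameter names but not the file's XML layout, so this reads a hypothetical
<config><param name="KEY">value</param>...</config> structure; adapt
load_params() to the real file.
"""
import os
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MISTRAL_HOME = "/usr/share/mistral/"  # base for relative paths (installation folder named on the page)

# Parameter names are the ones the page documents; LDAP_*_SUFFIX have defaults and are not required.
REQUIRED = [
    "MISTRAL_IDP_URL", "MISTRAL_ATTR_URL", "MISTRAL_AUTHZ_URL",
    "IDP_PKCS12_PATH", "IDP_PKCS12_PASSWORD", "IDP_PKCS12_CERT_ALIAS", "IDP_PRIVATE_KEY_PASSWORD",
    "AUTHZ_PKCS12_PATH", "AUTHZ_PKCS12_PASSWORD", "AUTHZ_PKCS12_CERT_ALIAS", "AUTHZ_PRIVATE_KEY_PASSWORD",
    "ATTR_PKCS12_PATH", "ATTR_PKCS12_PASSWORD", "ATTR_PKCS12_CERT_ALIAS", "ATTR_PRIVATE_KEY_PASSWORD",
    "IDP_CERT_PATH", "ATTR_CERT_PATH", "AUTHZ_CERT_PATH",
    "LDAP_URL", "LDAP_USER", "LDAP_PASSWORD",
    "EXISTDB_URL", "EXISTDB_USER", "EXISTDB_PASSWORD",
    "LOGIN_WEB_PATH", "SESSION_MINUTES", "SET_CLIENT_IP", "CHECK_SIGNATURES", "SIGN_MESSAGES",
]
CERT_AUTH = ["MISTRAL_IDP_CERT_URL", "XKMS_SERVER"]  # optional, but only meaningful together
BOOLEANS = ["SET_CLIENT_IP", "CHECK_SIGNATURES", "SIGN_MESSAGES"]

# Constructed sample values (hypothetical hosts, REPLACE_ME secrets); not from a real deployment.
SAMPLE = {
    "MISTRAL_IDP_URL": "https://idp.example.test/mistral/idp",
    "MISTRAL_ATTR_URL": "https://attr.example.test/mistral/attr",
    "MISTRAL_AUTHZ_URL": "https://authz.example.test/mistral/authz",
    "LDAP_URL": "ldaps://ldap.example.test:636",
    "LDAP_USER": "cn=reader,dc=mistral,dc=com",
    "LDAP_PASSWORD": "REPLACE_ME",
    "EXISTDB_URL": "xmldb:exist://exist.example.test:8080/exist/xmlrpc/db/mistral",
    "EXISTDB_USER": "mistral",
    "EXISTDB_PASSWORD": "REPLACE_ME",
    "LOGIN_WEB_PATH": "web/login.html",
    "SESSION_MINUTES": "30",
    "SET_CLIENT_IP": "true",
    "CHECK_SIGNATURES": "true",
    "SIGN_MESSAGES": "true",
}
for _mod in ("IDP", "AUTHZ", "ATTR"):
    SAMPLE[f"{_mod}_PKCS12_PATH"] = f"certs/{_mod.lower()}.p12"
    SAMPLE[f"{_mod}_PKCS12_PASSWORD"] = "REPLACE_ME"
    SAMPLE[f"{_mod}_PKCS12_CERT_ALIAS"] = _mod.lower()
    SAMPLE[f"{_mod}_PRIVATE_KEY_PASSWORD"] = "REPLACE_ME"
    SAMPLE[f"{_mod}_CERT_PATH"] = f"certs/{_mod.lower()}.crt"


def sample_xml(**overrides):
    """Render the constructed sample (with optional overrides) in the assumed XML layout."""
    values = {**SAMPLE, **overrides}
    body = "".join(f'<param name="{k}">{v}</param>' for k, v in values.items())
    return f"<config>{body}</config>"


def load_params(xml_text):
    """Parse the assumed <param name=...>value</param> layout into a dict."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): (p.text or "").strip() for p in root.iter("param")}


def resolve_path(value, home=MISTRAL_HOME):
    """Relative paths are taken from the installation folder, as the page states."""
    return value if os.path.isabs(value) else os.path.join(home, value)


def check_config(params, exists=os.path.exists, home=MISTRAL_HOME):
    """Return findings as 'ERROR: ...' / 'WARN: ...' strings; an empty list means the config passed."""
    findings = []
    for key in REQUIRED:
        if not params.get(key):
            findings.append(f"ERROR: missing required parameter {key}")
    given = [k for k in CERT_AUTH if params.get(k)]
    if 0 < len(given) < len(CERT_AUTH):
        findings.append("ERROR: certificate authentication needs both " + " and ".join(CERT_AUTH))
    cert_url = params.get("MISTRAL_IDP_CERT_URL")
    if cert_url and urlparse(cert_url).scheme != "https":  # the page requires an SSL URL here
        findings.append("ERROR: MISTRAL_IDP_CERT_URL must use https (client certificates need TLS)")
    if urlparse(params.get("LDAP_URL", "")).scheme == "ldap":  # LDAP_PASSWORD travels over this link
        findings.append("WARN: LDAP_URL is plain ldap://; bind credentials are sent unencrypted")
    for key in REQUIRED:  # key material and certificates must exist where Mistral will look
        if key.endswith("_PATH") and params.get(key):
            full = resolve_path(params[key], home)
            if not exists(full):
                findings.append(f"ERROR: {key} -> {full} does not exist")
    for key in BOOLEANS:
        if params.get(key, "").lower() not in ("true", "false"):
            findings.append(f"ERROR: {key} must be true or false, got {params.get(key)!r}")
    if params.get("CHECK_SIGNATURES", "").lower() == "false":
        findings.append("WARN: CHECK_SIGNATURES=false; incoming SAML signatures are not validated")
    if params.get("SIGN_MESSAGES", "").lower() == "false":
        findings.append("WARN: SIGN_MESSAGES=false; outgoing SAML messages are unsigned")
    minutes = params.get("SESSION_MINUTES", "")
    if not minutes.isdigit() or int(minutes) <= 0:
        findings.append("ERROR: SESSION_MINUTES must be a positive integer")
    return findings


if __name__ == "__main__":
    # exists=lambda p: True pretends the key files are present so the demo runs offline; drop it in real use.
    print("hardened sample:", check_config(load_params(sample_xml()), exists=lambda p: True))
    weak = sample_xml(CHECK_SIGNATURES="false", LDAP_URL="ldap://ldap.example.test")
    for finding in check_config(load_params(weak), exists=lambda p: True):
        print(finding)
```

Run it against a real file with `check_config(load_params(open("config/mistral_config.xml").read()))` after adapting `load_params()` to the actual element layout; the WARN lines are the settings to revisit before exposing the IdP, since with CHECK_SIGNATURES=false the IdP accepts SAML messages whose signature it never verified.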
Edit the login web page
To edit the web page shown when a client needs to authenticate, follow these steps:
- Create an HTML web page; it must contain a POST form with the input fields 'user' and 'password'. If you want authentication with certificates, add another form with no fields.
- Edit the form manually and set its 'action' attribute to '#MISTRAL_IDP_URL#' (without the quotation marks). If you have the certificates form, set its 'action' attribute to '#MISTRAL_IDP_CERT_URL#'.
- Inside the forms insert '#FORM_LOGIN#' as if it were a new HTML element.
An example could look like this:
<body>
  <h1>This is an authentication web example</h1>
  <form method="post" action="#MISTRAL_IDP_URL#">Login:
    <input name="login" size="25" type="text">Password:
    <input name="password" size="25" type="password">
    <input value="Send" type="submit">
    #FORM_LOGIN#
  </form>
  <h2>Authenticate by certs</h2>
  <form method="post" action="#MISTRAL_IDP_CERT_URL#">
    #FORM_LOGIN#
    <input value="Send" type="submit">
  </form>
</body>
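The following Python script is an added example, not Mistral's own code, that lints a login page template against the three rules above before it is installed at LOGIN_WEB_PATH: exactly one POST form with action #MISTRAL_IDP_URL# that carries the credential fields and #FORM_LOGIN#, an optional POST form with action #MISTRAL_IDP_CERT_URL# that carries #FORM_LOGIN# but no input fields, and no #FORM_LOGIN# placeholder left outside a form. Because the text names the user field 'user' while the example uses 'login', the linter accepts either name; that choice, the embedded sample pages and the lint function itself are assumptions of this example.

```python
"""Lint a Mistral login page template before deployment (added example, not Mistral's code).

Uses only the standard-library HTML parser. The rules checked are the ones the page gives;
the acceptance of both 'user' and 'login' as the user field name is an assumption.
"""
from html.parser import HTMLParser

IDP_ACTION = "#MISTRAL_IDP_URL#"
CERT_ACTION = "#MISTRAL_IDP_CERT_URL#"
FORM_LOGIN = "#FORM_LOGIN#"
USER_FIELDS = {"user", "login"}  # page prose says 'user', page example uses 'login'


class FormCollector(HTMLParser):
    """Record each <form>'s method, action, data inputs and whether #FORM_LOGIN# sits inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.current = None
        self.placeholder_outside_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current = {"method": (a.get("method") or "get").lower(),
                            "action": a.get("action") or "", "inputs": set(), "login": False}
            self.forms.append(self.current)
        elif tag == "input" and self.current is not None:
            # Submit/reset buttons are not data fields.
            if (a.get("type") or "text").lower() not in ("submit", "button", "reset"):
                self.current["inputs"].add(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None

    def handle_data(self, data):
        if FORM_LOGIN in data:
            if self.current is None:
                self.placeholder_outside_form = True
            else:
                self.current["login"] = True


def lint_login_page(html):
    """Return a list of problems; an empty list means the template follows the page's rules."""
    p = FormCollector()
    p.feed(html)
    problems = []
    if p.placeholder_outside_form:
        problems.append("#FORM_LOGIN# appears outside a form")
    idp = [f for f in p.forms if f["action"] == IDP_ACTION]
    if len(idp) != 1:
        problems.append(f"expected exactly one form with action {IDP_ACTION}, found {len(idp)}")
    else:
        f = idp[0]
        if f["method"] != "post":
            problems.append("credential form must use method=post (GET puts the password in URLs and logs)")
        if not (f["inputs"] & USER_FIELDS):
            problems.append("credential form lacks a 'user' (or 'login') input")
        if "password" not in f["inputs"]:
            problems.append("credential form lacks a 'password' input")
        if not f["login"]:
            problems.append(f"credential form lacks {FORM_LOGIN}")
    for f in (f for f in p.forms if f["action"] == CERT_ACTION):
        if f["method"] != "post":
            problems.append("certificate form must use method=post")
        if f["inputs"]:
            problems.append("certificate form must have no input fields")
        if not f["login"]:
            problems.append(f"certificate form lacks {FORM_LOGIN}")
    return problems


# Constructed copy of the page's example page.
GOOD_PAGE = """<body>
<h1>This is an authentication web example</h1>
<form method="post" action="#MISTRAL_IDP_URL#">Login:
<input name="login" size="25" type="text">Password:
<input name="password" size="25" type="password">
<input value="Send" type="submit">
#FORM_LOGIN#
</form>
<h2>Authenticate by certs</h2>
<form method="post" action="#MISTRAL_IDP_CERT_URL#">
#FORM_LOGIN#
<input value="Send" type="submit">
</form>
</body>"""

# Constructed broken variant: no method (so GET), password field misnamed, placeholder outside the form.
BAD_PAGE = """<body>
<form action="#MISTRAL_IDP_URL#">
<input name="user" type="text"><input name="pass" type="password">
<input type="submit" value="Send">
</form>
#FORM_LOGIN#
</body>"""

if __name__ == "__main__":
    print("good page:", lint_login_page(GOOD_PAGE))
    for problem in lint_login_page(BAD_PAGE):
        print("bad page:", problem)
```

Run `lint_login_page(open(path).read())` on the file you point LOGIN_WEB_PATH at; a form without method="post" is the mistake worth catching early, since a GET form would place the password in the query string.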