How to configure Kiuwan authentication with your own LDAP service

Do you already have a corporate authentication service based on LDAP? Kiuwan Code Analysis now lets you authenticate your account users against your own LDAP service. Most of our customers use Microsoft Active Directory as the repository for user credentials. However, the procedure described here is valid for integrating Kiuwan with any other user repository, even one that is not based on LDAP.
If your company has a corporate authentication service, your users and passwords are most probably stored in Active Directory, OpenLDAP or IBM Tivoli. If that is your case, you don't want a separate password for your Kiuwan account. By integrating Kiuwan with your LDAP service, you delegate the authentication of your company's users to it.


How does it work?

Your company users won't sign in at https://www.kiuwan.com, but at an internal URL of your corporate network that you choose, such as http://kiuwan.yourdomain.com or http://yourdomain.com/kiuwan.
At this address you will run an authentication service application that relies on your local LDAP service. If the user has permission to access Kiuwan, the application generates a JWT authentication token containing the username, encrypted with a secret key that you generate in your Kiuwan account settings page.
This token is sent to Kiuwan, which validates it and creates the session for the user, who is automatically redirected to https://www.kiuwan.com to access the application.
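The token exchange described above, as an added example that is not Kiuwan's code nor the sample application's: one function plays the local authentication service (issuing the token after the LDAP check has passed) and one plays the receiving side (the checks that must pass before a session is created). The signing algorithm (HS256), the claim names (`clientId`, `sub`, `exp`) and the 5-minute lifetime are assumptions, not details taken from the page.

```python
"""Added example, not Kiuwan's or the sample app's code. Assumptions (not from
the page): HS256 signing, claim names "clientId"/"sub"/"exp", 5-minute lifetime."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(username: str, client_id: str, secret_key: str,
                now: Optional[int] = None, ttl: int = 300) -> str:
    """Local authentication service side: called only after the user has been
    authenticated against LDAP (or tomcat-users.xml in the sample app)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"clientId": client_id, "sub": username, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret_key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, secret_key: str, now: Optional[int] = None) -> Optional[dict]:
    """Receiving side (Kiuwan, in the flow above): pin the algorithm, check the
    signature in constant time, reject expired tokens. Returns the claims on
    success and None on any failure, so a bad token never creates a session."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # never let the token choose the algorithm
            return None
        expected = hmac.new(secret_key.encode(), f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if "sub" not in claims or claims.get("exp", 0) <= now:
            return None
        return claims
    except (ValueError, UnicodeDecodeError):
        return None
```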

[Figure: kiuwan-delegate-authentication-schema]

Requirements

You only need to install a Java application server on your premises for which you can configure an IP address, a domain name or an internal subdomain. Tomcat should be enough.
There are no specific hardware requirements, since this service will not have a heavy load: it only handles authentication and redirects users to Kiuwan.
This application server must have connectivity to your LDAP service, but it does not need Internet access. Your users must be able to reach https://www.kiuwan.com through the Internet with their browsers.


A sample application

You can find a simple authentication application (kiuwan/kiuwan-local-authentication) as a way to get started. This application uses Tomcat (tomcat-users.xml) as its authentication mechanism.
The steps are simple:
    1. Install [Tomcat 8.5.11] (or another application server, or one you already have in your company) on a server.
    2. Compile and deploy the sample authentication service application we provide on your application server.
    3. Configure the authentication service application in the index.jsp page. (Remember, this is a sample application. Do not use it as production code.)


Secret key

The required clientId and secretKey values are generated in Kiuwan. Log in to Kiuwan and go to Account Management – Secret keys:

[Figure: kiuwan-secret-keys]

Security settings

You also need to configure the security settings of the application server where you deployed our authentication service application, so that it connects to your LDAP or any other authentication server.
In this example, we use Tomcat (tomcat-users.xml):


The user (kuser) must be a valid user in Kiuwan. To add users to your Kiuwan account, log in to Kiuwan and go to Users Management – Add.
Configure the web.xml file to use this authentication mechanism:


You are done! Now you just have to tell your Kiuwan users to use the URL you have defined to access our authentication service application.
Aaah! And remember that this same configuration is also valid if you have Single Sign-On mechanisms such as LDAP, SPNEGO or IBM WebSEAL.
Have fun analyzing!