Managing Web Pages

With MIRACL Trust SSO it is possible to configure the web pages that display error messages, the logout page, the list of authorized Service Providers the logged-in user has access to, and the page that asks the user to enter a user_id for authentication.

A simple example of an authorized SP page would be:

[Screenshot: authorized SPs web page]

# Default HTML Templates

If the pages parameters are not populated, the template parameters are auto-populated with very simple XHTML 1.0 markup, which is suitable for local testing of the program.

For testing, the /etc/miracl-sso/integrations/pages_template.yaml file contains parameters that can be used to load simple HTML templates for the error, logout and services pages (remember that these parameters do not have to be stored in this file; they can be stored in any file that is then listed in the config.yaml includes list):

```yaml
# Each template is a Go template held in a YAML folded scalar (>-), so the
# line breaks below are joined with spaces when the file is loaded.
pages:
  error:
    # {{.Data}} carries the error message; the table lists every available field.
    template: >-
      <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
      xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type"
      content="text/html; charset=UTF-8" /><title>SSO
      ERROR</title></head><body><h1>SSO ERROR</h1><h2>{{.Data}}</h2><div><a
      href="{{.URL}}/services" title="SSO Login">SSO LOGIN</a> <a
      href="{{.URL}}/logout" title="Terminate the main SSO session">SSO
      LOGOUT</a></div><div><table><tr><th>FIELD</th><th>VALUE</th></tr>
      <tr><td>Program</td><td>{{.Program}}</td></tr><tr><td>Version</td>
      <td>{{.Version}}</td></tr><tr><td>Release</td><td>{{.Release}}</td></tr><tr><td>IdP
      URL</td><td>{{.URL}}</td></tr><tr><td>DateTime</td><td>{{.DateTime}}</td></tr>
      <tr><td>Timestamp</td><td>{{.Timestamp}}</td></tr><tr><td>Status</td>
      <td>{{.Status}}</td></tr><tr><td>Code</td><td>{{.Code}}</td></tr>
      <tr><td>Message</td><td>{{.Message}}</td></tr><tr><td>Data</td>
      <td>{{.Data}}</td></tr></table></div></body></html>
  logout:
    # .SPList maps each visited SP name to its logout link.
    template: >-
      <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
      xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type"
      content="text/html; charset=UTF-8" /><title>SSO
      LOGOUT</title></head><body><h1>SSO LOGOUT</h1><h2>The IDP Session has been
      successfully deleted</h2><div><a href="{{.URL}}/services" title="SSO Login">SSO
      LOGIN</a></div><h3>Logout links of visited Service Providers:</h3><ul>{{ range
      $name, $logout := .SPList }}<li><a href="{{ $logout }}" title="Logout from {{
      $name }}" target="_blank">{{ $name }}</a></li>{{ end }}</ul></body></html>
  services:
    # .SPList here is a list of SP entries with Name, Description and login/logout links.
    template: >-
      <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
      xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type"
      content="text/html; charset=UTF-8" /><title>SSO Authorized Service
      Providers</title></head><body><h1>SSO Authorized Service
      Providers</h1><h2>{{.SessionUserName}}</h2><div><a href="{{.URL}}/logout"
      title="Terminate the main SSO session">SSO LOGOUT</a></div><ul>{{ range $sp :=
      .SPList }}<li><strong>{{ $sp.Name }}</strong> <em>{{ $sp.Description
      }}</em><ul><li><a href="{{ $sp.IDPLogin }}" title="IdP-Login: {{ $sp.Description
      }}" target="_blank">IdP-initiated login</a></li><li><a href="{{ $sp.Login }}"
      title="Login: {{ $sp.Description }}" target="_blank">Login Page</a></li><li><a
      href="{{ $sp.Logout }}" title="Logout: {{ $sp.Description }}"
      target="_blank">Logout</a></li></ul></li>{{ end }}</ul></body></html>
  user_id:
    # Asks for the user_id before the request is authorized (see below).
    template: >-
      <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
      xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type"
      content="text/html; charset=UTF-8" /><title>SSO User ID</title></head>
      <body><form action="{{.URL}}/services"><label for="userid">Enter the user
      id you want to authenticate with</label><br><input type="text" id="userid"
      name="userid" value=""><br><input type="submit" value="Submit"></form></body></html>
  authentication:
    # Lets the user pick one of the configured IdPs when no rule matched the request.
    template: >-
      <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
      xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type"
      content="text/html; charset=UTF-8" /><title>SSO Authentication Providers
      </title></head><body><form action="{{.URL}}/services"><label>Choose the
      provider this request is authenticated with</label><br>
      {{ range $idp := .IDPList }}<div><input type="radio" id="{{ $idp }}"
      name="idp" value="{{ $idp }}"><label for="{{ $idp }}">"{{ $idp }}"</label>
      </div>{{ end }}<br><input type="submit" value="Submit"></form></body></html>
```

Note that the snippet above differs from the actual /etc/miracl-sso/integrations/pages_template.yaml file: it contains the templates that the config schema loads by default when no web page parameters are filled in (for either HTML templates or fully configured web pages).

  • The program is set up to serve authentication errors (404s, LDAP errors, SAML errors, etc.) in JSON format. The error page template above shows the variables that are available. Note that the Data field contains the error message.

  • It is possible to configure a logout page that lists the services the user is logged into for the current session. The logout page is served at the /logout endpoint of your server. Visiting it deletes the cookie associated with the session. The user can then click on any of these services to log out of that particular service (the logout links are configured in the individual SP config sections).

  • It is possible to use the /services endpoint to present a 'landing page' listing the services the user is authorized to access. Accessing this endpoint presents the user with a QR or browser login page, followed by a 'landing page' that lists the SPs the user is authorized to access according to the LDAP/AD configuration.

  • When the MIRACL Trust SSO has multiple configured IdPs and some of them contain user privilege rules, it needs to know the user id before handling the request. The /user_id page is then served so that the user can enter the user_id with which they want the request to be authorized.

  • When the MIRACL Trust SSO has multiple configured IdPs but none of the authentication rules match the request, the /authentication page is served; it lists all IdPs and the user chooses which one to authenticate with.
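The templates above use Go template syntax, and the error page's Data field carries an error message that may echo request input. The following added example (not MIRACL's own code; the SSO's real data structs are assumed, not taken from the page) renders cut-down copies of the error and logout templates and shows why the choice of Go's html/template over text/template decides whether such a field is rendered as inert text or as live markup.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"io"
	texttemplate "text/template"
)

// Cut-down copies of the page's error and logout templates (same field
// names and range syntax; the XHTML wrappers are omitted for brevity).
const errorTmpl = `<h1>SSO ERROR</h1><h2>{{.Data}}</h2><p>{{.Program}} {{.Version}}</p>`
const logoutTmpl = `<ul>{{ range $name, $logout := .SPList }}<li><a href="{{ $logout }}" ` +
	`title="Logout from {{ $name }}" target="_blank">{{ $name }}</a></li>{{ end }}</ul>`

// Assumed data shapes matching the fields the templates reference.
type ErrorPage struct{ Program, Version, Data string }
type LogoutPage struct {
	SPList map[string]string // SP name -> logout link, as ranged over above
}

// renderer is satisfied by both *html/template.Template and *text/template.Template.
type renderer interface{ Execute(io.Writer, interface{}) error }
func render(t renderer, data interface{}) (string, error) {
	var buf bytes.Buffer
	err := t.Execute(&buf, data)
	return buf.String(), err
}

// RenderHTML escapes each value for its context (text, attribute, URL), so a
// hostile value cannot break out of the markup and unsafe URL schemes are neutralised.
func RenderHTML(src string, data interface{}) (string, error) {
	return render(htmltemplate.Must(htmltemplate.New("page").Parse(src)), data)
}

// RenderText performs no escaping: an error message that echoes request
// input is emitted verbatim and becomes an XSS sink.
func RenderText(src string, data interface{}) (string, error) {
	return render(texttemplate.Must(texttemplate.New("page").Parse(src)), data)
}

func main() {
	// Constructed sample input: an error message that carries markup.
	e := ErrorPage{Program: "miracl-sso", Version: "x.y", Data: "<script>alert(1)</script>"}
	safe, _ := RenderHTML(errorTmpl, e)
	raw, _ := RenderText(errorTmpl, e)
	fmt.Println(safe) // <h2>&lt;script&gt;alert(1)&lt;/script&gt;</h2>: inert text
	fmt.Println(raw)  // <h2><script>alert(1)</script></h2>: executable in a browser
}
```

Rendering the logout template through RenderHTML additionally rewrites a non-http(s) logout link such as `javascript:` to the inert `#ZgotmplZ` placeholder, which is worth checking for when SP logout links come from configuration.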