nevisAuth Plug-In Implementation Notes

The implementation notes are provided for informational purposes only. Due to changes in the components or best practices, the implementation may change in a future version of the patterns.

nevisAuth Instance Pattern

  • The nevisAuth Instance pattern creates and configures a nevisAuth instance. The nevisAuth instance is named according to the pattern name.
  • The nevisAuth instance requires a TCP Service port. It uses 8991 as default.
  • The pattern creates an automatic keystore and truststore unless you assign different key and trust provider patterns.

Authentication Realm Pattern

  • The Authentication Realm pattern creates a Domain element in the esauth4.xml file according to the pattern name.
  • The pattern uses the assigned Authentication Step patterns to build trees which describe possible authentication flows.
    • Each node in the tree represents one step. It can consist of several AuthStates.
  • A node has one entry point and one or two exit points (a success exit and, optionally, a failure exit).
    • The leaves of the tree are added automatically. They configure AuthDone and AuthError AuthStates.
  • Configures the Domain entry for initial authentication so that it points to the root of the tree.
  • Adds a Domain entry for stepup that points to a state which selects the session upgrade flow based on request:requiredRoles (which carries the required authentication level).
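The tree-building rules and the stepup entry above, modelled in Python as an added example (this is not nevisAdmin's generator and not nevisAuth code). Assumed for illustration only: the leaf names <realm>_AuthDone / <realm>_AuthError, the selector state name <realm>_StepupSelector, a role format auth.level.<n> for request:requiredRoles, and the element, attribute and class names in the rendered esauth4.xml-style fragment, which follow nevisAuth conventions as far as this example knows them and must be checked against the file the pattern actually generates.

```python
"""Model of how an Authentication Realm assembles its authentication tree and
dispatches stepup. Added illustration, not nevisAdmin's generator. Assumptions
(not from the implementation notes): leaf/selector state names, the role format
"auth.level.<n>" in request:requiredRoles, and the XML attribute/class names."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import re
import xml.etree.ElementTree as ET


@dataclass
class Step:
    """One node of the tree: one entry point and one or two exits."""
    name: str
    success: Optional[str] = None    # next step on success; None -> AuthDone leaf
    failure: Optional[str] = None    # next step on failure; None -> AuthError leaf
    has_failure_exit: bool = True    # False: single-exit step (only the success exit)


def build_tree(realm: str, root: str, steps: List[Step]) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Walk the steps from `root`, wire the exits, and attach AuthDone/AuthError
    leaves wherever an exit has no successor. Enforces the tree rules: every
    referenced step exists, each step has exactly one entry point (no re-entry,
    no cycles), and no assigned step is left unreachable."""
    by_name = {s.name: s for s in steps}
    done_leaf, error_leaf = f"{realm}_AuthDone", f"{realm}_AuthError"   # assumed names
    nodes: Dict[str, Dict[str, str]] = {}
    leaves: List[str] = []

    def visit(name: str, parent: Optional[str]) -> None:
        if name not in by_name:
            raise ValueError(f"{parent!r} references unknown step {name!r}")
        if name in nodes:
            raise ValueError(f"step {name!r} would have more than one entry point")
        step = by_name[name]
        exits = {"ok": step.success or done_leaf}
        if step.has_failure_exit:
            exits["failed"] = step.failure or error_leaf
        nodes[name] = exits                      # register before recursing: catches cycles
        for target in exits.values():
            if target in by_name:
                visit(target, name)
            elif target not in leaves:
                leaves.append(target)            # automatically added leaf

    visit(root, None)
    unreachable = sorted(set(by_name) - set(nodes))
    if unreachable:
        raise ValueError(f"steps not reachable from {root!r}: {unreachable}")
    return nodes, leaves


def render_domain(realm: str, root: str, nodes: Dict[str, Dict[str, str]], leaves: List[str]) -> str:
    """Render a Domain with its two entries plus the AuthStates, in the shape
    esauth4.xml uses (attribute and class names assumed here; the class of a
    regular step comes from its Authentication Step pattern and is omitted)."""
    frag = ET.Element("AuthEngine")
    domain = ET.SubElement(frag, "Domain", name=realm)
    ET.SubElement(domain, "Entry", method="authenticate", state=root)
    ET.SubElement(domain, "Entry", method="stepup", state=f"{realm}_StepupSelector")
    for name, exits in nodes.items():
        st = ET.SubElement(frag, "AuthState", name=name)
        for cond, target in exits.items():
            ET.SubElement(st, "ResultCond", name=cond, next=target)
    for leaf in leaves:
        cls = "AuthDone" if leaf.endswith("_AuthDone") else "AuthError"
        st = ET.SubElement(frag, "AuthState", name=leaf, final="true",
                           **{"class": f"ch.nevis.esauth.auth.states.standard.{cls}"})
        ET.SubElement(st, "Response", value="AUTH_DONE" if cls == "AuthDone" else "AUTH_ERROR")
    ET.indent(frag)
    return ET.tostring(frag, encoding="unicode")


LEVEL_ROLE = re.compile(r"^auth\.level\.(\d+)$")   # assumed encoding of the level in a role


def select_stepup_flow(required_roles: str, current_level: int, flows: Dict[int, str]) -> Optional[str]:
    """What the stepup selector state decides: pick the upgrade flow for the
    highest level named in request:requiredRoles. Returns None when the session
    already satisfies it; a required level without a configured flow is an
    error rather than a silent fallback to a weaker flow."""
    levels = [int(m.group(1)) for r in required_roles.split(",")
              if (m := LEVEL_ROLE.match(r.strip()))]
    if not levels:
        return None
    needed = max(levels)
    if current_level >= needed:
        return None
    if needed not in flows:
        raise ValueError(f"no stepup flow configured for level {needed}")
    return flows[needed]


if __name__ == "__main__":
    # Constructed realm: Password -> Otp, both failure exits fall to the AuthError leaf.
    steps = [Step("Password", success="Otp"), Step("Otp")]
    nodes, leaves = build_tree("Realm", "Password", steps)
    print(render_domain("Realm", "Password", nodes, leaves))
    print(select_stepup_flow("auth.level.2, some.other.role", 1, {2: "Otp"}))
```

The explicit checks in build_tree are the point: a step referenced from two exits or a back-reference to an earlier step is rejected, because a node with two entry points is no longer a tree, and the selector refuses to pick a weaker flow when the required level has no upgrade flow configured.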

SAML SP Realm Pattern

  • Creates a Domain element in the esauth4.xml file according to the pattern name.
  • Adds a mapping to nevisProxy web.xml for the assertion consumer service URL. SAML responses returned by IDPs are consumed on this path.
  • Disables InterceptionRedirect for the application as this security feature is not required in combination with SAML.
  • Uses the assigned SAML IDP Connector patterns to create one ServiceProviderState for each associated IDP. The correct state is determined based on a configurable nevisAuth expression.
  • The final redirect of SP-initiated SAML logout can be defined by assigning the Logout pattern and setting the target URL there.
  • The SAML SP has its own session cookie, named Session_<patternName> by default.

SAML IDP Pattern

  • The SAML IDP pattern is an add-on which can be assigned to nevisAuth Realm patterns (except the SAML SP Realm) via the property Authentication Services.
  • Adds a mapping to nevisProxy web.xml for the single-sign-on URL. SAML requests sent by SPs are consumed on this path.
  • For each assigned SAML SP Connector an IdentityProviderState is configured.