8.8 Managing Direct Access to the Identity Server

Users usually log into the Identity Server when they request access to a Web resource. They are redirected by the Access Gateway from the resource to the Identity Server to provide the required credentials for the resource. After they are authenticated, they are not prompted for credentials again, unless a resource requires credentials that they haven’t already supplied.

However, users can log directly into the Identity Server and access the User Portal, or they can access information about available Web Services Description Language (WSDL) services. This section describes how to manage access to these pages.

8.8.1 Logging In to the User Portal

Users can log directly into the Identity Server when they enter the Base URL of the Identity Server in their browsers. For example, if your base URL is http://bfrei.provo.novell.com:8080/nidp, entering this URL prompts the user to authenticate with the credentials required for the default contract. If authentication succeeds, the user is redirected to /nidp/app and the following page is displayed:

Figure 8-3 User Portal

This User Portal does not contain much useful information for the user unless you have set up federation or have enabled the Liberty profiles. (See Section 10.0, Configuring User Authentication and Federation and Section 12.0, Configuring Liberty Web Services.)

8.8.2 Blocking Access to the User Portal

If you do not want users to have access to this User Portal page, you can disable direct login to the Identity Server by modifying a JSP page.

After a user successfully authenticates to the NIDP server directly, the main.jsp page from /opt/novell/nids/lib/webapp/jsp is presented to the user. This page builds the portal page with links to the banner.jsp, nav.jsp, federations.jsp, and home.jsp, which are in the same directory. The beginning lines of the main.jsp page build an HTTP response header. Find the following lines in the file:

<%
    response.setHeader("Pragma", "No-cache");
    response.setHeader("Cache-Control", "no-cache");

To avoid building the entire portal page that you do not want the users to access, inject an HTTP redirect so that users directly accessing the NIDP server are redirected to a page that you want them to access. For example, to redirect users to novell.com, add the following line below the setHeader commands:

    response.sendRedirect("http://www.novell.com");

Users are redirected to http://www.novell.com rather than to /nidp/app.

After saving the file, you do not need to restart Tomcat or the NIDP server. The changes should be effective immediately.

8.8.3 Blocking Access to the WSDL Services Page

Users can access the WSDL service page when they enter the Base URL of the Identity Server in their browsers with the path to the Services page. For example, if your base URL is http://bfrei.provo.novell.com:8080/nidp, the users can access the services page with the following URL:

http://bfrei.provo.novell.com:8080/nidp/services

The Services page contains the following information and links:

Figure 8-4 WSDL Services Page

If you do not want your users to have access to this page, you can block access by modifying the web.xml file in the /opt/novell/nids/lib/webapp/WEB-INF directory. Near the top of the file, in the context initialization parameters section, add the following lines:

  <context-param>
    <param-name>wsfServicesList</param-name>
    <param-value>full</param-value>
  </context-param>

When <param-value> has a value of full, users can access the Services page. To modify this behavior, replace full with one of the following values:

Table 8-1 Context Parameter Values

  Value   Description
  -----   -----------------------------------------------
  404     Returns an HTTP 404 status code: Not Found
  403     Returns an HTTP 403 status code: Forbidden
  empty   Returns an empty services list

If the parameter is removed from the file or if you enter an invalid value, the value is interpreted as full, and users have access to the page.

You need to restart Tomcat for your modifications to take effect:

/etc/init.d/novell-tomcat4 restart
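To confirm which mode a given web.xml actually yields before restarting Tomcat, here is an added Python example (not part of the Access Manager product or of this documentation) that parses the file and applies the fallback rule above: a missing wsfServicesList parameter or an unrecognised value is reported as "full". The sample web.xml fragments are constructed for the example.

```python
"""Audit the wsfServicesList context parameter in an Access Manager web.xml."""
import xml.etree.ElementTree as ET

# Values the documentation lists for <param-value>; anything else counts as "full".
VALID_VALUES = {"full", "404", "403", "empty"}
PARAM_NAME = "wsfServicesList"

def _local(tag):
    """Strip a namespace prefix ({uri}name -> name) so the lookup works
    whether web.xml declares the Servlet xmlns or uses the older DTD form."""
    return tag.rsplit("}", 1)[-1]

def effective_services_mode(web_xml_text):
    """Return the mode the Identity Server applies to /nidp/services.
    Mirrors the documented rule: a missing parameter or an unrecognised
    value is interpreted as "full", i.e. the page stays reachable.
    """
    root = ET.fromstring(web_xml_text)
    for elem in root.iter():
        if _local(elem.tag) != "context-param":
            continue
        name = value = None
        for child in elem:
            if _local(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                value = (child.text or "").strip()
        if name == PARAM_NAME:
            return value if value in VALID_VALUES else "full"
    return "full"

def services_page_exposed(web_xml_text):
    """True when the WSDL services page is reachable (mode "full")."""
    return effective_services_mode(web_xml_text) == "full"

# Constructed sample web.xml fragments, not copied from a real deployment.
SAMPLE_BLOCKED = """<web-app>
  <context-param>
    <param-name>wsfServicesList</param-name>
    <param-value>403</param-value>
  </context-param>
</web-app>"""
SAMPLE_TYPO = SAMPLE_BLOCKED.replace(">403<", ">forbidden<")  # invalid value
SAMPLE_MISSING = "<web-app><display-name>nidp</display-name></web-app>"

if __name__ == "__main__":
    for text in (SAMPLE_BLOCKED, SAMPLE_TYPO, SAMPLE_MISSING):
        print(effective_services_mode(text), services_page_exposed(text))
```

Run it against /opt/novell/nids/lib/webapp/WEB-INF/web.xml by passing the file contents to effective_services_mode; a result of "full" means the Services page is still open.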