...
- A service defines the target UDMG Server and the supported authentication mechanism or provider.
- A provider define defines the type and the actual configuration for the related identity provider, for example the address of the LDAP server and the needed entity mapping.
...
Name | Description |
---|---|
local | Standard UDMG Server authentication, usernames and passwords are stored in the database. |
saml | SAML 2.0 Provider |
Google OAuth2 Provider | |
ldap | LDAP Server |
oidc | Standard OpenID Provider |
oauth | Standard OAuth2 Provider |
By default, the local
authentication is always enabled for all services.
Local Authentication
Local authentication is the standard authentication with usernames and passwords that are stored in the UDMG Server database. It is available for UDMG Admin UI, the REST API interface and the UDMG Client command line tool.
Note | ||
---|---|---|
| ||
When the UDMG Server is first started, a single user named 'admin' is created with the password 'admin_password'. This user is only to be used to create other users to administer the UDMG Server. It is therefore strongly recommended that you create one or more users immediately, then change the "admin" account password. |
Single Sign-On Settings
Before you begin
...
This is the identifier that is shared between UDMG and the Identity Provider
Configuration
Please refer to the pages:
LDAP Settings
UDMG Admin UI login page with the LDAP provider.
LDAP
ServiceExample of a service section in UDMG Authentication Proxy for LDAP authentication
Code Block | ||
---|---|---|
| ||
[service.ldap] protocol = "http" policy = "failover" [service.ldap.credential] username = "ldap_sync" password = "ldap_password" [[service.localldap.targets]] hostname = "localhost" port = 18080 [service.ldap.auth.ldap] file = "udmg-ldap-config.json" |
...
The details of the LDAP server are defined in the JSON file.
User Provisioning
In case of successful authentication on the LDAP, the UDMG user is created with default Read permission in the internal UDMG database if it does not exist. Otherwise the user credentials are updated in the database to allow for authentication on the REST and CLI interfaces.
Default permissions after the user provisioning:
The LDAP replication requires a user with permission for creating and updating users. For example to create the 'ldap_sync' user with the command line interface:
Code Block | ||
---|---|---|
| ||
[service.local.auth.ldap] file = "udmg-client user add -u ldap_sync -p ldap_password -r 'U=rw' |
Anonymous Binding
Example of provider configuration file udmg-ldap-config.json
...
for anonymous binding on the LDAP server.
Code Block | ||
---|---|---|
| ||
{ "host": "localhostldap:1389", "insecureNoSSL": true, "usernamePrompt": "Email Address", "userSearch": { "baseDN": "dc=stonebranch,dc=com", "filter": "(objectClass=*)", "username": "cn", "idAttr": "uidNumber", "emailAttr": "uidNumber", "nameAttr": "cn" }, "groupSearch": { "baseDN": "ou=readers,dc=stonebranch,dc=com", "filter": "(objectClass=groupOfNames)", "userMatchers": [ { "userAttr": "DN", "groupAttr": "member" } ], "nameAttr": "cn" } } |
Explicit Binding
...
Example of provider configuration file udmg-l
dap-config.json
for explicit binding on the LDAP server.
Code Block | ||
---|---|---|
| ||
{ "host": "localhostldap:1389", "bindDN": "cn=proxy,ou=users,dc=stonebranch,dc=com", "bindPW": "proxy_password", "insecureNoSSL": true, "usernamePrompt": "Email Address", "userSearch": { "baseDN": "dc=stonebranch,dc=com", "filter": "(objectClass=*)", "username": "uid", "idAttr": "uidNumber", "emailAttr": "uidNumber", "nameAttr": "cn" }, "groupSearch": { "baseDN": "ou=users,dc=stonebranch,dc=com", "filter": "(objectClass=groupOfNames)", "userMatchers": [{ "userAttr": "DN", "groupAttr": "member" }], "nameAttr": "cn" } } |
...