Overview

UDMG Authentication Proxy enables the authentication of users to the UDMG Server REST API with a token mechanism that maintains the authenticated connection for a period of time. Its main purpose is to allow a user session on the UDMG Admin UI, which relies only on the REST API. By extension, it provides integration with other authentication mechanisms such as LDAP and SSO, and can be used by other UDMG Server REST clients to access the UDMG API through these additional identity providers.


The Authentication Proxy concept is split between service and provider entities.

  • A service defines the target UDMG Server and the supported authentication mechanism or provider.
  • A provider defines the type and the actual configuration of the related identity provider, for example the address of the LDAP server and the required entity mapping.

The combination of service and provider is flexible and allows grouping per target environment or per desired authentication type.

For example, the same UDMG Authentication Proxy can be setup to give access to:

  • Preproduction with LDAP authentication
  • Quality Assurance with SSO SAML authentication
  • Development with Local authentication 


The provider types are the following:

Name     Description
local    Standard UDMG Server authentication; usernames and passwords are stored in the database.
saml     SAML 2.0 Provider
google   Google OAuth2 Provider
ldap     LDAP Server
oidc     Standard OpenID Provider
oauth    Standard OAuth2 Provider

By default, the local authentication is always enabled for all services.

Single Sign-On Settings

Before you begin

In order to provide an integration via an SSO Provider, it is required that the UDMG users have an email value.

This is the identifier that is shared between UDMG and the Identity Provider.


Configuration

Please refer to the pages:


LDAP

LDAP Service

[service.local.auth.ldap]
file = "ldap-config.json"


Anonymous Binding:

{
  "host": "localhost:1389",
  "insecureNoSSL": true,
  "usernamePrompt": "Email Address",
  "userSearch": {
    "baseDN": "dc=stonebranch,dc=com",
    "filter": "(objectClass=*)",
    "username": "cn",
    "idAttr": "uidNumber",
    "emailAttr": "uidNumber",
    "nameAttr": "cn"
  },
  "groupSearch": {
    "baseDN": "ou=readers,dc=stonebranch,dc=com",
    "filter": "(objectClass=groupOfNames)",
    "userMatchers": [
      {
        "userAttr": "DN",
        "groupAttr": "member"
      }
    ],
    "nameAttr": "cn"
  }
}

Explicit Binding:

{
	"host": "localhost:1389",
	"bindDN": "cn=proxy,ou=users,dc=stonebranch,dc=com",
	"bindPW": "proxy",
	"insecureNoSSL": true,
	"usernamePrompt": "Email Address",
	"userSearch": {
		"baseDN": "dc=stonebranch,dc=com",
		"filter": "(objectClass=*)",
		"username": "uid",
		"idAttr": "uidNumber",
		"emailAttr": "uidNumber",
		"nameAttr": "cn"
	},
	"groupSearch": {
		"baseDN": "ou=users,dc=stonebranch,dc=com",
		"filter": "(objectClass=groupOfNames)",
		"userMatchers": [{
			"userAttr": "DN",
			"groupAttr": "member"
		}],
		"nameAttr": "cn"
	}
}
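To show how the userSearch and groupSearch sections above are applied, here is an added Python example (not part of this page or of the UDMG product) that loads a reduced copy of the explicit-binding ldap-config.json, looks up a login against a constructed in-memory directory, resolves group membership through the userMatchers rule (a user's DN must appear in the group's member attribute), and lists the settings a reviewer would flag before deployment. It assumes, as the page does not state it, that the proxy combines the configured filter with (username=login) in an AND filter; the RFC 4515 escaping of the login value is a standard safeguard added here.

```python
import json
# Constructed sample: the explicit-binding ldap-config.json from this page, reduced to the keys this example reads.
LDAP_CONFIG = json.loads("""{
  "host": "localhost:1389", "bindDN": "cn=proxy,ou=users,dc=stonebranch,dc=com", "bindPW": "proxy",
  "insecureNoSSL": true,
  "userSearch": {"baseDN": "dc=stonebranch,dc=com", "filter": "(objectClass=*)", "username": "uid"},
  "groupSearch": {"baseDN": "ou=users,dc=stonebranch,dc=com", "filter": "(objectClass=groupOfNames)",
                  "userMatchers": [{"userAttr": "DN", "groupAttr": "member"}], "nameAttr": "cn"}
}""")
# Constructed in-memory stand-in for the LDAP server: entries keyed by DN, attribute values as lists.
ALICE_DN = "uid=alice,ou=users,dc=stonebranch,dc=com"
DIRECTORY = {
    ALICE_DN: {"objectClass": ["inetOrgPerson"], "uid": ["alice"], "uidNumber": ["1001"], "cn": ["Alice"]},
    "cn=readers,ou=users,dc=stonebranch,dc=com": {"objectClass": ["groupOfNames"], "cn": ["readers"], "member": [ALICE_DN]},
}

def escape_filter_value(value):  # RFC 4515 escaping: a login typed at usernamePrompt cannot reshape the filter
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def user_search_filter(cfg, login):
    """Filter used to locate the login; assumed (not stated on the page) to AND the configured filter with username=login."""
    u = cfg["userSearch"]
    return f"(&{u['filter']}({u['username']}={escape_filter_value(login)}))"

def _matches(entry, simple_filter):  # evaluates one (attr=value) or (attr=*) filter, enough for the page's filters
    attr, _, val = simple_filter.strip("()").partition("=")
    return attr in entry and (val == "*" or val in entry[attr])

def find_user(cfg, directory, login):
    """Return (dn, entry) for the login under userSearch.baseDN, or None when the directory has no such user."""
    u = cfg["userSearch"]
    for dn, entry in directory.items():
        if dn.endswith(u["baseDN"]) and _matches(entry, u["filter"]) and login in entry.get(u["username"], []):
            return dn, entry
    return None

def resolve_groups(cfg, directory, user_dn, user_entry):
    """Apply each userMatcher: a group matches when its groupAttr holds the user's userAttr value ("DN" = entry's DN)."""
    g, groups = cfg["groupSearch"], []
    for m in g["userMatchers"]:
        user_val = user_dn if m["userAttr"] == "DN" else user_entry.get(m["userAttr"], [None])[0]
        for dn, entry in directory.items():
            if dn.endswith(g["baseDN"]) and _matches(entry, g["filter"]) and user_val in entry.get(m["groupAttr"], []):
                groups.extend(entry[g["nameAttr"]])
    return groups

def config_warnings(cfg):
    """Review checks for ldap-config.json before deployment; both settings flagged here appear in the page's samples."""
    checks = [(cfg.get("insecureNoSSL"), "insecureNoSSL: bind credentials and user passwords cross the network unencrypted"),
              ("bindPW" in cfg, "bindPW: service-account secret stored inline; restrict who can read the file")]
    return [msg for hit, msg in checks if hit]
```

Running find_user followed by resolve_groups for "alice" yields the group "readers", matching the member entry in the constructed directory; config_warnings reports both the insecureNoSSL and inline bindPW settings carried over from the page's sample.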