
Overview

UDMG Authentication Proxy enables the authentication of users to the UDMG Server REST API with a token mechanism to maintain the authenticated connection for a period of time. Its main purpose is to allow a user session to happen on the UDMG Admin UI which only relies on the REST API. By extension, it provides integration with other authentication mechanisms like LDAP and SSO and can be used by other UDMG Server REST clients to access the UDMG API with these additional Identity Providers.


The Authentication Proxy concept is split between service and provider entities.

  • A service defines the target UDMG Server and the supported authentication mechanism or provider.
  • A provider defines the type and the actual configuration for the related identity provider, for example the address of the LDAP server and the needed entity mapping.

The combination between service and provider is flexible and allows the grouping per target environment or per desired authentication type.

For example, the same UDMG Authentication Proxy can be set up to give access to:

  • Preproduction with LDAP authentication
  • Quality Assurance with SSO SAML authentication
  • Development with Local authentication


The provider types are the following:

Name    Description
local   Standard UDMG Server authentication; usernames and passwords are stored in the UDMG Server database. This includes the additional TOTP login method.
saml    SAML 2.0 Provider.
google  Google OAuth2 Provider.
ldap    LDAP Server.
oidc    Standard OpenID Provider.
oauth   Standard OAuth2 Provider.

By default, the local authentication is always enabled for all services.

Local Authentication

Local authentication is the standard authentication with usernames and passwords that are stored in the UDMG Server database. It is available for UDMG Admin UI, the REST API interface, and the UDMG Client command line (CLI) tool.


Note

When the UDMG Server is first started, a single user named 'admin' is created with the password 'admin_password'. The user has full administrative permissions and should only be used to create other users to administer the UDMG Server. It is strongly recommended that you create one or more users immediately and then change the "admin" account password.

Single Sign-On Settings

Before you begin

In order to provide an integration via an SSO Provider, it is required that the UDMG users have an email value.

The user's email value is the identifier that is shared between UDMG and the Identity Provider.

Configuration

Please refer to the pages:


LDAP Settings

UDMG Admin UI login page with the LDAP Provider.

Example of a service section in UDMG Authentication Proxy for LDAP authentication.

[service.ldap]
protocol = "http"
policy = "failover"

[service.ldap.credential]
username = "ldap_sync"
password = "ldap_password"

[[service.ldap.targets]]
hostname = "localhost"
port = 18080

[service.ldap.auth.ldap]
file = "udmg-ldap-config.json"

The details of the LDAP server are defined in the JSON file. 

User Provisioning

On successful authentication against the LDAP server, the UDMG user is created in the internal UDMG Server database with the default Read permission if it does not yet exist.

Otherwise, the user's credentials are updated in the UDMG Server database so that the same user can also authenticate on the REST and CLI interfaces.

The default permissions after the user provisioning:


This one-way LDAP replication requires a UDMG user with the permission to create and update users. For example, to create the 'ldap_sync' user with the command line interface:

udmg-client user add -u ldap_sync -p ldap_password -r 'U=rw'


Anonymous Binding

Example of provider configuration file udmg-ldap-config.json for anonymous binding on the LDAP server.

{
  "host": "ldap:1389",
  "insecureNoSSL": true,
  "usernamePrompt": "Email Address",
  "userSearch": {
    "baseDN": "dc=stonebranch,dc=com",
    "filter": "(objectClass=*)",
    "username": "cn",
    "idAttr": "uidNumber",
    "emailAttr": "uidNumber",
    "nameAttr": "cn"
  },
  "groupSearch": {
    "baseDN": "ou=readers,dc=stonebranch,dc=com",
    "filter": "(objectClass=groupOfNames)",
    "userMatchers": [
      {
        "userAttr": "DN",
        "groupAttr": "member"
      }
    ],
    "nameAttr": "cn"
  }
}

Explicit Binding

Example of provider configuration file udmg-ldap-config.json for explicit binding on the LDAP server.

{
  "host": "ldap:1389",
  "bindDN": "cn=proxy,ou=users,dc=stonebranch,dc=com",
  "bindPW": "proxy_password",
  "insecureNoSSL": true,
  "usernamePrompt": "Email Address",
  "userSearch": {
    "baseDN": "dc=stonebranch,dc=com",
    "filter": "(objectClass=*)",
    "username": "uid",
    "idAttr": "uidNumber",
    "emailAttr": "uidNumber",
    "nameAttr": "cn"
  },
  "groupSearch": {
    "baseDN": "ou=users,dc=stonebranch,dc=com",
    "filter": "(objectClass=groupOfNames)",
    "userMatchers": [
      {
        "userAttr": "DN",
        "groupAttr": "member"
      }
    ],
    "nameAttr": "cn"
  }
}
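The following is an added example, not part of the UDMG product, that reads a provider file in the format of the anonymous and explicit binding examples above, flags the settings a reviewer would question (insecureNoSSL, anonymous binding, inline bindPW), and shows how a login name must be escaped before it is placed in the configured user search filter. It assumes the proxy combines userSearch.filter with an equality match on the userSearch.username attribute; the sample file is constructed here from the explicit-binding example.

```python
"""Review a udmg-ldap-config.json provider file and build the user search filter."""
import json

# Constructed sample mirroring the explicit-binding configuration above.
SAMPLE_CONFIG = json.dumps({
    "host": "ldap:1389",
    "bindDN": "cn=proxy,ou=users,dc=stonebranch,dc=com",
    "bindPW": "proxy_password",
    "insecureNoSSL": True,
    "usernamePrompt": "Email Address",
    "userSearch": {"baseDN": "dc=stonebranch,dc=com", "filter": "(objectClass=*)",
                   "username": "uid", "idAttr": "uidNumber",
                   "emailAttr": "uidNumber", "nameAttr": "cn"},
    "groupSearch": {"baseDN": "ou=users,dc=stonebranch,dc=com",
                    "filter": "(objectClass=groupOfNames)",
                    "userMatchers": [{"userAttr": "DN", "groupAttr": "member"}],
                    "nameAttr": "cn"},
})

# RFC 4515 escapes for characters that would otherwise alter the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for safe use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(config: dict, login: str) -> str:
    """Effective filter for one login attempt (assumed composition: AND of
    the configured filter and an equality match on the username attribute)."""
    search = config["userSearch"]
    return f"(&{search['filter']}({search['username']}={escape_filter_value(login)}))"


def review_config(raw: str) -> list[str]:
    """Return the findings a reviewer would raise on the provider file."""
    cfg = json.loads(raw)
    findings = []
    if cfg.get("insecureNoSSL"):
        findings.append("insecureNoSSL is true: the LDAP connection is not TLS-protected")
    if "bindDN" not in cfg:
        findings.append("no bindDN: anonymous binding, the directory must allow it for user search")
    elif cfg.get("bindPW"):
        findings.append("bindPW stored inline: restrict the file's permissions")
    return findings


if __name__ == "__main__":
    for finding in review_config(SAMPLE_CONFIG):
        print("-", finding)
    print(user_search_filter(json.loads(SAMPLE_CONFIG), "jdoe"))
```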