Available authentication methods

AkiomaUser

Front-end - Back-end interaction:

Basic HybridRealm authentication. The PASOE validates the provided credentials (username & password) directly, using the ISwatAuthenticationService.

ActiveDirectory

Front-end - Back-end interaction:

The client sends a POST request with the AD credentials to the "/web/Login/Login.html" access-point on the PASOE (swat-backend).

PASOE forwards the AD credentials to NodeJS (node-main).

NodeJS handles the AD authentication, using passport with the passport-ldapauth strategy, and responds with ssoSessionId & ssoUserId if authentication is successful.

PASOE passes the ssoSessionId & ssoUserId back to the client.

The client logs in to PASOE with ssoUserId & ssoSessionId.

PASOE handles the login using HybridRealm with ISwatAuthenticationService, checking with NodeJS whether the ssoSessionId & ssoUserId pair is valid.

The client is authenticated.

Note: node-main is hidden behind the PASOE server from the client's perspective.

In order to use ActiveDirectory authentication, the following configuration settings must be present in pasoe-config.xml / OEPAS_config.xml:

  • ssoAuthenticationURI - node-main access-point for AD authentication; takes username and password.
  • ssoAuthenticationCheckURI - node-main access-point for checking whether a valid SSO session was created, i.e. for verifying that the AD authentication was successful.
  • ssoAuthenticationSecretKey - OPTIONAL - secret key known by PASOE and node-main that is passed in the requests to node-main. Provides additional validation that the requests come from a trusted source (PASOE).

Example:

pasoe-config.xml / OEPAS_config.xml
	<AllowedAuthentication>ActiveDirectory</AllowedAuthentication>
	<ssoAuthenticationURI>http://localhost:8888/auth/ad/login</ssoAuthenticationURI>
	<ssoAuthenticationCheckURI>http://localhost:8888/auth/ad/sessions</ssoAuthenticationCheckURI>
	<ssoAuthenticationSecretKey>12345678901</ssoAuthenticationSecretKey><!-- OPTIONAL -->

AzureActiveDirectory

TBD by Sergiu Morar, Sebastian Lucaciu
Security settings

Enable/Disable authentication methods

In order to use the existing AkiomaUser and/or ActiveDirectory authentication methods, the <AllowedAuthentication> property must be present in the pasoe-config.xml / OEPAS_config.xml configuration file.

The AllowedAuthentication property is a comma separated list, containing enabled authentication methods. Default value is "AkiomaUser".

Example:

pasoe-config.xml / OEPAS_config.xml
<AllowedAuthentication>AkiomaUser,ActiveDirectory</AllowedAuthentication>

During the authentication process, this property is checked to verify that the current authentication method is allowed.

Example for AkiomaUser check:

CheckIsAllowedAkiomaUserAuth
    METHOD PROTECTED VOID CheckIsAllowedAkiomaUserAuth():
        /* AllowedAuthentication is the comma-separated list read from pasoe-config.xml;
           LOOKUP returns 0 when "AkiomaUser" is not one of its entries. */
        IF LOOKUP("AkiomaUser", SessionManager:AllowedAuthentication) EQ 0 THEN
            UNDO, THROW NEW Exception("AkiomaUser authentication is disabled!", 1).
    END METHOD.
