View Source

Available authentication methods

AkiomaUser

Front-end - Back-end interaction:

Build.One Documentation > Authentication > AU FrontEnd-Backend interaction.png

Basic hybridRealm authentication. The PASOE validates the provided credentials (username & password) directly, using the ISwatAuthenticationService.

ActiveDirectory

Front-end - Back-end interaction:

Build.One Documentation > Authentication > FrontEnd-Backend interaction.png

The client sends POST request with AD credentials to the "/web/Login/Login.html" access-point on the PASOE (swat-backend).

PASOE forwards AD credentials to NodeJS (node-main).

NodeJS handles AD authentication, using passport with passport-ldapauth strategy. Then responds with ssoSessionId & ssoUserId, if authentication successful.

PASOES passes back to Client the ssoSessionId & ssoUserId.

Client logins into PASOE with ssoUserId & ssoSessionId.

PASOE handles login using HybridRealm with ISwatAuthenticationService by checking if the ssoSessionId & ssoUserId is valid in nodeJs.

Client is authenticated.

Note: node-main is hidden behind PASOE server from the client's perspective.

In order to use ActiveDirectory authentication, the following configuration settings must be present in pasoe-config.xml / OEPAS_config.xml:

ssoAuthenticationURI - node-main access-point for AD authentication - takes username, password
ssoAuthenticationCheckURI - node-main access-point for checking if a valid SSO session was created, for verifying if the AD authentication was successful.
ssoAuthenticationSecretKey - OPTIONAL - secret key known by PASOE and node-main that is passed in the requests to node-main. Provides additional validation that the requests are done from a trusted source (PASOE).

Example:

	<AllowedAuthentication>ActiveDirectory</AllowedAuthentication>
	<ssoAuthenticationURI>http://localhost:8888/auth/ad/login</ssoAuthenticationURI>
	<ssoAuthenticationCheckURI>http://localhost:8888/auth/ad/sessions</ssoAuthenticationCheckURI>
	<ssoAuthenticationSecretKey>12345678901</ssoAuthenticationSecretKey><!-- OPTIONAL -->

AzureActiveDirectory

TBD by Sergiu Morar / Sebastian Lucaciu

Security settings

Enable/Disable authentication methods

In order to use the existing AkiomaUser and/or ActiveDirectory authentication/s, the <AllowedAuthentication> property must be present in the pasoe-config.xml / OEPAS_config.xml configuration file.

The AllowedAuthentication property is a comma separated list, containing enabled authentication methods. Default value is "AkiomaUser".

Example:

<AllowedAuthentication>AkiomaUser,ActiveDirectory</AllowedAuthentication>

The property is checked, during the authentication processes, if the current authentication is allowed.

Example for AkiomaUser check:

    METHOD PROTECTED VOID CheckIsAllowedAkiomaUserAuth():
        IF LOOKUP("AkiomaUser", SessionManager:AllowedAuthentication) EQ 0 THEN
            UNDO, THROW NEW Exception("AkiomaUser authentication is disabled!", 1).
    END METHOD.