This configuration is available from version 3.7 (the older, Spring XML based configuration used up to that point is described further below).

midPoint provides several authentication mechanisms. You can use the default authentication (against the local midPoint database) or LDAP (including Active Directory) authentication, and midPoint can also be configured as part of an SSO solution. The default mechanism authenticates against the midPoint database and needs no additional configuration.

midPoint uses the Spring Security framework for authentication. The configuration classes can be found in the gui/admin-gui project in the package com.evolveum.midpoint.web.boot, namely:

  • WebSecurityConfig.java
  • LdapSecurityConfig.java
  • CasSecurityConfig.java

Enabling a concrete authentication mechanism

The mechanism used for authentication is selected via Spring Boot profiles, e.g. with the -Dspring.profiles.active=... JVM command-line option.

LDAP authentication

In this case the "ldap" profile needs to be activated using the command-line option described above (spring.profiles.active set to ldap).

midPoint also needs the LDAP connection configuration (server URL, bind account, search settings). This configuration must be placed in the midpoint.home/application.yml file. Example of such configuration:

LDAP authentication via explicit attribute (e.g. email)

This feature was provided by the community and is available from version 3.9.

By default midPoint logs the user in under the same username that was typed into the midPoint login form. For example, the user types "jack"; if LDAP authenticates the user successfully, "jack" is logged into midPoint.

This feature allows specifying an explicit LDAP attribute (the "naming-attr" yml property) that is read from the user's LDAP entry and whose value matches the midPoint username. Combined with a custom LDAP search filter (the "pattern" property), it lets users authenticate with any attribute that is unique across the searched entries. For example, the user types "jack@example.com" into the login form, LDAP finds the corresponding entry and returns the value of its naming attribute, "jack", and midPoint logs in "jack", provided a UserType with that name exists. If the filter matches no entry, or more than one entry, the user cannot be correlated and the login fails, so the attribute used in the pattern really has to be unique.

The following example authenticates users based on the "mail" attribute. The user is then correlated to the midPoint username by the LDAP attribute "uid".
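To make the correlation flow concrete, here is an added, self-contained Python simulation of it. It is not midPoint's or Spring Security's code: the typed login is escaped and substituted into the configured pattern, exactly one directory entry must match, the entry's password is checked (the bind step), its naming attribute is read, and the result is accepted only if a midPoint user of that name exists. The in-memory directory, the passwords, the midPoint user set and all helper names are constructed for this demonstration; the property names pattern and naming-attr are the ones this page describes, while the RFC 4515 escaping of the substituted value is standard LDAP filter hygiene that the page itself does not discuss.

```python
"""Simulated login flow for midPoint's "LDAP authentication via explicit attribute".

Added example, not midPoint or Spring Security code. The directory entries,
midPoint usernames, passwords and helper names are constructed for the demo;
SEARCH_PATTERN and NAMING_ATTR stand in for the "pattern" and "naming-attr"
properties described in the text.
"""
from typing import Dict, List, Optional, Tuple

# RFC 4515 escaping for a value substituted into an LDAP search filter.
# Without it a login such as "*)(uid=admin" would rewrite the filter
# instead of being matched literally.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(pattern: str, login: str) -> str:
    """Substitute the typed login for {0} in the configured search pattern."""
    return pattern.replace("{0}", escape_filter_value(login))


Entry = Tuple[str, Dict[str, List[str]]]

# Constructed sample directory: (DN, attributes). Plaintext passwords only
# because this list is an in-memory stand-in for a bind against a real server.
DIRECTORY: List[Entry] = [
    ("uid=jack,ou=people,dc=example,dc=com",
     {"uid": ["jack"], "mail": ["jack@example.com"], "userPassword": ["jack-pw"]}),
    ("uid=will,ou=people,dc=example,dc=com",
     {"uid": ["will"], "mail": ["will@example.com"], "userPassword": ["will-pw"]}),
    # Valid LDAP account, but no UserType named "ghost" exists in midPoint.
    ("uid=ghost,ou=people,dc=example,dc=com",
     {"uid": ["ghost"], "mail": ["ghost@example.com"], "userPassword": ["ghost-pw"]}),
    # Two entries share one mail value, so "mail" is not unique for them.
    ("uid=dup1,ou=people,dc=example,dc=com",
     {"uid": ["dup1"], "mail": ["shared@example.com"], "userPassword": ["dup1-pw"]}),
    ("uid=dup2,ou=people,dc=example,dc=com",
     {"uid": ["dup2"], "mail": ["shared@example.com"], "userPassword": ["dup2-pw"]}),
]

# Constructed: usernames for which a UserType object exists in midPoint.
MIDPOINT_USERS = {"jack", "will", "dup1", "dup2"}

# Stand-ins for the configured "pattern" and "naming-attr" properties.
SEARCH_PATTERN = "(mail={0})"
NAMING_ATTR = "uid"


def search_single_entry(search_attr: str, login: str) -> Optional[Entry]:
    """Emulate the server answering the filter (search_attr=<escaped login>).

    An escaped value is compared literally by the server, so the raw login is
    matched here. Exactly one hit is required; zero or several hits mean there
    is no usable entry.
    """
    hits = [e for e in DIRECTORY if login in e[1].get(search_attr, [])]
    return hits[0] if len(hits) == 1 else None


def bind(entry: Entry, password: str) -> bool:
    """Emulate a simple bind as the found entry's DN."""
    return password in entry[1].get("userPassword", [])


def authenticate(login: str, password: str) -> Optional[str]:
    """Return the midPoint username that gets logged in, or None.

    Steps mirror the text: find the entry by the typed value, let LDAP
    authenticate it, read the naming attribute, require a matching UserType.
    """
    # The attribute inside the configured pattern: "(mail={0})" -> "mail".
    search_attr = SEARCH_PATTERN.strip("()").split("=", 1)[0]
    entry = search_single_entry(search_attr, login)
    if entry is None or not bind(entry, password):
        return None
    naming_values = entry[1].get(NAMING_ATTR, [])
    if len(naming_values) != 1:
        return None
    username = naming_values[0]
    return username if username in MIDPOINT_USERS else None


if __name__ == "__main__":
    print(build_filter(SEARCH_PATTERN, "*)(uid=admin"))   # (mail=\2a\29\28uid=admin)
    print(authenticate("jack@example.com", "jack-pw"))     # jack
    print(authenticate("ghost@example.com", "ghost-pw"))   # None: no such UserType
    print(authenticate("shared@example.com", "dup1-pw"))   # None: mail not unique
```

The two failure paths worth checking in a real deployment are visible here: a login value that matches several entries is rejected rather than silently picking the first one, and an LDAP account whose naming attribute has no corresponding midPoint user is authenticated by LDAP but still not logged in.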

CAS authentication

In this case the "cas" profile needs to be activated using the command-line option described above (spring.profiles.active set to cas).

TODO: Configuration for CAS integration.

This configuration is available from version 3.4.1 (older, Spring XML based configuration; for version 3.7 and later see the profile-based configuration above).

midPoint uses the Spring Security framework for authentication. The configuration files for authentication can be found in the gui/admin-gui project, in the src/main/webapp/WEB-INF folder, as several Spring context files:

  • ctx-webapp.xml - configuration for GUI component initialization. This file also references the properties placeholder file, so the path to the properties file is changed here.
  • ctx-web-security.xml - Spring Security initialisation, e.g. URL filters and the default login/logout page configuration. Unless midPoint is part of a CAS SSO solution, no modifications to this file are needed.
  • ctx-web-security-basic.xml - authentication against the (local) midPoint database.
  • ctx-web-security-cas.xml - CAS login/logout authentication configuration.
  • ctx-web-security-ldap.xml - LDAP authentication configuration.

Enabling a concrete authentication mechanism

The authentication mechanism is selected by an option passed at startup. How it is set depends on the application server or web container running midPoint; for the Tomcat application server it is passed as a JVM command-line option:

 

The possible values of the option are (for now) ldap and cas. According to this value one of the ctx-web-security-*.xml configurations is applied. If the option is not specified, the default (ctx-web-security-basic.xml) is used.

Configuration properties

In addition to the JVM command-line option that selects the authentication mechanism, the values of the property placeholders must be adjusted to your environment. The property placeholder file (midpoint-config.properties) is located in the gui/admin-gui project in the src/main/resources folder. Its location can be changed as needed by setting the path to the .properties file in ctx-webapp.xml. Then set the concrete values in midpoint-config.properties, e.g. the hostname of your LDAP server, the service account used to search records in the LDAP server, etc. Since the credentials of that service account live in this file, protect it like any other secret (restrictive file permissions, not committed to version control).
