# Authentication
## Configure type

Symphony offers the authentication options listed in the following sections. To decide which ones to use, update `com.agosense.symphony.ui-default.cfg` and `com.agosense.symphony.ui.generic-default.cfg` by creating/adding the following entry:

```
auth=<comma separated list of types>
```

where types can be:

- FORM
- JWT
- OIDC

When using OIDC, no other authentication type can be mixed in. An example config could look like this:

```
auth=FORM,JWT
```

Here, if a validly signed JWT is provided, that is sufficient for authentication. If not, the user needs to authenticate through the form based authentication.
## FORM

Form based authentication is enabled by default. Users and passwords are stored in `conf/password.properties`. User entries have to follow this schema:

```
user.<userid>=<password>
```

The password is stored as an md5 hash. To create such a hash, run:

```
echo -n "password" | md5sum
```
## OpenID Connect

Symphony supports authentication through an Identity Provider (IDP) using OpenID Connect. When authentication is required, Symphony forwards the user to the login page of the IDP to authenticate. The user must also be created in Symphony in order to be authorized after the authentication step; the user names in Symphony and in the IDP must match.

To use OpenID Connect you need to specify the following properties in `conf/bundles/symphony.security-default.cfg` (example values when using Keycloak as IDP):

```
oidc.discoveryUri=http(s)://<IDPHost>:<IDPPort>/realms/symphony/.well-known/openid/openid-configuration
oidc.id=<client id - e.g. symphony>
oidc.secret=<secret>
oidc.allowselfsigned=<true if IDP runs on https with self signed certificate>
oidc.disableHostnameVerifier=<true if hostname of the IDP and the certificate common name in the server certificate differ>
oidc.forceHttpsForAuthEndpoint=<true if only https connections to the IDP should be allowed>
```
## JSON Web Token

Symphony supports authentication based on JSON Web Tokens (JWT). Symphony expects the JWT to be included in the request header (parameter: `JWT`).

For security reasons Symphony only supports signed JWT tokens. You should add the private key used for signing the JWT to `conf/bundles/com.agosense.nucleus.http.deploy.default.cfg`:

```
jwtSecret=<private jwt signing key>
```

By default the JWT must include the Symphony user to authorize with in an attribute called `username`. You can adjust this by specifying the following attribute:

```
jwtUsernameAttribute=<your attribute>
```
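The following Python snippet is an added example, not Symphony's own code, showing the checks a consumer of such a token has to perform before the user name in it can be trusted: the `alg` header is pinned, the signature is verified against the configured secret before any claim is read, an `exp` claim is honoured when present, and the user name is taken from a configurable claim (mirroring `jwtUsernameAttribute`, default `username`). It assumes HS256 (shared-secret HMAC) signing; the page does not state which algorithm Symphony uses for `jwtSecret`, and the secret and claims below are constructed for the example. A `None` result stands for "not authenticated by JWT", which with `auth=FORM,JWT` means falling back to the form login.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example only. In Symphony the secret comes from
# jwtSecret and the claim name from jwtUsernameAttribute (default "username").
JWT_SECRET = b"example-shared-secret-not-for-real-use"
JWT_USERNAME_ATTRIBUTE = "username"


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Build a signed HS256 token; used here only to produce sample input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def username_from_jwt(token: str, secret: bytes,
                      username_attribute: str = JWT_USERNAME_ATTRIBUTE,
                      now: Optional[float] = None) -> Optional[str]:
    """Return the user name carried by a valid HS256 token, or None.

    None means "not authenticated by JWT": the caller must fall through to
    the next configured method rather than treat the request as logged in.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    # Pin the algorithm: an unsigned ("none") token or one naming a different
    # algorithm is rejected instead of being trusted on the attacker's terms.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    # Only after the signature is verified are the claims worth reading.
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    # Honour an expiry claim when present so a leaked token does not live forever.
    exp = claims.get("exp")
    current = time.time() if now is None else now
    if isinstance(exp, (int, float)) and current >= exp:
        return None
    user = claims.get(username_attribute)
    return user if isinstance(user, str) and user else None


if __name__ == "__main__":
    token = make_hs256_jwt({"username": "alice", "exp": 2000000000}, JWT_SECRET)
    print(username_from_jwt(token, JWT_SECRET))  # alice
```

The order of the checks is the point: the claim named by `jwtUsernameAttribute` is read only after the algorithm is pinned and the signature has been verified with `hmac.compare_digest`, so a token whose header claims `alg: none` or whose signature does not match the configured secret never yields a user name.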