Version: 3.8.1

Authentication

Configure type

Symphony offers several authentication types, described in the following sections. To select the types in use, add the following entry to both

com.agosense.symphony.ui-default.cfg

and

com.agosense.symphony.ui.generic-default.cfg

(create the entry if it does not exist yet):

auth=<comma separated list of types>

where types can be:

  • FORM
  • JWT
  • OIDC

OIDC cannot be combined with any other type. An example configuration could look like this:

auth=FORM,JWT

With this setting, a request that carries a validly signed JWT is authenticated by the token alone; otherwise the user has to authenticate through form based login.

FORM

Form based authentication is enabled by default. Users and passwords are stored in:

conf/password.properties

User entries have to follow this schema:

user.<userid>=<password>

The password is stored as an unsalted MD5 hash. MD5 is fast to brute-force and identical passwords produce identical hashes, so restrict read access to conf/password.properties to the Symphony service account and enforce strong passwords.

To create such a hash, run:

echo -n "password" | md5sum

and copy only the 32 hex characters into the entry (md5sum appends a trailing " -" that must not be included; the -n flag prevents a newline from being hashed).

OpenID Connect

Symphony supports authentication through an Identity Provider (IDP) using OpenID Connect. When authentication is required, Symphony redirects the user to the login page of the IDP. The user must also exist in Symphony in order to be authorized after the authentication step, and the user name in Symphony must match the name the IDP returns. To use OpenID Connect, specify the following properties in conf/bundles/symphony.security-default.cfg (example values for Keycloak as IDP):

oidc.discoveryUri=http(s)://<IDPHost>:<IDPPort>/realms/symphony/.well-known/openid-configuration

oidc.id=<client id - e.g. symphony>

oidc.secret=<secret>

oidc.allowselfsigned=<true if the IDP runs on https with a self-signed certificate>

oidc.disableHostnameVerifier=<true if the hostname of the IDP and the common name in its server certificate differ>

oidc.forceHttpsForAuthEndpoint=<true if only https connections to the IDP should be allowed>

Both oidc.allowselfsigned and oidc.disableHostnameVerifier weaken the TLS checks on the connection to the IDP and make it easier for an attacker on the network path to impersonate the IDP; use them only in test environments. In production, use a certificate from a trusted CA whose name matches the IDP host, leave both set to false, and set oidc.forceHttpsForAuthEndpoint=true so that tokens are never exchanged over plain http.

JSON Web Token

Symphony supports authentication based on JSON Web Tokens (JWT). Symphony expects the JWT in a request header named JWT (not in the Authorization header). For security reasons Symphony only accepts signed JWTs; an unsigned token is not sufficient for authentication. Add the key used to sign the JWT to conf/bundles/com.agosense.nucleus.http.deploy.default.cfg:

jwtSecret=<private jwt signing key>

Treat this value like a password: anyone who knows it can mint a token for any Symphony user. By default the JWT must carry the Symphony user to authorize in a claim called username. You can change the claim name with the following attribute:

jwtUsernameAttribute=<your attribute>
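As an added example (not Symphony code), the following Python mints a compact JWT carrying the username claim, places it in the JWT request header as the page describes, and verifies it the way a relying party should: rejecting tokens whose signature does not match, that are expired, or that are unsigned (alg=none). The page does not state which signature algorithm Symphony accepts, so the HS256 (HMAC-SHA256) signing with the jwtSecret value is an assumption for the example; the claim name and header name follow the page.

```python
"""Mint and verify an HS256 JWT with a Symphony username claim.

Added example, not Symphony code. Assumes HMAC-SHA256 signing with the
configured jwtSecret value; the claim name defaults to "username" as in
jwtUsernameAttribute, and the request header is named "JWT".
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as required by the JWT compact format."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint_jwt(secret: str, username: str, username_attribute: str = "username",
             ttl: int = 300, now: Optional[int] = None) -> str:
    """Create header.payload.signature signed with HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    signing_input = (_segment({"alg": "HS256", "typ": "JWT"}) + "." +
                     _segment({username_attribute: username, "iat": now, "exp": now + ttl}))
    sig = hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def unsigned_token(username: str, username_attribute: str = "username") -> str:
    """An alg=none token, i.e. what an attacker without the secret can forge."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment({username_attribute: username}) + "."


def verify_jwt(token: str, secret: str, username_attribute: str = "username",
               now: Optional[int] = None) -> Optional[str]:
    """Return the username if the token is validly signed and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    # Pin the algorithm: honouring the token's own "alg" enables the alg=none bypass.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode("utf-8"), f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    user = payload.get(username_attribute)
    return user if isinstance(user, str) and user else None


def request_headers(token: str) -> dict:
    """Header layout Symphony expects: the token in a header named JWT."""
    return {"JWT": token}


if __name__ == "__main__":
    tok = mint_jwt("change-me-jwtSecret", "alice")
    print(request_headers(tok))
    print("verified as:", verify_jwt(tok, "change-me-jwtSecret"))
    print("alg=none accepted:", verify_jwt(unsigned_token("admin"), "change-me-jwtSecret"))
```

The verifier pins the algorithm and checks expiry before trusting any claim; a token that only carries the right username but no valid signature, as unsigned_token() builds, yields None.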