```javascript
{
  security: {
    protocol: process.env.PROTOCOL || 'http', // https or http

    /*******************************************************************************
     * Content Security Policy for the requests,
     *******************************************************************************/
    allowDomainsAccess: {
      // Defines the default policy for fetching resources such as JavaScript, Images, CSS, Fonts, AJAX requests, Frames, HTML5 Media
      defaults: [],
      // Defines valid sources of images.
      images: ['image.tmdb.org'],
      // Defines valid sources of stylesheets or CSS.
      styles: [],
      // Defines valid sources of JavaScript.
      scripts: [],
      // Applies to XMLHttpRequest (AJAX), WebSocket, fetch(), <a ping> or EventSource.
      // If a destination is not allowed the browser blocks the request and reports a CSP violation.
      connects: []
    },

    allowGroups: ['Administrators'], // Groups with access to the user interface

    encryption: {
      secretKey: __utils.absPath('./config/server/auth/epk'),
      iv: __utils.absPath('./config/server/auth/eiv')
    },

    /*******************************************************************************
     * SSL Certificate, only applicable when protocol is https
     *******************************************************************************/
    serverCert: {
      certFilePath: __utils.absPath('./config/certs/server/all/server-cert.pem'),
      keyFilePath: __utils.absPath('./config/certs/server/all/server-key.pem'),
      keyFilePassphrase: ''
    },

    /*******************************************************************************
     * Group Expansion
     *******************************************************************************/
    groupExpansion: {
      enabled: false,
      url: 'http://localhost:50505/groupExpansion?username=${user.account}&json=1'
    },

    /*******************************************************************************
     * User Authentication
     *******************************************************************************/
    auth: {
      . . .
    },

    permissions: {
      default_role: 'reader',
      file: __utils.absPath('./config/server/auth/permissions.csv')
    },

    roles: {
      file: __utils.absPath('./config/server/auth/roles.csv')
    }
  },
}
```
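The comments on `allowDomainsAccess` describe which CSP directive each list feeds. The following is an added example, not the project's own code, of turning such a block into a `Content-Security-Policy` header value. The directive names are the standard CSP ones; the choice to always include `'self'` and to reject a bare `*` or a host containing whitespace or `;` (which would let a single config entry rewrite the whole directive) is this example's assumption, not something the page documents.

```javascript
// Added example: build a CSP header from a SEIA-style allowDomainsAccess block.
// Mapping of config keys to standard CSP directive names.
const DIRECTIVES = {
  defaults: 'default-src',
  images: 'img-src',
  styles: 'style-src',
  scripts: 'script-src',
  connects: 'connect-src',
};

// Reject entries that would widen the policy or inject extra directives.
// (Assumption: the project's own validation, if any, is not documented.)
function checkSource(src) {
  if (typeof src !== 'string' || src === '*' || /[\s;]/.test(src)) {
    throw new Error(`invalid CSP source: ${JSON.stringify(src)}`);
  }
  return src;
}

// Emit one directive per list; an empty list means same-origin only.
function buildCsp(allowDomainsAccess) {
  const parts = [];
  for (const [key, directive] of Object.entries(DIRECTIVES)) {
    const hosts = (allowDomainsAccess[key] || []).map(checkSource);
    parts.push(`${directive} 'self'${hosts.length ? ' ' + hosts.join(' ') : ''}`);
  }
  return parts.join('; ');
}

// Middleware shape for an Express-style app; sets the header on every response.
function cspMiddleware(allowDomainsAccess) {
  const value = buildCsp(allowDomainsAccess); // fail at startup, not per request
  return function (req, res, next) {
    res.setHeader('Content-Security-Policy', value);
    next();
  };
}

// Constructed input mirroring the allowDomainsAccess block above.
const SAMPLE_ACCESS = {
  defaults: [],
  images: ['image.tmdb.org'],
  styles: [],
  scripts: [],
  connects: [],
};

console.log(buildCsp(SAMPLE_ACCESS));
```

Because `buildCsp` runs once inside `cspMiddleware`, a malformed config entry aborts startup instead of silently shipping a weakened policy.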
allowGroups - Security groups allowed to access the user interface. If none are listed, the interface is available to anyone.
If auth type is none, this setting has no effect.
iv - the IV complementing the secret key.
Always change these values from the shipped defaults.
file - A CSV file used to kick-start the permissions database; it is only read when the database does not exist yet. The CSV format is Name, Alias, Account, Role.
If auth type is none, this setting has no effect.
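The permissions file is only consulted to seed the database, so a bad row is easiest to catch at load time. The following is an added example, not the project's own loader, of parsing a Name, Alias, Account, Role CSV into records: a blank Role falls back to `permissions.default_role`, a role that is not in the roles list is rejected, and a row with no Account is rejected rather than silently seeded. The header line, the quoting rules and the `KNOWN_ROLES` list (standing in for the contents of `roles.file`) are this example's assumptions.

```javascript
// Added example: load a SEIA-style permissions CSV with validation.

// Constructed sample input; the real file lives at permissions.file.
const SAMPLE_PERMISSIONS_CSV = `Name, Alias, Account, Role
Jane Doe, jdoe, jdoe, admin
John Smith, jsmith, jsmith,
"Lee, Ann", alee, alee, editor
Bad Row, nobody, , reader
`;

// Stand-in for what roles.file would provide (assumption).
const KNOWN_ROLES = ['admin', 'editor', 'reader'];

// Minimal RFC 4180-style line parser: handles quoted fields and doubled quotes.
function parseCsvLine(line) {
  const fields = [];
  let cur = '';
  let inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (inQuotes) {
      if (ch === '"' && line[i + 1] === '"') { cur += '"'; i++; }
      else if (ch === '"') { inQuotes = false; }
      else { cur += ch; }
    } else if (ch === '"') {
      inQuotes = true;
    } else if (ch === ',') {
      fields.push(cur.trim());
      cur = '';
    } else {
      cur += ch;
    }
  }
  fields.push(cur.trim());
  return fields;
}

// Returns the seedable records and the rows that were refused, with line numbers
// so an operator can fix the file before the database is created.
function loadPermissions(csvText, { defaultRole, knownRoles }) {
  const records = [];
  const rejected = [];
  const lines = csvText.split(/\r?\n/).filter((l) => l.trim() !== '');
  const header = parseCsvLine(lines[0]).map((h) => h.toLowerCase());
  if (header.join(',') !== 'name,alias,account,role') {
    throw new Error(`unexpected header: ${lines[0]}`);
  }
  lines.slice(1).forEach((line, idx) => {
    const lineNo = idx + 2; // 1-based, header is line 1
    const [name, alias, account, role] = parseCsvLine(line);
    if (!account) {
      rejected.push({ line: lineNo, reason: 'missing Account' });
      return;
    }
    const effectiveRole = role || defaultRole;
    if (!knownRoles.includes(effectiveRole)) {
      rejected.push({ line: lineNo, reason: `unknown role ${effectiveRole}` });
      return;
    }
    records.push({ name, alias, account, role: effectiveRole });
  });
  return { records, rejected };
}

const result = loadPermissions(SAMPLE_PERMISSIONS_CSV, {
  defaultRole: 'reader',
  knownRoles: KNOWN_ROLES,
});
console.log(JSON.stringify(result, null, 2));
```

Validating the role against the roles list matters because the CSV is applied only once: a typo in a Role column would otherwise be persisted into the new database and not noticed until someone checks why a user has no access.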
```javascript
{
  security: {
    . . .
    /*******************************************************************************
     * User Authentication
     *******************************************************************************/
    auth: {
      type: 'none',
      passport: {
        secret: 'SearchTech'
      },
      oauth2: {
        provider: 'google',
        callbackUrlDomain: DOMAIN_NAME,
        calllbackUrlPort: SERVER_PORT,
        google: {
          scope: ['profile', 'email'],
          clientID: '790123979285-osjbhimrhnbvnaofplavp9auh9tgkq5k.apps.googleusercontent.com', // Client ID
          clientSecret: '9RjuURmdon0UePqIbS2wJB9h'
        },
        // Sample OKTA authentication
        // login: [email protected]
        // password: Horrible-Dotterel-75
        okta: {
          domain: 'domain',
          callbackUrlDomain: DOMAIN_NAME,
          calllbackUrlPort: SERVER_PORT,
          scope: ['profile', 'email'],
          clientID: 'client-id', // Client ID
          clientSecret: 'client-secret'
        }
      },
      saml2: {
        provider: 'google', // supported values: google
        google: {
          entryPoint: 'https://accounts.google.com/o/saml2/idp?idpid=C02oz2242', // replace with value appropriate for your project
          issuer: 'nikepoc', // replace with value appropriate for your project
          certPath: __utils.absPath('./config/certs/saml2/all/google-saml2.pem'), // replace with value appropriate for your project
          attributesMapping: { // key is the property name stored in the SEIA user profile, the value is the property name from the SAML profile
            _id: 'nameID',
            email: 'nameID',
            firstName: 'firstName',
            lastName: 'lastName',
            groups: 'groups'
          }
        },
        okta: {
          entryPoint: 'https://cagsearchdemoseia.okta.com/app/cagsearchdemoorg743328_nikepocalex_1/exkpkxgzlpV0GyoMS356/sso/saml', // replace with value appropriate for your project
          issuer: 'nikepoc', // replace with value appropriate for your project
          certPath: __utils.absPath('./config/certs/saml2/all/okta-saml2.pem'), // replace with value appropriate for your project
          attributesMapping: { // key is the property name stored in the SEIA user profile, the value is the property name from the SAML profile
            _id: 'nameID',
            email: 'nameID',
            firstName: 'firstName',
            lastName: 'lastName',
            groups: 'groups'
          }
        }
      },
      ldap: {
        provider: 'apacheds',
        apacheds: {
          server: {
            url: 'ldap://localhost:10389',
            bindDN: 'uid=admin, ou=system', // Bind DN or User
            bindCredentials: 'secret', // password
            searchBase: 'ou=users,dc=esui,dc=com',
            searchFilter: '(uid={{username}})',
            searchAttributes: ['uid', 'cn', 'sn', 'displayName', 'ou', 'photo']
          },
          attributesMapping: { // key is the property name stored in the SEIA user profile, the value is the user attribute in LDAP
            _id: 'uid', // _id is required
            account: 'uid', // account is for roles and group expansion
            email: 'uid',
            firstName: 'cn',
            lastName: 'sn',
            name: 'cn',
            alias: 'displayName', // if the alias is not given, one is created from the first and last name or roles
            groups: 'ou',
            photo: 'photo'
          }
        },
        ad: {
          server: {
            url: 'ldaps://ad.corporate.com:636',
            bindDN: 'cn=non-person,ou=system,dc=corp,dc=corporate,dc=com',
            bindCredentials: 'secret',
            searchBase: 'dc=corp,dc=corporate,dc=com',
            searchFilter: '(&(objectcategory=person)(objectclass=user)(|(samaccountname={{username}})(mail={{username}})))',
            searchAttributes: ['displayName', 'mail', 'samaccountname'],
            tlsOptions: {
              ca: [
                // fs.readFileSync('/path/to/root_ca_cert.crt')
              ]
            }
          },
          attributesMapping: { // key is the property name stored in the SEIA user profile, the value is the user attribute in LDAP
            _id: 'samaccountname',
            account: 'samaccountname', // account is for roles and group expansion
            email: 'mail',
            firstName: 'givenName',
            lastName: 'sn',
            groups: 'groups'
          }
        }
      }
    },
    . . .
  }
}
```
type - Indicates the type of authentication to use; the default is none. Currently Enterprise Search handles three authentication types: oauth2, saml2 and ldap.
If the type is none, neither allowGroups nor permissions take effect.
The attributesMapping in the providers that have one maps the data collected from the provider onto the common SEIA user profile. The only required properties to map are _id and account; other properties are optional or are replaced with a default value. For the ldap providers, every directory attribute named on the right-hand side of attributesMapping should also appear in searchAttributes, since the directory only returns the attributes that were requested.
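The following is an added example, not the project's own code, of what the rules above amount to in practice: apply a provider's attributesMapping to a raw profile, fail if the mapping did not produce `_id` and `account`, fill in the alias default that the apacheds comment describes, and then apply the allowGroups rule (bypassed when auth type is none, open when the list is empty). The raw LDAP entry is constructed; the fallback of alias to the account name when there is no first or last name, and the exact-match comparison of group names, are this example's assumptions rather than documented behaviour.

```javascript
// Added example: attribute mapping plus the allowGroups gate for a SEIA-style config.

// Constructed entry shaped like what the apacheds block would return.
const RAW_LDAP_ENTRY = {
  uid: 'jdoe',
  cn: 'Jane',
  sn: 'Doe',
  displayName: '',               // empty on purpose: exercises the alias default
  ou: ['Administrators', 'Search'],
  photo: null,
};

// The apacheds attributesMapping from the config above.
const APACHEDS_MAPPING = {
  _id: 'uid',
  account: 'uid',
  email: 'uid',
  firstName: 'cn',
  lastName: 'sn',
  name: 'cn',
  alias: 'displayName',
  groups: 'ou',
  photo: 'photo',
};

// Copy each mapped attribute onto the SEIA profile, skipping empty values so
// that defaults can be applied afterwards. Throws if _id or account is missing,
// because roles and group expansion key off account.
function mapProfile(raw, mapping) {
  const profile = {};
  for (const [target, source] of Object.entries(mapping)) {
    const value = raw[source];
    if (value !== undefined && value !== null && value !== '') profile[target] = value;
  }
  for (const required of ['_id', 'account']) {
    if (!profile[required]) {
      throw new Error(`attributesMapping did not produce required property "${required}"`);
    }
  }
  // Directories return one value or many; normalise to an array of strings.
  profile.groups = [].concat(profile.groups || []).map(String);
  if (!profile.alias) {
    // Default described in the config comment; account fallback is an assumption.
    profile.alias = [profile.firstName, profile.lastName].filter(Boolean).join(' ') || profile.account;
  }
  return profile;
}

// allowGroups semantics from the notes: ignored when auth type is none,
// open to anyone when empty, otherwise the user needs at least one listed group.
function canAccessUi(security, profile) {
  if (security.auth.type === 'none') return true;
  const allowed = security.allowGroups || [];
  if (allowed.length === 0) return true;
  return profile.groups.some((g) => allowed.includes(g));
}

const profile = mapProfile(RAW_LDAP_ENTRY, APACHEDS_MAPPING);
console.log(profile);
console.log(canAccessUi({ auth: { type: 'ldap' }, allowGroups: ['Administrators'] }, profile));
```

The required-property check is the important part: a mapping that silently produces a profile without `account` would authenticate the user but leave roles and group expansion with nothing to look up.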