On the configuration file you can find the security section, in this section option like the encryptionKey, inactive timeout, roles and authentication can be found:
Parameter |
---|
summary | Enables the server authentication, including login page (if need) |
---|
default | false |
---|
name | enable |
---|
type | boolean |
---|
required | true |
---|
|
Parameter |
---|
summary | Defines the timeout for an inactive session, after the timeout is trigger, the session will expire and the user will need to login again |
---|
default | 600 |
---|
name | inactiveInterval |
---|
type | integer |
---|
|
- Every action perform by the user, restarts the timeout
Parameter |
---|
summary | Location of the file holding the encryption key, Saga server provides one by default |
---|
default | ./bin/saga.ek |
---|
name | encryptionKeyFile |
---|
required | true |
---|
|
Warning |
---|
Change the encyptionKeyFile as soon as you start a working on a new project |
Parameter |
---|
summary | Default role to be use in the users if no role is provided. At the moment Saga Server has 2 roles admin and editor |
---|
default | admin |
---|
name | defaultRole |
---|
|
Parameter |
---|
summary | Defines the type of authentication to be use by the server |
---|
default | config |
---|
name | type |
---|
|
- Additional configuration is required depending on the type of security selected
Saga_json |
---|
"security": {
"enable": true,
"inactiveInterval": 600,
"encryptionKeyFile" : "./bin/saga.ek",
"defaultRole": "admin",
"type": "<AUTHENTICATION_TYPE>",
.
.
.
} |
Saga Server counts with 3 authentication types
- Config - Uses usernames and passwords defined in the configuration file
- LDAP - Uses the LDAP protocol to connect to a Directory Server
- SAML - SSO login method offering more secure authentication. (Currently on development, available Microsoft SSO)
Authentication Type
Config
Config authentication is the most basic of all, ideal for demos, but not recommended for production environments, unless in a close environment. This authentication uses Users, Passwords and Roles defined in the same config file, under the users field, one entry per user.
Config will allow you to login via Form and Basic Authentication
Saga_json |
---|
"security": {
"enable": true,
"inactiveInterval": 600,
"encryptionKeyFile" : "./bin/saga.ek",
"defaultRole": "admin",
"type": "config",
"users": [
{
"username": "admin",
"password": "password",
"roles": "admin"
},
{
"username": "user1",
"password": "p@ssword",
"roles": "editor"
},
{...}
.
.
.
]
} |
LDAP
LDAP, the Lightweight Directory Access Protocol, is a mature, flexible, and well supported standards-based mechanism for interacting with directory servers.
LDAP will allow you to login via Form and Basic Authentication
Parameter |
---|
summary | Url to the LDAP server |
---|
name | server |
---|
required | true |
---|
|
Parameter |
---|
summary | Field to use as the user account |
---|
default | cn |
---|
name | userAccountField |
---|
|
Parameter |
---|
summary | LDAP distinguished name to the location of the users |
---|
name | bindDN |
---|
required | true |
---|
|
Parameter |
---|
summary | Field to use as the user ID |
---|
default | uid |
---|
name | idField |
---|
|
Parameter |
---|
summary | Field to use as the user password |
---|
default | password |
---|
name | passwordField |
---|
|
Parameter |
---|
summary | Names of the attributes to return for the user profile |
---|
name | attributes |
---|
type | string array |
---|
required | true |
---|
|
Saga_json |
---|
"security": {
"enable": true,
"inactiveInterval": 600,
"encryptionKeyFile" : "./bin/saga.ek",
"defaultRole": "admin",
"type": "ldap",
"ldap": {
"server": "ldap://localhost:10389",
"userAccountField": "cn",
"bindDN": "ou=Users,dc=example,dc=com",
"idField": "uid",
"passwordField": "userPassword",
"attributes": [
"givenName",
"mail"
]
},
} |
SAML
Security Assertion Markup Language (SAML) is a login standard that helps users access applications based on sessions in another context. It’s a single sign-on (SSO) login method offering more secure authentication (with a better user experience) than usernames and passwords.
SAML will redirect you to the provider login page, so no login page is required.
Note |
---|
Currently it is under development, but Microsoft SSO is supported |
Parameter |
---|
summary | Path to the keystore holding the certificates |
---|
name | keystorePath |
---|
required | true |
---|
|
Parameter |
---|
summary | password to the keystore |
---|
name | keystorePassword |
---|
required | true |
---|
|
Parameter |
---|
summary | Password to the keys in the keystore |
---|
name | privateKeyPassword |
---|
required | true |
---|
|
Parameter |
---|
summary | If true, the identityProviderMetadataPath receives the path to an XML file. If false, the identityProviderMetadataPath receives a web url to find the xml file with the information of de IDP. |
---|
name | useFileSystem |
---|
required | true |
---|
|
Parameter |
---|
summary | Path to the identity provider, provided by the SAML Service. Consult the How to Article for saml in SAGA developers space to see how to obtain this field. |
---|
name | identityProviderMetadataPath |
---|
required | true |
---|
|
Parameter |
---|
summary | Server url of the Saga Server. Called by the authentication provider |
---|
name | serverURL |
---|
required | true |
---|
|
Parameter |
---|
summary | The time out in seconds for the SAML server to provide an answer. |
---|
default | 3600 |
---|
name | timeOut |
---|
required | true |
---|
|
Parameter |
---|
summary | Each value correspond to a field of the IDP that must be mapped to a new variable name. For example http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name mapped to a key called username. |
---|
name | mappedAttributes |
---|
required | true |
---|
|
- This will be used to generate the callback url which is form like this <Server_URL>/saga/auth/callback
Note |
---|
You need to add the callback url (e.g. http://localhost:8080/saga/auth/callback or https://localhost:443/saga/auth/callback) to your Authentication provider |
Parameter |
---|
summary | Attribute to use as the user ID |
---|
name | nameIdAttribute |
---|
|
Without FileSystem:
Saga_json |
---|
"security": {
"enable": true,
"encryptionKeyFile" : "./bin/saga.ek",
"inactiveInterval": 600,
"type": "saml",
"defaultRole": "admin",
"saml": {
"keystorePath": "bin/samlKeystore.jks",
"keystorePassword": "pac4j-demo-passwd",
"privateKeyPassword": "pac4j-demo-passwd",
"useFileSystem": false,
"identityProviderMetadataPath": "https://your.provider.com/identityProvider.xml",
"serverURL": "http://localhost:8080",
"timeOut": 86400,
"nameIdAttribute": "nameId",
"mappedAttributes": {
"username": "field.name",
"displayName": "field.displayname",
"email": "field.emailaddress",
"id": "field.objectidentifier"
}
}
}, |
![](/download/attachments/808388949/image2022-4-28_13-11-19.png?version=1&modificationDate=1651173079925&api=v2)
Login Methods
Currently Saga Server has 3 methods to login, (besides the login of SAML)
The Form login , will enable the login page for the Saga Server, here you can user your username and password to access. This method uses a POST HTTP request.
![](/download/attachments/808388949/image2022-4-28_12-42-12.png?version=1&modificationDate=1651171332383&api=v2)
Basic Authentication
When employing Basic Authentication, users include an encoded string in the Authorization header of each request they make. The string is used by the request’s recipient to verify user’s identity and rights to access a resource.
The Authorization header follows this format:
Authorization: Basic <credentials>
We then construct the credentials
like this:
- The user’s username and password are combined with a colon.
- The resulting string is base64 encoded.
Code Block |
---|
curl --location --request GET 'http://localhost:8080/saga/api/client/process/units' \
--header 'Authorization: Basic <Base64(USERNAME:PASSWORD)>' |
API Key
Info |
---|
This method is recommended when having communication between services without user interaction. |
When employing API Keys, the service include an API Key string in the Authorization header of each request they make. The string is used by the request’s recipient to verify service’s identity and rights to access a resource.
The Authorization header follows this format:
Authorization: Saga <API_KEY>
This API Keys, must be created in the Credentials section inside the Tools Menu. This keys can only be created by an authenticated user
![](/download/attachments/808388949/image2022-4-28_12-57-53.png?version=1&modificationDate=1651172273326&api=v2)
Code Block |
---|
curl --location --request GET 'http://localhost:8080/saga/api/client/process/units' \
--header 'Authorization: Saga <API_KEY>' |