{
  // Security section of the server configuration (excerpt; the `auth` block
  // is shown expanded in the second listing on this page).
  security: {
    // https or http
    // NOTE(review): an unset PROTOCOL silently falls back to plaintext http;
    // set it explicitly (https) for any deployment that is not local-only.
    protocol: process.env.PROTOCOL || 'http',
    /*******************************************************************************
     * Content Security Policy for the requests,
     * Each list is a host allow-list for one CSP directive.
     * NOTE(review): what an empty list means (nothing allowed, or the CSP
     * middleware's own default) depends on the consuming code — confirm before
     * relying on it.
     *******************************************************************************/
    allowDomainsAccess: {
      // Defines the default policy for fetching resources such as JavaScript, Images, CSS, Fonts, AJAX requests, Frames, HTML5 Media
      defaults: [],
      // Defines valid sources of images.
      images: ['image.tmdb.org'],
      // Defines valid sources of stylesheets or CSS.
      styles: [],
      // Defines valid sources of JavaScript.
      scripts: [],
      // Applies to XMLHttpRequest (AJAX), WebSocket, fetch(), <a ping> or EventSource. If not allowed the browser emulates a 400
      connects: []
    },
    // Groups with access to the user interface. Per the page notes, an empty
    // list leaves the interface open to anyone, and the check is not applied
    // at all while auth.type is 'none'.
    allowGroups: ['Administrators'],
    // Key material is read from files. The shipped defaults should be replaced
    // per deployment (see the page warning) and kept out of version control.
    // NOTE(review): a fixed IV loaded from a file is reused for every encryption
    // unless the calling code derives a fresh one per message — confirm the
    // cipher mode in use tolerates that (CBC, CTR and GCM do not).
    encryption: {
      secretKey: __utils.absPath('./config/server/auth/epk'),
      iv: __utils.absPath('./config/server/auth/eiv')
    },
    /*******************************************************************************
     * SSL Certificate, only applicable when protocol is https
     *******************************************************************************/
    serverCert: {
      certFilePath: __utils.absPath('./config/certs/server/all/server-cert.pem'),
      keyFilePath: __utils.absPath('./config/certs/server/all/server-key.pem'),
      // Empty string: the key file is expected to be unencrypted. If a
      // passphrase is needed, prefer sourcing it from the environment rather
      // than committing it in this file.
      keyFilePassphrase: ''
    },
    /*******************************************************************************
     * Group Expansion
     *******************************************************************************/
    groupExpansion: {
      enabled: false,
      // NOTE(review): single-quoted, so `${user.account}` is not a JS template
      // literal — presumably substituted by the group-expansion client at
      // request time; confirm the account value is URL-encoded at that point.
      // The placeholder endpoint is plain http on localhost; use https for any
      // remote service.
      url: 'http://localhost:50505/groupExpansion?username=${user.account}&json=1'
    },
    /*******************************************************************************
     * User Authentication
     *******************************************************************************/
    // Elided here; see the expanded listing further down this page.
    auth: { . . . },
    permissions: {
      // Role used when no other role applies — TODO confirm against the
      // permissions code.
      default_role: 'reader',
      // CSV that seeds the permissions database; per the page notes it is only
      // read while the database does not exist yet (columns: Name, Alias,
      // Account, Role).
      file: __utils.absPath('./config/server/auth/permissions.csv')
    },
    roles: {
      // CSV that seeds the roles database — presumably under the same
      // seed-once rule as permissions; confirm.
      file: __utils.absPath('./config/server/auth/roles.csv')
    }
  },
} |
Title: Authentication Configuration
allowGroups - Security groups allowed to access the user interface; if none are given, the interface is available to anyone.
Note: If the auth type is none, this setting has no effect.
iv - the initialization vector (IV) that complements the secret key.
Warning: It is recommended to always change these values.
file - A CSV file used to kick-start the permissions database; it is only read if the database does not exist yet. The CSV columns are Name, Alias, Account, Role.
Note: If the auth type is none, this setting has no effect.
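{
  security: {
    . . .
    /*******************************************************************************
     * User Authentication
     * Expanded `auth` section of the security configuration. Credential-bearing
     * values in this sample are labelled placeholders; supply real values from
     * the environment or a secret store, never by committing them here.
     *******************************************************************************/
    auth: {
      // Active authentication type; see the page notes for the supported values.
      type: 'none',
      passport: {
        // Session-signing secret. Replace the placeholder with a long random
        // value sourced from the environment.
        secret: '<PASSPORT_SECRET placeholder>'
      },
      oauth2: {
        provider: 'google',
        callbackUrlDomain: DOMAIN_NAME,
        // NOTE(review): key is spelled with three l's here and in `okta` below;
        // the application presumably reads it under this spelling — confirm
        // before renaming to callbackUrlPort.
        calllbackUrlPort: SERVER_PORT,
        google: {
          scope: ['profile', 'email'],
          clientID: '<GOOGLE_OAUTH_CLIENT_ID placeholder>', // Client ID
          // Never commit the real value; load it from the environment.
          clientSecret: '<GOOGLE_OAUTH_CLIENT_SECRET placeholder>'
        },
        // Sample OKTA authentication. Obtain test-account credentials from
        // your own tenant; do not record them in this file.
        okta: {
          domain: 'domain',
          callbackUrlDomain: DOMAIN_NAME,
          calllbackUrlPort: SERVER_PORT,
          scope: ['profile', 'email'],
          clientID: 'client-id', // Client ID
          clientSecret: 'client-secret'
        }
      },
      saml2: {
        provider: 'google', // supported values: google
        google: {
          entryPoint: 'https://accounts.google.com/o/saml2/idp?idpid=C02oz2242', // replace with value appropriate for your project
          issuer: 'nikepoc', // replace with value appropriate for your project
          // IdP signing certificate used to validate SAML responses.
          certPath: __utils.absPath('./config/certs/saml2/all/google-saml2.pem'), // replace with value appropriate for your project
          attributesMapping: { // key is the property name stored in the SEIA user profile, the value is the property name from the SAML profile
            _id: 'nameID',
            email: 'nameID',
            firstName: 'firstName',
            lastName: 'lastName',
            groups: 'groups'
          }
        },
        okta: {
          entryPoint: 'https://cagsearchdemoseia.okta.com/app/cagsearchdemoorg743328_nikepocalex_1/exkpkxgzlpV0GyoMS356/sso/saml', // replace with value appropriate for your project
          issuer: 'nikepoc', // replace with value appropriate for your project
          certPath: __utils.absPath('./config/certs/saml2/all/okta-saml2.pem'), // replace with value appropriate for your project
          attributesMapping: { // key is the property name stored in the SEIA user profile, the value is the property name from the SAML profile
            _id: 'nameID',
            email: 'nameID',
            firstName: 'firstName',
            lastName: 'lastName',
            groups: 'groups'
          }
        }
      },
      ldap: {
        provider: 'apacheds',
        apacheds: {
          server: {
            // NOTE(review): plain ldap:// sends the bind password in clear;
            // acceptable for a local test directory only — use ldaps:// or
            // StartTLS for anything remote.
            url: 'ldap://localhost:10389',
            bindDN: 'uid=admin, ou=system', // Bind DN or User
            // password — sample value; replace and load from the environment.
            bindCredentials: 'secret',
            searchBase: 'ou=users,dc=esui,dc=com',
            // NOTE(review): {{username}} is interpolated into an LDAP filter;
            // confirm the LDAP client escapes it per RFC 4515 before use.
            searchFilter: '(uid={{username}})',
            searchAttributes: ['uid', 'cn', 'sn', 'displayName', 'ou', 'photo']
          },
          attributesMapping: { // key is the property name stored in the SEIA user profile, the value is the user attribute in LDAP
            _id: 'uid', // _id is required
            account: 'uid', // account is for roles and group expansion
            email: 'uid',
            firstName: 'cn',
            lastName: 'sn',
            name: 'cn',
            alias: 'displayName', // if the alias is not given, one is created from the first and last name or roles
            groups: 'ou',
            photo: 'photo'
          }
        },
        ad: {
          server: {
            url: 'ldaps://ad.corporate.com:636',
            bindDN: 'cn=non-person,ou=system,dc=corp,dc=corporate,dc=com',
            // Sample value; replace and load from the environment.
            bindCredentials: 'secret',
            searchBase: 'dc=corp,dc=corporate,dc=com',
            // NOTE(review): same {{username}} interpolation as above — confirm
            // the value is filter-escaped before substitution.
            searchFilter: '(&(objectcategory=person)(objectclass=user)(|(samaccountname={{username}})(mail={{username}})))',
            searchAttributes: ['displayName', 'mail', 'samaccountname'],
            tlsOptions: {
              // Pin the directory's root CA here; with an empty list, what the
              // TLS client trusts depends on the LDAP library's defaults — confirm.
              ca: [
                // fs.readFileSync('/path/to/root_ca_cert.crt')
              ]
            }
          },
          attributesMapping: { // key is the property name stored in the SEIA user profile, the value is the user attribute in LDAP
            _id: 'samaccountname',
            account: 'samaccountname', // account is for roles and group expansion
            email: 'mail',
            firstName: 'givenName',
            lastName: 'sn',
            groups: 'groups'
          }
        }
      }
    },
    .
    .
    .
  }
}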
type - Indicates the type of authentication to use; the default is none. Currently Enterprise Search supports three authentication types: oauth2, saml2 and ldap.
Note: If the type is none, neither allowGroups nor permissions take effect.
The attributesMapping in the providers that have one maps the collected data to a common user profile. The only required properties to map are _id and account; other properties are optional or replaced with a default value.