"security": {
      "enable": true,
      "inactiveInterval": 600,
      "encryptionKeyFile" : "./bin/saga.ek",
      "defaultRole": "admin",

      "type": "<AUTHENTICATION_TYPE>",

.
.
.
}

Saga Server counts with

4 authentication types

• Config - Uses usernames and passwords defined in the configuration file
• LDAP - Uses the LDAP protocol to connect to a Directory Server
• SAML - (Removed in 1.3.3) SSO login method offering more secure authentication. (Currently on development, available Microsoft SSO)
• OIDC - (Added in 1.3.3) OpenID Connect (OIDC) is an open authentication protocol that works on top of the OAuth 2.0 framework.

Authentication Type

Config

Config authentication is the most basic of all, ideal for demos, but not recommended for production environments, unless in a close environment. This authentication uses Users, Passwords and Roles defined in the same config file, under the users field, one entry per user.

Config will allow you to login via Form and Basic Authentication

"security": {
 	"enable": true,
    "inactiveInterval": 600,
    "encryptionKeyFile" : "./bin/saga.ek",
    "defaultRole": "admin",
    "type": "config",

    "users": [
     	{
         	"username": "admin",
         	"password": "password",
         	"roles": "admin"
        },
        {
         	"username": "user1",
         	"password": "p@ssword",
         	"roles": "editor"
        },
        {...}
        .
        .
        .
 	]
}

LDAP

LDAP, the Lightweight Directory Access Protocol, is a mature, flexible, and well supported standards-based mechanism for interacting with directory servers.

LDAP will allow you to login via Form and Basic Authentication

• Parameter
  summary Url to the LDAP server name server required true

• Parameter
  summary Field to use as the user account default cn name userAccountField

• Parameter
  summary LDAP distinguished name to the location of the users name bindDN required true

• Parameter
  summary Field to use as the user ID default uid name idField

• Parameter
  summary Field to use as the user password default password name passwordField

• Parameter
  summary Names of the attributes to return for the user profile name attributes type string array required true

"security": {
	"enable": true,
 	"inactiveInterval": 600,
    "encryptionKeyFile" : "./bin/saga.ek",
    "defaultRole": "admin",
    "type": "ldap",

    "ldap": {
     	"server": "ldap://localhost:10389",
        "userAccountField": "cn",
        "bindDN": "ou=Users,dc=example,dc=com",
        "idField": "uid",
        "passwordField": "userPassword",
        "attributes": [
         	"givenName",
            "mail"
    	]
	},
}

SAML (Removed on 1.3.3)

Security Assertion Markup Language (SAML) is a login standard that helps users access applications based on sessions in another context. It’s a single sign-on (SSO) login method offering more secure authentication (with a better user experience) than usernames and passwords.

SAML will redirect you to the provider login page, so no login page is required.

• Parameter
  summary Path to the keystore holding the certificates name keystorePath required true

• Parameter
  summary password to the keystore name keystorePassword required true

• Parameter
  summary Password to the keys in the keystore name privateKeyPassword required true

• Parameter
  summary If true, the identityProviderMetadataPath receives the path to an XML file. If false, the identityProviderMetadataPath receives a web url to find the xml file with the information of de IDP. name identityProviderUseFileSystem required true

• Parameter
  summary Path to the identity provider, provided by the SAML Service. Consult the How to Article for saml in SAGA developers space to see how to obtain this field. name identityProviderMetadataPath required true

• Parameter
  summary The time out in seconds for the SAML server to provide an answer. default 3600 name timeOut required true

• Parameter
  summary Each value correspond to a field of the IDP that must be mapped to a new variable name. For example http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name mapped to a key called username. name mappedAttributes required true

• Parameter
  summary Server url of the Saga Server. Called by the authentication provider name serverURL required true

  
  
  • This will be used to generate the callback url which is form like this <Server_URL>/saga/auth/callback

  • Note
    You need to add the callback url (e.g. http://localhost:8080

• • /saga/auth/callback or https://localhost:443/saga/auth/callback) to your Authentication provider

• Parameter
  summary Attribute to use as the user ID name nameIdAttribute

Without FileSystem:

localhost:8080",
        "timeOut": 86400,
        "nameIdAttribute": "nameId",
        "mappedAttributes": {
          "username": "field.name",
          "displayName":  "field.displayname",
          "email":  "field.emailaddress",
          "id": "field.objectidentifier"
        }
      }
    },

Image Added

OpenId Connect (Added on 1.3.3)

OpenID Connect (OIDC) is an open authentication protocol that works on top of the OAuth 2.0 framework. It allows third-party applications to verify the identity of the end-user and obtain basic user profile information in an interoperable and REST-like manner.

OIDC will redirect you to the provider login page, so no login page is required.

• Parameter
  summary Server url of the Saga Server. Called by the authentication provider name serverURL required true

• Parameter
  summary Provided by the OpenID Connect provider name clientId required true

• Parameter
  summary Provided by the OpenID Connect provider (to read the metadata of the identity provider) name discoveryURI required true

• Parameter
  summary Scopes are used by an application during authentication to authorize access to a user's details, like name and picture default openid email profile name scope

  
  
  • This will be used to generate the callback url which is form like this <Server_URL>/saga/auth/callback?client_name=OidcClient

  • Note
    You need to add the callback url (e.g. http

• • ://localhost:8080/saga/auth/callback?client_name=OidcClient or https://localhost/saga/auth/callback?client_name=OidcClient) to your Authentication provider

Without FileSystem:

"security": {
      "enable": true,
      "encryptionKeyFile" : "./bin/saga.ek",
      "inactiveInterval": 600,
      "type": "openid",
      "defaultRole": "admin",

   	  "openid": {
        "serverURL": "http://localhost:8080",
        "clientId": "clientId",
        "discoveryURI": "discoveryURI"
      }
    },

Image Added

Login Methods

Currently Saga Server has 3 methods to login, (besides the login of SAML)

Form

The Form login , will enable the login page for the Saga Server, here you can user your username and password to access. This method uses a POST HTTP request.

Image Added

Basic Authentication

When employing Basic Authentication, users include an encoded string in the Authorization header of each request they make. The string is used by the request’s recipient to verify user’s identity and rights to access a resource.

The Authorization header follows this format:

Authorization: Basic <credentials>

We then construct the credentials like this:

1. The user’s username and password are combined with a colon.
2. The resulting string is base64 encoded.

curl --location --request GET 'http://localhost:8080/saga/api/client/process/units' \
--header 'Authorization: Basic <Base64(USERNAME:PASSWORD)>'

API Key

When employing API Keys, the service include an API Key string in the Authorization header of each request they make. The string is used by the request’s recipient to verify service’s identity and rights to access a resource.

The Authorization header follows this format:

Authorization: Saga <API_KEY>

This API Keys, must be created in the Credentials section inside the Tools Menu. This keys can only be created by an authenticated user

Image Added

curl --location --request GET 'http://localhost:8080/saga/api/client/process/units' \
--header 'Authorization: Saga <API_KEY>'