Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
{ security: { protocol: process.env.PROTOCOL || 'http', // https or http /******************************************************************************* * Content Security Policy for the requests, *******************************************************************************/ allowDomainsAccess: { // Defines the default policy for fetching resources such as JavaScript, Images, CSS, Fonts, AJAX requests, Frames, HTML5 Media defaults: [], // Defines valid sources of images. images: ['image.tmdb.org'], // Defines valid sources of stylesheets or CSS. styles: [], // Defines valid sources of JavaScript. scripts: [], // Applies to XMLHttpRequest (AJAX), WebSocket, fetch(), <a ping> or EventSource. If not allowed the browser emulates a 400 connects: [] }, allowGroups: ['Administrators'], // Groups with access to the user interface encryption: { secretKey: __utils.absPath('./config/server/auth/epk'), iv: __utils.absPath('./config/server/auth/eiv') }, /******************************************************************************* * SSL Certificate, only aplicable when protocol is https *******************************************************************************/ serverCert: { certFilePath: __utils.absPath('./config/certs/server/all/server-cert.pem'), keyFilePath: __utils.absPath('./config/certs/server/all/server-key.pem'), keyFilePassphrase: '' }, /******************************************************************************* * Group Expansion *******************************************************************************/ groupExpansion: { enabled: false, url: 'http://localhost:50505/groupExpansion?username=${user.account}&json=1' }, /******************************************************************************* * User Authentication *******************************************************************************/ auth: { . . . }, permissions: { default_role: 'reader', file: __utils.absPath('./config/server/auth/permissions.csv') }, roles: { file: __utils.absPath('./config/server/auth/roles.csv') } }, } |
allowGroups - Security groups allow to access the user interface, if none, then it is available for anyone
Note |
---|
If auth is none, this will not take effect |
iv - the IV complementing the secret key
Warning |
---|
Recommend always change these values |
file - A CSV file which will be use to kick-start the permissions database, this will only be use if the database still doesn't exist. The format for the CSV is Name, Alias, Account, Role.
Note |
---|
If auth is none, this will not take effect |
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
{ security: { . . . /******************************************************************************* * User Authentication *******************************************************************************/ auth: { type: 'none', passport: { secret: 'SearchTech' }, oauth2: { provider: 'google', callbackUrlDomain: DOMAIN_NAME, calllbackUrlPort: SERVER_PORT, google: { scope: ['profile', 'email'], clientID: '790123979285-osjbhimrhnbvnaofplavp9auh9tgkq5k.apps.googleusercontent.com', // Client ID clientSecret: '9RjuURmdon0UePqIbS2wJB9h' }, // Sample OKTA authentication // login: [email protected] // password: Horrible-Dotterel-75 okta: { domain: 'domain', callbackUrlDomain: DOMAIN_NAME, calllbackUrlPort: SERVER_PORT, scope: ['profile', 'email'], clientID: 'client-id', // Client ID clientSecret: 'client-secret' } }, saml2: { provider: 'google', // supported values: google google: { entryPoint: 'https://accounts.google.com/o/saml2/idp?idpid=C02oz2242', // replace with value appropriate for your project issuer: 'nikepoc', // replace with value appropriate for your project certPath: __utils.absPath('./config/certs/saml2/all/google-saml2.pem'), // replace with value appropriate for your project attributesMapping: { // key is the property name stored in the SEIA user profile, the value is the property name from the SAML profile _id: 'nameID', email: 'nameID', firstName: 'firstName', lastName: 'lastName', groups: 'groups' } }, okta: { entryPoint: 'https://cagsearchdemoseia.okta.com/app/cagsearchdemoorg743328_nikepocalex_1/exkpkxgzlpV0GyoMS356/sso/saml', // replace with value appropriate for your project issuer: 'nikepoc', // replace with value appropriate for your project certPath: __utils.absPath('./config/certs/saml2/all/okta-saml2.pem'), // replace with value appropriate for your project attributesMapping: { // key is the property name stored in the SEIA user profile, the value is the property name from the SAML profile _id: 'nameID', email: 'nameID', firstName: 'firstName', lastName: 'lastName', groups: 'groups' } } }, ldap: { provider: 'apacheds', apacheds: { server: { url: 'ldap://localhost:10389', bindDN: 'uid=admin, ou=system', // Bind DN or User bindCredentials: 'secret', // password searchBase: 'ou=users,dc=esui,dc=com', searchFilter: '(uid={{username}})', searchAttributes: ['uid', 'cn', 'sn', 'displayName', 'ou', 'photo'] }, attributesMapping: { // key is the property name stored in the SEIA user profile, the value is the user attribute in LDAP _id: 'uid', // _id is required account: 'uid', // account is for roles and group expansion email: 'uid', firstName: 'cn', lastName: 'sn', name: 'cn', alias: 'displayName', // if the alias is not given, one is created from the first and last name or roles groups: 'ou', photo: 'photo' } }, ad: { server: { url: 'ldaps://ad.corporate.com:636', bindDN: 'cn=non-person,ou=system,dc=corp,dc=corporate,dc=com', bindCredentials: 'secret', searchBase: 'dc=corp,dc=corporate,dc=com', searchFilter: '(&(objectcategory=person)(objectclass=user)(|(samaccountname={{username}})(mail={{username}})))', searchAttributes: ['displayName', 'mail', 'samaccountname'], tlsOptions: { ca: [ // fs.readFileSync('/path/to/root_ca_cert.crt') ] } }, attributesMapping: { // key is the property name stored in the SEIA user profile, the value is the user attribute in LDAP _id: 'samaccountname', account: 'samaccountname', // account is for roles and group expansion email: 'mail', firstName: 'givenName', lastName: 'sn', groups: 'groups' } } } }, . . . } } |
type - Indicate the type of authentication to use, by default is none. Currently Enterprise Search handles 3 authentications oauth2, smal2 and ldap.
Note |
---|
If the type is none, allowGroups will not take effect, as well as permissions |
The attributesMapping in the providers (the ones which have) maps the data collected to a common, the only required properties to map are _id and account, other properties are optional or replaced with a default value