Default Security Configuration

```js
{
    security: {
        protocol: process.env.PROTOCOL || 'http', // https or http

        /*******************************************************************************
         * Content Security Policy for the requests,
         *******************************************************************************/
        allowDomainsAccess: {
            // Defines the default policy for fetching resources such as JavaScript, Images, CSS, Fonts, AJAX requests, Frames, HTML5 Media
            defaults: [],
            // Defines valid sources of images.
            images: ['image.tmdb.org'],
            // Defines valid sources of stylesheets or CSS.
            styles: [],
            // Defines valid sources of JavaScript.
            scripts: [],
            // Applies to XMLHttpRequest (AJAX), WebSocket, fetch(), <a ping> or EventSource. If not allowed the browser emulates a 400
            connects: []
        },

        allowGroups: ['Administrators'], // Groups with access to the user interface

        encryption: {
            secretKey: __utils.absPath('./config/server/auth/epk'),
            iv: __utils.absPath('./config/server/auth/eiv')
        },

        /*******************************************************************************
         * SSL Certificate, only applicable when protocol is https
         *******************************************************************************/
        serverCert: {
            certFilePath: __utils.absPath('./config/certs/server/all/server-cert.pem'),
            keyFilePath: __utils.absPath('./config/certs/server/all/server-key.pem'),
            keyFilePassphrase: ''
        },

        /*******************************************************************************
         * Group Expansion
         *******************************************************************************/
        groupExpansion: {
            enabled: false,
            url: 'http://localhost:50505/groupExpansion?username=${user.account}&json=1'
        },

        /*******************************************************************************
         * User Authentication
         *******************************************************************************/
        auth: { . . . },
        permissions: {
            default_role: 'reader',
            file: __utils.absPath('./config/server/auth/permissions.csv')
        },
        roles: {
            file: __utils.absPath('./config/server/auth/roles.csv')
        }
    },
}
```
  • protocol - The protocol can be https or http; declare it through the PROTOCOL environment variable or directly in the configuration

  • allowDomainsAccess - These properties populate the Content Security Policy headers; any resource loaded from an external source must be listed here, otherwise the browser will block it in the user interface
    • defaults - Defines the default policy for fetching resources such as JavaScript, Images, CSS, Fonts, AJAX requests, Frames, HTML5 Media.
    • images - Defines valid sources of images.
    • styles - Defines valid sources of stylesheets or CSS.
    • scripts - Defines valid sources of JavaScript.
    • connects - Applies to XMLHttpRequest (AJAX), WebSocket, fetch(), <a ping> or EventSource. If a source is not allowed, the browser emulates a 400.

  • allowGroups - Security groups allowed to access the user interface; if none are given, it is available to anyone

    Note

    If the auth type is none, this setting has no effect

  • encryption - Encryption properties
    • secretKey - the secret key which will be used for encryption
    • iv - the IV complementing the secret key

      Warning

      Always change these values from the defaults

  • serverCert - The certificates configuration
    • certFilePath - Certificate file
    • keyFilePath - Private key file for the certificate
    • keyFilePassphrase - Passphrase of the private key

  • groupExpansion - Connection to the Aspire service which will expand the groups of each logged-in user
    • enabled - Enables or disables the group expansion
    • url - URL of the Aspire service; it must contain the replacement variable ${user.account} in order to get the groups of the correct user

  • auth - Explained in the Authentication section below

  • permissions - Permission properties, which can be managed later from the user interface
    • default_role - If a permission doesn't have a role, or the user is not specified, this role is assigned
    • file - A CSV file used to kick-start the permissions database; it is only used if the database doesn't exist yet. The format of the CSV is Name, Alias, Account, Role.

      Note

      If the auth type is none, this setting has no effect


  • roles - Role properties which will be available for the permissions
    • file - A CSV file used to kick-start the roles database; it is only used if the database doesn't exist yet. The format of the CSV is ID, Role, Value.
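
How the allowDomainsAccess lists turn into Content-Security-Policy directives, and how the groupExpansion URL template is filled in, as an added example in JavaScript. It is not Enterprise Search code: the functions buildCsp and groupExpansionUrl, the HOST_SOURCE check and the always-present 'self' source are assumptions of this example, and the sample values are constructed from the default configuration above.

```javascript
// Added example, not Enterprise Search code. Assumptions: the UI always allows
// its own origin ('self'); each allowDomainsAccess entry is an explicit host
// source such as 'image.tmdb.org' or 'https://cdn.example.com'; the account is
// URL-encoded before it is placed in the groupExpansion query string.

// Config list name -> CSP directive it feeds (per the property descriptions above).
const DIRECTIVES = {
  defaults: 'default-src',
  images: 'img-src',
  styles: 'style-src',
  scripts: 'script-src',
  connects: 'connect-src',
};

// A host source: optional scheme, optional "*." wildcard label, hostname, optional port.
// A bare '*' (allow everything) does not match and is rejected.
const HOST_SOURCE = /^(?:https?:\/\/|wss?:\/\/)?(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*(?::\d+)?$/i;

function buildCsp(allowDomainsAccess) {
  const directives = [];
  for (const [listName, directive] of Object.entries(DIRECTIVES)) {
    const sources = allowDomainsAccess[listName] || [];
    for (const src of sources) {
      if (!HOST_SOURCE.test(src)) {
        throw new Error(`allowDomainsAccess.${listName}: '${src}' is not an explicit host source`);
      }
    }
    directives.push([directive, "'self'", ...sources].join(' '));
  }
  return directives.join('; ');
}

// groupExpansion.url must contain ${user.account}; the account is encoded so that
// characters such as '&' or '#' in an account name cannot alter the query string.
const ACCOUNT_PLACEHOLDER = '${user.account}';

function groupExpansionUrl(template, user) {
  if (!template.includes(ACCOUNT_PLACEHOLDER)) {
    throw new Error('groupExpansion.url must contain the replacement variable ${user.account}');
  }
  return template.split(ACCOUNT_PLACEHOLDER).join(encodeURIComponent(user.account));
}

// Constructed samples matching the default configuration shown above.
const SAMPLE_ACCESS = { defaults: [], images: ['image.tmdb.org'], styles: [], scripts: [], connects: [] };
const SAMPLE_URL = 'http://localhost:50505/groupExpansion?username=${user.account}&json=1';

console.log(buildCsp(SAMPLE_ACCESS));
console.log(groupExpansionUrl(SAMPLE_URL, { account: 'j.doe&admin' }));
```

With the default lists the header reads `default-src 'self'; img-src 'self' image.tmdb.org; style-src 'self'; script-src 'self'; connect-src 'self'`, which is why a resource from any other origin is blocked until its host is added to the matching list.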

Authentication

Authentication Configuration

```js
{
    security: {
        .
        .
        .
        /*******************************************************************************
         * User Authentication
         *******************************************************************************/
        auth: {
            type: 'none',
            passport: {
                secret: 'SearchTech'
            },
            oauth2: {
                provider: 'google',
                callbackUrlDomain: DOMAIN_NAME,
                calllbackUrlPort: SERVER_PORT,
                google: {
                    scope: ['profile', 'email'],
                    clientID: '790123979285-osjbhimrhnbvnaofplavp9auh9tgkq5k.apps.googleusercontent.com', // Client ID
                    clientSecret: '9RjuURmdon0UePqIbS2wJB9h'
                },

                // Sample OKTA authentication
                // login: [email protected]
                // password: Horrible-Dotterel-75
                okta: {
                    domain: 'domain',
                    callbackUrlDomain: DOMAIN_NAME,
                    calllbackUrlPort: SERVER_PORT,
                    scope: ['profile', 'email'],
                    clientID: 'client-id', // Client ID
                    clientSecret: 'client-secret'
                }
            },
            saml2: {
                provider: 'google', // supported values: google
                google: {
                    entryPoint: 'https://accounts.google.com/o/saml2/idp?idpid=C02oz2242', // replace with value appropriate for your project
                    issuer: 'nikepoc', // replace with value appropriate for your project
                    certPath: __utils.absPath('./config/certs/saml2/all/google-saml2.pem'), // replace with value appropriate for your project
                    attributesMapping: { // key is the property name stored in the SEIA user profile, the value is the property name from the SAML profile
                        _id: 'nameID',
                        email: 'nameID',
                        firstName: 'firstName',
                        lastName: 'lastName',
                        groups: 'groups'
                    }
                },
                okta: {
                    entryPoint: 'https://cagsearchdemoseia.okta.com/app/cagsearchdemoorg743328_nikepocalex_1/exkpkxgzlpV0GyoMS356/sso/saml', // replace with value appropriate for your project
                    issuer: 'nikepoc', // replace with value appropriate for your project
                    certPath: __utils.absPath('./config/certs/saml2/all/okta-saml2.pem'), // replace with value appropriate for your project
                    attributesMapping: { // key is the property name stored in the SEIA user profile, the value is the property name from the SAML profile
                        _id: 'nameID',
                        email: 'nameID',
                        firstName: 'firstName',
                        lastName: 'lastName',
                        groups: 'groups'
                    }
                }
            },
            ldap: {
                provider: 'apacheds',
                apacheds: {
                    server: {
                        url: 'ldap://localhost:10389',
                        bindDN: 'uid=admin, ou=system', // Bind DN or User
                        bindCredentials: 'secret', // password
                        searchBase: 'ou=users,dc=esui,dc=com',
                        searchFilter: '(uid={{username}})',
                        searchAttributes: ['uid', 'cn', 'sn', 'displayName', 'ou', 'photo']
                    },
                    attributesMapping: { // key is the property name stored in the SEIA user profile, the value is the user attribute in LDAP
                        _id: 'uid', // _id is required
                        account: 'uid', // account is for roles and group expansion
                        email: 'uid',
                        firstName: 'cn',
                        lastName: 'sn',
                        name: 'cn',
                        alias: 'displayName', // if the alias is not given, one is created from the first and last name or roles
                        groups: 'ou',
                        photo: 'photo'
                    }
                },
                ad: {
                    server: {
                        url: 'ldaps://ad.corporate.com:636',
                        bindDN: 'cn=non-person,ou=system,dc=corp,dc=corporate,dc=com',
                        bindCredentials: 'secret',
                        searchBase: 'dc=corp,dc=corporate,dc=com',
                        searchFilter: '(&(objectcategory=person)(objectclass=user)(|(samaccountname={{username}})(mail={{username}})))',
                        searchAttributes: ['displayName', 'mail', 'samaccountname'],
                        tlsOptions: {
                            ca: [
                                // fs.readFileSync('/path/to/root_ca_cert.crt')
                            ]
                        }
                    },
                    attributesMapping: { // key is the property name stored in the SEIA user profile, the value is the user attribute in LDAP
                        _id: 'samaccountname',
                        account: 'samaccountname', // account is for roles and group expansion
                        email: 'mail',
                        firstName: 'givenName',
                        lastName: 'sn',
                        groups: 'groups'
                    }
                }
            }
        },
        .
        .
        .
    }
}
```
  • type - Indicates the type of authentication to use; by default it is none. Currently Enterprise Search handles 3 authentication types: oauth2, saml2 and ldap.

    Note

    If the type is none, allowGroups will not take effect, as well as permissions

  • passport - Passport properties applicable to the session
    • secret - secret key for the passport session

  • oauth2 (Type) - Configuration for the oauth2 authentication type
    • provider - The provider configuration name to use for oauth2 (currently google or okta)
    • callbackUrlDomain -
    • calllbackUrlPort -
    • google - Provider configuration; works with the passport-google-oauth20 library
    • okta - Provider configuration; works with the passport-okta-oauth library
  • saml2 (Type) - Configuration for the saml2 authentication type (providers currently google and okta)
    • provider - The provider configuration name to use for saml2
    • (google | okta) - Provider configuration; works with the passport-saml library

  • ldap (Type) - Configuration for the ldap authentication type (providers currently apacheds and ad, i.e. Active Directory)
    • provider - The provider configuration name to use for ldap
    • (apacheds | ad) - Provider configuration; works with the passport-ldapauth library

Common Property attributesMapping

The attributesMapping property of the providers that support it maps the data collected from the provider to the common SEIA user profile. The only properties which must be mapped are _id and account; the other properties are optional or are replaced with a default value.
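
The mapping rules described above, applied to a provider profile, as an added JavaScript example. It is not Enterprise Search code: the function applyAttributesMapping, the flattening of multi-valued LDAP attributes to their first value and the empty-list default for groups are assumptions of this example; the alias fallback to "firstName lastName" and the _id/account requirement follow the comments in the configuration above, and the LDAP entry is constructed.

```javascript
// Added example, not Enterprise Search code. Keys of the mapping are SEIA profile
// properties, values are provider attribute names; _id and account are required and
// alias falls back to "firstName lastName" (from the apacheds comments above).
// Assumed defaults: groups -> [], multi-valued LDAP attributes flattened to [0].

const REQUIRED_PROPERTIES = ['_id', 'account'];

function applyAttributesMapping(mapping, providerProfile) {
  const profile = {};
  for (const [seiaKey, providerKey] of Object.entries(mapping)) {
    let value = providerProfile[providerKey];
    // LDAP clients return multi-valued attributes as arrays; only groups stays a list.
    if (Array.isArray(value) && seiaKey !== 'groups') value = value[0];
    if (value !== undefined && value !== null && value !== '') profile[seiaKey] = value;
  }
  // Reject the login rather than create a profile without an identity or account.
  for (const key of REQUIRED_PROPERTIES) {
    if (!profile[key]) {
      throw new Error(`attributesMapping: required property '${key}' is missing (mapped from '${mapping[key]}')`);
    }
  }
  if (!profile.alias) {
    profile.alias = [profile.firstName, profile.lastName].filter(Boolean).join(' ') || profile.account;
  }
  if (profile.groups === undefined) profile.groups = [];
  else if (!Array.isArray(profile.groups)) profile.groups = [profile.groups];
  return profile;
}

// The apacheds mapping from the configuration above.
const APACHEDS_MAPPING = {
  _id: 'uid', account: 'uid', email: 'uid', firstName: 'cn', lastName: 'sn',
  name: 'cn', alias: 'displayName', groups: 'ou', photo: 'photo',
};

// Constructed LDAP entry: displayName is empty, so the alias must be derived.
const SAMPLE_LDAP_ENTRY = { uid: 'jdoe', cn: 'John', sn: 'Doe', displayName: '', ou: ['readers', 'search-users'] };

console.log(applyAttributesMapping(APACHEDS_MAPPING, SAMPLE_LDAP_ENTRY));
```

Because groups feeds allowGroups and the permissions lookup, an entry whose mapped group attribute is absent ends up with an empty list and therefore no group-based access, which is the safe direction for a missing attribute.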