Versions Compared

Old Version 6

changes.mady.by.user Potter (Esteban Alvarado)

Saved on

compared with

New Version 7

changes.mady.by.user Potter (Esteban Alvarado)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

On the configuration file you can find the security section, in this section option like the encryptionKey, inactive timeout, roles and authentication can be found:

  • Parameter
    summaryEnables the server authentication, including login page (if need)
    default false
    nameenable
    typeboolean
    requiredtrue
  • Parameter
    summaryDefines the timeout for an inactive session, after the timeout is trigger, the session will expire and the user will need to login again
    default600
    nameinactiveInterval
    typeinteger
    • Every action perform by the user, restarts the timeout
  • Parameter
    summaryLocation of the file holding the encryption key, Saga server provides one by default
    default./bin/saga.ek
    nameencryptionKeyFile
    requiredtrue
    • Warning

      Change the encyptionKeyFile as soon as you start a working on a new project

  • Parameter
    summaryDefault role to be use in the users if no role is provided. At the moment Saga Server has 2 roles admin and editor
    defaultadmin
    namedefaultRole
  • Parameter
    summaryDefines the type of authentication to be use by the server
    defaultconfig
    nametype

    • Additional configuration is required depending on the type of security selected


Saga_json
"security": {
      "enable": true,
      "inactiveInterval": 600,
      "encryptionKeyFile" : "./bin/saga.ek",
      "defaultRole": "admin",

      "type": "<AUTHENTICATION_TYPE>",

.
.
.
}


Saga Server counts with 3 authentication types

  • Config - Uses usernames and passwords defined in the configuration file
  • LDAP - Uses the LDAP protocol to connect to a Directory Server
  • SAML - SSO login method offering more secure authentication. (Currently on development, available Microsoft SSO)

Authentication Type

Config

Config authentication is the most basic of all, ideal for demos, but not recommended for production environments, unless in a close environment. This authentication uses Users, Passwords and Roles defined in the same config file, under the users field, one entry per user.

Config will allow you to login via Form and Basic Authentication

Saga_json
"security": {
 	"enable": true,
    "inactiveInterval": 600,
    "encryptionKeyFile" : "./bin/saga.ek",
    "defaultRole": "admin",
    "type": "config",

    "users": [
     	{
         	"username": "admin",
         	"password": "password",
         	"roles": "admin"
        },
        {
         	"username": "user1",
         	"password": "p@ssword",
         	"roles": "editor"
        },
        {...}
        .
        .
        .
 	]
}

LDAP

LDAP, the Lightweight Directory Access Protocol, is a mature, flexible, and well supported standards-based mechanism for interacting with directory servers.

LDAP will allow you to login via Form and Basic Authentication

  • Parameter
    summaryUrl to the LDAP server
    nameserver
    requiredtrue
  • Parameter
    summaryField to use as the user account
    defaultcn
    nameuserAccountField
  • Parameter
    summaryLDAP distinguished name to the location of the users
    namebindDN
    requiredtrue
  • Parameter
    summaryField to use as the user ID
    defaultuid
    nameidField
  • Parameter
    summaryField to use as the user password
    defaultpassword
    namepasswordField
  • Parameter
    summaryNames of the attributes to return for the user profile
    nameattributes
    typestring array
    requiredtrue


Saga_json
"security": {
	"enable": true,
 	"inactiveInterval": 600,
    "encryptionKeyFile" : "./bin/saga.ek",
    "defaultRole": "admin",
    "type": "ldap",

    "ldap": {
     	"server": "ldap://localhost:10389",
        "userAccountField": "cn",
        "bindDN": "ou=Users,dc=example,dc=com",
        "idField": "uid",
        "passwordField": "userPassword",
        "attributes": [
         	"givenName",
            "mail"
    	]
	},
}

SAML

Security Assertion Markup Language (SAML) is a login standard that helps users access applications based on sessions in another context. It’s a single sign-on (SSO) login method offering more secure authentication (with a better user experience) than usernames and passwords.

SAML will redirect you to the provider login page, so no login page is required.

Note

Currently it is under development, but Microsoft SSO is supported


  • Parameter
    summaryPath to the keystore holding the certificates
    namekeystorePath
    requiredtrue
  • Parameter
    summarypassword to the keystore
    namekeystorePassword
    requiredtrue
  • Parameter
    summaryPassword to the keys in the keystore
    nameprivateKeyPassword
    requiredtrue
  • Parameter
    summaryPath to the identity provider, provided by the SAML Service
    nameidentityProviderMetadataPath
    requiredtrue
  • Parameter
    summaryServer url of the Saga Server. Called by the authentication provider
    nameserverURL
    requiredtrue
    • This will be used to generate the callback url which is form like this <Server_URL>/saga/auth/callback
    • Note

      You need to add the callback url (e.g. http://localhost:8080)/saga/auth/callback) to your Authentication provider

  • Parameter
    summaryAttribute to use as the user ID
    namenameIdAttribute


Saga_json
"security": {
 	"enable": true,
    "inactiveInterval": 600,
    "encryptionKeyFile" : "./bin/saga.ek",
    "defaultRole": "admin",
    "type": "saml",

    "saml": {
     	"keystorePath": "config/samlKeystore.jks",
        "keystorePassword": "samlKeystore-passwd",
        "privateKeyPassword": "samlKeystore-passwd",
        "identityProviderMetadataPath": "config/identityProvider.xml",
        "serverURL": "https://your_server_url_here",
        "nameIdAttribute": "http://schemas.microsoft.com/identity/claims/identityprovider"
    }
}

Login Methods

Currently Saga Server has 3 methods to login, (besides the login of SAML)

Form

The Form login , will enable the login page for the Saga Server, here you can user your username and password to access. This method uses a POST HTTP request.

Basic Authentication

When employing Basic Authentication, users include an encoded string in the Authorization header of each request they make. The string is used by the request’s recipient to verify user’s identity and rights to access a resource.

The Authorization header follows this format:

Authorization: Basic <credentials>

We then construct the credentials like this:

  1. The user’s username and password are combined with a colon.
  2. The resulting string is base64 encoded.


Code Block
curl --location --request GET 'http://localhost:8080/saga/api/client/process/units' \
--header 'Authorization: Basic <Base64(USERNAME:PASSWORD)>'


API Key

Info

This method is recommended when having communication between services without user interaction.

When employing API Keys, the service include an API Key string in the Authorization header of each request they make. The string is used by the request’s recipient to verify service’s identity and rights to access a resource.

The Authorization header follows this format:

Authorization: Saga <API_KEY>

This API Keys, must be created in the Credentials section inside the Tools Menu. This keys can only be created by an authenticated user


Code Block
curl --location --request GET 'http://localhost:8080/saga/api/client/process/units' \
--header 'Authorization: Saga <API_KEY>'