Wiki source code of 02a. Authentication
Last modified by Ian Covey on 06/11/2025, 14:23
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | {{box cssClass="floatinginfobox" title="**Contents**"}} | ||
| 2 | {{toc/}} | ||
| 3 | {{/box}} | ||
| 4 | |||
| 5 | A number of authentication settings, designed to control secure access across a network, are fully configurable. | ||
| 6 | |||
| 7 | In a Windows environment, a single sign-on process is available. Users registered on the Windows Domain have a proxy [[CXAIR>>doc:Technical Documentation.CXAIR.WebHome]] account automatically created the first time they connect to a server instance. | ||
| 8 | |||
| 9 | This provides an additional benefit in relation to file directory Indexes, as [[CXAIR>>doc:Technical Documentation.CXAIR.WebHome]] can validate the user permissions based on the combined Windows/CXAIR account. This is achieved through the open source library, jCIFS. | ||
| 10 | |||
| 11 | For non-Windows environments, additional security implementations include J2EE, Kerberos, Client SSL, Silent, Anonymous and JDBC. | ||
| 12 | |||
| 13 | Using an external authentication mechanism to authenticate users as they access the solution provides greater control over access and removes the requirement for users to manually log in. | ||
| 14 | |||
| 15 | There are a number of authentication methods available for configuration. To access the Authentication screen, click **Setup**, **Security** then **Authentication Methods**. | ||
| 16 | |||
| 17 | In the **Details** tab select which authentication methods will be applicable to your CXAIR instance. | ||
| 18 | |||
| 19 | |||
| 20 | = Summary of authentication methods = | ||
| 21 | |||
| 22 | The table below gives a summary of authentication methods available to use with CXAir, whether that method can create CXAir users and the type of authentication available. | ||
| 23 | |||
| 24 | (% border="0" cellpadding="0" cellspacing="0" style="margin-left:auto; margin-right:auto" %) | ||
| 25 | |=Method|=Create User|=Password Authentication|=Silent Authentication|=Automatic Authentication | ||
| 26 | |IMAnalytics|No|Yes|No|No | ||
| 27 | |Silent|No|No|Yes|No | ||
| 28 | |Windows|Yes|No|Yes|No | ||
| 29 | |Microsoft Account|Yes|No|Yes|No | ||
| 30 | |Google|Yes|No|Yes|No | ||
| 31 | |OAuth2|Yes|No|Yes|Yes | ||
| 32 | |SAML|Yes|No|Yes|Yes | ||
| 33 | |Anonymous|No|No|No|No | ||
| 34 | |||
| 35 | = Windows = | ||
| 36 | |||
| 37 | Windows Authentication allows user access to be controlled using an existing Windows Authentication server to manage users and passwords. | ||
| 38 | |||
| 39 | When enabled, users will not be required to log in manually as Windows Authentication will determine the relevant access rights. This will override any passwords that have been created manually in the [[User Preferences>>doc:Technical Documentation.CXAIR.User Guide.6\. User Preferences.WebHome]] settings. | ||
| 40 | |||
| 41 | CXAIR will only authenticate with the domain controller assigned to the Windows host machine. | ||
| 42 | |||
| 43 | The following URL is used when logging in: | ||
| 44 | |||
| 45 | **http:~/~/<servername>:6453/cxair/windows.jsp** | ||
| 46 | |||
| 47 | User permissions are taken from the **default** user. | ||
| 48 | |||
| 49 | Please note that Windows Authentication is only designed to work with the Internet Explorer web browser. | ||
| 50 | |||
| 51 | Enter the relevant server details in the **Domain** and **Authentication Server** text boxes to establish a connection to the required Windows Authentication network. If connections to multiple domains and authentication servers are required, enter the details as a comma separated list. | ||
| 52 | |||
| 53 | Enable the **Show Link To Log Back Into Windows** option to display a logout page with an option to log back in when users click the log out button. When disabled, the logout button will not work and users are advised to close the internet browser window to end their current session. | ||
| 54 | |||
| 55 | The **New Users Initially Active** option provides an additional layer of control over who can log into the CXAIR system. When enabled, every new Windows Authentication login will result in a new, active [[CXAIR>>doc:Technical Documentation.CXAIR.WebHome]] user. With the option disabled, an inactive user is instead created who cannot immediately log in. Administrators can then, from the [[Users>>doc:Technical Documentation.CXAIR.Administration Guide.Security.2b\. User Management.WebHome||anchor="Managing Created Users"]] screen, set the new users as active, if required. | ||
| 56 | |||
| 57 | = Microsoft Authentication (Azure) = | ||
| 58 | |||
| 59 | Enter the **Client ID**, **Authority** and **Secret Key**. Click **Modify Settings** to complete the process. | ||
| 60 | |||
| 61 | = {{id name="J2EE"/}}CXAIR = | ||
| 62 | |||
| 63 | Select CXAIR authentication to control user access using the options available in the solution. | ||
| 64 | |||
| 65 | Enter a value in the **Number of Failed Login Attempts Allowed** text box to specify how many failed loin attempts are allowed before a user is locked out. Specify how long they will be locked out for, in minutes, in the **Failed Attempt Lock Out Period** text box. | ||
| 66 | |||
| 67 | Specify, in minutes, how long a reset password link is valid for using the **Reset Password Expire** text box. | ||
| 68 | |||
| 69 | = Kerberos = | ||
| 70 | |||
| 71 | Selecting Kerberos allows an existing Kerberos authentication system to control access to the solution. | ||
| 72 | |||
| 73 | Enter the location of the Kerberos Key Distribution Centre in the **Kerberos KDC** text box. A **Kerberos Realm** requires the same information as a Windows Domain, but must be fully qualified and entered in uppercase. | ||
| 74 | |||
| 75 | = Client SSL = | ||
| 76 | |||
| 77 | Selecting Client SSL allows the use of client and server certificate authentication. When logging in, the client and server are both validated. | ||
| 78 | |||
| 79 | = Silent = | ||
| 80 | |||
| 81 | Silent authentication enables users to log into the solution without entering a username or password. This is accessed via a URL which can be bookmarked by the user. | ||
| 82 | |||
| 83 | The following URL is used: | ||
| 84 | |||
| 85 | **<machine>:<port>/cxair/silent_login.jsp?username=<user to create>** | ||
| 86 | |||
| 87 | A username must be added to the end of the URL specific for each user to ensure that multiple users are not logging into the solution using the same details. | ||
| 88 | |||
| 89 | = Anonymous = | ||
| 90 | |||
| 91 | Using Anonymous authentication, users are able to access the solution without login credentials via the following URL: | ||
| 92 | |||
| 93 | **http:~/~/hostname:port/cxair/login/noauth/loggedin.jsp** | ||
| 94 | |||
| 95 | Once accessed for the first time, a **noauth** user is displayed in the [[User Preferences>>doc:Technical Documentation.CXAIR.User Guide.6\. User Preferences.WebHome]], where permissions can be set for those accessing the tool without logging in. | ||
| 96 | |||
| 97 | = SAML = | ||
| 98 | |||
| 99 | Use the following property file structure for a SAML implementation. You will need to change the items in **bold**: | ||
| 100 | |||
| 101 | saml.misc.perform.global.logout=true | ||
| 102 | saml.misc.logout.url=**http:~/~/www.connexica.com** | ||
| 103 | saml.misc.role.mapping=true | ||
| 104 | saml.misc.role.attr.key.list.entry.1=roles | ||
| 105 | saml.misc.role.attr.key.list.entry.2=attr:cxairRole | ||
| 106 | saml.misc.role.attr.key.list.entry.3=attr:cxairRole2 | ||
| 107 | saml.misc.role.attr.key.list.entry.4=attr:cxairRole3 | ||
| 108 | saml.misc.role.attr.key.list.entry.5=attr:cxairRole4 | ||
| 109 | saml.misc.role.attr.value.format=CSV | ||
| 110 | saml.misc.role.attr.value.delimiter=_ | ||
| 111 | saml.misc.user.attr.key.list.entry.1=nameid | ||
| 112 | saml.misc.user.attr.key.list.entry.2=attr:nameid | ||
| 113 | saml.misc.user.attr.key.list.entry.3=attr:UserID | ||
| 114 | saml.misc.user.attr.key.list.entry.4=attr:UserId | ||
| 115 | |||
| 116 | saml.keystore.file.path=**/Tomcat/Catalina/keystore** | ||
| 117 | saml.keystore.file.name=.keystore | ||
| 118 | saml.keystore.password=changeit | ||
| 119 | saml.keystoremap.map.entry.1=cxair,changeit | ||
| 120 | saml.keystore.default.key=cxair | ||
| 121 | |||
| 122 | saml.sp.metadata.entity.baseurl=**https:~/~/connexica.com:6454/cxair** | ||
| 123 | saml.sp.metadata.entity.id=**https:~/~/connexica.com:6454/cxair** | ||
| 124 | saml.sp.metadata.id= | ||
| 125 | saml.sp.metadata.request.signed=false | ||
| 126 | saml.sp.metadata.wantassertion.signed=true | ||
| 127 | saml.sp.metadata.signature.algorithm=SHA256 | ||
| 128 | |||
| 129 | saml.sp.metadata.assertion.consumer.idx=0 | ||
| 130 | |||
| 131 | saml.idp.metadata.regex.1=**username** | ||
| 132 | saml.idp.metadata.provider.1=urlIdpMetadata | ||
| 133 | saml.idp.metadata.url.1=https:~/~/idp.ssocircle.com/ | ||
| 134 | saml.idp.metadata.timeout.1=5000 | ||
| 135 | saml.idp.metadata.file.path.1=**/home/Downloads** | ||
| 136 | saml.idp.metadata.file.name.1=exportmetadata.jsp.xml | ||
| 137 | |||
| 138 | saml.sp.metadata.signing.key=cxair | ||
| 139 | saml.sp.metadata.encryption.key=cxair | ||
| 140 | saml.sp.metadata.nameidlist.list.entry.1=UNSPECIFIED | ||
| 141 | saml.sp.metadata.nameidlist.list.entry.2=TRANSIENT | ||
| 142 | |||
| 143 | Click **Modify Settings** to save the changes. | ||
| 144 | |||
| 145 | = JDBC = | ||
| 146 | |||
| 147 | Using the **JDBC** checkbox in the **Details** tab, users are able to query Index created in the solution via a third-party SQL client and a provided .jar file. | ||
| 148 | |||
| 149 | Enable the **JDBC** checkbox and navigate to the following URL to download the required file: | ||
| 150 | |||
| 151 | **http:~/~/<server name or IP address>:<port number>/cxair/jdbc/CXAIR-jdbc-client.jar** | ||
| 152 | |||
| 153 |