02a. Authentication
A number of authentication settings, designed to control secure access across a network, are fully configurable.
In a Windows environment, a single sign-on process is available. Users registered on the Windows Domain have a proxy CXAIR account automatically created the first time they connect to a server instance.
This provides an additional benefit in relation to file directory Indexes, as CXAIR can validate the user permissions based on the combined Windows/CXAIR account. This is achieved through the open source library, jCIFS.
For non-Windows environments, additional security implementations include J2EE, Kerberos, Client SSL, Silent, Anonymous and JDBC.
Using an external authentication mechanism to authenticate users as they access the solution provides greater control over access and removes the requirement for users to manually log in.
There are a number of authentication methods available for configuration. To access the Authentication screen, click Setup, Security then Authentication Methods.
In the Details tab select which authentication methods will be applicable to your CXAIR instance.
Summary of authentication methods
The table below summarises the authentication methods available with CXAIR, whether each method can create CXAIR users, and the type of authentication each supports.
| Method | Create User | Password Authentication | Silent Authentication | Automatic Authentication |
|---|---|---|---|---|
| IMAnalytics | No | Yes | No | No |
| Silent | No | No | Yes | No |
| Windows | Yes | No | Yes | No |
| Microsoft Account | Yes | No | Yes | No |
| | Yes | No | Yes | No |
| OAuth2 | Yes | No | Yes | Yes |
| SAML | Yes | No | Yes | Yes |
| Anonymous | No | No | No | No |
Windows
Windows Authentication allows user access to be controlled using an existing Windows Authentication server to manage users and passwords.
When enabled, users will not be required to log in manually as Windows Authentication will determine the relevant access rights. This will override any passwords that have been created manually in the User Preferences settings.
CXAIR will only authenticate with the domain controller assigned to the Windows host machine.
The following URL is used when logging in:
http://<servername>:6453/cxair/windows.jsp
User permissions are taken from the default user.
Please note that Windows Authentication is only designed to work with the Internet Explorer web browser.
Enter the relevant server details in the Domain and Authentication Server text boxes to establish a connection to the required Windows Authentication network. If connections to multiple domains and authentication servers are required, enter the details as a comma separated list.
Enable the Show Link To Log Back Into Windows option to display a logout page with an option to log back in when users click the log out button. When disabled, the logout button will not work and users are advised to close the internet browser window to end their current session.
The New Users Initially Active option provides an additional layer of control over who can log into the CXAIR system. When enabled, every new Windows Authentication login will result in a new, active CXAIR user. With the option disabled, an inactive user is instead created who cannot immediately log in. Administrators can then, from the Users screen, set the new users as active, if required.
Microsoft Authentication (Azure)
Enter the Client ID, Authority and Secret Key. Click Modify Settings to complete the process.
CXAIR
Select CXAIR authentication to control user access using the options available in the solution.
Enter a value in the Number of Failed Login Attempts Allowed text box to specify how many failed login attempts are allowed before a user is locked out. Specify how long they will be locked out for, in minutes, in the Failed Attempt Lock Out Period text box.
Specify, in minutes, how long a reset password link is valid for using the Reset Password Expire text box.
Kerberos
Selecting Kerberos allows an existing Kerberos authentication system to control access to the solution.
Enter the location of the Kerberos Key Distribution Centre in the Kerberos KDC text box. A Kerberos Realm requires the same information as a Windows Domain, but must be fully qualified and entered in uppercase.
Client SSL
Selecting Client SSL allows the use of client and server certificate authentication. When logging in, the client and server are both validated.
Silent
Silent authentication enables users to log into the solution without entering a username or password. This is accessed via a URL which can be bookmarked by the user.
The following URL is used:
<machine>:<port>/cxair/silent_login.jsp?username=<user to create>
A username must be added to the end of the URL specific for each user to ensure that multiple users are not logging into the solution using the same details.
Anonymous
Using Anonymous authentication, users are able to access the solution without login credentials via the following URL:
http://hostname:port/cxair/login/noauth/loggedin.jsp
Once accessed for the first time, a noauth user is displayed in the User Preferences, where permissions can be set for those accessing the tool without logging in.
SAML
Use the following property file structure for a SAML implementation. You will need to change the items in bold:
```properties
saml.misc.perform.global.logout=true
saml.misc.logout.url=http://www.connexica.com
saml.misc.role.mapping=true
saml.misc.role.attr.key.list.entry.1=roles
saml.misc.role.attr.key.list.entry.2=attr:cxairRole
saml.misc.role.attr.key.list.entry.3=attr:cxairRole2
saml.misc.role.attr.key.list.entry.4=attr:cxairRole3
saml.misc.role.attr.key.list.entry.5=attr:cxairRole4
saml.misc.role.attr.value.format=CSV
saml.misc.role.attr.value.delimiter=_
saml.misc.user.attr.key.list.entry.1=nameid
saml.misc.user.attr.key.list.entry.2=attr:nameid
saml.misc.user.attr.key.list.entry.3=attr:UserID
saml.misc.user.attr.key.list.entry.4=attr:UserId
saml.keystore.file.path=/Tomcat/Catalina/keystore
saml.keystore.file.name=.keystore
saml.keystore.password=changeit
saml.keystoremap.map.entry.1=cxair,changeit
saml.keystore.default.key=cxair
saml.sp.metadata.entity.baseurl=https://connexica.com:6454/cxair
saml.sp.metadata.entity.id=https://connexica.com:6454/cxair
saml.sp.metadata.id=
saml.sp.metadata.request.signed=false
saml.sp.metadata.wantassertion.signed=true
saml.sp.metadata.signature.algorithm=SHA256
saml.sp.metadata.assertion.consumer.idx=0
saml.idp.metadata.regex.1=username
saml.idp.metadata.provider.1=urlIdpMetadata
saml.idp.metadata.url.1=https://idp.ssocircle.com/
saml.idp.metadata.timeout.1=5000
saml.idp.metadata.file.path.1=/home/Downloads
saml.idp.metadata.file.name.1=exportmetadata.jsp.xml
saml.sp.metadata.signing.key=cxair
saml.sp.metadata.encryption.key=cxair
saml.sp.metadata.nameidlist.list.entry.1=UNSPECIFIED
saml.sp.metadata.nameidlist.list.entry.2=TRANSIENT
```
Click Modify Settings to save the changes.
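As an added example (not Connexica's code), the script below reads a property file in the format above, recovers the ordered `.list.entry.N` lists, and flags the settings a reviewer would want changed before the SAML configuration goes live. The sample values, the `parse_properties`, `ordered_list` and `audit` names, and the choice of checks are this example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample using the property names from the page (not a real deployment).
SAMPLE_PROPERTIES = """
saml.misc.role.attr.key.list.entry.2=attr:cxairRole
saml.misc.role.attr.key.list.entry.1=roles
saml.keystore.password=changeit
saml.keystoremap.map.entry.1=cxair,changeit
saml.sp.metadata.request.signed=false
saml.sp.metadata.wantassertion.signed=true
saml.idp.metadata.url.1=https://idp.ssocircle.com/
"""

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value reader: blank lines and # comments skipped, no escape handling."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def ordered_list(props: Dict[str, str], prefix: str) -> List[str]:
    """Values of '<prefix>.entry.N' keys sorted by N, i.e. the configured list order."""
    pat = re.compile(re.escape(prefix) + r"\.entry\.(\d+)$")
    entries = []
    for key, value in props.items():
        m = pat.match(key)
        if m:
            entries.append((int(m.group(1)), value))
    return [value for _, value in sorted(entries)]

def audit(props: Dict[str, str]) -> List[str]:
    """Flag settings a reviewer would question; these checks are this example's own."""
    findings = []
    if props.get("saml.keystore.password") == "changeit":
        findings.append("saml.keystore.password is the Java keystore default 'changeit'")
    for key, value in props.items():
        if key.startswith("saml.keystoremap.map.entry.") and value.endswith(",changeit"):
            findings.append(f"{key}: key password is the default 'changeit'")
        if key.startswith("saml.idp.metadata.url.") and not value.startswith("https://"):
            findings.append(f"{key}: IdP metadata is not fetched over HTTPS")
    if props.get("saml.sp.metadata.request.signed", "false").lower() != "true":
        findings.append("saml.sp.metadata.request.signed=false: AuthnRequests are unsigned")
    if props.get("saml.sp.metadata.wantassertion.signed", "false").lower() != "true":
        findings.append("saml.sp.metadata.wantassertion.signed is not true: unsigned assertions would be accepted")
    return findings
```

Run `audit(parse_properties(open("saml.properties").read()))` against a real file to get the list of findings; an empty list means none of the checks fired.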
JDBC
Using the JDBC checkbox in the Details tab, users are able to query Indexes created in the solution via a third-party SQL client and a provided .jar file.
Enable the JDBC checkbox and navigate to the following URL to download the required file:
http://<server name or IP address>:<port number>/cxair/jdbc/CXAIR-jdbc-client.jar