External Authentication
A Model Manager server uses the pluggable authentication framework Java authentication and authorization service (JAAS) to integrate with external authentication protocols. A login configuration is specified by listing vendor-supplied login modules that should be applied (in the order they are listed) when the user tries to log in.
Support for Windows® authentication and LDAP authentication as login modules is included with a Model Manager server installation. You may also specify a custom login module using a module class obtained from a third-party vendor.
A user that has authenticated via a login module can be automatically assigned membership to one or more groups in a Model Manager server database for the duration of their login session. This is useful if an administrator has already set up group memberships in the external credentials storage and wants to use the same groups for controlling access to items in a Model Manager server database.
See Database Administration and the Model Manager Reference Manual for more information on user management and access control.
The External Authentication page, opened by clicking External Authentication in the System navigation sidebar, shows all currently configured login modules in the Login Modules field and all group membership mappings in the Group mappings field. Both lists are empty for a new installation of a Model Manager server.
Click Edit to edit the login modules and group membership mappings. Click Clear to clear all login modules and group membership mappings.
You can test the validity of the configuration by clicking the Test button — see Testing an External Authentication Configuration.
Adding a Login Module
When editing the configuration for external authentication, click Add Login Module to add a new login module to the overall list of login modules.
1. Select the type of login module in the Type list. The available options are Windows Login, LDAP, and Custom — see below for their specific configuration settings.
2.
   a. Requisite. The login module is required to succeed for the overall authentication to succeed. If it succeeds, the next login module in the list of modules will be applied. If it fails, no other login module is applied.
   b. Optional. The login module is not required to succeed for the overall authentication to succeed. Regardless of whether it succeeds or fails, the next login module in the list of modules will be applied.
   c. Required. The login module is required to succeed for the overall authentication to succeed. Regardless of whether it succeeds or fails, the next login module in the list of modules will be applied.
   d. Sufficient. If the login module succeeds, no other login module is applied. If it fails, the next login module in the list of modules will be applied.
3. Click the Add Option button under Options to add custom options in the Option and Value fields. The supported options are vendor specific to each login module.
The overall external authentication is successful only if all applied login modules with Required and Requisite succeeded. Note that applied is important here — if a login module with Sufficient succeeds, only login modules with Required and Requisite specified before that login module need to succeed. At least one login module with Sufficient or Optional must succeed if there are no login modules with Required or Requisite.
The value set for the Control flag is irrelevant when only a single login module has been added. The overall authentication succeeds if, and only if, the login module is successful.
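The control-flag rules above decide both which login modules are applied and whether the overall authentication succeeds. The following is an added example, not Model Manager code and not the JAAS library itself: a small simulation of those rules. Each entry in the chain is a (control flag, outcome) pair, where the outcome is a constructed assumption about whether that module would succeed on its own; the function name evaluate_login_chain is hypothetical.

```python
# Added example: simulation of the JAAS control-flag rules described above.
# Not Model Manager code. Outcomes in the sample chains are constructed data.
from typing import List, Tuple

Chain = List[Tuple[str, bool]]  # (control flag, would this module succeed?)


def evaluate_login_chain(chain: Chain) -> Tuple[bool, List[int]]:
    """Apply the login modules in order and return
    (overall authentication succeeded, indices of the modules actually applied)."""
    if not chain:
        raise ValueError("at least one login module must be configured")

    applied: List[int] = []
    has_mandatory = False       # an applied Required/Requisite module exists
    mandatory_failed = False    # an applied Required/Requisite module failed
    optional_succeeded = False  # an applied Sufficient/Optional module succeeded

    for index, (flag, succeeded) in enumerate(chain):
        flag = flag.lower()
        applied.append(index)
        if flag in ("required", "requisite"):
            has_mandatory = True
            if not succeeded:
                mandatory_failed = True
                if flag == "requisite":
                    break  # Requisite failure: no other login module is applied
        elif flag == "sufficient":
            if succeeded:
                optional_succeeded = True
                break  # Sufficient success: later modules are not applied
        elif flag == "optional":
            if succeeded:
                optional_succeeded = True
        else:
            raise ValueError(f"unknown control flag: {flag!r}")

    # Success requires every applied Required/Requisite module to succeed;
    # with none applied, at least one Sufficient/Optional module must succeed.
    if has_mandatory:
        return (not mandatory_failed, applied)
    return (optional_succeeded, applied)


if __name__ == "__main__":
    # Constructed chains illustrating the "applied" subtlety from the text.
    sample_chains = {
        "required ok, sufficient ok, required fails (never applied)":
            [("Required", True), ("Sufficient", True), ("Required", False)],
        "required fails before sufficient ok":
            [("Required", False), ("Sufficient", True)],
        "requisite fails, optional never applied":
            [("Requisite", False), ("Optional", True)],
        "only optionals, one succeeds":
            [("Optional", False), ("Optional", True)],
    }
    for label, chain in sample_chains.items():
        ok, applied = evaluate_login_chain(chain)
        print(f"{label}: success={ok}, applied={applied}")
```

The third sample chain is the case to watch in a real configuration: a Requisite failure stops the chain, so a later Optional module that would have succeeded is never consulted, and the overall result is a failure.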
Windows Login
If you have installed the Model Manager server on the Windows® operating system, users can log in using Windows® authentication by adding a Windows login module.
1. Select the format used to identify the user being authenticated in the Principal format list. Select Fully qualified names for usernames of the form <domain>\<user>. Select SID to use security identifiers to identify users. Select Both to allow both fully qualified names and security identifiers.
2. Select the format for the returned principal role names of the authenticated user in the Role format list. Select Fully qualified names to return names of the form <domain>\<group>. Select SID to return security identifiers. Select Both to return both fully qualified names and security identifiers. Select None if no principal role names should be returned.
LDAP
You can configure a login module to use LDAP to communicate with a credentials storage supporting that protocol — for example, Windows® Active Directory® (AD) or OpenLDAP.
See the Java documentation for com.sun.security.auth.module.LdapLoginModule to learn more about the configuration settings for the LDAP login module.
1. Write the URL connection string used to connect to the LDAP server and directory containing the user to authenticate in the User Provider field. You can write several URL connection strings separated by spaces; each URL connection string will be attempted until a successful connection to the LDAP server is established.
2. Write an optional LDAP filter string in the User filter field. This specifies a search filter used to locate the user in the LDAP directory by the user's distinguished name in LDAP. Use the special token {USERNAME} as a placeholder for the username provided on the Log In page.
3. Write an LDAP distinguished name or some other string name in the Authentication identity field. The name is used to locate the user in the LDAP directory. The name must contain the token {USERNAME}, which acts as a placeholder for the username provided on the Log In page. The User filter field must be specified if the Authentication identity field does not contain a distinguished name.
4. Write a string name in the Authorization identity field that will be used to associate a principal name with a successfully authenticated user. You can write a single token of the form {<attribute-name>} as a placeholder for a user attribute value in LDAP that holds a principal name.
5.
A sample configuration for Windows® Active Directory® may look like:
1. User Provider: ldap://ldap.example.com:3268/DC=example,DC=com
2. User filter: (&(sAMAccountName={USERNAME})(objectclass=user))
3. Authentication identity: {USERNAME}@example.com
4. (left blank)
5. Use SSL: Enabled
A sample configuration for OpenLDAP may look like:
1. User Provider: ldap://ldap.example.com/ou=People,dc=example
2. User filter: (&(uid={USERNAME})(objectClass=inetOrgPerson))
3. (left blank)
4. (left blank)
5. Use SSL: Enabled
with Authentication identity intentionally left blank.
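The {USERNAME} token in the User filter is substituted into an LDAP search filter, so the username must be escaped as a filter value before substitution, while the same token in the Authentication identity is a bind name and must not receive filter escaping. The following added example, which is not Model Manager code and not the JDK's LdapLoginModule, shows that distinction, plus how an Authorization identity token of the form {attribute} resolves against the attributes of the located entry. It reuses the Active Directory sample settings above; the directory entry, the function names and the RFC 4515 escaping table are assumptions made here.

```python
# Added example: expansion of the {USERNAME} and {<attribute-name>} tokens.
# Not Model Manager or JDK code. The sample entry below is constructed.
import re
from typing import Dict, List

# RFC 4515, section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_user_filter(user_filter: str, username: str) -> str:
    """Replace {USERNAME} in the User filter with the escaped username,
    so a username cannot alter the structure of the search filter."""
    return user_filter.replace("{USERNAME}", escape_filter_value(username))


def expand_authentication_identity(auth_identity: str, username: str) -> str:
    """Replace {USERNAME} in the Authentication identity. This is a bind name
    sent to the server, not a filter, so filter escaping is not applied."""
    if "{USERNAME}" not in auth_identity:
        raise ValueError("Authentication identity must contain the {USERNAME} token")
    return auth_identity.replace("{USERNAME}", username)


_ATTRIBUTE_TOKEN = re.compile(r"^\{([A-Za-z][A-Za-z0-9-]*)\}$")


def resolve_authorization_identity(auth_id: str, entry: Dict[str, List[str]]) -> str:
    """Resolve the Authorization identity to a principal name. A single
    {attribute} token is replaced by the first value of that attribute in the
    located entry (attribute names compared case-insensitively, as in LDAP);
    any other string is used literally."""
    match = _ATTRIBUTE_TOKEN.match(auth_id)
    if not match:
        return auth_id
    wanted = match.group(1).lower()
    for name, values in entry.items():
        if name.lower() == wanted and values:
            return values[0]
    raise KeyError(f"attribute {match.group(1)!r} not present in the located entry")


# Settings from the Active Directory sample on this page.
USER_FILTER = "(&(sAMAccountName={USERNAME})(objectclass=user))"
AUTH_IDENTITY = "{USERNAME}@example.com"

# Constructed sample entry, shaped like what a directory search could return.
SAMPLE_ENTRY: Dict[str, List[str]] = {
    "sAMAccountName": ["jdoe"],
    "userPrincipalName": ["jdoe@example.com"],
    "memberOf": ["CN=Engineering,OU=Groups,DC=example,DC=com"],
}

if __name__ == "__main__":
    for name in ("jdoe", "j*doe("):
        print(expand_user_filter(USER_FILTER, name))
    print(expand_authentication_identity(AUTH_IDENTITY, "jdoe"))
    print(resolve_authorization_identity("{userPrincipalName}", SAMPLE_ENTRY))
```

Whether the product or the JDK module performs this escaping itself is not stated on this page; the point of the example is what correct expansion of each field looks like, which is also what to check when a custom login module is supplied by a vendor.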
Custom
You can configure a custom login module provided by a third-party vendor. Write the fully qualified Java class name of the login module in the Module class field. Consult the documentation of the login module for the custom options that need to be provided.
Adding Group Mappings
You can map principal names returned by login modules to corresponding group names in a Model Manager server database. A successfully authenticated user will be considered a member of mapped groups for the duration of their login session.
A principal is an umbrella term for a user, role, or group.
When editing the configuration for external authentication, click Add Group Mapping to add a new mapping.
1. Write the name of a principal returned by a login module in the Principal name field. This can be a username, role name, group name, or some other string name specific to the type of login module.
2. Under Mapped groups, click Add Group and write the name of a group in a Model Manager server database that the authenticated user should become a member of. The group will be automatically created in the database if it did not already exist when the user logged in. Repeat to map the principal to more groups.
Successfully mapped group names are visible in the External Group Memberships field on The My Account Page for the logged-in account.
Testing an External Authentication Configuration
You can test the current configuration for external authentication. Click the Test button and write a username and password in the opened dialog box.
If the authentication succeeds, you will see the principal names returned by the login modules, including the name used to authenticate with, as well as the names of any groups these principal names would be mapped to. If the authentication fails, you will see the error messages returned by the login modules.