Proxy Authentication
You may find it useful to delegate all authentication to a trusted reverse proxy placed in front of the Model Manager server. To do this, configure the reverse proxy to authenticate clients using any authentication scheme you want. The Model Manager server itself can then identify the externally authenticated user by an HTTP header set by the reverse proxy. The reverse proxy can, for example, use the Basic HTTP authentication scheme and set the Authorization HTTP header with the username of the user and an empty password.
The Proxy Authentication page, opened by clicking Proxy Authentication in the System navigation sidebar, shows the current configuration for such a proxy authentication scheme. A new installation of a Model Manager server is not configured to use a proxy authentication scheme, as indicated in the Use proxy authentication field.
Click Edit to edit the current configuration. Click Clear to clear the configuration in its entirety.
When editing the proxy authentication configuration:
1
Select the Use proxy authentication check box to enable proxy authentication. Clear the check box to disable.
You may prefer disabling over clicking the Clear button if you later want to enable proxy authentication again using the previously set configuration settings.
2
Under Trusted proxy connections, select the From loopback address check box to trust proxies running on the same computer as the Model Manager server. Write any other host to be trusted under From hosts and click the Add button. Repeat this with all other trusted hosts.
The Model Manager server will trust that connections made from these hosts have already been successfully authenticated if the hosts supply a username in the request — see below.
3
Select Basic auth username in the Username source list if the authenticated user's username is set in the Authorization HTTP header (using an empty password) by the reverse proxy. Select HTTP header if the username is set in a custom HTTP header. Write the name of the custom header in the Username field.
4
Write the name of an optional HTTP header containing the user's display name in the User display name field. Leave empty to let the display name be the same as the username.
5
6
Write the name of an optional HTTP header containing a display name for a group that the user is a member of in the Group display name field. Leave empty to let the display name be the same as the group name.
7
Select whether or not the Model Manager server should write detailed log messages when a user tries to authenticate using proxy authentication in the Detailed logging check box. This is useful during the initial setup of proxy authentication, but the check box should be left cleared afterward so that the log files do not fill up.
You may add as many group mappings as you want — group names and display names will be paired in the order they are encountered as headers in the request. An authenticated user will be set as a member of these groups for the duration of their login session. A group will be automatically created in the database if it did not already exist.
Successfully mapped group names are visible in the External Group Memberships field on the My Account page for the logged-in account.
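The following Python sketch is an added example, not Model Manager or vendor code. It models the Basic auth username source together with the Trusted proxy connections rule described above: the proxy replaces any client-supplied Authorization header, and the server side accepts the username only when the connection comes from a trusted address. All function names and sample addresses are assumptions; the sketch compares IP addresses only, and it assumes that a value with a nonempty password is rejected.

```python
import base64
import ipaddress

def proxy_headers(client_headers, username):
    """Proxy side: headers to forward once the proxy has authenticated the user.

    Any Authorization header sent by the client is dropped, so the client
    cannot choose the identity that the server sees.
    """
    out = [(k, v) for k, v in client_headers if k.lower() != "authorization"]
    token = base64.b64encode(f"{username}:".encode("utf-8")).decode("ascii")
    out.append(("Authorization", f"Basic {token}"))  # username, empty password
    return out

def is_trusted(peer_ip, trusted_hosts, trust_loopback):
    """Model of 'Trusted proxy connections': loopback and/or listed hosts."""
    addr = ipaddress.ip_address(peer_ip)
    if trust_loopback and addr.is_loopback:
        return True
    return any(addr == ipaddress.ip_address(h) for h in trusted_hosts)

def accepted_username(peer_ip, headers, trusted_hosts, trust_loopback=False):
    """Model of the 'Basic auth username' source: the username, or None."""
    if not is_trusted(peer_ip, trusted_hosts, trust_loopback):
        return None  # untrusted peers cannot assert an identity via headers
    values = [v for k, v in headers if k.lower() == "authorization"]
    if len(values) != 1:
        return None  # missing or ambiguous header
    scheme, _, token = values[0].partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:
        return None  # not valid base64 or not valid UTF-8
    user, sep, password = decoded.partition(":")
    # Assumption of this sketch: only the empty-password form is accepted.
    return user if sep and user and password == "" else None

# Constructed sample: a client tries to pre-set the identity "admin".
SPOOFED = [("Host", "mm.example.test"), ("Authorization", "Basic YWRtaW46")]
TRUSTED = ["10.0.0.5"]  # constructed address of the reverse proxy
```

The same pre-set header is ignored when it arrives from an address outside the trusted list, which is why the server should be reachable only through the proxy and the trusted list should contain proxy hosts only.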