auth, authentication
This command controls user authentication. Use it to configure an external authentication service, such as LDAP, SAML or Active Directory.
auth and authentication are the same command and can be used interchangeably.
Overview
By default, SuperSTAR is configured to use the built-in local authentication service (STRLocal). Use the auth command to configure SuperADMIN to connect instead to an external authentication service such as LDAP or Active Directory.
There are three steps involved in setting up external authentication:
- Use the auth command to add a new authentication service.
- Configure the authentication service.
- Activate the authentication service.
See below for the complete list of available commands, or see these instructions explaining how to configure authentication to an LDAP or Active Directory server and these instructions for configuring SAML authentication.
Usage
- Displays details of all the available authentication providers.
- Creates a new authentication service based on one of the available authentication providers.
- Displays details of all configured authentication services.
- Displays the current configuration settings for the specified authentication service.
- Activates (
- Sets the priority for this authentication service. Each configured service has a priority: the service with the highest priority is tried first. If the login to that service fails, the next service is tried, and so on. The built-in STRLocal service has a priority of 100, so you should set your external service to have a priority greater than 100. If you are adding multiple authentication services, you can use the priority of each one to control the order in which they are tried.
- Changes the name of the specified service to the new specified name.
- Removes the specified authentication service.
- Sets the name of the group of users who should have administrator rights in SuperADMIN. If you are using an external authentication provider, this will be a group from the external server (only the group name is required; you do not need a full Distinguished Name/DN). For SAML authentication modules, when using this setting you also need to ensure that the group specified as the
- Reloads the configuration for the specified service. Use this command to force SuperADMIN to reload the configuration if you have changed one or more of the service's settings after it has already been activated.
Configuring LDAP, Active Directory and eDirectory
The following commands apply to LDAP, Active Directory, and eDirectory services only.
- Sets the fully qualified domain name of the LDAP, Active Directory or eDirectory server.
- Sets the port to use to connect to the LDAP, Active Directory or eDirectory server. This is only required if the server is using a non-standard port.
- Sets the default base location for LDAP searches. This will be used to search for users or groups if they do not have an explicit
- Sets the name of the attribute in the external authentication service that holds the descriptive name of the group.
- Sets the name of the attribute in the external authentication service that holds the unique ID of the group (the standard Active Directory value is
- Sets the default search location when searching for groups. This is optional. If it is not set then it will use the
- Adds the specified
- Removes the specified
- Sets the name of the attribute in the external authentication service that indicates which users are members of the group (the standard Active Directory value is
- Sets the class type that will be used to identify groups within the LDAP repository.
- Adds the specified group to the group filter.
- Removes the specified group from the group filter.
- Sets the name of the attribute in the external authentication service that holds the descriptive name of the user.
- Sets the name of the attribute in the external authentication service that holds the unique ID of the user (the standard Active Directory value is
- Sets the default search location when searching for users. This is optional. If it is not set then it will use the
- Adds the specified
- Removes the specified
- Sets the name of the attribute in the external authentication service that indicates which groups the user is a member of (the standard Active Directory value is
- Sets the class type that will be used to identify groups within the external repository.
- Enables or disables the use of a search login user, to find an initial context for logins.
- Sets the password to use for the context login. This setting only applies when
- Sets the DN for the context login. This setting only applies when
- Specifies whether the name entered when a user is attempting to log in is a fully qualified DN or a name that must be matched against the You are recommended to leave this set to
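The following is an added example, not SuperADMIN's own code: it shows how the LDAP settings described above (the default base DN, the optional user search base that falls back to it, the user class and the user ID attribute) combine into the search that locates a login name, and why the login name must be escaped before it is placed in the filter. Every field name and sample value in it is an assumption or constructed; none is a SuperADMIN command name or default.

```python
# Added example (not SuperADMIN's own code). Field names and sample values are
# assumptions/constructed, not SuperADMIN's settings or defaults.
from dataclasses import dataclass
from typing import Optional

# RFC 4515 escaping for values embedded in an LDAP search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot alter the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class LdapUserSearch:
    base_dn: str                            # default base for all searches
    user_class: str                         # objectClass identifying user entries
    user_id_attr: str                       # attribute holding the unique user ID
    user_search_base: Optional[str] = None  # optional; falls back to base_dn

    def search_base(self) -> str:
        # Documented rule: the user search base is optional and, when it is
        # not set, the default base DN is used.
        return self.user_search_base or self.base_dn

    def user_filter(self, login_name: str) -> str:
        # Match entries of the configured class whose ID attribute equals the
        # login name; the login name is escaped before being embedded.
        return "(&(objectClass={})({}={}))".format(
            self.user_class, self.user_id_attr, escape_filter_value(login_name))


# Constructed sample configuration (not values from the page).
SAMPLE = LdapUserSearch(base_dn="dc=example,dc=org",
                        user_class="inetOrgPerson",
                        user_id_attr="uid",
                        user_search_base="ou=people,dc=example,dc=org")

if __name__ == "__main__":
    print(SAMPLE.search_base())
    print(SAMPLE.user_filter("jsmith"))
    # A login name containing filter metacharacters is neutralised by escaping.
    print(SAMPLE.user_filter("*)(uid=*"))
```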
Configuring ExternalJAASModule
The following commands apply to services using the ExternalJAASModule only.
- Sets the custom JAAS principal that stores the group name.
- Sets the custom JAAS principal that stores the user name.
- Sets the custom login class that implements the JAAS LoginModule interface.
- Sets the implementation class for the AuthPlugin interface.
- Adds a custom parameter.
- Removes the specified custom parameter.
Configuring SAML
The following commands apply to services using SAML authentication only. See SAML for more details on each setting, and examples.
- A unique identifier for this entity to be configured on the SAML identity provider, enclosed in double quotes. In most cases you should follow these general best practice guidelines for creating an entity ID. If the SAML identity provider is only used internally then you may have your own entity ID format, in which case you should use that instead (if the identity provider is only used for this service, then the entity ID can use any format you wish).
- The URL that the user will be redirected to after successful login via the SAML identity provider. Set this to the full URL of your SuperWEB2 instance, followed by
  For example, if your SuperWEB2 server is available at https://myserver.com/webapi/ then the callback URL would be configured as follows:
- The type of attribute used on the SAML identity provider for managing collections of permissions, enclosed in double quotes. This will typically be either
  In the next section, you will use the
- (Optional). A delimiter used to split the
  If you choose to specify a delimiter, then the string in the SAML ticket will be split into individual groups using the delimiter character. For example, if the SAML ticket contains the following value:
  Then you can split this into the individual groups
- (Optional). Use a specific binding type (
  If not specified, defaults to
  Supported values:
- (Optional). The attribute to use as the name ID (unique ID for the user). You will need to ensure you have configured the identity provider accordingly for whatever value you set in SuperADMIN. If not specified, defaults to
  For example:
- A mapping between the roles or groups on the identity provider and the corresponding local groups defined in SuperADMIN. These mappings can be based on information provided by the identity provider, but you should take care about how explicitly you configure the mappings, depending on how much you trust or control the identity provider. If you have not already done so, you will need to use the SuperADMIN console to create local groups as appropriate and define permissions for those groups. Configure the mappings in the form:
  You can use the wildcard
  Following are some examples in order of safety:
  Map All Users to a Specific SuperADMIN Group
  For example:
  This will map all users who are authenticated through this identity provider (including users who are not part of any group) to a SuperADMIN group named
  This is the safest mapping, as the identity provider has no control over the groups that users are assigned to.
  Map Specific Groups/Roles to Specific SuperADMIN Groups
  For example:
  This will map:
  This type of mapping is reasonably safe even if you do not fully trust or control the identity provider, as it only applies to specific groups that you explicitly define. You should be careful about mapping any groups to SuperADMIN's
  Pass Through all Groups/Roles Unchanged
  This will map all groups or roles on the identity provider to the corresponding SuperADMIN groups of the same name. This should only ever be used if you fully trust or control the identity provider.
- (Optional). A group of users from the identity provider who should have administrator-level permissions in SuperWEB2. If you choose to specify this setting, you must also ensure that the group is passed through to SuperADMIN using the
  If you do not set a value for
  Note that as SAML authentication is currently supported only for SuperWEB2 connections, the effect of designating users as administrators is currently limited to those users having access to all datasets in SuperWEB2. They will not be able to log in to the SuperADMIN console.
- (Optional). The attribute from the identity provider to use as the display name for the user. For example:
  The display name appears in the logout option on the menu in the top-right of SuperWEB2. By default, SuperWEB2 will attempt to use the display name attribute sent by the identity provider. In most cases this will work automatically and you will not need to set a value for
  You do not need to set the
  You should avoid changing the display name settings after going into production with SAML authentication, as future changes to this setting will affect the ability of users to access their previously saved tables.
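The following is an added example, not SuperADMIN's own code, covering two of the SAML settings above: splitting the group attribute on the optional delimiter, and applying the three group-mapping strategies (map all users via the wildcard, map specific groups explicitly, pass all groups through unchanged) to decide which local groups a user receives. It makes concrete why the page ranks the strategies by safety: under pass-through the identity provider alone decides group membership. The mapping representation (a dict with "*" as the wildcard and a PASSTHROUGH marker), the local group names and the ticket value are assumptions or constructed, not SuperADMIN's configuration syntax.

```python
# Added example (not SuperADMIN's own code). Mapping representation, group
# names and ticket contents are assumptions/constructed, not SuperADMIN syntax.
from typing import Iterable, List, Optional, Set

WILDCARD = "*"
PASSTHROUGH = "PASSTHROUGH"  # marker for "pass all groups through unchanged"


def split_groups(attribute_value: str, delimiter: Optional[str]) -> List[str]:
    """Split the ticket's group attribute; with no delimiter it is one group."""
    if not delimiter:
        return [attribute_value]
    return [g for g in attribute_value.split(delimiter) if g]


def resolve_local_groups(idp_groups: Iterable[str], mapping,
                         local_groups: Set[str]) -> Set[str]:
    """Local groups granted to a user from the groups asserted by the IdP.

    idp_groups is influenced by the identity provider, so it is only as
    trustworthy as that provider; names not in local_groups are never granted.
    """
    idp_groups = set(idp_groups)
    if mapping == PASSTHROUGH:
        # Same-name mapping: the IdP decides which local groups the user gets.
        return idp_groups & local_groups
    granted: Set[str] = set()
    if WILDCARD in mapping:
        # Applies to every authenticated user, even one with no IdP groups.
        granted.add(mapping[WILDCARD])
    for g in idp_groups:
        if g in mapping:
            granted.add(mapping[g])
    return granted & local_groups


# Constructed local groups and a constructed ticket value. "Administrators" is
# the kind of name that matters if the IdP is not fully trusted.
LOCAL_GROUPS = {"SAMLUsers", "Analysts", "Administrators"}
TICKET_VALUE = "idp-analysts;Administrators"
TICKET_GROUPS = split_groups(TICKET_VALUE, ";")

MAP_ALL = {WILDCARD: "SAMLUsers"}            # safest: IdP groups are ignored
MAP_SPECIFIC = {"idp-analysts": "Analysts"}  # reasonably safe: explicit only

if __name__ == "__main__":
    for name, m in [("wildcard", MAP_ALL), ("specific", MAP_SPECIFIC),
                    ("pass-through", PASSTHROUGH)]:
        print(name, sorted(resolve_local_groups(TICKET_GROUPS, m, LOCAL_GROUPS)))
```

Only the pass-through run grants "Administrators", because under that strategy the local group set is whatever the identity provider asserted.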