We have now come to the end of this series of three articles dedicated to authentication. To conclude, we will look at how to configure the various authentication services available on Nudgis.
Table of contents
1/ LOCAL
2/ LTI
3/ CAS
4/ SAML
5/ LDAP
6/ OPENID CONNECT AND SOCIAL AUTHENTICATION
Local
Local authentication is the default authentication for Nudgis. If the login page redirects to an external service, local login remains available at https://my.nudgis.url/login-local/.
The first parameter on the page enforces a strong password policy:
- Minimum 12 characters.
- At least three of the four character types: lower-case letters, upper-case letters, digits and special characters.
- No commonly used passwords (such as "qwerty").
- No similarity with the user's attributes (more than 30% of the characters must differ from the user name, first name, last name and email address).
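The policy above, implemented as an added Python example (this is illustrative code, not Nudgis' own validator); the similarity measure used for the 30% rule and the short deny-list of common passwords are assumptions:

```python
import difflib
import re

# Small constructed deny-list standing in for a real common-passwords list
# (assumption: the list Nudgis uses is not shown in the article).
COMMON_PASSWORDS = {"qwerty", "password", "123456789012", "azertyuiop12"}

CHARACTER_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def too_similar(password, attribute, max_similarity=0.7):
    """True when fewer than 30% of the characters differ from the attribute.

    difflib's similarity ratio is used as the measure (assumption: the
    article gives the 30% rule but not how similarity is computed).
    """
    if not attribute:
        return False
    pw = password.lower()
    # Compare with the whole attribute and with its parts, so the local part
    # of alice.martin@example.org is also compared on its own as "alice.martin".
    candidates = {attribute.lower(), *re.split(r"[@\s]+", attribute.lower())}
    return any(
        c and difflib.SequenceMatcher(a=pw, b=c).ratio() >= max_similarity
        for c in candidates
    )


def check_password(password, username="", first_name="", last_name="", email=""):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    found = [name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)]
    if len(found) < 3:
        problems.append("fewer than three character types (found: %s)" % ", ".join(found))
    if password.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    attributes = (("user name", username), ("first name", first_name),
                  ("last name", last_name), ("email address", email))
    for label, value in attributes:
        if too_similar(password, value):
            problems.append("too similar to the %s" % label)
    return problems
```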
Local accounts can be created manually by an administrator, but it is also possible to authorise users to create their accounts autonomously via subscription or email collection.
Activate the "Allow subscription" option to let users register on the site. If you want an administrator to validate new accounts, tick the account validation option; in the next field you can list email address domains that do not require validation. The email list for local account creation receives a notification each time a user creates an account via the subscription form.
There is another way to let users create an account on their own: email collection. This feature makes access to a medium conditional on the provision of personal information; users who try to access the media are prompted for it.
Start by activating the functionality by ticking the "Authorise email collection" box. You can customise the label indicating acceptance of the terms of use and the associated help text.
You can also modify the validation email that will be sent to the user and the expiry time (in hours) of the access link contained in the email.
Finally, you can add additional fields to be collected, including the user's first name, last name, company, position and country. These can be optional or mandatory.
Let's now look at how to apply email collection to media. To do this, go to the media permissions management page and tick the "Enable email collection" box. If you wish, you can also impose acceptance of the use of personal information.
Remember to save the changes, and email collection is now activated for this media.
LTI
The configuration and use of LTI is covered in a dedicated article, which we invite you to consult to learn more about the subject.
CAS
Prerequisites: the Nudgis server and the CAS authentication server must be able to communicate over HTTPS (port 443), the authentication server's domain must be valid from the point of view of the Nudgis server, and the authentication server must be reachable by users (valid domain and open port).
To configure the CAS service, start by enabling it, and choose the name that will be displayed on the authentication page.
Enter the URL of the authentication server in the following field and select the version.
The SSL certificate verification option should be disabled if your CAS authentication server uses a self-signed certificate.
The full logout option also logs you out of the CAS server when you log out of Nudgis.
If you use the service as the default authentication, users are redirected to your CAS server when they click the "Connect" button (the classic login page remains accessible at the /login-local/ suffix).
Finally, the last parameter allows you to authorise the opening of your CAS server authentication page in iframes.
SAML
Prerequisites: in SAML terminology, Nudgis is a "Service Provider (SP)" and the authentication server is an "Identity Provider (IdP)". The SP and the IdP must be reachable over HTTPS by users and by each other, and each server's metadata must be readable by the other.
You can also activate a debugging option that will display details of requests in log files.
You can then change the name of the authentication service, which will be the name displayed on the login page.
If your IdP requires access to the Nudgis metadata, tick the option that allows it. On the Nudgis side, the IdP metadata can be supplied as a file or as a URL. Using a file improves performance, but the file must be replaced whenever the metadata changes on the IdP.
The following parameters cover the case where several IdPs are present in the metadata file, as well as parameters specific to certain providers.
Next come the parameters for attributes and the field mapping between the IdP and Nudgis.
Finally, the last parameters allow you to define the service as default authentication (which results in a redirect when accessing the login page), and to adjust various security options.
Note that if the LDAP service is activated simultaneously with SAML, LDAP will be used to retrieve user attributes and SAML for authentication.
LDAP
Prerequisites: the LDAP server must be reachable from the Nudgis frontends, the domain must be valid and the port must be open (an IP address can be used instead of a domain for the LDAP server). The default ports are 389 for LDAP and 636 for LDAPS.
This first frame shows a summary of the service configuration. A tool for testing authentication is also available behind the "Test settings" button, which also shows the attributes returned by the LDAP server.
Now let's look at configuring the service. Start by activating the service, then specify the server URL (Nudgis supports LDAP and LDAPS). Activate TLS initialisation if you want to encrypt requests to the server. You can also choose whether you want to check the validity of the certificate if you enable TLS, or provide a certificate in CRT format if the certificate is not signed by a recognised authority.
The next parameter enables or disables SASL.
The maximum waiting time and the number of elements per page can be used to manage performance problems.
Finally, specify a user name (in DN format) and password, which will be used to carry out search requests on the LDAP server.
Next come the parameters relating to the attributes, and the correspondence to be established between the attributes returned and the user's fields in Nudgis.
The last parameter above allows LDAP searches in the Nudgis API. This is particularly relevant if you want users to be able to search for and add accounts from the channel and media permissions pages.
Following this, you can configure the parameters and filters for the LDAP search. We won't go into detail here, as the tooltips already provide ample information and example values. Don't hesitate to consult them if you're not sure.
Finally, the last block of the page is used to configure daily synchronisation. This takes place at night and imports users, and optionally their groups, automatically. If you wish, groups and users that no longer exist in the LDAP directory can also be deleted automatically.
You can also create channels for groups imported via synchronisation. Users in the groups will have access rights to the corresponding channel.
OpenID Connect and social authentication
The servers must be able to communicate with each other (valid domain and open port).
Let's start by looking at how to configure OpenID Connect.
Here too you will have the option of enabling or disabling the service, changing the name of the service that will be displayed on the login page, or setting it as the default authentication to automate the redirection when accessing the login page.
Provide the URL, the key and the secret. By default OpenID Connect checks for the presence of a "preferred_username" key, but you can override this key in the "Username key" field.
The default scopes are "openid", "profile" and "email"; you can ignore these by ticking the last box on the page and add further scopes in the "Scopes" field (values must be separated by commas).
Finally, social authentication services (authentication based on social network accounts) each require a key (or ID) and a secret.
- Facebook: https://developers.facebook.com/
- Google: https://developers.google.com/identity/oauth2/web/guides/get-google-api-clientid?hl=fr
- Twitter: https://developer.x.com/en/docs/apps/overview
- Microsoft Azure AD: https://learn.microsoft.com/fr-fr/entra/identity-platform/quickstart-register-app#add-credentials
Users, groups and authentication services now hold no secrets for you! Once you've configured the services of your choice, your users can easily connect to Nudgis.