Authentication

Many authentication methods can be configured in Squore, by using authentication modules and providers.

Authentication is configured in the <SQUORE_HOME>/server/standalone/configuration/standalone.xml file, in the urn:com:vector:squore subsystem.

Here is a simple example of a configuration that uses LDAP and local database authentication modules:

<subsystem xmlns="urn:com:vector:squore:1.0">
	<security>
		<authentication name="default">
			<auth-module name="ldap" provider="ldapAuth" flag="required"/>
			<auth-module name="database" type="local"/>
		</authentication>
		<providers>
			<provider name="ldapAuth" type="ldap">
				<property name="url" value="ldaps://hostname:port/"/>
				<property name="principal" value="cn=admin,dc=domain,dc=com"/>
				<property name="password" value="password"/>
				<property name="usersCtxDN" value="ou=people,dc=example,dc=com"/>
				<property name="usersFilter" value="(objectClass=person)"/>
				<property name="userLoginAttribute" value="login"/>
				<property name="userDisplayNameAttribute" value="displayName"/>
				<property name="userMailAttribute" value="mail"/>
			</provider>
		</providers>
	</security>
</subsystem>

Authentication modules

Authentication modules are defined inside the authentication element with auth-module sub-elements. Accepted attributes are the following:

  • name (mandatory), to define the unique identifier for the authentication module.

  • type (optional), to define the authentication module type (mandatory if no provider attribute is defined). Accepted values are the following:

    • local

    • ldap

    • saml

  • provider (optional), to define the provider name where the properties will be found.

  • enabled (optional, default: true), to enable or disable the authentication module.

  • flag (optional, default: sufficient), to configure the behavior of the authentication module in the login sequence. Accepted values are the following:

    • sufficient, the user is not required to pass the authentication test of the module.

    • optional, the user is not required to pass the authentication test of the module. Regardless of whether authentication succeeds or fails, authentication continues down the list of modules.

    • requisite, the authentication module is always called, and the user is required to pass its authentication test. If authentication succeeds, none of the next modules are executed. If it fails, authentication continues down the list of modules.

    • required, the authentication module is always called, and the user is required to pass its authentication test. Regardless of whether authentication succeeds or fails, authentication continues down the list of modules.

Only one saml authentication module can be enabled at a time.

Providers

Providers are defined inside the providers element with provider sub-elements. Accepted attributes are the following:

  • name (mandatory), to define the unique identifier for the provider.

  • type (mandatory), to define the provider type. Accepted values are the following:

    • ldap, to define LDAP protocol properties.

    • saml, to define SAML protocol properties.

Each provider element accepts an unlimited number of property sub-elements used to define the properties the module needs, as key/value pairs. Accepted attributes are:

  • name (mandatory), to define the name of the property.

  • value (mandatory), to define the value of the property.

Properties can also be defined inside the auth-module element, but a good practice is to define them in providers. If the same property is defined both in the referenced provider and in the auth-module, the latter takes precedence over the former.
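The following script is an added example, not part of Squore or its documentation: it parses the subsystem fragment described above, applies the defaults for enabled and flag, merges each auth-module's properties over those of its referenced provider (the auth-module value winning), and rejects configurations that break the stated constraints (missing name, missing type without a provider, more than one enabled saml module). The sample XML is constructed, and the rule that a module without a type inherits its provider's type is an assumption.

```python
import xml.etree.ElementTree as ET
NS = "{urn:com:vector:squore:1.0}"
# Constructed sample in the structure shown on this page; the auth-module
# overrides the provider's "url" to demonstrate the precedence rule.
SAMPLE_XML = """<subsystem xmlns="urn:com:vector:squore:1.0">
  <security>
    <authentication name="default">
      <auth-module name="ldap" provider="ldapAuth" flag="required">
        <property name="url" value="ldaps://override.example.com:636/"/>
      </auth-module>
      <auth-module name="database" type="local"/>
    </authentication>
    <providers>
      <provider name="ldapAuth" type="ldap">
        <property name="url" value="ldaps://hostname:port/"/>
        <property name="usersCtxDN" value="ou=people,dc=example,dc=com"/>
      </provider>
    </providers>
  </security>
</subsystem>"""

def _props(elem):
    """Collect the direct property children of an element as a dict."""
    return {p.get("name"): p.get("value") for p in elem.findall(NS + "property")}

def resolve_modules(xml_text):
    """Return each auth-module with defaults, provider properties and local
    overrides applied; raise ValueError on the constraints stated above."""
    root = ET.fromstring(xml_text)
    providers = {p.get("name"): p for p in root.iter(NS + "provider")}
    modules = []
    for m in root.iter(NS + "auth-module"):
        name = m.get("name")
        if not name:
            raise ValueError("auth-module without mandatory name")
        provider = providers.get(m.get("provider"))
        if m.get("provider") and provider is None:
            raise ValueError(f"{name}: unknown provider {m.get('provider')}")
        # Assumption: a module without type takes its provider's type.
        mtype = m.get("type") or (provider.get("type") if provider is not None else None)
        if mtype is None:
            raise ValueError(f"{name}: type is mandatory when no provider is set")
        props = _props(provider) if provider is not None else {}
        props.update(_props(m))  # auth-module properties take precedence
        modules.append({"name": name, "type": mtype, "flag": m.get("flag", "sufficient"),
                        "enabled": m.get("enabled", "true") == "true", "properties": props})
    if sum(1 for x in modules if x["type"] == "saml" and x["enabled"]) > 1:
        raise ValueError("only one saml auth-module can be enabled at a time")
    return modules
```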