Replace login for config UI

By default, the web UI authenticates against an internal user. The PhenixID server can be reconfigured to use an external data source for this authentication instead. This article describes how to use Active Directory as the primary source, authenticating with username and password.

To be allowed into Configuration Manager, the user logging in must carry a role attribute with the value "sysadmin" (the property is named "roles" in the valve configuration below). If the directory has no such attribute, either create it in the directory or add it to the user's attribute list at login time with a valve, as shown below.

Back up the server configuration before performing the steps below.

PhenixID also supports multifactor authentication. Contact PhenixID support with any questions about multifactor authentication.

Prepare the connection

Perform the scenario for adding an LDAP/AD connection, then follow the steps below.

Prepare the user validation

Locate the id of the created LDAP connection; it is used as "connection_ref" in the valves below:

Create three new valves. In Configuration Manager, open the Advanced tab, then locate and expand "Pipe valves" and add each of the valves below.

{
	"name": "LDAPSearchValve",
	"enabled": "true",
	"config": {
		"connection_ref": "<id of the connection>",
		"base_dn": "<DN of the search base>",
		"scope": "SUB",
		"size_limit": "0",
		"filter_template": "<attribute holding the username, often sAMAccountName or uid>={{request.username}}"
	},
	"id": "<unique_id>"
}

Extend the LDAP search filter so that only genuine administrators are found (for example by also requiring membership of an admin group); with the bare username match above, every directory user passes this valve.


{
	"name": "LDAPBindValve",
	"alias": "auth_pipe_bind",
	"enabled": "true",
	"config": {
		"connection_ref": "<id of the connection>",
		"password_param_name": "password"
	},
	"id": "<unique_id>"
}

Optional valve that adds the sysadmin role when the directory does not deliver it. Note that this valve grants the role to every user who passes the search and bind valves, so only use it together with a restricted search filter.

{
	"name": "PropertyAddValve",
	"config": {
		"name": "roles",
		"value": "sysadmin",
		"enable_multi_value": "true"
	},
	"id": "<unique_id>"
}

Creating a pipe

Under the Advanced tab, locate "Pipes". Expand it and add a pipe. The valves run in the order listed in "valve_refs": search first, then bind, then the optional PropertyAddValve:

{
	"name": "Config auth pipe",
	"description": "Pipe to authenticate user from remote AD",
	"enabled": "true",
	"id": "<unique_id>",
	"config": {
		"valve_refs": "<valve_id from earlier (LDAPSearch)>,<valve_id from earlier (LDAPBind)>,<valve_ID from earlier (propertyAdd)>"
	}
}

Prepare the authenticator

Add a new authenticator and, in the modal window, click "Advanced".

Modify the snippet below to match the environment and paste it into the dialog. Values within "<>" must be replaced, and the angle brackets themselves removed. The alias "login" is the last path segment of the redirect URL configured in boot.json in the final step, so keep the two in sync.

{
	"id": "<unique_id>",
	"alias": "login",
	"name": "PostUidAndPassword",
	"configuration": {
		"pipeID": "<id_of_created_pipe>",
		"successURL": "/config/",
		"translationKey": "login.messages.information.body.enduser",
		"headingtranslationKey": "login.messages.information.header.enduser"
	}
}

Stage and save the changes.

Update boot.json

Locate "auth_redirect_url" and change its value to "/config/authenticate/login" (the last segment must match the authenticator alias). Save the file and restart the server. Since this replaces the internal login, verify that the pipe authenticates an administrator correctly before switching, and keep the configuration backup taken earlier at hand in case the external login fails.
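The fragments above reference each other by id, alias and URL, and a single mistyped value locks the configuration UI. The following script is an added example, not PhenixID code: it embeds the valves, pipe, authenticator and boot.json setting from this article with assumed ids (conn-ad-1, valve-search, valve-bind, valve-roles, pipe-config-auth, auth-config-login), an assumed base DN and an assumed admin group, checks the cross-references before the server is restarted, flags the combination of PropertyAddValve with an unrestricted search filter, and renders the filter template with RFC 4515 escaping applied to the username. How the server itself substitutes {{request.username}} is not described in the article; the rendering shows the form a safe substitution must produce.

```python
"""Consistency check for the config-UI login pieces described in this article.
Added example, not PhenixID code: ids, DNs and the admin group are assumptions."""

# Constructed example configuration. Ids, DNs and the group are assumptions.
CONNECTION_ID = "conn-ad-1"
VALVES = [
    {
        "name": "LDAPSearchValve",
        "enabled": "true",
        "config": {
            "connection_ref": CONNECTION_ID,
            "base_dn": "DC=example,DC=com",
            "scope": "SUB",
            "size_limit": "0",
            # Restricted beyond a bare username match: the account must also be
            # a member of the (assumed) admin group.
            "filter_template": (
                "(&(sAMAccountName={{request.username}})"
                "(memberOf=CN=PhenixID Admins,OU=Groups,DC=example,DC=com))"
            ),
        },
        "id": "valve-search",
    },
    {
        "name": "LDAPBindValve",
        "alias": "auth_pipe_bind",
        "enabled": "true",
        "config": {"connection_ref": CONNECTION_ID, "password_param_name": "password"},
        "id": "valve-bind",
    },
    {
        "name": "PropertyAddValve",
        "config": {"name": "roles", "value": "sysadmin", "enable_multi_value": "true"},
        "id": "valve-roles",
    },
]
PIPE = {
    "name": "Config auth pipe",
    "enabled": "true",
    "id": "pipe-config-auth",
    "config": {"valve_refs": "valve-search,valve-bind,valve-roles"},
}
AUTHENTICATOR = {
    "id": "auth-config-login",
    "alias": "login",
    "name": "PostUidAndPassword",
    "configuration": {"pipeID": "pipe-config-auth", "successURL": "/config/"},
}
BOOT = {"auth_redirect_url": "/config/authenticate/login"}


def is_restricted(filter_template):
    """Heuristic: a filter holding only the username assertion matches any user."""
    return filter_template.count("=") > 1


def check_references(valves, pipe, authenticator, boot):
    """Return a list of problems; an empty list means the pieces fit together."""
    problems = []
    by_id = {v["id"]: v for v in valves}
    refs = pipe["config"]["valve_refs"].split(",")
    problems += [f"pipe references unknown valve id {r!r}" for r in refs if r not in by_id]
    names = [by_id[r]["name"] for r in refs if r in by_id]
    if names[:2] != ["LDAPSearchValve", "LDAPBindValve"]:
        problems.append("pipe must run LDAPSearchValve first, then LDAPBindValve")
    if authenticator["configuration"]["pipeID"] != pipe["id"]:
        problems.append("authenticator pipeID does not match the pipe id")
    if not boot["auth_redirect_url"].endswith("/" + authenticator["alias"]):
        problems.append("auth_redirect_url does not end with the authenticator alias")
    # PropertyAddValve hands "sysadmin" to everyone who reaches it, so it is only
    # acceptable when the search filter already limits who is found.
    search = next((v for v in valves if v["name"] == "LDAPSearchValve"), None)
    adds_role = any(v["name"] == "PropertyAddValve" and v["config"].get("name") == "roles" for v in valves)
    if adds_role and search and not is_restricted(search["config"]["filter_template"]):
        problems.append("PropertyAddValve grants sysadmin to every directory user; restrict filter_template")
    return problems


# RFC 4515 escaping for values placed inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(filter_template, username):
    """Substitute {{request.username}} with the escaped username (how the server
    itself performs this substitution is not described in the article)."""
    return filter_template.replace("{{request.username}}", escape_filter_value(username))


if __name__ == "__main__":
    print(check_references(VALVES, PIPE, AUTHENTICATOR, BOOT) or "configuration is consistent")
    print(render_filter(VALVES[0]["config"]["filter_template"], "jdoe"))
```

Run it after filling in the real ids from Configuration Manager; an empty problem list means the pipe, authenticator and boot.json agree. The memberOf restriction in the example filter is what stops PropertyAddValve from handing "sysadmin" to every account that can bind.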