Configure user authentication
Unomaly supports configuring multiple authentication providers: Local, Basic, LDAP, and SAML.
Authentication configuration is done in Settings > Authentication. This topic discusses the configuration options for each of the different providers. You can also refer to the sample configurations for OpenLdap, AD LDAP, and SAML in the Settings page.
Important: Applying the changes to the configuration will restart the authentication service. This means that you will be logged out of the instance.
| Option | Description |
|---|---|
| Signup allowed domains* | A comma separated list of allowed email domains. Use * to allow any domain. |
| Signup default role* | The default role assigned to users that sign up on the login page. Can be Limited, Standard, or Admin. |
| Option | Description |
|---|---|
| Username* | The username to access the REST API. |
| Password* | The password to access the REST API. |
| Role* | The basic authentication user only supports the Administrator role. |
| Option | Description |
|---|---|
| Session expiration | Duration (in minutes) that the user authentication session is valid for. |
| Assertion Consumer Service (ACS)* | Generated callback URL that you provide to the Identity Provider. |
| Service Provider Entity ID (Issuer)* | Issuer field used in authentication request. |
| Single sign-on service* | SSO login service for the identity provider. |
| Certificate* | Identity Provider's public signing certificate used to validate authentication response. |
| Default role | Role assigned to users that do not have a mapped role. |
| Profile property name to define role | Specify what user property from the Identity Provider should be used to assign their role. Given user profile containing key-value properties, define what key to use for mapping a property value to a role. |
| Administrator role | Property value to map to the Administrator role. |
| Standard role | Property value to map to the Standard role. |
| Limited role | Property value to map to the Limited role. |
| Enable trace logs | If true, will write additional log messages to the server log. Useful for debugging. (See "Viewing trace output" below.) |
| Option | Description |
|---|---|
| Session expiration | Duration (in minutes) that the user authentication session is valid for. |
| Realm* | For Active Directory logins, this is the domain name without the @ symbol. Otherwise, this field will be used to set the default email address for the user. |
| URL* | Endpoint to use for the LDAP server, for example ldap://myserver.com:389 |
| bindDN* | Distinguished Name (DN) for user lookup, usually an admin or dedicated search user. |
| bindCredentials* | The password to use with the bindDN. |
| bindProperty | Property of the LDAP user object to use when binding to verify the password, such as name and email. |
| searchBase* | The base of the directory when searching for the user. |
| searchFilter* | Search filter used while finding user directory entries by object properties. You can have the username replaced using {{username}}. |
| searchScope* | One of base, one, or sub. |
| Username property* | The name of the directory property that contains the username that maps to the Unomaly username. If this field is incorrectly configured then logins will not work. |
| User email property | The name of the directory property that contains the email that maps to the Unomaly user's email. |
| groupSearchFilter | You may place the literal {{dn}} in the filed to have it replaced with the "groupDnProperty". |
| groupDnProperty | The value that will be filled in whenever {{dn}} is used in groupSearchFilter. |
| groupSearchScope | One of base, one, or sub. |
| Default role | Role assigned to users that do not have a mapped role. (Administrator, Standard, or Limited) |
| Attribute that maps to role (AD) | Specify what user property in LDAP that should be used to assign their role. An example would be "member" or "memberOf". This value is normally only needed for AD authentication. |
| Group DN for Administrator role | The DN of the group in LDAP that should grant the user the "admin" role in Unomaly. It is possible to define many groups by separating them with the | symbol |
| Group DN for Standard role | The DN of the group in LDAP that should grant the user the "standard" role in Unomaly. It is possible to define many groups by separating them with the | symbol. |
| Group DN for Limited role | The DN of the group in LDAP that should grant the user the "limited" role in Unomaly. It is possible to define many groups by separating them with the | symbol. |
| TLS CA certificate | LDAP server's signing certificate used to validate authentication response. If this is omitted, standard root CAs will be used, such as VeriSign. |
| TLS validate server identity | Enable this flag to ensure that the server's hostname is validated against the certificate. |
| TLS validate certificate | If false, ignore unauthorized certificates that do not validate against the CA, such as self-signed certificates. |
| TLS minimum protocol version | Optionally set the minimum TLS version to allow. It is recommended to use TLSv1.2, but earlier versions may be required for interoperability. |
| TLS maximum protocol version | Optionally set the maximum TLS version to allow. |
| Enable trace | If true, will write additional log messages to the server log. Useful for debugging. (See "Viewing trace output" below.) |
Viewing trace output
For both SAML and LDAP configurations you have the option of enabling trace to output log messages for debugging. Follow these steps to view the trace logs on the Unomaly instance.
1. SSH into the Unomaly instance. This will take you to the console menu.
2. Select option 7 to Exit to system shell.
3. At the prompt, run the following command:
unomaly logs api
(Optional) Run the command with -f to tail the output.
Here's a sample SAML trace output:
Apr 03 11:30:48 deploy-8 api[22299]: saml verify...
Apr 03 11:30:48 deploy-8 api[22299]: saml profile: {
Apr 03 11:30:48 deploy-8 api[22299]: "issuer":
"https://accounts.google.com/o/saml2?idpid=XXXXXXX",
Apr 03 11:30:48 deploy-8 api[22299]: "sessionIndex": "_484f0e51967e7fbd3afe9aXXXXXXX",
Apr 03 11:30:48 deploy-8 api[22299]: "nameID": "[email protected]",
Apr 03 11:30:48 deploy-8 api[22299]: "nameIDFormat":
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
Apr 03 11:30:48 deploy-8 api[22299]: }
Apr 03 11:30:48 deploy-8 api[22299]: saml pick email from profile
Apr 03 11:30:48 deploy-8 api[22299]: saml pick group from profile, default="Administrator"
Apr 03 11:30:48 deploy-8 api[22299]: saml find user by [email protected]
Apr 03 11:30:48 deploy-8 api[22299]: saml updating last sign-in time for user id=24