Versions Compared

Old Version 7

changes.mady.by.user Olivier Grenet

Saved on

compared with

New Version 8

changes.mady.by.user Olivier Grenet

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Once the different authentication domains have been configured, it is sufficient to activate the authentication system and specify the domain to be used in the Wedia CrossMedia basic settings page as a default, like illustrated below.

...

Connection via internal user object

This connection is the traditional method of authentication. It consists of to authenticate a user using a database object via a couple login/password.

...

Info

The Wedia object used for authenfication must have a login property and password property.

Passwords are stored in hashe (SHA) and salty (salt common to the server), and it is therefore not possible to return your password to a user, but only to ask him to create a new one.

Validation of passwords

When using the system’s standard authentication system (based on the WEDIA/NOHETO identification engine and therefore incompatible with LDAP systems or other external authentication systems) it is possible to set the following options place rules for password validation.

...

When modified, a rule does not affect existing passwords. In the same way, the rules also do not impact the authorities.

Install a local LDAP to test the connection via LDAP

This article is not intended to be a substitute for the literature on setting up an LDAP connection. It gives a procedure for:

...

  • From the menu, Start > Connect or connect icon

  • Click to create a connection

  • Give it a name

  • Fill in the host, and the port (initially localhost and 389)

  • Click Fetch DNS to help you enter the database

  • Test the connection

  • Uncheck Anonymous login to fill in the Username and the Password. To determine the username, the simplest way to determine the username is to use a user with the maximum of rights. If you did not change anything during the installation of openLDAP, this connection string is:

    cn=Manager, dc=maxcrc, dc=com

    Indeed, it must be possible to identify the user with which you want to connect by specifying its position in the tree. In the case of the Manager, it is identified via his name (Manager) and the base of our tree. If you don’t have nothing changed during the installation, his password is secret.

  • Click OK

  • The connection is available, you can open a connection at your tree as a Manager

  • Once logged in, you can create groups and users. Here is an example of a tree created by filling in forms for each type.

Direct LDAP connection

The direct LDAP connection consists of using the username/word pair of user’s password to connect to the LDAP server and possibly validate its membership in one or more groups. For reasons of access rights to the LDAP server, the connection in two passes is used more frequently.

...

  1. Login with login / password of the user. The login is injected into the dn model to create the real ldap connection identifier (parameters 6 and 11).

  2. If the validation of the user group is enabled, these groups are searched by injecting the user’s dn into the search criteria (parameters 2,3,4 and 5).

  3. Then search for the NOHETO pivot object whose property corresponds to the corresponding LDAP user attribute (parameters 7,8 and 9).

  4. We initialize the surfer from this object.

...

2-step LDAP authentication with automatic creation of the local user

Once your LDAP is installed and operational, it is very simple to use it directly in Wedia CrossMedia.

...

  • Recursive search of the user: set to true if all users do not use it or are not on the same level

  • User’s root: at this level we specify from where we search users, which avoids having to go through the entire tree. In our case, we decide to search from the Wedia group. In this LDAP, the group is named or. Our request is therefore or=Wedia, dc=maxcrc, dc=com

  • Don’t forget that you must always specify full access to the branch.

  • User search criteria: We chose to log in using the login or uid. The chain is therefore positioned so that WXM can build it: uid={0}

    This is then linked to the local structure:

  • We define our pivot object (to be used)

  • The pivot LDAP attribute: it is the attribute that will allow us to find the following attributes the user. Here the mail, but could be the login (guided in our tree)

  • the pivot wedia property. the mail in the user structure is stored in the field email. If we had chosen the login, we would write login

  • Is it necessary to create the user locally

    • If false, it means that in order to be able to connect, the user must already be integrated in our local database.

    • If true, it is possible to create it if you can’t find it

  • Filling Properties: A JSON that gives LDAP mapping of WXM and allows you to fill in static data.
    This JSON is an array, each value an object with 2 properties:

    • fieldNoheto (required): the name of the property in the user structure to be fed.

    • attLdap: the name of the LDAP attribute to be used to fill this value

      or

      static: a static value

SAML2 authentication

Preamble

This documentation briefly explains SAML2 authentication to configure WXM to connect via a provider of SAML2 identities. It is not intended to be used as documentation on SAML2. Please refer to the official documentation.

...

Site used to authenticate a user.

Authentication principle SAML2 in WXM

First of all, SAML2 authentication does not change the object model about users / groups in WXM but is grafted on top. This means that it is not necessary to integrate SAML2 authentication early in the life of a project. It can be grafted at the end of it.

...

  1. Deploy your webapp with the same context as the target machine: traditionally ROOT.

  2. Edit your hosts file to point the URL of the target server at your development environment by adding a line of the type: 127.0.0.0.1 monserverdeprod

  3. Access the login URL as if you were going to the production server (remember to switch to https if necessary). E.g.: https://monserveurdeprod/wcm.jspz

  4. Remember to delete the modification of the hosts file at the end of your tests to access the production server again.

SAML2 authentication via Shibboleth Identity Provider

This article is not intended to explain the installation of the application Shibboleth Identity Provider but to present the key points to enable authentication via this identity provider from a WEDIA application.

...

The configuration of SAML2 is complete, your users will be able to connect to the WEDIA application by clicking on the button provided for this purpose on the WEDIA application login page.

The Google Apps connection

A plugin allows to connect in SSO via the system proposed by Google Apps.

...

View file
nameconnexion_google_apps.pdf

OAUTH2 Connection

The content of this article is only valid from version 11.5.3 onwards.

...

It is possible to use a subproperty of the JSON profile as a value of mapping by specifying its full path in the form:
Prop. under_prop. under_sub_prop.

Ex: address. city

SSO connection with SAML or OAuth: how to manage a validation step of new users?

The content of this article is valid since WEDIA 11.5.3

...