Authentication in Hyperon Studio

Standard

Standard authentication using standard Spring authentication mechanism. No extra actions needed to use it, it is available by default.

Default authentication using a standard Spring authentication mechanism. No extra actions are needed to use it, it is available by default. You can choose from the following password encoder security algorithms:

• bcrypt (default)
• pbkdf2

To select a pbkdf2 algorithms, you must set hyperon.security.basic.password-encoder property in the application.properties file as follows:

hyperon.security.basic.password-encoder=Pbkdf2

What's more, you can choose the complexity of bcrypt algorithm. In order to do that, a hyperon.security.basic.bcrypt.complexity property in the application.properties must be set. Values between 4 and 31 are accepted, 5 is used by default. The bigger the value the safer algorithm is, but the performance impact is also increasing.

‍

Active Directory

hyperon.studio.security.type environment variable must be set to "ad"

To use Active Directory authentication, 3 properties must be specified in application.properties file:

• hyperon.studio.security.type=active-directory
• hyperon.security.active-directory.domain Active Directory main root (usually server domain, for example: domain.local).
• hyperon.security.active-directory.url Active Directory server url, for example: ldap://10.222.20.156:389/
• hyperon.security.active-directory.root-dn for example DC=domain,DC=local

Requirements for AD user:

• Login - not empty, min size: 1, max size: 200
• First name - not empty, min size: 1
• Last name - not empty, min size: 1
• E-mail address - if empty Hyperon generates default e-mail consistent with schema: 'login@local.com'
• Roles - min one role consistent with Hyperon role

Hyperon supports role management. Roles defined in Active Directory must be compatible with roles in Hyperon structure.

Hierarchy of roles in Hyperon:

• MPP_ADMIN - Hyperon Administrator
• MPP_USER - Hyperon User
• MPP_USER_READONLY - Readonly Hyperon User
• HYPERON_SUPERPACK_IMPORT - Readonly Hyperon User with grant to import Superpack

It is possible to create own roles in AD but remember to create same roles in Hyperon structure. It's necessary to proper authentication process.

CAS Integration

In bin/setenv.sh set flag for Java Virtual Machine:

Authentication in Hyperon Studio can be set by environment variable hyperon.studio.security.type.

JAVA_OPTS="$JAVA_OPTS -hyperon.studio.security.type=cas"       (LINUX)
set JAVA_OPTS=%JAVA_OPTS% -hyperon.studio.security.type=cas    (WINDOWS)

In conf/application.properties set properties:

hyperon.studio.url=https://hyperon_server_adress/hyperon/app
hyperon.studio.security.type=cas
hyperon.studio.security.cas.server-url=https://cas_server_adress
server.cas=${cas.server.name}/cas
hyperon.studio.security.cas.login-url=${server.cas}/login
hyperon.studio.security.cas.logout-url=${server.cas}/logout?service=${server.cas.loggedout}
hyperon.studio.security.cas.logged-out-url=${mpp.url}/loggedOut  

‍

SAML

1. Configure Tomcat to use HTTPS.

2. Set hyperon.studio.security.type environment variable to "saml".

3. Fill properties:

• hyperon.studio.security.saml.base-url=
• hyperon.studio.security.saml.entity-id=
• hyperon.studio.security.saml.idp-metadata-file-path= #Path to identity provider metadata file
• hyperon.studio.security.saml.response-skew=60 #Maximum difference between local time and time of the assertion creation in seconds which still allows message to be processed. Basically determines maximum difference between clocks of the identity provider and Hyperon Studio machines.
• hyperon.studio.security.saml.key-store.path=
• hyperon.studio.security.saml.key-store.pass=
• hyperon.studio.security.saml.key-store.alias=
• hyperon.studio.security.saml.key-store.keyPass= ‍
• hyperon.studio.security.saml.roles-origin=  ##internal or saml

4. Generate metadata from Hyperon Studio .

https://localhost:8080/hyperon/saml/metadata

5. Import generated metadata into Identity Provider.

6. Configure Identity Provider to send attributes with assertion response.

Required attributes:

• NAME_ID (this is used as user login)
• firstname
• surname
• mail

Optional attributes:

• roles (if hyperon.saml.roles.origin=saml is specified roles are taken from assertion response therefore identity provider must be configured to send it with response)

If you choose to set hyperon.saml.roles.origin to "internal" Hyperon will be taking roles from database instead of saml assertion response in order to authorize user. In that case role for first admin user need to be specified through sql insert.

‍

Examples of defining roles and attributes in ADFS.

‍

BASIC ATTRIBUTES:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> issue(store = "Active Directory", types = ("mail", "firstname", "surname"), query = ";mail,givenName,sn;{0}", param = c.Value);‍

ROLES:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-1861533720-3376411538-4102833532-1113", Issuer == "AD AUTHORITY"]

=> issue(Type = "roles", Value = "MPP_USER", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

‍

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-1861533720-3376411538-4102833532-1114", Issuer == "AD AUTHORITY"]

=> issue(Type = "roles", Value = "MPP_ADMIN", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);‍

‍

AZURE ACTIVE DIRECTORY

1. Go to Azure Active Directory tab in Azure console

2. Register Hyperon app under "App registrations".

3. Select registered app

4. Add redirect url under "Hyperon" → "Authentication":

- Choose "Add a platform" → "Web",

- Paste url *http://{hyperon_context_url}/login/oauth2/code/* for example; *http://localhost:8080/hyperon/login/oauth2/code/*,

- no need to check any checkbox related to auth tokens

5. Add Hyperon role (e.g. MPP_ADMIN) under "Hyperon" → "App roles" (User & Groups).

6. Generate secret for the app under "Hyperon" → "Certificates & Secrets".

7. Go back to Active Directory tab

8. Go to "Enterprise applications" and choose the newly added app.

9. From "Enterprise applications" go to "Users and groups" and add a user. Select previously created role while adding a new user.

10. Go back to Active Directory tab

11. Go to "App registration" → "Hyperon" → "Token Configuration" and add an optional claim. "Token Type" → "ID" and choose email. Check "Turn on the Microsoft Graph profile permission (required for claims to appear in token)." from the popup.

In properties fill following:

hyperon.studio.security.azure-active-directory.client-id=
hyperon.studio.security.azure-active-directory.tenant-id=
hyperon.studio.security.azure-active-directory.client-secret=
hyperon.studio.security.azure-active-directory.base-url= http://localhost:8080/hyperon 
hyperon.studio.security.azure-active-directory.username-attribute-name= preferred_username 
hyperon.studio.security.azure-active-directory.roles-origin= azuread 

Set environment variable hyperon.studio.security.type to azuread and deploy Hyperon Studio.

JWT Token auth

Type environment variable must be set to "jwt"

To use JWT Token authentication, a hyperon.security.jwt.secret-key property must be set in Hyperon Studio's application.properties file as well as Hyperon Runtime REST. What's more, it must be the same key in both places.

You can generate a new token in Hyperon Studio. A view to see all existing tokens as well as a button to generate a new one can be found in Menu's Tools tab. When creating a new token, you can specify the expiry date. Admin users may also specify a user that a newly generated token will be assigned to.

To use generated token in REST API calls, you need to add an Authorization header with the following format:

Authorization: Bearer your_jwt_token

for example:

Authorization: Bearer eyJhbGciOiJIUzI1N

‍