Close
Tutorials    
Snapshot   
Deploying Hyperon

Authentication in Hyperon Studio

Standard

Standard authentication using standard Spring authentication mechanism. No extra actions needed to use it, it is available by default.

Default authentication using a standard Spring authentication mechanism. No extra actions are needed to use it, it is available by default. You can choose from the following password encoder security algorithms:

  • bcrypt (default)
  • pbkdf2

To select a pbkdf2 algorithms, you must set hyperon.security.passwordEncoder property in the application.properties file as follows:

    hyperon.security.passwordEncoder=Pbkdf2

What's more, you can choose the complexity of bcrypt algorithm. In order to do that, a hyperon.security.bcrypt.complexity property in the application.properties must be set. Values between 4 and 31 are accepted, 5 is used by default. The bigger the value the safer algorithm is, but the performance impact is also increasing.

Active Directory

authType environment variable must be set to "ad"

To use Active Directory authentication, 3 properties must be specified in application.properties file:

  • hyperon.ad.domain Active Directory main root (usually server domain, for example: domain.local).
  • hyperon.ad.url Active Directory server url, for example: ldap://192.168.0.156:389/
  • hyperon.ad.rootDn (optional) DN root.

Requirements for AD user:

  • Login - not empty, min size: 1, max size: 200
  • First name - not empty, min size: 1
  • Last name - not empty, min size: 1
  • E-mail address - if empty Hyperon generates default e-mail consistent with schema: 'login@local.com'
  • Roles - min one role consistent with Hyperon role

Hyperon supports role management. Roles defined in Active Directory must be compatible with roles in Hyperon structure.

Hierarchy of roles in Hyperon:

  • MPP_ADMIN - Hyperon Administrator
  • MPP_USER - Hyperon User
  • MPP_USER_READONLY - Readonly Hyperon User
  • HYPERON_SUPERPACK_IMPORT - Readonly Hyperon User with grant to import Superpack

It is possible to create own roles in AD but remember to create same roles in Hyperon structure. It's necessary to proper authentication process.

CAS Integration

In bin/setenv.sh set flag for Java Virtual Machine:

Authentication in Hyperon Studio can be set by environment variable authType.

    JAVA_OPTS="$JAVA_OPTS -DauthType=cas"       (LINUX)
    set JAVA_OPTS=%JAVA_OPTS% -DauthType=cas    (WINDOWS)

In conf/application.properties set properties:

    cas.server.name=https://cas_server_adress
    server.cas=${cas.server.name}/cas
    server.cas.login=${server.cas}/login
    server.cas.logout=${server.cas}/logout?service=${server.cas.loggedout}
    server.cas.loggedout=${mpp.url}/loggedOut

    mpp.url=https://hyperon_server_adress/hyperon/app

SAML

1. Configure Tomcat to use HTTPS.

2. Set authType environment variable to "saml".

3. Fill properties:

  • hyperon.saml.baseUrl=https://localhost:8080/hyperon
  • hyperon.saml.entityId=urn:hyperon:saf:sp:hyperon:spring
  • hyperon.saml.idpMetadataFilePath= #Path to identity provider metadata file
  • hyperon.saml.responseSkew=60 #Maximum difference between local time and time of the assertion creation in seconds which still allows message to be processed. Basically determines maximum difference between clocks of the identity provider and Hyperon Studio machines.
  • hyperon.saml.keyStore.path=
  • hyperon.saml.keyStore.pass=
  • hyperon.saml.keyStore.alias=
  • hyperon.saml.keyStore.keyPass=
  • hyperon.saml.roles.origin=  ##internal or saml

4. Generate metadata from Hyperon Studio .

https://localhost:8080/hyperon/saml/metadata

5. Import generated metadata into Identity Provider.

6. Configure Identity Provider to send attributes with assertion response.

Required attributes:
  • NAME_ID (this is used as user login)
  • firstname
  • surname
  • mail
Optional attributes:
  • roles (if hyperon.saml.roles.origin=saml is specified roles are taken from assertion response therefore identity provider must be configured to send it with response)

If you choose to set hyperon.saml.roles.origin to "internal" Hyperon will be taking roles from database instead of saml assertion response in order to authorize user. In that case role for first admin user need to be specified through sql insert.


More tutorials

Deploying Hyperon