Authentication
Overview
The authentication is designed to provide a secure way to authenticate users against an existing.
The authentication system serves the purpose of signing-in and identification of users. It is possible to configure any number of authentication providers, but only one of these will typically be used for sign-in.
To implement your desired authentication system, you need to configure:
- the authentication provider, which will perform the sign-in requests.
- the organization provider, which will provide the users and groups information.
What happens is that Witboost will fetch all the configured groups and users from the organization provider. Then, when a user performs the login using the authentication provider, Witboost will check if the user is part of the fetched groups and if the user is allowed to access the system.
In the following sections, we will provide an overview of how to configure every supported provider, by configuring both the authentication and organization providers.
You can configure every Authentication Provider to display a custom title and message in the login page. To do so, you can add the title
and message
fields to the provider configuration.
The title
field will be displayed as the title of the login page, while the message
field will be displayed as a message in the login page.
For example, you can customize the Microsoft provider configuration as follows:
auth:
providers:
microsoft:
development:
clientId: <clientId>
clientSecret: <clientSecret>
tenantId: <tenantId>
signIn:
resolvers:
- resolver: emailMatchingUserEntityAnnotation
title: 'Microsoft Login'
message: 'Please login with your Microsoft account'
Microsoft
This section will guide you through the configuration of the Microsoft authentication provider.
Basically, this provider will use:
- An App Registration in Microsoft Entra ID to authenticate users.
- The Microsoft Graph API to fetch the users and groups information.
Authentication Provider
First of all, we need an App Registration to be created in the Azure Portal. Depending on how locked down your company is, you may need a directory administrator to do some or all of these instructions.
Go to Azure Portal > App registrations and find your existing app registration, or create a new one.
On your App Registration's overview page, add a new Web platform configuration, with the configuration:
- Redirect URI: https://your-witboost.com/api/auth/microsoft/handler/frame (this will be the URL of your Witboost instance)
- Front-channel logout Url: blank
- Implicit grant and hybrid flows: All unchecked
On the API permissions tab, click on Add Permission, then add the following (not Delegated) permissions (they will be needed for for Microsoft Graph):
- GroupMember.Read.All
- User.Read.All
Then, in the API permissions tab, click on Add Permission, then add the following Delegated permission for the Microsoft Graph API.
- offline_access
- openid
- profile
- User.Read
Your company may require you to grant admin consent for these permissions. Even if your company doesn't require admin consent, you may wish to do so as it means users don't need to individually consent the first time they access Witboost. To grant admin consent, a directory admin will need to come to this page and click on the Grant admin consent for COMPANY NAME button.
Then, to configure the Microsoft authentication provider, you need to provide the following configuration:
auth:
providers:
microsoft:
development:
clientId: <clientId>
clientSecret: <clientSecret>
tenantId: <tenantId>
signIn:
resolvers:
- resolver: emailMatchingUserEntityAnnotation
where the clientId
, clientSecret
, and tenantId
are the App Registration ones.
Organization Provider
The Microsoft Graph API will be used to fetch the users and groups information. You can use the App Registration defined in the azure portal to access the Microsoft Graph API.
By default the graph plugin requires the following Application permissions (not Delegated) for Microsoft Graph (we already defined them in the section above):
- GroupMember.Read.All
- User.Read.All
If your organization required Admin Consent for these permissions, that will need to be granted.
To configure the Microsoft organization provider, you need to provide the following configuration:
catalog:
providers:
microsoftGraphOrg:
default:
target: https://graph.microsoft.com/v1.0
authority: https://login.microsoftonline.com
# If you don't know you tenantId, you can use Microsoft Graph Explorer
# to query it
tenantId: <tenantId>
# Client Id and Secret can be created under Certificates & secrets in
# the App registration in the Microsoft Azure Portal.
clientId: <clientId>
clientSecret: <clientSecret>
userGroupMember:
filter: "displayName eq 'witboost'"
group:
filter: "displayName eq 'witboost'"
schedule:
frequency: { hours: 5 }
timeout: { minutes: 30 }
where the clientId
, clientSecret
, and tenantId
are the App Registration ones.
In the example above, the userGroupMember
and group
filters are used to fetch the users and groups, belonging only to groups with certain properties (here you can use ).
The schedule
configuration is used to define the frequency and timeout of the fetching process. The frequency represents the time between two fetches, while the timeout represents the maximum time the fetching process can take.
By default, the plugin will import all users and groups from your directory. This can be customized through filters and search queries. Keep in mind that if you omit filters and search queries for the user or group properties, the plugin will automatically import all available users or groups.
LDAP
This section will guide you through the configuration of the LDAP authentication provider.
The provider will use the LDAP endpoint to authenticate users and fetch the users and groups information.
Authentication Provider
To configure the LDAP authentication provider, you need to provide the following configuration:
auth:
environment: development
providers:
simple_ldap:
development:
url: ldap://my.ldap.host.com
bindDN: cn=admin,dc=my-company,dc=com
bindCredentials: StrongAdminPassword
searchBase: ou=users,dc=my-company,dc=com
searchFilter: (uid={{username}})
where:
url
is the LDAP server URL.bindDN
is the distinguished name of the user that will be used to bind to the LDAP server.bindCredentials
is the password of the user that will be used to bind to the LDAP server.searchBase
is the base DN for the search.searchFilter
is the filter to use when searching for users.environment
is the name of the environment to enable. It will default todevelopment
if not provided.
In addition, you can also add the tlsOptions
in case you want to use a secure connection to the LDAP server (ldaps
). The configuration will look like this:
auth:
providers:
simple_ldap:
development:
...
tlsOptions:
host: my.ldap.host.com
port: 636
minDHSize: 1024
servername: my.ldap.host.com
timeout: 30000
Organization Provider
To configure the LDAP organization provider, you need to provide the following configuration:
catalog:
providers:
ldapOrg:
default:
target: ldap://my.ldap.host.com
bind:
dn: cn=admin,dc=my-company,dc=com
secret: StrongAdminPassword
users:
dn: ou=users,dc=my-company,dc=com
map:
name: uid
displayName: displayName
email: mail
groups:
dn: ou=groups,dc=my-company,dc=com
map:
name: cn
displayName: cn
userMembers: memberUid
schedule:
frequency: { hours: 5 }
timeout: { minutes: 30 }
where:
target
is the LDAP server URL.bind
is the distinguished name of the user that will be used to bind to the LDAP server and its password.users
is the base DN for the users search and the mapping of the user properties.groups
is the base DN for the groups search and the mapping of the group properties.
The schedule
configuration is used to define the frequency and timeout of the fetching process. The frequency represents the time between two fetches, while the timeout represents the maximum time the fetching process can take.
Oauth2
This section will guide you through the configuration of a generic Oauth2 authentication provider, using OpenID Connect.
The provider will use the Oauth2 endpoint to authenticate users; users and groups must exist, and can be fetched using one of the other integrations proposed.
Authentication Provider
To configure the Oauth2 authentication provider, you need to provide the following configuration:
auth:
session:
secret: <secret>
providers:
oidc:
development:
clientId: <clientId>
clientSecret: <clientSecret>
metadataUrl: <metadataUrl>
scope: openid #Optional
prompt: auto
signIn:
resolvers:
- resolver: emailMatchingUserEntityProfileEmail
where:
secret
is a unique string that will act as a session secret. There are no constraint on this value, but using a secret that cannot be guessed will reduce the ability to hijack a session to only guessing the session ID. You can configure this as an environment variable or reading it from a secret manager.clientId
is the client ID of the Oauth2 application.clientSecret
is the client secret of the Oauth2 application.metadataUrl
is the URL of the OpenID Connect metadata, usually it should point to the published .well-known endpoint.callbackUrl
(Optional) is the URL where the Oauth2 provider will redirect the user after the authentication process.scope
(Optional) is a list of scopes requested to the application. It is a string with space-separated values.prompt
should always be set toauto
to show the end user the login window.
Okta
This section will guide you through the configuration of the Okta authentication provider.
The provider will use the Okta endpoint to authenticate users; users and groups must exist, and can be fetched using one of the other integrations proposed.
Authentication Provider
First of all, to add Okta authentication, you must create an Application from Okta:
- Log into Okta (e.g.
company.okta.com
) - Navigate to Menu >> Applications >> Applications >> Create App Integration
- Fill out the Create a new app integration form:
- Sign-in method:
OIDC - OpenID Connect
- Application type:
Web Application
- Click Next
- Fill out the New Web App Integration form:
- App integration name:
Witboost
(or your custom app name) - Grant type:
Authorization Code & Refresh Token
- Sign-in redirect URIs:
https://your-witboost.com/api/auth/okta/handler/frame
(this will be the URL of your Witboost instance) - Sign-out redirect URIs:
https://your-witboost.com
(this will be the URL of your Witboost instance) - Controlled access: (select as appropriate)
- Click Save
Then, to configure the Okta authentication provider, you need to provide the following configuration:
auth:
environment: development
providers:
okta:
development:
clientId: <clientId>
clientSecret: <clientSecret>
audience: <audience>
authServerId: <authServerId> # Optional
idp: <idp> # Optional
additionalScopes: <additionalScopes> # Optional
signIn:
resolvers:
- resolver: emailMatchingUserEntityProfileEmail
where:
clientId
is the client ID that you generated on Okta, e.g. 3abe134ejxzF21HU74c1clientSecret
is the client secret shown for the Application.audience
is The Okta domain shown for the Application, e.g. https://company.okta.com. If you are using custom domains, you can find the current domain by clicking on your name in the top right corner of the Okta top bar.authServerId
(Optional) is the authorization server ID for the Applicationidp
(Optional) is the identity provider for the application, e.g. 0oaulob4BFVa4zQvt0g3additionalScopes
(Optional) is a string of space separated scopes, that will be combined with the default scope value of openid profile email offline_access to adjust the scope sent to Okta during OAuth. This will have an impact on the dependent claims returned. For example, setting the additionalScopes value to groups will result in the claim returning a list of the groups that the user is a member of that also match the ID token group filter of the client app.
All the values referenced above are found on the Application page on your Okta site.
Organization Provider
This integration will be used to fetch the users and groups information.
To enable this type of integration, you will need to grant your application at least the okta.groups.read
and okta.users.read
scopes.
To do so, you will need to go to the Okta Admin Console, navigate to the Applications section, and edit the application you created for Witboost. Then, go to the Okta API Scopes
tab, and assign the okta.groups.read
and okta.users.read
scopes to the application.
Then, you will need to create an API token to be used by Witboost:
- In the Admin Console, go to Security > API
- Click the Tokens tab.
- Click Create token.
- In the What do you want your token to be named? field, enter a token name (like "Witboost")
- From the API calls made with this token must originate from dropdown list, select an option to specify where you allow connections to come from.
- Click Create token.
- Click Copy to clipboard (Copy token) and paste the token in a secure location, such as a password manager. The only time you can view and copy the token is during the creation process. After the token is created, it's stored as a hash for your protection.
Then you can configure the Okta organization provider, by providing the following configuration:
catalog:
providers:
okta:
default:
orgUrl: <orgUrl>
token: <apiToken>
userFilter: profile.department eq "engineering" # Optional
groupFilter: profile.name eq "Everyone" # Optional
hierarchyConfig: # Optional
key: profile.orgId
parentKey: profile.parentOrgId
schedule:
frequency: { hours: 5 }
timeout: { minutes: 10 }
initialDelay: { minutes: 1 }
where:
orgUrl
is the URL of your Okta organization, e.g.https://company.okta.com
apiToken
is the API token you created in the previous stepsuserFilter
(Optional) is a filter to apply to the users fetched from OktagroupFilter
(Optional) is a filter to apply to the groups fetched from OktahierarchyConfig
(Optional) is a configuration to define the hierarchy of the groups. Thekey
is the property that will be used as the group ID, while theparentKey
is the property that will be used as the parent group ID.schedule
is used to define the frequency and timeout of the fetching process. The frequency represents the time between two fetches, while the timeout represents the maximum time the fetching process can take.
Try to keep the initialDelay
value around 1 minute to avoid any issues with the initial fetch, since the Okta service may take some time to setup to the first interaction.