
This article describes authentication profiles in Nexus PRIME and how to configure them. Authentication profiles define how users can gain access to PRIME and what they gain access to.

Gaining access is done in two steps:

  1. Authentication: log in with a certain user credential. The user is extracted from the credential depending on the authentication type.
  2. Authorization: after successful authentication, the roles assigned to the user are determined depending on the authentication type.

The following authentication profiles are available:

| Authentication profile | Authentication / Login mechanism | User / Principal | Authorization / Roles / Permissions |
|---|---|---|---|
| Internal (in the runtime system, PRIME Explorer and PRIME Self-Service, this profile type is not recommended for production; usually, the administrator of PRIME Designer has an internal account) | Login with username and password based on internal user table | Username | Roles from internal roles table |
| LDAP | External login mechanism based on LDAP | DN from LDAP configuration | Group membership in LDAP directory is mapped to internal roles |
| LDAP Core Object | External login mechanism based on LDAP | DN from LDAP configuration | Internal roles mapped to core objects |
| Client Certificate and LDAP | Client certificate login based on LDAP | Configured attribute in certificate | Group membership in LDAP directory is mapped to internal roles |
| Client Certificate Internal (in the runtime system, PRIME Explorer and PRIME Self-Service, this profile type is not recommended for production) | Client certificate login based on internal user | Configured attribute in certificate | Roles from internal roles table |
| Client Certificate Core Object | Client certificate login based on Core Objects | Configured attribute in certificate | Internal roles mapped to core objects |
| Smart Card and Core Object (deprecated, but can still be used for older versions of PRIME; from PRIME 3.9, use Client Certificate Core Object) | Smart card certificate | Configured attribute in certificate | Internal roles mapped to core objects |
| Username and Password Core Object | Login with username and password based on core objects | Username | Internal roles mapped to core objects |
| SAML SSO Core Object | External login with SAML SSO based on core objects | Configured attribute in SAML token | Internal roles mapped to core objects |



Prerequisites

The following prerequisites apply:

  • Installed PRIME.
  • You must have access to any required external systems, for example LDAP or a SAML Identity provider (IDP).
  • For client certificate authentication, a working HTTPS configuration with client authentication in Tomcat is required. See Configure https for Tomcat.
  • For SAML authentication, an identity provider, such as Hybrid Access Gateway, with the correct configuration for PRIME authentication is required. For Hybrid Access Gateway, see Enable two-factor authentication to PRIME clients.

Step-by-step instruction

Log in to PRIME Designer as admin

  1. Log in to PRIME Designer as an admin user.


Set up authentication profile

To set up an authentication profile:

  1. Go to Home > Authentication Profiles.
  2. Click +New to add an authentication profile.
    1. Select a Profile type.

      Note

      The Internal profile is not available for selection, since it is created by default in any PRIME installation and only one internal profile is allowed.


    2. Enter a unique Priority number.
    3. Click Save + Edit.

      A new tab is displayed where the authentication profile is configured. See the following sections for how to configure the authentication profile you have selected.
  3. To edit an existing identity template, double-click on its name.

Configure profile types

The configuration of an authentication profile depends on its profile type.

Find your selected authentication profile type below and follow the instructions to set up its configuration.

Configure Internal profile

No further configuration is required.


Configure internal profile with client certificate

  1. In Certificate settings: select the method that extracts the information identifying the user from the certificate:
    1. User Principal Name (UPN)
    2. SAN Email (RFC822Name)
    3. Subject CN
    4. Subject Email


Configure LDAP profile

  1. In Connection settings:
    1. In Connection string, enter the URL of the LDAP server and base address in the directory service, for example:

      Example: Connection string

      Connection string: ldap://localhost:389/ou=NexusEmployees,dc=nexus,dc=local

      where

      ou = organizationalUnitName
      dc = domainComponent

      For more information on LDAP string attributes, see RFC 2253, LDAP (v3): UTF-8 String Representation of Distinguished Names.

    2. In Username and Password, enter the Active Directory domain user name and password. 
  2. In User search:
    1. Select Direct binding or With password comparison. Direct binding attempts to bind to the LDAP with the user entered. With password comparison the data of the LDAP entry is retrieved and the password is compared with the entered password.
    2. Enter a Search pattern, where {0} is replaced by the entered user name. Here are two examples:

      Example: Search pattern

      Search pattern: (userPrincipalName={0})

      Example: Search pattern using Distinguished Name (DN) of user

      Search pattern: cn={0}, ou=users


    3. If password comparison was selected, enter the Attribute for password used in LDAP and, if applicable, the mechanism that LDAP uses for Password encryption.
  3. In Group search:
    1. In Basis for group search, enter the subpath to the group information in LDAP.
      For example, if you find the group information under ou=groups,dc=myCompany,dc=de, enter the following:

      Example: Basis for group search

      Basis for group search: ou=groups

    2. In Filter for group search, enter a filter expression that defines the search, starting from the subpath above. {0} is replaced by the DN of the user found in the user search.

      For example, if the group membership of users is stored in the multi-value attribute member (via the DN), enter the following:

      Example: Filter for group search

      Filter for group search: (member={0})

    3. In Attribute for group, enter an attribute whose values uniquely identify a group. In the last step, the groups the user belongs to are compared with the group-to-role assignments in the system, and access to the system is granted based on the resulting roles.

      For example, enter the following:

      Example: Attribute for group

      Attribute for group: cn


  4. In Group Permissions:
    1. Go to the tab Group Permissions to map the LDAP groups to internal PRIME roles.
    2. Click + to add an LDAP group to the Groups list.
    3. Select the roles that should be assigned to that LDAP group in the Roles list.


Configure LDAP Core Object profile

  1. In Connection settings:
    1. In Connection string, enter the URL of the LDAP server and base address in the directory service, for example:

      Example: Connection string

      Connection string: ldap://localhost:389/ou=NexusEmployees,dc=nexus,dc=local

      where

      ou = organizationalUnitName
      dc = domainComponent

      For more information on LDAP string attributes, see RFC 2253, LDAP (v3): UTF-8 String Representation of Distinguished Names.

    2. In Username and Password, enter the Active Directory domain user name and password. 
  2. In User search:
    1. Select Direct binding or With password comparison. Direct binding attempts to bind to the LDAP with the user entered. With password comparison the data of the LDAP entry is retrieved and the password is compared with the entered password.
    2. Enter a Search pattern. Here are two examples:

      Example: Search pattern

      Search pattern: (userPrincipalName={0})

      Example: Search pattern using Distinguished Name (DN) of user

      Search pattern: cn={0}, ou=users


    3. If password comparison was selected, enter the Attribute for password used in LDAP and, if applicable, the mechanism that LDAP uses for Password encryption.
  3. In User identification: enter details to map the userPrincipalName to a core object. 
    1. In Identity template, select one or more core object types, for example, Employee and Contractor, on which the core object search will be performed. The first matching template will be used.
    2. In User name field, select the core object field to match the user principal, for example UPN or Email. PRIME will use it to search the core object in the selected identity template.
    3. In User display, enter fields in a comma separated list, for example FirstName, LastName. These fields are used to display the logged in user in PRIME Explorer or PRIME Self-Service.


Configure Client Certificate and LDAP profile

  1. In Connection settings:
    1. In Connection string, enter the URL of the LDAP server and base address in the directory service, for example:

      Example: Connection string

      Connection string: ldap://localhost:389/ou=NexusEmployees,dc=nexus,dc=local

      where

      ou = organizationalUnitName
      dc = domainComponent

      For more information on LDAP string attributes, see RFC 2253, LDAP (v3): UTF-8 String Representation of Distinguished Names.

    2. In Username and Password, enter the Active Directory domain user name and password. 
  2. In User search:
    1. Enter a Search pattern, where {0} is replaced by the identifier extracted from the certificate. Here are two examples:

      Example: Search pattern

      Search pattern: (userPrincipalName={0})

      Example: Search pattern using Distinguished Name (DN) of user

      Search pattern: cn={0}, ou=users


    2. If password comparison was selected, enter the Attribute for password used in LDAP and, if applicable, the mechanism that LDAP uses for Password encryption.
  3. In Group search:
    1. In Basis for group search, enter the subpath to the group information in LDAP.
      For example, if you find the group information under ou=groups,dc=myCompany,dc=de, enter the following:

      Example: Basis for group search

      Basis for group search: ou=groups

    2. In Filter for group search, enter a filter expression that defines the search, starting from the subpath above. {0} is replaced by the DN of the user found in the user search.

      For example, if the group membership of users is stored in the multi-value attribute member (via the DN), enter the following:

      Example: Filter for group search

      Filter for group search: (member={0})

    3. In Attribute for group, enter an attribute whose values uniquely identify a group. In the last step, the groups the user belongs to are compared with the group-to-role assignments in the system, and access to the system is granted based on the resulting roles.

      For example, enter the following:

      Example: Attribute for group

      Attribute for group: cn


  4. In Certificate settings: select the method that extracts the information identifying the user from the certificate:
    1. User Principal Name (UPN)
    2. SAN Email (RFC822Name)
    3. Subject CN
    4. Subject Email
  5. In Group Permissions:
    1. Go to the tab Group Permissions to map the LDAP groups to internal PRIME roles.
    2. Click + to add an LDAP group to the Groups list.
    3. Select the roles that should be assigned to that LDAP group in the Roles list.
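Added example, not part of the Nexus documentation or of PRIME's own code: it models how the User search, Group search and Group Permissions fields of the LDAP profile and of the Client Certificate and LDAP profile above combine to turn a login name into PRIME roles, against a constructed in-memory directory. The group names, role names, helper names and the RFC 4515 escaping of the value substituted for {0} are assumptions of this example, not statements about PRIME's implementation.

```python
import re

# Constructed in-memory stand-in for the directory below the base DN of the connection
# string ldap://localhost:389/ou=NexusEmployees,dc=nexus,dc=local (relative DNs as keys).
BASE_DN = "ou=NexusEmployees,dc=nexus,dc=local"
DIRECTORY = {
    "cn=alice,ou=users": {"userPrincipalName": ["alice@nexus.local"]},
    "cn=bob,ou=users": {"userPrincipalName": ["bob@nexus.local"]},
    "cn=Card Operators,ou=groups": {"cn": ["Card Operators"],
                                    "member": ["cn=alice,ou=users," + BASE_DN]},
    "cn=Auditors,ou=groups": {"cn": ["Auditors"],
                              "member": ["cn=alice,ou=users," + BASE_DN,
                                         "cn=bob,ou=users," + BASE_DN]},
}

# Profile fields as entered in PRIME Designer; the LDAP group names and the PRIME
# role names under Group Permissions are constructed for this example.
PROFILE = {
    "search_pattern": "(userPrincipalName={0})",
    "group_basis": "ou=groups",
    "group_filter": "(member={0})",
    "group_attribute": "cn",
    "group_permissions": {"Card Operators": ["Card Officer"], "Auditors": ["Auditor"]},
}

def escape_filter_value(value):
    # RFC 4515: the value substituted for {0} must not alter the filter or act as a wildcard.
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def match_filter(entry, ldap_filter):
    """(attribute=value) only: a bare unescaped * is the presence test; anything else
    is compared literally after decoding \\XX escapes, as a directory server does."""
    attr, value = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter).groups()
    if value == "*":
        return attr in entry
    literal = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return literal in entry.get(attr, [])

def find_user(profile, login):
    """User search: full DN of the single entry matching the login, or None."""
    pattern = profile["search_pattern"]
    if pattern.startswith("("):                  # filter form, e.g. (userPrincipalName={0})
        ldap_filter = pattern.replace("{0}", escape_filter_value(login))
        hits = [rdn for rdn, e in DIRECTORY.items() if match_filter(e, ldap_filter)]
        return hits[0] + "," + BASE_DN if len(hits) == 1 else None
    if any(c in login for c in ',+"\\<>;='):     # DN form, e.g. cn={0}, ou=users:
        return None                              # RFC 4514 specials, refuse to build a DN
    rdn = pattern.replace("{0}", login).replace(", ", ",")
    return rdn + "," + BASE_DN if rdn in DIRECTORY else None

def resolve_groups(profile, user_dn):
    """Group search below the basis; returns the cn values Group Permissions is keyed on."""
    ldap_filter = profile["group_filter"].replace("{0}", escape_filter_value(user_dn))
    suffix = "," + profile["group_basis"]
    return sorted(e[profile["group_attribute"]][0] for rdn, e in DIRECTORY.items()
                  if rdn.endswith(suffix) and match_filter(e, ldap_filter))

def roles_for_login(profile, login):
    """Authorization step: PRIME roles mapped from the user's LDAP groups, None if no user."""
    user_dn = find_user(profile, login)
    if user_dn is None:
        return None
    groups = resolve_groups(profile, user_dn)
    return sorted({r for g in groups for r in profile["group_permissions"].get(g, [])})
```

A login of a bare "*" resolves to no user because the escaped value is compared literally, whereas the unescaped filter (userPrincipalName=*) matches every entry; that difference is why the substituted value has to be escaped.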



Configure Client Certificate Core Object profile

  1. In Certificate settings: select the method that extracts the information identifying the user from the certificate:
    1. User Principal Name (UPN)
    2. SAN Email (RFC822Name)
    3. Subject CN
    4. Subject Email
  2. In User identification: enter details to map the userPrincipalName to a core object.
    1. In Identity template, select one or more core object types, for example, Employee and Contractor, on which the core object search will be performed. The first matching template will be used.
    2. In User name field, select the core object field to match the user, for example UPN or Email. PRIME will use it to search the core object in the selected identity template.
    3. In User display, enter fields in a comma separated list, for example FirstName, LastName. These fields are used to display the logged in user in PRIME Explorer or PRIME Self-Service.


Configure Smart Card and Core Object profile

Note

This authentication profile is deprecated, but can still be used for older versions of PRIME. From PRIME 3.9, use the Client Certificate Core Object profile.

  1. In Certificate settings: select the method that extracts the information identifying the user from the certificate:
    1. User Principal Name (UPN)
    2. SAN Email (RFC822Name)
    3. Subject CN
    4. Subject Email
  2. In User identification: enter details to map the userPrincipalName to a core object.
    1. In Identity template, select one or more core object types, for example, Employee and Contractor, on which the core object search will be performed. The first matching template will be used.
    2. In User name field, select the core object field to match the user, for example UPN or Email. PRIME will use it to search the core object in the selected identity template.
    3. In User display, enter fields in a comma separated list, for example FirstName, LastName. These fields are used to display the logged in user in PRIME Explorer or PRIME Self-Service.


Configure Username with Password Core Object profile

  1. In User identification: enter details to map the userPrincipalName to a core object.
    1. In Identity template, select one or more core object types, for example, Employee and Contractor, on which the core object search will be performed. The first matching template will be used.
    2. In User name field, select the core object field to match the username, for example UPN or Email. PRIME will use it to search the core object in the selected identity template.
    3. In Password field, select the core object field holding the password, for example PasswordHash.
    4. In User display, enter fields in a comma separated list, for example FirstName, LastName. These fields are used to display the logged in user in PRIME Explorer or PRIME Self-Service.


Configure SAML SSO Core Object profile

  1. Prepare the required SAML configuration files:
    1. Keystore file: the .jks file that includes the private keys for the communication between the service provider (SP) and identity provider (IDP). The public keys will be included in the SP metadata files for PRIME Explorer and PRIME Self-Service, see below.
    2. IDP metadata file: the XML file that is obtained from the IDP server.
    3. PRIME Explorer SP metadata file: the xml file that defines how the Explorer SP will communicate with the IDP, by specifying the application entry points for the SAML response from the IDP. See the example below.
      1. Replace CERTIFICATE in the example with the public key counterpart of the key stored in the keystore file.
      2. Replace localhost:8080 in the URLs with the correct application link. For example, replace http://localhost:8080/prime_explorer/saml/SSO with https://someServerName/prime_explorer/saml/SSO.
    4. PRIME Self-Service SP metadata file: the xml file that defines how the PRIME Self-Service SP will communicate with the IDP, similar to the Explorer metadata.
      1. Replace CERTIFICATE in the example with the public key counterpart of the key stored in the keystore file.
      2. Replace localhost:8080 in the URLs with the correct application link, and add /alias/ussp in the end. For example, replace http://localhost:8080/prime_explorer/saml/SSO with https://someServerName/prime_explorer/saml/SSO/alias/ussp.


        Example: PRIME Explorer metadata file

        <?xml version="1.0" encoding="UTF-8"?>
        <md:EntityDescriptor ID="prime.saml.sso" entityID="prime.saml.sso"
            xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
            <md:SPSSODescriptor AuthnRequestsSigned="true"
                WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
                <md:KeyDescriptor use="signing">
                    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                        <ds:X509Data>
                            <ds:X509Certificate>CERTIFICATE</ds:X509Certificate>
                        </ds:X509Data>
                    </ds:KeyInfo>
                </md:KeyDescriptor>
                <md:KeyDescriptor use="encryption">
                    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                        <ds:X509Data>
                            <ds:X509Certificate>CERTIFICATE</ds:X509Certificate>
                        </ds:X509Data>
                    </ds:KeyInfo>
                </md:KeyDescriptor>
                <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/prime_explorer/saml/SingleLogout" />
                <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8080/prime_explorer/saml/SingleLogout" />
                <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
                <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
                <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
                <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
                <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
                <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/prime_explorer/saml/SSO" index="0" isDefault="true" />
                <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://localhost:8080/prime_explorer/saml/SSO" index="1" />
            </md:SPSSODescriptor>
        </md:EntityDescriptor>


  2. In PRIME Designer, in the Authentication profile in User identification: enter details to map the user principal to a core object.
    1. In Identity template, select one or more core object types, for example, Employee and Contractor, on which the core object search will be performed. The first matching template will be used.
    2. In User name field, select the core object field to match the user principal, for example UPN or Email. PRIME will use it to search the core object in the selected identity template.
    3. In User display, enter fields in a comma separated list, for example FirstName, LastName. These fields are used to display the logged in user in PRIME Explorer or PRIME Self-Service.
  3. Go to the tab SAML Configuration and do the following settings:
    1. Check Enable SAML Settings.
    2. Under SAML Configuration Files, click the Upload icon and upload the four prepared files that are described above.
    3. For each file, select the file and enter the following File properties:
      1. Keystore file:

        • defaultKey - the default key that is contained in the keystore.
        • storePass - the password for the keystore. Set Type to PASSWORD.
        • passwords - a key/password mapping, for example {certKey,password} or with multiple values {{certKey1, passwd1}, {certKey2, passwd2}}.
      2. IDP metadata file: no file properties required.
      3. PRIME Explorer SP metadata file:

        • local: true
        • securityProfile: metaiop
        • sslSecurityProfile: pkix
        • sslHostnameVerification: default
        • signMetadata: false. This is a boolean that defines if the metadata is signed.
        • requireArtifactResolveSigned: false
        • requireLogoutRequestSigned: false
        • requireLogoutResponseSigned: false
        • signingKey: the key to be used for signing. This key must be available in the keystore.
        • encryptionKey: the key to be used for communication between SP and IDP. This key must be available in the keystore.
      4. PRIME Self-Service SP metadata file:
        • Enter all the same properties as for Explorer.
        • alias: an identifier for the PRIME Self-Service service provider. This field is mandatory.

          Also enter the same alias in the config.xml file: Under the service element pre-auth-login, in the option saml_alias, enter the same value as for the alias specified in PRIME Designer:

          Example: config.xml for USSP

          <service name="pre-auth-login">
              ...
              <option name="rest-server-pre-auth-login-context" value="login/saml" />
              <option name="saml_alias" value="ussp"/>
              ...
          </service>


        If multiple PRIME Self-Service applications are used, provide one PRIME Self-Service SP metadata file for each application and, if the applications belong to the same tenant, give each one a unique alias as described above.
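Added example, not part of the Nexus documentation: a check that a prepared SP metadata file satisfies the replacement steps above (the CERTIFICATE placeholder replaced, every endpoint moved from http://localhost:8080 to https on the real server and, for a PRIME Self-Service file, every endpoint ending in /alias/<alias>). The trimmed metadata, the server name prime.example.com and the helper names are constructed for this example.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed, trimmed copy of the Explorer SP metadata template above, still
# carrying the CERTIFICATE and localhost:8080 placeholders the steps say to replace.
TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor ID="prime.saml.sso" entityID="prime.saml.sso"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8080/prime_explorer/saml/SingleLogout" />
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8080/prime_explorer/saml/SSO" index="0" isDefault="true" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def check_sp_metadata(xml_text, alias=None):
    """Return the list of findings; an empty list means the file is ready to upload.
    alias: for a PRIME Self-Service file, the alias every endpoint must end with."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for cert in root.iter(DS + "X509Certificate"):
        if (cert.text or "").strip() in ("", "CERTIFICATE"):
            findings.append("X509Certificate: CERTIFICATE placeholder not replaced")
    for elem in root.iter():
        loc = elem.get("Location")
        if loc is None:
            continue
        tag = elem.tag.replace(MD, "")
        if "localhost:8080" in loc:
            findings.append(f"{tag}: Location still points at localhost:8080")
        if not loc.startswith("https://"):
            findings.append(f"{tag}: Location is not https")
        if alias and not loc.endswith("/alias/" + alias):
            findings.append(f"{tag}: Location does not end with /alias/{alias}")
    return findings

def prepare(template, server, alias=None):
    """Apply the URL replacement steps: server replaces localhost:8080 over https and,
    for a Self-Service file, /alias/<alias> is appended to every endpoint."""
    out = template.replace("http://localhost:8080", "https://" + server)
    if alias:
        out = out.replace('/saml/SSO"', f'/saml/SSO/alias/{alias}"')
        out = out.replace('/saml/SingleLogout"', f'/saml/SingleLogout/alias/{alias}"')
    return out
```

The certificate itself still has to be pasted in by hand; the check only verifies that the placeholder is gone.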


This article is valid from PRIME 3.10.
