Authentication

In order to configure authentication for Compound Registration, the following sections have to be overridden in the registry.properties file. This file can be placed in an arbitrary folder, which has to be referenced by the REGISTRYCXN_HOME environment variable.

The server and the client side of the application support different authentication modes. On the server side it is possible to authenticate against a local database and/or any LDAP/AD compatible authentication provider. Both of these options are referred to as the "local" authentication mode in the following parameters. Besides that mode, the web client of the application also features a SAML compatible single sign-on solution, which is referred to as "samlsso" in the parameter value.

Authentication mode configuration
#supported: local
RegAuthServiceMode=local
#supported: local, samlsso
RegAuthClientMode=local

The application features protection against cross-site request forgery attacks, which can be switched on or off.

CSRF setting
#CSRF protection
RegAuthCsrfProtectionEnabled=true

Each authentication mode can simply be enabled or disabled. Whenever authentication fails against one of them, it is retried with the next enabled one; if none of them succeeds, the authentication fails, otherwise it succeeds. RegAuthDBEnabled, RegAuthLdapEnabled and RegAuthADEnabled control the enabled state of the corresponding authentication modes. The other parameters define the usual LDAP/AD settings; for further details on their expected values please consult the LDAP configuration guide. RegAuthLdapReadGroupFromDB controls whether the group membership of the users is read from LDAP (false) or from the local registration database (true). If the group membership exists in LDAP, that information is used; otherwise all the users have to be registered in the local database as well, with the corresponding group membership configured there. As a side effect the same users then also exist in the local database, so in these cases it is highly recommended to switch off the RegAuthDBEnabled setting so that authentication is still performed against LDAP.

Local and LDAP/AD settings
#DB Authentication
RegAuthDBEnabled=true
 
#LDAP authentication
RegAuthLdapEnabled=false
RegAuthLdapHost=ldaphost.local
RegAuthLdapPort=389
RegAuthLdapBaseDn=DC=test,DC=company,DC=local
# Should read the groups from the registration db instead of LDAP?
RegAuthLdapReadGroupFromDB=false
# The LDAP user who has rights to search the tree
RegAuthLdapSearchUserDn=uid=ADMIN,ou=User,ou=Test,dc=test,dc=company,dc=local
RegAuthLdapSearchUserPass=password
# What search to execute to find the user who wants to log in. The substituted parameter is the login name.
RegAuthLdapUserDnPattern=uid={0},ou=User,ou=Test
# Defines the part of the directory tree under which group searches should be performed.
RegAuthLdapGroupSearchBase=ou=Group,ou=Test
# The filter which is used to search for group membership. Example: uniqueMember={0}, corresponding to the groupOfUniqueNames LDAP class. In this case, the substituted parameter is the full distinguished name of the user. The parameter {1} can be used if you want to filter on the login name.
RegAuthLdapGroupSearchFilter=memberUid={1}
# The attribute which contains the name of the authority defined by the group entry. Defaults to cn
RegAuthLdapGroupAttribute=cn
# Convert LDAP group names to uppercase
RegAuthLdapConvertGroupsUppercase=false
# The attribute which contains the email address of the authority. Defaults to mail
RegAuthLdapEmailAttribute=mail
 
#AD authentication
RegAuthADEnabled=false
RegAuthADReadGroupFromDB=false
RegAuthADDomain=adhost.local
RegAuthADHost=10.0.0.100
RegAuthADPort=389
# The attribute which contains the email address of the authority. Defaults to mail
RegAuthADEmailAttribute=mail

In the case of a SAML compatible single sign-on setup:

SAML SSO settings
#SAMLSSO authentication
# Metadata settings. For more detailed documentations check the following URL: http://docs.spring.io/spring-security-saml/docs/1.0.x/reference/htmlsingle/#configuration-metadata
RegAuthSAMLIdpMetadataFile=classpath:samlIdpMetadata.xml
# Entity ID of the Compound Registration service provider
RegAuthSAMLMetadataEntityId=com.chemaxon.registry.RegistryService
 
# Signature settings
RegAuthSAMLMetadataSignMetadata=false
RegAuthSAMLMetadataWantAssertionSigned=false
RegAuthSAMLMetadataRequestSigned=true
RegAuthSAMLMetadataRequireArtifactResolveSigned=false
RegAuthSAMLMetadataRequireLogoutRequestSigned=false
RegAuthSAMLMetadataRequireLogoutResponseSigned=false
RegAuthSAMLMetadataTrustCheck=false
 
# supported: Artifact, POST, PAOS
RegAuthSAMLMetadataBindingsSSO=Artifact
# http://docs.spring.io/spring-security-saml/docs/1.0.x/reference/htmlsingle/#configuration-security-profiles
RegAuthSAMLMetadataSecurityProfile=metaiop
 
# Keystore settings
RegAuthSAMLKeystoreFile=classpath:samlKeystore.jks
RegAuthSAMLKeystorePassword=sysger123
RegAuthSAMLKeystoreAlias=regsys
RegAuthSAMLKeystoreAliasPassword=sysger123
 
# Attribute mappings
# Should read the groups from the registration db?
RegAuthSAMLReadGroupFromDB=false
# Use this SAML assertion attribute as user name for registration. If this is not empty, it uses this attribute instead of the SAML NameID.
RegAuthSAMLUserNameAttribute=upn
# Use this SAML assertion attribute as group for registration. For these groups the roles are read from the registration DB
RegAuthSAMLGroupAttribute=memberOf
# Use this SAML assertion attribute as role for registration
RegAuthSAMLRoleAttribute=
# Use this SAML assertion attribute as email address
RegAuthSAMLEmailAttribute=mail
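As an added example (not ChemAxon code), the following Python check reads the keys documented on this page, works out which local providers the server will try for the fall-through described above, and lists settings a reviewer would want to look at before going live. The DB, then LDAP, then AD try order is an assumption (the page does not state one), and the sample properties are constructed.

```python
# Constructed sample, not a real deployment: the LDAP case the text warns about
# (groups read from the DB while DB authentication stays on), SAML SSO on the client.
SAMPLE = """\
RegAuthServiceMode=local
RegAuthClientMode=samlsso
RegAuthCsrfProtectionEnabled=true
RegAuthDBEnabled=true
RegAuthLdapEnabled=true
RegAuthLdapReadGroupFromDB=true
RegAuthADEnabled=false
RegAuthSAMLMetadataWantAssertionSigned=false
RegAuthSAMLMetadataTrustCheck=false
"""

def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: key=value lines; '#'/'!' comments and blanks skipped."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def flag(props: dict[str, str], key: str) -> bool:
    return props.get(key, "false").lower() == "true"

def provider_chain(props: dict[str, str]) -> list[str]:
    """Enabled local providers; DB -> LDAP -> AD is an assumed order, the page gives none."""
    order = (("db", "RegAuthDBEnabled"), ("ldap", "RegAuthLdapEnabled"), ("ad", "RegAuthADEnabled"))
    return [name for name, key in order if flag(props, key)]

def review(props: dict[str, str]) -> list[str]:
    """Reviewer findings for the authentication section; empty list means nothing to raise."""
    findings, chain = [], provider_chain(props)
    if props.get("RegAuthServiceMode", "local") == "local" and not chain:
        findings.append("no local provider enabled: every login will fail")
    groups_in_db = flag(props, "RegAuthLdapReadGroupFromDB") or flag(props, "RegAuthADReadGroupFromDB")
    if "db" in chain and groups_in_db and ("ldap" in chain or "ad" in chain):
        findings.append("directory users are duplicated in the local DB; set RegAuthDBEnabled=false so logins are checked against the directory")
    if not flag(props, "RegAuthCsrfProtectionEnabled"):
        findings.append("RegAuthCsrfProtectionEnabled is not true")
    if props.get("RegAuthClientMode") == "samlsso":
        if not flag(props, "RegAuthSAMLMetadataWantAssertionSigned"):
            findings.append("SP metadata does not require signed SAML assertions")
        if not flag(props, "RegAuthSAMLMetadataTrustCheck"):
            findings.append("SAML metadata trust check is disabled")
    return findings

if __name__ == "__main__":
    cfg = parse_properties(SAMPLE)
    print("local provider chain:", provider_chain(cfg))
    for finding in review(cfg):
        print("-", finding)
```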