Authentication
To configure authentication for Compound Registration, override the following sections in the registry.properties file. This file can be placed in an arbitrary folder, which must be referenced by the REGISTRYCXN_HOME environment variable.
The server side and the client side of the application support different authentication modes. On the server side it is possible to authenticate against a local database and/or any LDAP/AD compatible authentication provider; both of these options are referred to as the "local" authentication mode in the parameters below. Besides that mode, the web client also supports a SAML compatible single sign-on solution, which is referred to as "samlsso" in the parameter value.
#supported: local
RegAuthServiceMode=local
#supported: local, samlsso
RegAuthClientMode=local

The application also includes protection against cross-site request forgery (CSRF) attacks, which can be switched on or off. Leave it switched on in production: without it, a page on another origin can submit state-changing requests using the browser session of a logged-in user.
#CSRF protection
RegAuthCsrfProtectionEnabled=true
Each authentication mode can simply be enabled or disabled. Whenever authentication fails against one enabled mode, it is retried against the next enabled one; if none of them succeeds, the login fails, otherwise it succeeds. RegAuthDBEnabled, RegAuthLdapEnabled and RegAuthADEnabled control the enabled state of the corresponding modes. The other parameters define the usual LDAP/AD settings; for details on their expected values, consult the LDAP configuration guide. RegAuthLdapReadGroupFromDB controls whether the users' group membership is read from LDAP or from the registration database. If it is read from LDAP, the group membership found there is used; otherwise every user has to be registered in the local database as well, with the corresponding group membership configured there. As a side effect the same users then also exist in the local database, so in this case it is highly recommended to switch RegAuthDBEnabled off, so that users are authenticated against LDAP rather than against the local copy.
#DB Authentication
RegAuthDBEnabled=true

#LDAP authentication
RegAuthLdapEnabled=false
RegAuthLdapHost=ldaphost.local
RegAuthLdapPort=389
RegAuthLdapBaseDn=DC=test,DC=company,DC=local
# Should read the groups from the registration db instead of LDAP?
RegAuthLdapReadGroupFromDB=false
# The LDAP user who has rights to search the tree
RegAuthLdapSearchUserDn=uid=ADMIN,ou=User,ou=Test,dc=test,dc=company,dc=local
RegAuthLdapSearchUserPass=password
# What search to execute to find the user who wants to log in. The substituted parameter is the login name.
RegAuthLdapUserDnPattern=uid={0},ou=User,ou=Test
# Defines the part of the directory tree under which group searches should be performed.
RegAuthLdapGroupSearchBase=ou=Group,ou=Test
# The filter which is used to search for group membership. Example: uniqueMember={0}, corresponding to the groupOfUniqueNames LDAP class. In this case, the substituted parameter is the full distinguished name of the user. The parameter {1} can be used if you want to filter on the login name.
RegAuthLdapGroupSearchFilter=memberUid={1}
# The attribute which contains the name of the authority defined by the group entry. Defaults to cn
RegAuthLdapGroupAttribute=cn
# Convert LDAP group names to uppercase
RegAuthLdapConvertGroupsUppercase=false
# The attribute which contains the email address of the authority. Defaults to mail
RegAuthLdapEmailAttribute=mail

#AD authentication
RegAuthADEnabled=false
RegAuthADReadGroupFromDB=false
RegAuthADDomain=adhost.local
RegAuthADHost=10.0.0.100
RegAuthADPort=389
# The attribute which contains the email address of the authority. Defaults to mail
RegAuthADEmailAttribute=mail

In case of a SAML compatible single sign-on setup, the following parameters apply.
#SAMLSSO authentication
# Metadata settings. For more detailed documentation check the following URL: http://docs.spring.io/spring-security-saml/docs/1.0.x/reference/htmlsingle/#configuration-metadata
RegAuthSAMLIdpMetadataFile=classpath:samlIdpMetadata.xml
# Entity ID of the Compound Registration service provider
RegAuthSAMLMetadataEntityId=com.chemaxon.registry.RegistryService
# Signature settings
RegAuthSAMLMetadataSignMetadata=false
RegAuthSAMLMetadataWantAssertionSigned=false
RegAuthSAMLMetadataRequestSigned=true
RegAuthSAMLMetadataRequireArtifactResolveSigned=false
RegAuthSAMLMetadataRequireLogoutRequestSigned=false
RegAuthSAMLMetadataRequireLogoutResponseSigned=false
RegAuthSAMLMetadataTrustCheck=false
# supported: Artifact, POST, PAOS
RegAuthSAMLMetadataBindingsSSO=Artifact
# http://docs.spring.io/spring-security-saml/docs/1.0.x/reference/htmlsingle/#configuration-security-profiles
RegAuthSAMLMetadataSecurityProfile=metaiop
# Keystore settings
RegAuthSAMLKeystoreFile=classpath:samlKeystore.jks
RegAuthSAMLKeystorePassword=sysger123
RegAuthSAMLKeystoreAlias=regsys
RegAuthSAMLKeystoreAliasPassword=sysger123
# Attribute mappings
# Should read the groups from the registration db?
RegAuthSAMLReadGroupFromDB=false
# Use this SAML assertion attribute as user name for registration. If this is not empty, it uses this attribute instead of the SAML NameID.
RegAuthSAMLUserNameAttribute=upn
# Use this SAML assertion attribute as group for registration. For these groups the roles are read from the registration DB
RegAuthSAMLGroupAttribute=memberOf
# Use this SAML assertion attribute as role for registration
RegAuthSAMLRoleAttribute=
# Use this SAML assertion attribute as email address
RegAuthSAMLEmailAttribute=mail

The values above are sample settings, not hardened ones. The signature settings decide which SAML messages must be signed and whether the signature on the identity provider's metadata is verified (RegAuthSAMLMetadataTrustCheck); with RegAuthSAMLMetadataWantAssertionSigned=false the service provider does not insist on signed assertions, so confirm that the identity provider signs its responses before relying on this setup. Replace the sample keystore passwords, and because registry.properties holds them and the LDAP/AD search user password in clear text, restrict the file's permissions to the account that runs the service.
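As an added example, not part of Compound Registration or of this page's original content, the following Python script reads the authentication section of a registry.properties file, lists the enabled local providers, simulates the fallback chain described above (a failed login is retried against the next enabled mode), and flags the settings this page warns about: CSRF protection off, no provider enabled, LDAP/AD groups read from the DB while local DB authentication is still on, and a samlsso client that does not require signed assertions or check the metadata signature. The provider order (DB, then LDAP, then AD), the finding codes, the backend callables and the constructed SAMPLE configuration are this example's own assumptions; the page does not state in which order the providers are tried.

```python
"""Audit the authentication settings in registry.properties and simulate the
provider fallback chain. Example code written for this page, not part of
Compound Registration; the provider order and the finding codes are assumptions."""
from typing import Callable, Optional

# Constructed sample configuration (not a real deployment): LDAP enabled with
# groups read from the DB while local DB authentication is still on, and a
# SAML client that neither requires signed assertions nor checks metadata trust.
SAMPLE = """\
RegAuthServiceMode=local
RegAuthClientMode=samlsso
#CSRF protection
RegAuthCsrfProtectionEnabled=true
#DB Authentication
RegAuthDBEnabled=true
#LDAP authentication
RegAuthLdapEnabled=true
RegAuthLdapReadGroupFromDB=true
#AD authentication
RegAuthADEnabled=false
#SAMLSSO authentication
RegAuthSAMLIdpMetadataFile=classpath:samlIdpMetadata.xml
RegAuthSAMLMetadataWantAssertionSigned=false
RegAuthSAMLMetadataTrustCheck=false
"""


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#' or '!' comment lines."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def is_true(props: dict[str, str], key: str) -> bool:
    """Absent keys count as false, so a missing RegAuth*Enabled flag disables that mode."""
    return props.get(key, "false").lower() == "true"


# Assumption: providers are tried in the order the page lists them (DB, LDAP, AD).
# The page only says that a failed login is retried against the next enabled one.
PROVIDER_ORDER = (("db", "RegAuthDBEnabled"),
                  ("ldap", "RegAuthLdapEnabled"),
                  ("ad", "RegAuthADEnabled"))

Backend = Callable[[str, str], bool]  # (username, password) -> accepted?


def provider_chain(props: dict[str, str]) -> list[str]:
    """Names of the enabled local providers, in the order they are tried."""
    return [name for name, key in PROVIDER_ORDER if is_true(props, key)]


def authenticate(props: dict[str, str], username: str, password: str,
                 backends: dict[str, Backend]) -> Optional[str]:
    """Return the first enabled provider that accepts the credentials, or None
    when every enabled provider rejects them (the login then fails)."""
    for name in provider_chain(props):
        check = backends.get(name)
        if check is not None and check(username, password):
            return name
    return None


def audit(props: dict[str, str]) -> list[tuple[str, str]]:
    """(code, message) findings for the settings this page warns about."""
    findings: list[tuple[str, str]] = []
    if not is_true(props, "RegAuthCsrfProtectionEnabled"):
        findings.append(("csrf-off", "RegAuthCsrfProtectionEnabled is not true: CSRF protection is off"))
    if props.get("RegAuthServiceMode", "local") == "local" and not provider_chain(props):
        findings.append(("no-provider", "no local provider enabled: every login will fail"))
    # Groups read from the DB means the users exist locally too; the page recommends
    # switching DB authentication off so that LDAP/AD actually checks the password.
    for label, enabled, from_db in (("LDAP", "RegAuthLdapEnabled", "RegAuthLdapReadGroupFromDB"),
                                    ("AD", "RegAuthADEnabled", "RegAuthADReadGroupFromDB")):
        if is_true(props, enabled) and is_true(props, from_db) and is_true(props, "RegAuthDBEnabled"):
            findings.append(("dup-users", f"{label} groups come from the DB while RegAuthDBEnabled=true; "
                                          f"switch RegAuthDBEnabled off so users authenticate against {label}"))
    if props.get("RegAuthClientMode") == "samlsso":
        if not props.get("RegAuthSAMLIdpMetadataFile"):
            findings.append(("saml-no-idp", "samlsso client mode without RegAuthSAMLIdpMetadataFile"))
        if not is_true(props, "RegAuthSAMLMetadataWantAssertionSigned"):
            findings.append(("saml-unsigned", "SP does not require signed assertions; confirm the IdP signs its responses"))
        if not is_true(props, "RegAuthSAMLMetadataTrustCheck"):
            findings.append(("saml-no-trust", "IdP metadata signature is not checked; obtain the metadata over a trusted channel"))
    return findings


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE)
    print("provider chain:", provider_chain(cfg))
    for code, message in audit(cfg):
        print(f"[{code}] {message}")
```

To run it against a deployment, pass the contents of the real registry.properties to parse_properties and replace the backends dict given to authenticate with callables that talk to the actual database, LDAP server and domain controller; the audit itself needs no network access.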