Admin users authentication

There are two options for administrator users in the admin panel. You can use the local administrator users that are persisted in the database or use header authentication.

Local administrator users

These users are stored in the database and are managed on the Administrators tab in the UI. There is an initial administrator user that is created when the application first starts up and that user can create additional administrators.

Header authentication

Header authentication depends on an external system that authenticates the user. The username and roles are passed via request headers. Use of the local administrator users is still allowed as a fallback if header authentication is turned on. Header admin users are not allowed to manage local admin users.

Warning: It is essential that the external authentication system is set up correctly because the mechanism described above does NOT perform authentication. All the authentication protection is assumed to be provided externally. If request header authentication is enabled in a scenario that is incorrectly configured, it is possible to assume the identity of a user (impersonation) by simply setting the correct header name.

Configuration

Property Default value Description
IDP_​HEADER_​AUTH_​ENABLED false Flag to enable or disable the header authentication. By default it is disabled.
IDP_​HEADER_​AUTH_​PRINCIPAL_​HEADER remote-user The name of the header where the admin username is retrieved from.
IDP_​HEADER_​AUTH_​GROUP_​HEADER remote-groups The name of the header where the group memberships of the admin user are retrieved from.
IDP_​HEADER_​AUTH_​CLIENTIP_​HEADER x-forwarded-for The header to get the actual client ip from. We assume that the value is according to the (defacto) x-forwarded-for format: client, proxy1, proxy2
IDP_​HEADER_​AUTH_​FAIL_​IF_​HEADER_​MISSING false A flag indicating if the application should fail if a header with the username is missing. When this setting is enabled a missing (or empty) header value will result in authentication failure. If this setting is disabled, other authenticators can function as a fallback authentication mechanism.

Giving Administrator rights

In order to give administrator rights to a user, you should specify the value of the IDP_HEADER_AUTH_GROUP_HEADER to be administrator. This corresponds with the role defined for administrator users. You can see this being done in the example request below.

Example

Configuration

IDP_HEADER_AUTH_ENABLED=true
IDP_HEADER_AUTH_PRINCIPAL_HEADER=remote-user
IDP_HEADER_AUTH_GROUP_HEADER=remote-groups
IDP_HEADER_AUTH_CLIENTIP_HEADER=x-forwarded-for
IDP_HEADER_AUTH_FAIL_IF_HEADER_MISSING=false

Request

GET https://idp.admin.example.com
Content-Type: text/html
remote-user=header-user
remote-groups=administrator