Admin users authentication
There are two options for administrator users in the admin panel. You can use the local administrator users that are persisted in the database or use header authentication.
Local administrator users
These users are stored in the database and are managed on the Administrators tab in the UI. There is an initial administrator user that is created when the application first starts up and that user can create additional administrators.
Header authentication
Header authentication depends on an external system that authenticates the user. The username and roles are passed via request headers. Use of the local administrator users is still allowed as a fallback if header authentication is turned on. Header admin users are not allowed to manage local admin users.
Warning: It is essential that the external authentication system is set up correctly because the mechanism described above does NOT perform authentication. All the authentication protection is assumed to be provided externally. If request header authentication is enabled in a scenario that is incorrectly configured, it is possible to assume the identity of a user (impersonation) by simply sending the correctly named header.
Configuration
Property | Default value | Description |
---|---|---|
IDP_HEADER_AUTH_ENABLED | false | Flag to enable or disable the header authentication. By default it is disabled. |
IDP_HEADER_AUTH_PRINCIPAL_HEADER | remote-user | The name of the header where the admin username is retrieved from. |
IDP_HEADER_AUTH_GROUP_HEADER | remote-groups | The name of the header where the group memberships of the admin user are retrieved from. |
IDP_HEADER_AUTH_CLIENTIP_HEADER | x-forwarded-for | The header from which the actual client IP is read. The value is assumed to follow the (de facto) x-forwarded-for format: client, proxy1, proxy2 |
IDP_HEADER_AUTH_FAIL_IF_HEADER_MISSING | false | A flag indicating whether the application should fail if the username header is missing. When this setting is enabled, a missing (or empty) header value results in authentication failure. When it is disabled, other authenticators can function as a fallback authentication mechanism. |
Giving Administrator rights
In order to give administrator rights to a user, you should set the value of the IDP_HEADER_AUTH_GROUP_HEADER to administrator. This corresponds with the role defined for administrator users. You can see this being done in the example request below.
Example
Configuration
IDP_HEADER_AUTH_ENABLED=true
IDP_HEADER_AUTH_PRINCIPAL_HEADER=remote-user
IDP_HEADER_AUTH_GROUP_HEADER=remote-groups
IDP_HEADER_AUTH_CLIENTIP_HEADER=x-forwarded-for
IDP_HEADER_AUTH_FAIL_IF_HEADER_MISSING=false
Request
GET https://idp.admin.example.com
Content-Type: text/html
remote-user: header-user
remote-groups: administrator
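The following is an added example (not the project's own code) that models the header authenticator described above: it reads the IDP_HEADER_AUTH_* settings with the defaults from the table, applies the fail-if-missing and fallback rules, takes the client IP as the first element of the x-forwarded-for value, and grants admin rights only when the group header carries the administrator role. The comma-separated group format and the outcome names are assumptions for this illustration.

```python
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

ADMIN_ROLE = "administrator"  # role the group header must carry for admin rights


@dataclass
class HeaderAuthConfig:
    enabled: bool = False
    principal_header: str = "remote-user"
    group_header: str = "remote-groups"
    client_ip_header: str = "x-forwarded-for"
    fail_if_header_missing: bool = False


@dataclass
class Outcome:
    status: str                         # "authenticated", "fallback" or "failed" (assumed names)
    principal: Optional[str] = None
    groups: Tuple[str, ...] = ()
    is_admin: bool = False
    client_ip: Optional[str] = None


def config_from_env(env: Mapping[str, str]) -> HeaderAuthConfig:
    """Build the config from IDP_HEADER_AUTH_* variables, using the table defaults."""
    flag = lambda name, default: env.get(name, str(default)).strip().lower() == "true"
    return HeaderAuthConfig(
        enabled=flag("IDP_HEADER_AUTH_ENABLED", False),
        principal_header=env.get("IDP_HEADER_AUTH_PRINCIPAL_HEADER", "remote-user"),
        group_header=env.get("IDP_HEADER_AUTH_GROUP_HEADER", "remote-groups"),
        client_ip_header=env.get("IDP_HEADER_AUTH_CLIENTIP_HEADER", "x-forwarded-for"),
        fail_if_header_missing=flag("IDP_HEADER_AUTH_FAIL_IF_HEADER_MISSING", False),
    )


def _header(headers: Mapping[str, str], name: str) -> str:
    # HTTP header names are case-insensitive; return "" when absent.
    return next((v.strip() for k, v in headers.items() if k.lower() == name.lower()), "")


def header_authenticate(headers: Mapping[str, str], cfg: HeaderAuthConfig) -> Outcome:
    """The header values are trusted as-is, exactly as the page describes; stripping
    client-supplied copies of these headers is the external system's job (see the warning)."""
    if not cfg.enabled:
        return Outcome("fallback")  # local administrator login handles the request
    principal = _header(headers, cfg.principal_header)
    if not principal:
        return Outcome("failed" if cfg.fail_if_header_missing else "fallback")
    groups = tuple(g.strip() for g in _header(headers, cfg.group_header).split(",") if g.strip())
    client_ip = _header(headers, cfg.client_ip_header).split(",")[0].strip() or None  # client, proxy1, proxy2
    return Outcome("authenticated", principal, groups, ADMIN_ROLE in groups, client_ip)
```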