Replace login for config UI

Default authentication for the web UI uses an internal user. The PhenixID server can be reconfigured to use an external data source for authentication instead. This article describes how to use Active Directory as the primary source, authenticating with username and password.

Before performing the steps below, be sure to back up the server configuration.

PhenixID also supports multi-factor authentication. Contact PhenixID support if you have any questions about multi-factor authentication.

Connect to the AD

Add a connection in the "CONNECTIONS" bucket (if you plan to use an existing connection, this step can be skipped).

In the modal window click "Advanced"

Modify the snippet below according to the environment and paste it into the dialog. Every value within "<>" must be replaced, and the "<>" brackets themselves must not be kept.

{
	"id": "<unique_id>",
	"type": "ldap",
	"name": "<logic_name>",
	"description": "<description>",
	"config": {
		"host": "<host_or_ip>",
		"port": "<port>",
		"bind_dn": "<DN>",
		"password": "<password>",
		"use_ssl": "<true/false>",
		"ssl_trust_all": "<true/false>",
		"follow_referrals": "false",
		"auto_reconnect": "true",
		"use_keep_alive": "true",
		"response_timeout_ms": "30000",
		"pool_initial_size": "1",
		"pool_max_size": "2"
	}
}

Stage and save the changes. Check the server logs for a successful connection between the server and the LDAP host.

Prepare the user validation

Add a new PIPE...

In the modal window click "Advanced"

Modify the snippet below according to the environment and paste it into the dialog. Every value within "<>" must be replaced, and the "<>" brackets themselves must not be kept.

{
	"id": "<unique_id>",
	"description": "<description>",
	"valves": [
		{
			"name": "SessionLoadValve",
			"config": {
				"id": "{{request.session_id}}"
			}
		},
		{
			"name": "LDAPSearchValve",
			"config": {
				"connection_ref": "<id_of_ldap_connection>",
				"base_dn": "<base_DN>",
				"scope": "SUB",
				"size_limit": "0",
				"filter_template": "(&(objectclass=person)(memberOf=<DN_of_group>)(uid={{request.username}}))",
				"attributes": "displayname"
			}
		},
		{
			"name": "LDAPBindValve",
			"config": {
				"connection_ref": "<id_of_ldap_connection>",
				"password_param_name": "password"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "roles",
				"value": "sysadmin"
			}
		},
		{
			"name": "SessionPropertyReplaceValve",
			"config": {
				"name": "display_name",
				"value": "{{item.displayname}}"
			}
		},
		{
			"name": "SessionPersistValve",
			"config": {}
		}
	]
}

Prepare the authenticator

In the modal window click "Advanced"

Modify the snippet below according to the environment and paste it into the dialog. Every value within "<>" must be replaced, and the "<>" brackets themselves must not be kept.

{
	"id": "<unique_id>",
	"alias": "login",
	"name": "PostUidAndPassword",
	"configuration": {
		"pipeID": "<id_of_created_pipe>",
		"successURL": "/config/",
		"translationKey": "login.messages.information.body.enduser",
		"headingtranslationKey": "login.messages.information.header.enduser"
	}
}

Stage and save the changes.
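The three snippets above (connection, pipe, authenticator) only work together when the ids line up and no "<>" placeholder is left behind. The following pre-flight check is an added example, not part of the article or of the PhenixID product: it takes the three snippets as parsed JSON, lists any placeholder still present, cross-checks connection_ref against the connection id and pipeID against the pipe id, and flags a connection that is not using SSL or that trusts any certificate. The sample ids and hostnames are constructed.

```python
import re

PLACEHOLDER = re.compile(r"<[^<>]*>")          # a "<...>" value the admin has not replaced yet

def find_placeholders(obj, path="$"):
    """Return JSON paths whose string values still contain an unreplaced <...> placeholder."""
    if isinstance(obj, dict):
        return [p for k, v in obj.items() for p in find_placeholders(v, f"{path}.{k}")]
    if isinstance(obj, list):
        return [p for i, v in enumerate(obj) for p in find_placeholders(v, f"{path}[{i}]")]
    return [path] if isinstance(obj, str) and PLACEHOLDER.search(obj) else []

def check_config(connection, pipe, authenticator):
    """Cross-check the three snippets; an empty list means they are consistent."""
    problems = [f"placeholder left in {p}" for part in (connection, pipe, authenticator)
                for p in find_placeholders(part)]
    valves = {v["name"]: v.get("config", {}) for v in pipe.get("valves", [])}
    for name in ("LDAPSearchValve", "LDAPBindValve"):
        ref = valves.get(name, {}).get("connection_ref")
        if ref != connection["id"]:
            problems.append(f"{name}.connection_ref {ref!r} does not match connection id {connection['id']!r}")
    if authenticator["configuration"].get("pipeID") != pipe["id"]:
        problems.append("authenticator pipeID does not match pipe id")
    if authenticator["configuration"].get("successURL") != "/config/":
        problems.append("successURL is not /config/, the config UI would not be reached after login")
    cfg = connection["config"]
    if cfg.get("use_ssl") != "true":
        problems.append("use_ssl is not true: bind credentials would cross the network unencrypted")
    if cfg.get("ssl_trust_all") == "true":
        problems.append("ssl_trust_all is true: the LDAP server certificate is not validated")
    return problems

# Constructed sample (hypothetical ids): one placeholder left and a pipeID that does not match.
SAMPLE_CONNECTION = {"id": "ad-main", "type": "ldap", "name": "Corp AD", "description": "",
    "config": {"host": "dc01.example.test", "port": "636", "bind_dn": "CN=svc,DC=example,DC=test",
               "password": "secret", "use_ssl": "true", "ssl_trust_all": "false"}}
SAMPLE_PIPE = {"id": "pipe-config-login", "description": "", "valves": [
    {"name": "LDAPSearchValve", "config": {"connection_ref": "ad-main", "base_dn": "<base_DN>",
        "scope": "SUB", "filter_template": "(&(objectclass=person)(uid={{request.username}}))"}},
    {"name": "LDAPBindValve", "config": {"connection_ref": "ad-main", "password_param_name": "password"}}]}
SAMPLE_AUTH = {"id": "auth-login", "alias": "login", "name": "PostUidAndPassword",
    "configuration": {"pipeID": "wrong-pipe", "successURL": "/config/"}}

if __name__ == "__main__":
    for problem in check_config(SAMPLE_CONNECTION, SAMPLE_PIPE, SAMPLE_AUTH):
        print("PROBLEM:", problem)
```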

Update boot.json

Locate "auth_redirect_url" and change its value to "/config/authenticate/login". Save the file and restart the server.