Summary: This section describes how to configure user authentication for the CAST dashboards.
The CAST dashboards have three authentication modes available for use:
Default authentication: active by default. Relies on simple username/password authentication defined in the application-security-default.xml configuration file within the web application.
Standard LDAP: inactive by default. Allows users to authenticate against a standard LDAP-compatible directory.
SAML: inactive by default. Allows users to authenticate via SAML.
Authentication mode activation
The activation of the available authentication modes is governed by the security.properties configuration file within the web application:
In this file, activation is handled by the following line. In the "out of the box" state, the Default authentication mode is active, as shown below. Only one mode can be active at a time:
To activate a different mode, change that line to the required security mode:
For example, to change from the Default authentication security mode to Standard LDAP:
Save the security.properties file and then restart the web application so that the change is taken into account.
Default authentication
This mode is enabled by default "out of the box" with the following username and case sensitive password (usernames are NOT case sensitive):
Because these default credentials are published, change the password before the dashboard is made available to users.
If you would like to alter the password for this existing username, or add additional username/passwords, modify the following file with a text editor. Restrict read access to this file to the account running the application server, since it holds the passwords:
This file contains the following line, which defines the usernames that can access the dashboard:
Adding a new user
To add a new user, add a line to the users.properties file. The following example adds the username "jhu" with the password "password" and no group configuration (the NoGroup placeholder):
Removing an existing user
To remove an existing user, remove the corresponding line from the users.properties file. Following any changes you make, save the users.properties file and then restart your application server so that the changes are taken into account.
Editing an existing user
To edit an existing user, edit the corresponding line in the users.properties file. Following any changes you make, save the users.properties file and then restart your application server so that the changes are taken into account.
Disabling a user without removing it from the users.properties file
To disable a user, change the enabled parameter at the end of the user's line to disabled; the line is kept, so the user can later be re-enabled without re-entering the password or groups:
Users can be grouped together to facilitate authorization assignments (see Data authorization) - for example, a set of users can be assigned to a group and that group can then be authorized to view the required data instead of having to authorize individual users. Groups are defined in the following file:
Adding a new group
In this example we will add the group "CIO" and associate the existing user "jhu" to that group:
Replace the NoGroup entry with the name of the group "CIO", ensuring that enabled is always at the end of the line:
If other users should also be members of this group, add them in the same way:
A user can be a member of several groups. The following defines the existing user "jhu" as member of the "CIO" and "Users" groups - i.e. comma separated group names:
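The edits described above (add, remove, disable, change groups) are quick to do by hand once, but easy to get wrong across many users, and a line that does not end in enabled or disabled is only noticed after the restart. The shell helpers below are an added example written for this page, not part of the CAST product or its documentation. They assume the line format implied by this section, `username=password,group[,group...],enabled|disabled` (the Spring Security in-memory user format), that a group entry is always present (NoGroup when none is wanted) and that usernames compare case-insensitively, as stated above. Passwords or group names containing "," or "=" are outside what they handle; the sample lines in the usage note are constructed.

```shell
#!/usr/bin/env bash
# Added example: helpers for editing the dashboard's users.properties.
# Assumed line format (inferred from this section; Spring Security's
# in-memory user format): username=password,group[,group...],enabled|disabled
# Passwords or group names containing "," or "=" are not supported here.

# awk condition: the line's username (text before the first "=") equals u, ignoring case,
# which matches the dashboard's own case-insensitive treatment of usernames.
_MATCH='index($0, "=") && tolower(substr($0, 1, index($0, "=") - 1)) == tolower(u)'

# Print the line for USER; returns 1 if the user is absent.
users_get() {   # users_get FILE USER
  awk -v u="$2" "$_MATCH"' { print; found = 1 } END { exit !found }' "$1"
}

# Rewrite FILE in place through an awk program (u = user, v = extra value).
# The file is overwritten with cat rather than mv so its owner and mode are kept.
_users_rewrite() {   # _users_rewrite FILE USER VALUE AWK_PROGRAM
  local tmp rc
  tmp=$(mktemp) || return 1
  awk -v u="$2" -v v="$3" "$4" "$1" > "$tmp" && cat "$tmp" > "$1"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Append USER with PASSWORD and GROUPS (default NoGroup) as an enabled user.
# Refuses to create a duplicate, since two lines for one user are ambiguous.
users_add() {   # users_add FILE USER PASSWORD [GROUP[,GROUP...]]
  if users_get "$1" "$2" >/dev/null; then
    echo "user '$2' already exists in $1" >&2
    return 1
  fi
  printf '%s=%s,%s,enabled\n' "$2" "$3" "${4:-NoGroup}" >> "$1"
}

# Replace the user's group list; the password and enabled/disabled state are kept.
users_set_groups() {   # users_set_groups FILE USER GROUP[,GROUP...]
  _users_rewrite "$1" "$2" "$3" "$_MATCH"' {
      n = split($0, p, ",")            # p[1] = user=password ... p[n] = enabled|disabled
      $0 = p[1] "," v "," p[n]
    } { print }'
}

# Flip the trailing state, which is how a user is disabled without being removed.
users_set_state() {   # users_set_state FILE USER enabled|disabled
  case "$3" in
    enabled|disabled) ;;
    *) echo "state must be 'enabled' or 'disabled'" >&2; return 1 ;;
  esac
  _users_rewrite "$1" "$2" "$3" "$_MATCH"' { sub(/,(enabled|disabled)$/, "," v) } { print }'
}

# Drop the user's line entirely.
users_remove() {   # users_remove FILE USER
  _users_rewrite "$1" "$2" "" '!('"$_MATCH"')'
}

# Print the user's groups as a comma-separated list (empty if the user is absent).
users_groups() {   # users_groups FILE USER
  users_get "$1" "$2" | awk '{ sub(/^[^,]*,/, ""); sub(/,(enabled|disabled)$/, ""); print }'
}

# Check every non-comment line before restarting: a user, a password, at least one
# group, and enabled or disabled last. Lists offenders and returns 1 if any are found.
users_validate() {   # users_validate FILE
  awk '
    /^[[:space:]]*(#|$)/ { next }
    !/^[^=,]+=[^,]*(,[^,]+)+,(enabled|disabled)$/ { print "malformed: " $0; bad = 1 }
    END { exit bad }' "$1"
}
```

Source the file and call the functions against the dashboard's users.properties, for example `users_add users.properties jhu password CIO,Users` followed by `users_validate users.properties` before restarting the application server. The validator is deliberately stricter than "ends in enabled": it also rejects a line with no group entry, which this section's NoGroup placeholder suggests the dashboard expects.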
Standard LDAP
This mode is not enabled by default "out of the box". It may be used with any LDAP-compatible corporate directory and allows users to log in to the dashboard with their corporate LDAP credentials. LDAP groups can also be used for authorization assignments and for role assignments. CAST provides placeholder parameters, so you must change these before authentication will work. To do so, modify the following configuration file within the web application:
This file contains the following section which defines the required parameters:
You first need to change the following parameters to match the URL of your LDAP directory and the service account used to connect to it. Use a dedicated directory account with read-only rights to the user and group subtrees, since its password is stored in this file:
You then need to change the following parameters related to searching for users and groups in your directory, in particular if you are leveraging groups to manage data authorization:
Following any changes you make, save the .properties file and then restart your application server so that the changes are taken into account. Users should now be able to access the dashboard using their corporate LDAP login - authentication is therefore the responsibility of the corporate LDAP directory.
Using LDAPS (LDAP over SSL/TLS)
If your LDAP server requires that you use LDAPS (LDAP over SSL/TLS) then you must ensure that the following is done. Note that the connection is made by the JRE running the web application: if the directory's certificate is not issued by a CA that JRE already trusts, the bind fails with a certificate validation error until the issuing CA is trusted:
SAML
This mode is not enabled by default "out of the box".
Before you can configure your CAST AIP web applications to use SAML authentication, the following prerequisites must already be in place:
Supported versions of SAML
You must request the FederationMetadata.xml file from your IT administrators. When you have received the file, store it in a location that can be read by the web application, for example within the Apache Tomcat installation location or within the unpacked ZIP. For example:
Key pair generation
A public/private key pair must be generated on the Apache Tomcat host server in a dedicated keystore; the web application uses it to sign and decrypt the SAML messages exchanged with Active Directory Federation Services (AD FS). This keystore should be specific to the SAML configuration and readable only by the account running the web application. To generate it, use the keytool command line utility (provided with the JRE - see https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html for more information) on the server on which the web application is running. For example:
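The two keystore operations in this section, trusting the LDAPS server's issuing CA (Using LDAPS above) and generating the SAML key pair (Key pair generation), are shown below as an added example written for this page; it is not part of the CAST product or its documentation. The aliases (ldap-ca, saml), file names, passwords and the CN are placeholders to replace. The keytool options used are standard ones from the JRE's keytool; `ldaps_fetch_chain` additionally assumes openssl is installed and needs network access, so the self-test exercises the other functions only.

```shell
#!/usr/bin/env bash
# Added example: keystore handling for the two PKI steps in this section,
# trusting the LDAPS server's issuing CA and generating the SAML key pair.
# Aliases, file names, passwords and the CN below are placeholders.
set -u

# Print the PEM certificate chain an LDAPS server presents (needs network access).
# The last certificate is usually the issuing CA; inspect it before trusting it.
ldaps_fetch_chain() {   # ldaps_fetch_chain HOST [PORT]  > chain.pem
  openssl s_client -connect "$1:${2:-636}" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Import a CA certificate into a truststore (created if missing) and confirm the alias exists.
# For the JRE's own store pass its lib/security/cacerts file (default password changeit);
# a dedicated file works too if Tomcat is started with -Djavax.net.ssl.trustStore pointing at it.
truststore_import() {   # truststore_import TRUSTSTORE STOREPASS ALIAS CERTFILE
  keytool -importcert -noprompt -trustcacerts -alias "$3" -file "$4" \
          -keystore "$1" -storepass "$2" >/dev/null 2>&1 || return 1
  keytool -list -alias "$3" -keystore "$1" -storepass "$2" >/dev/null 2>&1
}

# Generate the SAML key pair in a dedicated keystore and lock the file down.
# Refuses to overwrite: the public key gets registered with AD FS, so silently
# regenerating it would break the federation trust.
saml_gen_keypair() {   # saml_gen_keypair KEYSTORE STOREPASS ALIAS CN
  if [ -e "$1" ]; then
    echo "refusing to overwrite existing keystore $1" >&2
    return 1
  fi
  keytool -genkeypair -alias "$3" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
          -validity 1825 -dname "CN=$4" \
          -keystore "$1" -storetype JKS -storepass "$2" -keypass "$2" >/dev/null 2>&1 || return 1
  chmod 600 "$1"   # private key: readable by the Tomcat service account only
}

# Export the public certificate of the SAML key pair in PEM, e.g. for the AD FS administrators.
saml_export_cert() {    # saml_export_cert KEYSTORE STOREPASS ALIAS OUTFILE
  keytool -exportcert -rfc -alias "$3" -keystore "$1" -storepass "$2" -file "$4" >/dev/null 2>&1
}
```

Typical use on the Tomcat host: `ldaps_fetch_chain ldap.corp.example > chain.pem`, check the issuer, then `truststore_import "$JAVA_HOME/jre/lib/security/cacerts" changeit ldap-ca chain.pem` (the cacerts path is the Java 8 JDK layout; a plain JRE keeps it at lib/security/cacerts). If you prefer not to modify the JRE's store, import into a separate file and add `-Djavax.net.ssl.trustStore=/path/to/trust.jks -Djavax.net.ssl.trustStorePassword=...` to Tomcat's JAVA_OPTS. The keystore path, store password and alias chosen for `saml_gen_keypair` are the values to enter in the SAML parameters of security.properties.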
Activate and configure the authentication mode in the web application
Activation and configuration of the SAML authentication mode is governed by a .properties configuration file within the web application:
To activate the SAML authentication mode, change the following line. For example, to change from the Default authentication security mode to SAML, change:
Save the security.properties file.
Configure SAML authentication
Find the SAML parameters section in the .properties configuration file and modify each uncommented line to match the items you have already configured. Save the .properties file when complete.
Restart Apache Tomcat / ZIP file
Now restart your Apache Tomcat server, or the web application deployed from the ZIP file, so that the changes you made are taken into account.
Modify application-security-saml.xml file - only required in 2.x releases
If you are using CAST Dashboards ≥ 2.0, please ensure that you modify the application-security-saml.xml file located here:
First you need to update the
Change the line
Next update the
Change the line
Save the file and restart your Apache Tomcat server or the web application ZIP file so that the changes you made are taken into account.
Now browse to the following URL to generate the spring_metadata:
This will download a file called spring_saml_metadata.xml. Send this file to your IT administrators, who will register it in AD FS, allowing users to log in to the web application. The file embeds the public certificate from the keystore generated above, so if that key pair is ever regenerated the metadata must be generated and registered again.
Notes about Groups