Authentication methods

Authentication and permissions

To ensure secure access to the portal data via OData services, user authentication is carried out using the portal server's login methods. The following section describes which authentication methods are supported and how they are configured, either by defining a global method for all services or by defining a specific method for each service. The data group permissions of a user are checked by the Intrexx Portal Server for OData requests in the same way as in the portal. If a user does not possess sufficient permission to read or change data records, the OData service will either reply with an empty result set or with a permissions error.

Intrexx authentication

With Intrexx authentication, login is accomplished with a user name and password, where the password is transferred in encrypted form using a challenge key provided by the server. This is the recommended method when an Intrexx portal accesses an OData service on another Intrexx portal.

Plain text authentication

Plain text authentication corresponds to the HTTP basic authentication method. It can be used to log in to the service directly from the browser. However, the password is transferred unencrypted, meaning that this method should only be used when SSL encryption is active at the same time.

Combined Intrexx and Plain text authentication

Usually, a combination of Intrexx and Plain text authentication is used for OData services. The client tries to log in using Intrexx authentication first. If this is unsuccessful, a Plain text authentication is performed. If this is unsuccessful as well, the request of the client will be denied.

Integrated Windows Authentication

With Integrated Windows Authentication, users are determined via the Active Directory/LDAP and logged in via the Kerberos protocol. This allows single sign-on to be realized in Windows environments. This method is only available with Microsoft Windows Servers and a domain environment. As soon as integrated Windows authentication is activated for a portal, OData users must log in to an OData service with their Windows user name (domain/user) and password.

To authenticate OData requests directly with the logged-on Windows user and thereby avoid an additional login, further steps are required. First, a third-party library must be added to the installation directory \lib: copy the file waffle-jna-1.6-with-dependencies.jar from the installation directory \adapter\odata\kerberos to \lib, then restart the portal server service. In addition, the login method for the OData server must be changed to integrated Windows authentication. To do this, open the file om.cfg in the portal directory \internal\cfg in a text editor. Within it, find the line that starts with

<binding scope="odataservice" auth-type="IntegratedAuthClient"/>

and change the value in the "auth-type" attribute to IntegratedAuth:

<binding scope="odataservice" auth-type="IntegratedAuth"/>

Repeat this step for all other OData service entries that need to be activated for Kerberos authentication. After saving the file, you must restart the portal service to make the changes active.

Edge / Chrome configuration for integrated Windows authentication - SSO

Since Edge and Chrome do not perform Windows authentication by default, the URL of the portal or portals must be added to the "Local intranet". This can be done via a group policy of the domain or manually on the respective client.

Example:

  • Open the Control Panel.

  • Click on Network and Internet / Internet Options.

  • In the "Internet properties" window, select the "Security" tab.

  • Select "Local intranet" and click on "Sites".

  • Click on "Advanced".

  • Enter the address of the portal, e.g. "https://myportal.local".

  • Confirm with "Add".
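The same zone assignment can be scripted for the current user instead of clicking through Internet Options. The following PowerShell is an added example and is not part of the Intrexx documentation; it assumes the ZoneMap\Domains registry layout that Internet Options writes (value name = URL scheme, DWORD data = zone id, where 1 is "Local intranet"), a two-label host name such as the constructed "myportal.local", and that no Enhanced Security Configuration is in effect (servers with ESC use a separate EscDomains key). For domain-wide rollout, the site-to-zone assignment group policy mentioned above remains the preferred route.

```powershell
# Added example, not Intrexx code. Assigns one portal host to the
# "Local intranet" zone (zone 1) for the current user so that Edge/Chrome
# perform integrated Windows authentication against it.
param(
    # Assumed, constructed host name; replace with the real portal host.
    [string]$PortalHost = "myportal.local",
    [string]$Scheme     = "https"
)

$zoneMapDomains = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
$siteKey = Join-Path $zoneMapDomains $PortalHost

# Create the per-host key if Internet Options has not written one yet.
if (-not (Test-Path $siteKey)) {
    New-Item -Path $siteKey -Force | Out-Null
}

# Value name is the scheme, DWORD data is the zone: 1 = Local intranet.
New-ItemProperty -Path $siteKey -Name $Scheme -Value 1 -PropertyType DWord -Force | Out-Null

# Show the resulting assignment so the change can be checked.
Get-ItemProperty -Path $siteKey | Select-Object -Property $Scheme
```

Restrict the scheme to "https" only, as in the example: adding "http" or "*" would also let a plain-HTTP page on that host trigger automatic Windows authentication, which is exactly the situation the SSL requirement on this page is meant to avoid.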

Trusted authentication

When using trusted authentication, a user can be logged on simply via the user's GUID. In doing so, it will be expected that the HTTP request sends the user GUID as the user name. This is the least secure method and should only be implemented in trusted environments.

Configuration of the authentication method

The global or service-specific authentication method is defined in the file om.cfg. By default, Intrexx defines the IntrexxAuth method for all OData services. To use another method or to overwrite the method for a specific service, open the file om.cfg in the portal directory \internal\cfg in a text editor.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
	<authentication anonymous="05CE8CE3035924F7D3088895F1D87DADD65CFAE4">
		<binding scope="web" auth-type="IntrexxAuth"/>
		<binding scope="client" auth-type="IntrexxAuth"/>
		...
		<binding scope="odataservice" auth-type="ODataAuth"/>
		...
	</authentication>
</configuration>

The entry with scope="odataservice" defines the global method for all OData services. The authentication method is saved in the auth-type attribute. The following methods are available:

  • ODataAuth

  • IntrexxAuth

  • PlainTextAuth

  • IntegratedAuth

  • IntegratedAuthClient

  • TrustedAuth

To override the global method for a single service, copy the entry and change the scope attribute as follows:

<binding scope="odataservice:MyService" auth-type="PlainTextAuth"/>

After the colon, specify the name of the OData service from the service configuration. After saving the configuration file and restarting the portal service, the service-specific configuration will be used.
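Editing om.cfg by hand is error-prone (the attribute name and the six method names must match exactly, and a misspelled auth-type is easy to miss). The following Python script is an added example, not an Intrexx tool; it assumes the <configuration>/<authentication>/<binding> layout shown above, uses a constructed om.cfg with a placeholder anonymous GUID, and covers both procedures on this page: switching the global odataservice binding (for example to IntegratedAuth for the Kerberos setup) and adding a service-specific "odataservice:<name>" binding. It rejects method names the documentation does not list and returns a warning when the chosen method is one the page describes as only acceptable with SSL or in a trusted environment.

```python
"""Set the OData authentication binding in an Intrexx om.cfg (added example,
not part of Intrexx). Assumes the <configuration>/<authentication>/<binding>
layout documented for om.cfg; write the returned text back to the file and
restart the portal service afterwards.
"""
import xml.etree.ElementTree as ET

# Methods the documentation lists for the odataservice scope.
ALLOWED_AUTH_TYPES = {
    "ODataAuth", "IntrexxAuth", "PlainTextAuth",
    "IntegratedAuth", "IntegratedAuthClient", "TrustedAuth",
}

# Methods the documentation describes as sending the password unencrypted
# (PlainTextAuth) or trusting a caller-supplied GUID (TrustedAuth).
REVIEW_REQUIRED = {
    "PlainTextAuth": "password is sent in the clear; only use with SSL active",
    "TrustedAuth": "user GUID in the request is trusted; only use in a trusted environment",
}

# Constructed sample om.cfg; the anonymous GUID is a placeholder, not a real value.
SAMPLE_OM_CFG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
\t<authentication anonymous="PLACEHOLDER-ANONYMOUS-GUID">
\t\t<binding scope="web" auth-type="IntrexxAuth"/>
\t\t<binding scope="client" auth-type="IntrexxAuth"/>
\t\t<binding scope="odataservice" auth-type="ODataAuth"/>
\t</authentication>
</configuration>
"""


def odata_scope(service_name=None):
    """Global scope 'odataservice', or 'odataservice:<name>' for one service."""
    return "odataservice" if service_name is None else f"odataservice:{service_name}"


def get_binding(xml_text, service_name=None):
    """Return the auth-type bound to the scope, or None if no binding exists."""
    root = ET.fromstring(xml_text)
    scope = odata_scope(service_name)
    for binding in root.iter("binding"):
        if binding.get("scope") == scope:
            return binding.get("auth-type")
    return None


def set_binding(xml_text, auth_type, service_name=None):
    """Return (new_xml, warnings) with the scope bound to auth_type.

    Raises ValueError for a method the documentation does not list.  An
    existing binding for the scope is updated in place; otherwise a new
    <binding> element is appended inside <authentication>.
    """
    if auth_type not in ALLOWED_AUTH_TYPES:
        raise ValueError(f"unknown auth-type {auth_type!r}; allowed: {sorted(ALLOWED_AUTH_TYPES)}")
    root = ET.fromstring(xml_text)
    auth = root.find("authentication")
    if auth is None:
        raise ValueError("om.cfg has no <authentication> element")

    scope = odata_scope(service_name)
    target = next((b for b in auth.findall("binding") if b.get("scope") == scope), None)
    if target is None:
        target = ET.SubElement(auth, "binding")
        target.set("scope", scope)
    target.set("auth-type", auth_type)

    warnings = []
    if auth_type in REVIEW_REQUIRED:
        warnings.append(f"{scope}: {auth_type}: {REVIEW_REQUIRED[auth_type]}")

    ET.indent(root, space="\t")  # keep the tab layout used in om.cfg
    new_xml = '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"
    return new_xml, warnings


if __name__ == "__main__":
    # Global switch to IntegratedAuth, as in the Kerberos setup.
    cfg, _ = set_binding(SAMPLE_OM_CFG, "IntegratedAuth")
    # Service-specific override, as in the 'odataservice:MyService' example.
    cfg, notes = set_binding(cfg, "PlainTextAuth", "MyService")
    print(cfg)
    for note in notes:
        print("WARNING:", note)
```

The script only returns the new text; writing it over \internal\cfg\om.cfg and restarting the portal service are left to the operator, matching the manual steps above.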
