
Reverse Proxy Authentication

Single sign-on (SSO) authenticates users through an external identity provider. With Reverse Proxy Authentication, a reverse proxy server in front of IQ Server supplies the user details in an HTTP request header field, and IQ Server is configured to accept that header for authentication.

This authentication method applies to both IQ Server and LDAP users. Incoming usernames are matched first to IQ Server users, then to LDAP users, and then the configuration in the IQ Server determines the access level granted to the user.

Required Methods

For IQ Server to function properly, the following HTTP methods must be enabled through the reverse proxy: GET, POST, PUT, and DELETE.

Reverse proxy authentication is configured via the Reverse Proxy Authentication Configuration REST API.

Legacy configuration prior to release 137

For releases prior to 137, a valid reverse proxy authentication configuration must be set in the config.yml file.

# Configures reverse proxy authentication for the web UI.
reverseProxyAuthentication:
    # Set to true to activate authentication
    enabled: true
    # Name of the HTTP request header field that carries the username
    usernameHeader: "REMOTE_USER"
    # Set to true for backward compatibility with old client plugins
    csrfProtectionDisabled: false
    # The service URL that will be redirected to when a user requests logout.
    logoutUrl: http://localhost/logout/index.html
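
Because IQ Server trusts whatever arrives in the usernameHeader field, the reverse proxy has to be the only source of that header and must still pass the four required methods. The following is an added example, not Sonatype's code or part of the original page: a Python model of that header handling and method check, where every function name and the sample request are assumptions made for illustration and only REMOTE_USER and the method list come from the page.

```python
# Added example: models the header handling a reverse proxy performs before
# forwarding a request to IQ Server. All function names are hypothetical.
USERNAME_HEADER = "REMOTE_USER"                       # usernameHeader in config.yml
REQUIRED_METHODS = {"GET", "POST", "PUT", "DELETE"}   # methods the page requires


def _canon(name):
    """Fold case and treat '-' and '_' alike, since some stacks normalise them."""
    return name.strip().lower().replace("-", "_")


def missing_required_methods(proxy_allowed_methods):
    """Return the required methods a proxy allowlist would block, sorted."""
    allowed = {m.upper() for m in proxy_allowed_methods}
    return sorted(REQUIRED_METHODS - allowed)


def upstream_headers(client_headers, authenticated_user, header=USERNAME_HEADER):
    """Build the header list that is forwarded upstream.

    client_headers: (name, value) pairs exactly as received from the client.
    authenticated_user: username established by the proxy's own SSO check,
    or None when the request is unauthenticated.
    """
    if not authenticated_user:
        raise PermissionError("no authenticated user; request is not forwarded")
    if any(c in authenticated_user for c in "\r\n\0"):
        raise ValueError("control character in username")
    target = _canon(header)
    # Drop every client-supplied variant of the username header.
    kept = [(n, v) for n, v in client_headers if _canon(n) != target]
    # The proxy's own value is the only one the upstream server sees.
    kept.append((header, authenticated_user))
    return kept


if __name__ == "__main__":
    # Constructed sample request headers, not captured traffic.
    sample = [("Host", "iq.example.com"), ("Remote-User", "someone-else"),
              ("remote_user", "someone-else"), ("Accept", "application/json")]
    print(upstream_headers(sample, "jdoe"))
    print(missing_required_methods(["GET", "POST"]))
```

The same two properties are what to verify in the real proxy configuration: any inbound copy of the header is discarded before the proxy sets its own, and GET, POST, PUT and DELETE all reach IQ Server.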