
Security Configuration

Reverse Proxy Authentication

Single sign-on (SSO) allows users to authenticate with an external identity provider. It is implemented by a reverse proxy server that supplies the authenticated user's identity to IQ Server in an HTTP request header field.

Sonatype IQ Server may be configured to accept these authentication headers, allowing you to specify the exact header field to be used.

For IQ Server to function properly, the following HTTP methods must be enabled through the reverse proxy: GET, POST, PUT, and DELETE.

This authentication method applies to both IQ Server and LDAP users. Incoming usernames are matched first against IQ Server users, then against LDAP users; the IQ Server configuration then determines the access level granted to the user.

This is configured via the Reverse Proxy Authentication Configuration REST API.

Proxy authentication configuration before release 137

When upgrading, a valid existing reverse proxy authentication configuration in the config.yml file is migrated to the database. After the migration, the reverse proxy authentication section in the config.yml file is ignored.

Reverse proxy authentication configuration in config.yml file

# Configures reverse proxy authentication for the web UI.
reverseProxyAuthentication:
    # Set to true to activate authentication
    enabled: true
    # Name of the HTTP request header field that carries the username
    usernameHeader: "REMOTE_USER"
    # Set to true for backward compatibility with old client plugins
    csrfProtectionDisabled: false
    # The service URL that will be redirected to when a user requests logout.
    logoutUrl: http://localhost/logout/index.html
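The settings above only tell IQ Server which header to trust; the proxy in front of it has to make that trust safe. The following Python is an added illustration, not Sonatype's code, of the per-request handling such a proxy performs: it rejects methods outside the four IQ Server needs, strips any copy of usernameHeader the client sent, and sets the header only from the identity the proxy itself established with the identity provider. The config dict mirrors the fragment above, and the identity-provider login URL is an assumed placeholder.

```python
from dataclasses import dataclass, field
from typing import Mapping, Optional

# Constructed sample mirroring the config.yml fragment above; not read from IQ Server.
REVERSE_PROXY_AUTH = {
    "enabled": True,
    "usernameHeader": "REMOTE_USER",
    "csrfProtectionDisabled": False,
    "logoutUrl": "http://localhost/logout/index.html",
}
# HTTP methods IQ Server needs the proxy to pass through.
ALLOWED_METHODS = frozenset({"GET", "POST", "PUT", "DELETE"})


@dataclass
class ProxyDecision:
    action: str                                   # "forward", "reject" or "redirect"
    status: int = 200                             # HTTP status for reject/redirect
    headers: dict = field(default_factory=dict)   # headers sent upstream to IQ Server


def decide(method: str, client_headers: Mapping[str, str],
           authenticated_user: Optional[str],
           idp_login_url: str = "https://idp.example/login",   # assumed placeholder
           config: Mapping[str, object] = REVERSE_PROXY_AUTH) -> ProxyDecision:
    """Model the proxy's per-request handling in front of IQ Server.

    IQ Server trusts whatever arrives in usernameHeader, so the proxy must drop
    any copy the client sent and set it only from the identity the proxy itself
    established with the identity provider.
    """
    if method.upper() not in ALLOWED_METHODS:
        return ProxyDecision("reject", 405)
    name = str(config["usernameHeader"])
    # Header names are case-insensitive: strip every spelling the client used.
    upstream = {k: v for k, v in client_headers.items() if k.lower() != name.lower()}
    if not config["enabled"]:
        # Header auth is off; IQ Server uses its own login, so pass through as-is.
        return ProxyDecision("forward", 200, upstream)
    if not authenticated_user:
        # No SSO session yet: send the user to the identity provider, not to IQ Server.
        return ProxyDecision("redirect", 302, {"Location": idp_login_url})
    upstream[name] = authenticated_user
    return ProxyDecision("forward", 200, upstream)
```

IQ Server itself should only be reachable through this proxy; if clients can bypass it, the header carries no guarantee at all.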

Public Key Infrastructure (PKI) Authentication

Integrations may use PKI authentication to delegate authentication to the Java Virtual Machine (JVM). When delegated, the tool or plugin does not handle authentication itself; instead, the JVM supplies the PKI credentials to the reverse proxy for authentication.

To implement PKI authentication, a reverse proxy server is needed to translate PKI-supplied credentials to users known by IQ Server.

For information on setting up PKI authentication, review that integration's documentation.