Security Configuration

Reverse Proxy Authentication

Browser-based single sign-on (SSO) lets a user authenticate once in the web browser instead of logging into each web application individually. As the user navigates to further applications, the authenticated username is carried through to each application and the user is logged in automatically.

Typically this is implemented with a reverse proxy server, and the username is supplied to the application in an HTTP header field.

IQ Server can be configured to accept this kind of SSO setup in the config.yml file, where you specify the exact header field from which the username is read:

# Configures reverse proxy authentication for the web UI.
reverseProxyAuthentication:
    # Set to true to activate authentication
    enabled: true
    # Name of the HTTP request header field that carries the username
    usernameHeader: "REMOTE_USER"
    # Set to true for backward compatibility with old client plugins
    csrfProtectionDisabled: false
    # The service URL that will be redirected to when a user requests logout.
    logoutUrl: http://localhost/logout/index.html

When using reverse proxy authentication from integration points to IQ Server, Cross-Site Request Forgery (CSRF) protection is enabled by default. If an integration does not support CSRF protection, it should be updated to the latest version. Alternatively, CSRF protection can be disabled by setting csrfProtectionDisabled: true in the IQ Server configuration.

The logoutUrl property of the reverseProxyAuthentication configuration is only supported in IQ Server version 1.35.0 and higher.

The default config.yml contains a commented out section for this configuration with some further details.

This authentication method applies to all users, both IQ Server and LDAP users. An incoming username is matched first against IQ Server users, then against LDAP users; the configuration in IQ Server then determines the access level granted to that user.
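The following is an added example, not code from the IQ Server documentation or product: it parses the reverseProxyAuthentication block shown above with a minimal standard-library parser, audits the CSRF setting discussed earlier, and shows the one thing the reverse proxy in front of IQ Server must get right with the usernameHeader. The function names, the proxy logic and the embedded config text are assumptions for illustration.

```python
"""Added example, not from the IQ Server docs or product: parse the
reverseProxyAuthentication block, audit it, and build the headers a proxy forwards."""
from typing import Dict, List, Optional

# Constructed copy of the config.yml section shown above.
CONFIG_TEXT = """\
reverseProxyAuthentication:
  enabled: true
  usernameHeader: "REMOTE_USER"
  csrfProtectionDisabled: false
  logoutUrl: http://localhost/logout/index.html
"""

def parse_section(text: str, section: str = "reverseProxyAuthentication") -> Dict[str, object]:
    """Minimal parser for the flat key/value lines under one top-level YAML key."""
    result: Dict[str, object] = {}
    in_section = False
    for line in text.splitlines():
        body = line.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not body:
            continue
        if not line[0].isspace():                  # a top-level key starts or ends a section
            in_section = body == f"{section}:"
            continue
        if in_section:
            key, _, value = body.strip().partition(":")   # first ':' only, so URLs survive
            value = value.strip().strip("\"'")
            result[key.strip()] = {"true": True, "false": False}.get(value.lower(), value)
    return result

def audit(cfg: Dict[str, object]) -> List[str]:
    """Findings a reviewer would raise about the parsed section."""
    findings = []
    if cfg.get("enabled") is True and not cfg.get("usernameHeader"):
        findings.append("usernameHeader is empty: IQ Server cannot identify the caller")
    if cfg.get("csrfProtectionDisabled") is True:
        findings.append("CSRF protection is disabled; update the integration instead")
    return findings

def build_upstream_headers(inbound: Dict[str, str], authenticated_user: Optional[str],
                           username_header: str) -> Optional[Dict[str, str]]:
    """Headers the proxy forwards to IQ Server, or None when the proxy has not
    authenticated the caller (redirect to SSO login instead). Any client-supplied copy
    of the username header is dropped, case-insensitively: only the proxy may set it."""
    if not authenticated_user:
        return None
    out = {k: v for k, v in inbound.items() if k.lower() != username_header.lower()}
    out[username_header] = authenticated_user
    return out
```

The header name passed to build_upstream_headers must be the same value as usernameHeader in config.yml, which is why the example reads it from the parsed section rather than hard-coding it twice.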

Public Key Infrastructure (PKI) Authentication

In order to implement PKI authentication, a reverse proxy server is needed to translate PKI supplied credentials to users known by IQ Server.

Tools and plugins can be configured to use PKI authentication, which delegates authentication to the Java Virtual Machine (JVM). When delegated, the tool or plugin does not handle authentication itself; instead the JVM presents the PKI credentials to the reverse proxy, which performs the authentication.

For information on setting PKI authentication for a specific tool or plugin, please see the appropriate page.