Security Configuration
Reverse Proxy Authentication
Browser-based single sign-on (SSO) configurations allow a user to log into the system in a web browser without the need to log into any individual web applications. Any user navigation to further applications carries the authenticated username through to the application and the user is automatically logged in.
Typically this is implemented with a reverse proxy server, and the username is supplied via an HTTP header field.
The IQ Server can be configured to accept this kind of SSO configuration, allowing you to specify the exact header field to be used.
This authentication method applies to all users, both IQ Server and LDAP users. Incoming usernames are matched first to IQ Server users, then to LDAP users, and then the configuration in the IQ Server determines the access level granted to the user.
When using reverse proxy authentication from integration points to IQ Server, Cross-Site Request Forgery (CSRF) protection is enabled by default. If an integration does not support CSRF protection, it should be updated to the latest version. Alternatively, CSRF protection can be disabled by setting csrfProtectionDisabled to true.
The logoutUrl property of the reverseProxyAuthentication configuration is only supported in IQ Server version 1.35.0 and higher.
In IQ Server release 138 or later
This is configured via the REST API.
When upgrading to IQ Server release 138 or later, any valid existing reverse proxy authentication configuration in the config.yml file is migrated to the database.
After the migration, any reverse proxy authentication configuration remaining in the config.yml file is ignored and considered obsolete.
In IQ Server release 137 or earlier
This is configured in the config.yml file:

```yaml
# Configures reverse proxy authentication for the web UI.
reverseProxyAuthentication:
  # Set to true to activate authentication
  enabled: true
  # Name of the HTTP request header field that carries the username
  usernameHeader: "REMOTE_USER"
  # Set to true for backward compatibility with old client plugins
  csrfProtectionDisabled: false
  # The service URL that will be redirected to when a user requests logout.
  logoutUrl: http://localhost/logout/index.html
```

The default config.yml contains a commented-out section for this configuration with some further details.
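The following is an added example, not IQ Server or Sonatype code, that models the trust boundary header-based SSO relies on: the reverse proxy authenticates the browser user and forwards the username in the configured header, and the upstream server takes that header value as the login name. The property a deployment must hold is that the proxy discards any value for the username header that arrives from the client and replaces it with its own authenticated identity, and that the upstream is reachable only through the proxy. The configuration dictionary, header names and function names below are constructed for illustration and mirror the config.yml block above; they are not an IQ Server API.

```python
"""Model of the reverse proxy -> upstream header-based SSO hop.

Added illustration, not IQ Server code. Two sides are modelled:
  proxy_forward        what a correctly configured reverse proxy sends upstream
  upstream_resolve_user what an upstream configured with a usernameHeader reads
"""
from typing import Dict, Optional

# Constructed stand-in for the reverseProxyAuthentication block in config.yml.
REVERSE_PROXY_AUTH: Dict[str, object] = {
    "enabled": True,
    "usernameHeader": "REMOTE_USER",
    "csrfProtectionDisabled": False,
    "logoutUrl": "http://localhost/logout/index.html",
}


def proxy_forward(
    client_headers: Dict[str, str],
    authenticated_user: Optional[str],
    username_header: str = "REMOTE_USER",
) -> Dict[str, str]:
    """Build the header set a reverse proxy should send to the upstream.

    Every client-supplied copy of the username header is dropped (HTTP header
    names are case-insensitive, so compare lower-cased), and the header is then
    set from the identity the proxy itself authenticated. A request the proxy
    has not authenticated is refused rather than forwarded with no username.
    """
    if not authenticated_user:
        raise PermissionError("proxy must authenticate the user before forwarding")
    forwarded = {
        name: value
        for name, value in client_headers.items()
        if name.lower() != username_header.lower()
    }
    forwarded[username_header] = authenticated_user
    return forwarded


def upstream_resolve_user(
    headers: Dict[str, str], config: Dict[str, object]
) -> Optional[str]:
    """Return the login name an upstream configured like the block above would use.

    Returns None when reverse proxy authentication is disabled or the header is
    absent or empty. The upstream trusts whatever value arrives, which is why it
    must only be reachable through the proxy that overwrites the header.
    """
    if not config.get("enabled"):
        return None
    wanted = str(config["usernameHeader"]).lower()
    for name, value in headers.items():
        if name.lower() == wanted:
            return value.strip() or None
    return None


if __name__ == "__main__":
    # Constructed request: the browser tries to supply its own REMOTE_USER,
    # but the proxy has authenticated the session as "alice".
    browser_headers = {"REMOTE_USER": "admin", "Accept": "text/html"}
    via_proxy = proxy_forward(browser_headers, "alice")
    print("via proxy  ->", upstream_resolve_user(via_proxy, REVERSE_PROXY_AUTH))
    # The same headers hitting the upstream directly would be taken at face value.
    print("direct hit ->", upstream_resolve_user(browser_headers, REVERSE_PROXY_AUTH))
```

The second print line is the check worth running against a real deployment: if the IQ Server listener is reachable from a network segment that bypasses the proxy, the header is trusted without the proxy ever having overwritten it, so the listener should be bound or firewalled so that only the proxy can reach it.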
Public Key Infrastructure (PKI) Authentication
To implement PKI authentication, a reverse proxy server is needed to translate the PKI-supplied credentials into users known to IQ Server.
Tools and plugins can be configured to use PKI authentication, which delegates authentication to the Java Virtual Machine (JVM). When delegated, the tool or plugin does not handle authentication itself; instead the JVM supplies the PKI information to the reverse proxy for authentication.
For information on setting PKI authentication for a specific tool or plugin, review that tool/plugin's specific page.