You are viewing the documentation for Blueriq 13. Documentation for other versions is available in our documentation directory.

Defining a Kerberos authentication provider

In the application.properties file, these properties are expected for a Kerberos authentication provider:

application.properties

# Global configuration
blueriq.security.login-type = kerberos

# Connection
blueriq.security.auth-providers.kerberos01.type = kerberos
blueriq.security.auth-providers.kerberos01.service-principal-name = HTTP/blueriq.mycompany.com@MYCOMPANY.COM
blueriq.security.auth-providers.kerberos01.keytab-location = C:/folder/blueriq.keytab

# LDAP
blueriq.security.auth-providers.kerberos01.connectionUrl = ldap://something.mycompany.com
blueriq.security.auth-providers.kerberos01.userDn = cn=admin,ou=sysadmin,dc=mycompany,dc=com
blueriq.security.auth-providers.kerberos01.password = <encryptedvalue_password>
blueriq.security.auth-providers.kerberos01.useTls = true

# Connection protection (if 'useTls' is true)
blueriq.security.auth-providers.kerberos01.tls.trustStoreUrl = file:///D:/location/to/your/certificates.jks
blueriq.security.auth-providers.kerberos01.tls.trustStorePassword = changeit
blueriq.security.auth-providers.kerberos01.tls.trustStoreType = jks
 
# Search
blueriq.security.auth-providers.kerberos01.referralStrategy = follow
blueriq.security.auth-providers.kerberos01.searchSubtree = true
# Search user
blueriq.security.auth-providers.kerberos01.userSearchBaseDn = OU=users,DC=mycompany,DC=com
blueriq.security.auth-providers.kerberos01.userSearchAttribute = userPrincipalName
# Search group
blueriq.security.auth-providers.kerberos01.groupSearchBaseDn = OU=groups,DC=mycompany,DC=com
blueriq.security.auth-providers.kerberos01.groupSearchFilterAttribute = cn
blueriq.security.auth-providers.kerberos01.groupSearchFilterPattern = BQ_*, EVE_*,PRO - *,PRO -*
# role mapping
blueriq.security.auth-providers.kerberos01.role-mapping.ldapGroup1=BlueriqRole1,BlueriqRole2
blueriq.security.auth-providers.kerberos01.role-mapping.ldapGroup2=BlueriqRole3,BlueriqRole4


# Add the kerberos authentication provider to the chain
blueriq.security.auth-providers-chain = kerberos01


Most of the properties above configure the connection to an LDAP server, which is used to retrieve the roles of an authenticated user. For a detailed explanation of these properties, refer to LDAP authentication provider.

Setting up Kerberos

The first three provider properties in the example above (the ones under # Connection) are required for Kerberos authentication.
The property service-principal-name must contain the SPN that was registered for the Blueriq Runtime service account in Active Directory; the SPN in the keytab must match this value exactly, including the realm.
The property keytab-location must point to the keytab file exported for that SPN. The keytab holds the service's long-term key, so restrict read access on it to the account that runs the Blueriq Runtime.

On the machine running the Blueriq Runtime, a krb5.ini file must be placed in C:\Windows (the location the Java Kerberos implementation reads by default on Windows) that names the realm and its KDC:

[libdefaults]
default_realm = MYCOMPANY.COM

[realms]
MYCOMPANY.COM = {
  kdc = dc.mycompany.com
}
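The most common reason Kerberos authentication fails at this point is a keytab that does not match the configured SPN, has a stale key version number (kvno), or only carries an encryption type the Runtime cannot use. The script below is an added example and not part of Blueriq or the original page: it parses a keytab in the MIT/Heimdal format (version 0x0502), reports the principals, kvnos and encryption types it contains, and checks that the configured service-principal-name is present. The SPN matches the one in the configuration above; the keytab it inspects when run without arguments is constructed in memory from dummy key bytes so that the example runs offline.

```python
"""Added example (not Blueriq's code): parse a keytab and check that it holds a key for the
configured service-principal-name. Handles the MIT/Heimdal keytab format, version 0x0502."""
import struct

SPN = "HTTP/blueriq.mycompany.com@MYCOMPANY.COM"

# Kerberos etype numbers -> (name, considered weak). Subset of the IANA registry.
ETYPES = {
    1: ("des-cbc-crc", True),
    3: ("des-cbc-md5", True),
    17: ("aes128-cts-hmac-sha1-96", False),
    18: ("aes256-cts-hmac-sha1-96", False),
    23: ("arcfour-hmac", True),
}

def _counted(raw: bytes) -> bytes:
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(raw)) + raw

def build_keytab(entries) -> bytes:
    """Serialise (principal, kvno, etype, key) tuples as a version-2 keytab (used for constructed test data)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">I", 1)            # name_type: KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 1700000000)   # timestamp, fixed so the output is reproducible
        body += struct.pack(">B", kvno & 0xFF)  # 8-bit key version number
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)         # optional 32-bit kvno; overrides the 8-bit field when non-zero
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data: bytes):
    """Return one dict per entry: principal, kvno, etype number and name, weak flag, key length."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # a negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                   # skip the key bytes; only their length is reported
        if end - pos >= 4:
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        name, weak = ETYPES.get(etype, ("etype-%d" % etype, False))
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "etype": etype, "etype_name": name, "weak": weak, "key_len": klen})
    return entries

def check_keytab(data: bytes, spn: str) -> dict:
    """Does the keytab contain the configured SPN, with which kvnos and etypes, and are any of them weak?"""
    matching = [e for e in parse_keytab(data) if e["principal"] == spn]
    return {
        "found": bool(matching),
        "kvnos": sorted({e["kvno"] for e in matching}),
        "etypes": sorted({e["etype_name"] for e in matching}),
        "weak_etypes": sorted({e["etype_name"] for e in matching if e["weak"]}),
        # AES-256 keys need the unlimited-strength crypto policy on older Java 8 builds (see Limitations).
        "aes256_present": any(e["etype"] == 18 for e in matching),
    }

# Constructed sample keytab with dummy key bytes, never real key material.
SAMPLE_KEYTAB = build_keytab([
    (SPN, 3, 18, bytes(range(32))),
    (SPN, 3, 17, bytes(range(16))),
    (SPN, 3, 23, bytes(range(16, 32))),
    ("host/other.mycompany.com@MYCOMPANY.COM", 1, 18, bytes(32)),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for entry in parse_keytab(data):
        print(entry)
    print(check_keytab(data, SPN))
```

Run it with the path of the real keytab (for example the file from keytab-location) as its only argument. A report with found false means the SPN in the configuration and the SPN the keytab was exported for differ, often only in the host part or the case of the service name; a kvno that does not match the account's current key version in AD means the keytab must be regenerated; arcfour-hmac or DES entries are weak and should be disabled on the service account.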

LDAP

Whenever a user is successfully authenticated using Kerberos, the user's roles are retrieved from LDAP. The properties used for the LDAP connection are local to the Kerberos authentication provider, and their definitions are the same as those of the LDAP authentication provider.

A user authenticated with Kerberos is identified by the full principal name, for example test.user@MYCOMPANY.COM. Make sure that userSearchAttribute points to an attribute whose value carries the @MYCOMPANY.COM suffix, such as userPrincipalName in the example above; an attribute that holds only the bare account name, such as sAMAccountName, will not match and the user will end up without roles.
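The following added example (not Blueriq's implementation) models what happens between a successful Kerberos authentication and the role decision: the principal name is placed, escaped per RFC 4515, into the user search filter; the entry is looked up on the configured userSearchAttribute; the user's groups are narrowed to the groupSearchFilterPattern values; and the remaining group names are translated through the role-mapping properties. The properties and directory entries are constructed for this example, the group names BQ_Agents and EVE_Readers stand in for the ldapGroup1 and ldapGroup2 placeholders above, and treating the pattern list as wildcards on the group cn is an assumption about how the filter is applied.

```python
"""Added example (not Blueriq's code): model the LDAP role lookup that follows Kerberos
authentication, using constructed properties and directory data so it runs offline."""
from fnmatch import fnmatchcase

PREFIX = "blueriq.security.auth-providers.kerberos01."

# Constructed properties in the page's format; the group names and roles are made up.
SAMPLE_PROPERTIES = """
blueriq.security.auth-providers.kerberos01.userSearchAttribute = userPrincipalName
blueriq.security.auth-providers.kerberos01.groupSearchFilterAttribute = cn
blueriq.security.auth-providers.kerberos01.groupSearchFilterPattern = BQ_*, EVE_*,PRO - *,PRO -*
blueriq.security.auth-providers.kerberos01.role-mapping.BQ_Agents=BlueriqRole1,BlueriqRole2
blueriq.security.auth-providers.kerberos01.role-mapping.EVE_Readers=BlueriqRole3,BlueriqRole4
"""

# Constructed stand-in for AD entries. Only userPrincipalName carries the @REALM suffix.
DIRECTORY = [
    {"userPrincipalName": "test.user@MYCOMPANY.COM", "sAMAccountName": "test.user",
     "memberOf": ["CN=BQ_Agents,OU=groups,DC=mycompany,DC=com",
                  "CN=EVE_Readers,OU=groups,DC=mycompany,DC=com",
                  "CN=Domain Users,CN=Users,DC=mycompany,DC=com"]},
    {"userPrincipalName": "no.roles@MYCOMPANY.COM", "sAMAccountName": "no.roles",
     "memberOf": ["CN=Domain Users,CN=Users,DC=mycompany,DC=com"]},
]

def load_properties(text):
    """Parse 'key = value' lines for this provider into a dict; comments and blank lines are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith(PREFIX):
            props[key[len(PREFIX):]] = value.strip()
    return props

def role_mapping(props):
    """role-mapping.<group> = Role1,Role2  ->  {"<group>": ["Role1", "Role2"]}"""
    return {k[len("role-mapping."):]: [r.strip() for r in v.split(",") if r.strip()]
            for k, v in props.items() if k.startswith("role-mapping.")}

def escape_filter_value(value):
    """RFC 4515 escaping, so a principal name cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_search_filter(principal, props):
    """The filter a search on userSearchAttribute sends for the authenticated principal."""
    return "(%s=%s)" % (props["userSearchAttribute"], escape_filter_value(principal))

def find_user(principal, props, directory=DIRECTORY):
    """Emulate the search: the configured attribute must equal the full principal, realm included."""
    hits = [u for u in directory if u.get(props["userSearchAttribute"]) == principal]
    return hits[0] if len(hits) == 1 else None

def group_cn(dn):
    """Value of the first RDN of a group DN, which is what groupSearchFilterAttribute = cn compares."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def resolve_roles(principal, props, directory=DIRECTORY):
    """Roles for an authenticated principal: None if no entry matches, [] if no mapped group matches."""
    user = find_user(principal, props, directory)
    if user is None:
        return None
    # Assumption: the comma-separated pattern list is applied as wildcards on the group cn.
    patterns = [p.strip() for p in props["groupSearchFilterPattern"].split(",")]
    groups = [group_cn(dn) for dn in user["memberOf"]]
    wanted = [g for g in groups if any(fnmatchcase(g, p) for p in patterns)]
    mapping = role_mapping(props)
    roles = []
    for g in wanted:
        for r in mapping.get(g, []):
            if r not in roles:
                roles.append(r)
    return roles

if __name__ == "__main__":
    props = load_properties(SAMPLE_PROPERTIES)
    print(user_search_filter("test.user@MYCOMPANY.COM", props))
    print(resolve_roles("test.user@MYCOMPANY.COM", props))
```

Switching userSearchAttribute to sAMAccountName in the sample makes the lookup return None even though Kerberos authentication itself succeeded, which is exactly the misconfiguration the paragraph above warns about; a user whose groups match none of the patterns or mappings ends with an empty role list and, as the Limitations below note, sees a 404 when starting a flow.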

Limitations

  • Currently, when Kerberos is used as an authentication provider, no other authentication provider in the chain will work.
  • Kerberos authentication applies to all URLs under the /server path.
  • When a user does not have the appropriate roles to start a flow, a 404 error is shown in the browser.
  • In browsers, Kerberos authentication must be enabled for the domain or host name on which the Blueriq Runtime runs.
  • As always, we advise using the latest Java 8 update. In Java 8 builds older than update 162, the unlimited-strength Java Cryptography Extension (JCE) policy is not enabled by default, so the stronger encryption types used by Kerberos (256-bit AES keys) are rejected. Either run Java 8 update 162 or newer, or manually enable the unlimited-strength JCE policy for your installation.