You are viewing the documentation for Blueriq 13. Documentation for other versions is available in our documentation directory.
Table of contents
Introduction
The Studio can be configured to authenticate using NTLM and Kerberos such that users may login using their Active Directory (AD) credentials. Authorization is achieved using roles, for which it's possible to use groups as assigned in AD or alternatively register the set of roles associated with an username.
Configuration
Studio Server
NTLM/Kerberos authentication and authorization
With this security mode, both authentication and authorization is managed using Active Directory. First, go to [Blueriq Installation directory]\Studio\Services\StudioService.exe.config and search for <security>
. Disable any active security providers by setting enabled
attribute to false
and enable the ntlm
element:
<ntlm enabled="true"> <rolemappingdao class="Aquima.Studio.Server.UserAccess.Xml.XmlRoleMappingDao, UserAccess"> <parameters> <parameter value="../Configuration/Security/RoleMappings"/> </parameters> </rolemappingdao> </ntlm>
Alternatively for Kerberos, add the following snippet inside <security>
:
<kerberos enabled="true"> <rolemappingdao class="Aquima.Studio.Server.UserAccess.Xml.XmlRoleMappingDao, UserAccess"> <parameters> <parameter value="../Configuration/Security/RoleMappings"/> </parameters> </rolemappingdao> </kerberos>
The group of an Active Directory user has to be mapped to one of Blueriq's roles. This can be accomplished using a custom role mapping configuration in [Blueriq Installation directory]\Configuration\Security\RoleMappings\RoleMappings.xml.
In the group section, you have to add the group name with the following syntax: <domainName>\<groupName>
Example:
BlueriqUserGroup from domain BlueriqDomain
<RoleMappings> <RoleMapping> <Group>BlueriqDomain\BlueriqUserGroup</Group> <UserRole>Administrator</UserRole> </RoleMapping> </RoleMappings>
NTLM/Kerberos authentication and custom authorization
With this security mode, only authentication is managed using Active Directory; authorization has to be configured manually per Active Directory user that wants to login to Blueriq Studio. First, go to [Blueriq Installation directory]\Studio\Services\StudioService.exe.config and search for <security>
. Disable any active security providers by setting enabled
attribute to false
and enable the ntlmcustom
element:
<ntlmcustom enabled="true"> <useraccesdao class="Aquima.Studio.Server.UserAccess.Xml.XmlUserAccessDao, UserAccess"> <parameters> <parameter value="../Configuration/Security/UserAccess"/> </parameters> </useraccesdao> </ntlmcustom>
Alternatively for Kerberos, add the following snippet inside <security>
:
<kerberoscustom enabled="true"> <useraccesdao class="Aquima.Studio.Server.UserAccess.Xml.XmlUserAccessDao, UserAccess"> <parameters> <parameter value="../Configuration/Security/UserAccess"/> </parameters> </useraccesdao> </kerberoscustom>
You then have to map active directory users to Blueriq roles. To do this, go to [Blueriq Installation directory]\Studio\Configuration\Security\UserAccess\UserAccess.xml.
<?xml version="1.0"?> <Users> <User Name="Admin"> <Role>Administrator</Role> </User> </Users>
The file contains a user Admin. This user is not an active directory user. In this security mode you can only use active directory users. You have to change the name in an active directory username with the syntax <domainname>\<username>.
For example: The domain name is BlueriqDomain and the username of the user that needs full access to Blueriq Studio is BlueriqUser, you have to change Admin into Blueriq\Test. You can insert more users with the same role. This example results in the follow text:
<?xml version="1.0"?> <Users> <User Name="BlueriqDomain\BlueriqUser"> <Role>Administrator</Role> </User> </Users>
Studio Web Client
The web client will deduce the StudioService identity from the connection URL as "HTTP/hostname". No additional configuration is required.
Administration Page
The Studio Administration Page uses the Management Service.
The domain, user and password attributes specify the identity of the client (the administration page).
The settings file for the Administration Page can be found on the following location: [BlueriqInstalationDirectory]\Studio\wwwroot\Administration\Web.config
<managementservice> <connection url="http://studio-pc:90/Studio/Server/Services/ManagementService" user="domain\user" password="password"/> </managementservice>
IIS Configuration
Depending on the version of Windows and IIS, it may be necessary to adjust the configuration of IIS before it's possible to login using NTLM. The Studio Server is responsible for authenticating a request with the Active Directory, so authentication should not be performed from within the IIS reverse proxy.
First, open Internet Information Services (IIS) Manager and expand the Server > Sites > Blueriq# >Studio > Server item in the left sidebar, then open the Authentication panel:
Once opened, select Windows Authentication and then click Disable in the right sidebar:
Finally, open the server view in the left sidebar and then choose Restart to restart the IIS services. A restart is required to properly apply the authentication changes, as otherwise authentication may fail.
Credentials
To login when NTLM authentication is enabled, users have to include the domain name of the Active Directory as a prefix to their username, separated by a backward slash: <domainname>\<username>.
Studio projects in the Runtime Dashboard
To establish a connection from the Runtime dashboard to the Studio server, authentication needs to be configured here: [BlueriqInstalationDirectory]\Runtime\conf\application-development-tools.properties
For NTLM authentication you'll need to configure an active directory user. We recommend to use an encrypted password.