Security Configuration Reference
This is a reference for security configuration in Moogsoft Onprem. You can edit the following file to configure security features and properties for LDAP and SAML:
$MOOGSOFT_HOME/config/security.conf
DB Realm
You can configure the following DB Realm properties:
passwordPolicy
The DB Realm password policy is disabled by default. To enable it, edit $MOOGSOFT_HOME/config/security.conf and add or uncomment the block under "DB realm" as shown:
    "DB realm" : {
        "realmType": "DB",
        "passwordPolicy" : {
            "regex" : "^(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=])(?=\\S+$).{12,}$",
            "validationMessage" : "Must be at least 12 characters and contain at least one uppercase letter, special character, and number. No whitespace allowed."
        }
    },
You must restart apache-tomcat after enabling or disabling the policy.
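As an added example (not from the Moogsoft documentation or product), the following Python loads a copy of the DB realm block above and applies its regex to a few constructed candidate passwords, which shows what the policy accepts and why the \S in the file has to be written with a doubled backslash.

```python
import json
import re

# Constructed copy of the "DB realm" block from security.conf, using the regex shown on this page.
SECURITY_CONF_DB_REALM = r'''
{
  "DB realm": {
    "realmType": "DB",
    "passwordPolicy": {
      "regex": "^(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=])(?=\\S+$).{12,}$",
      "validationMessage": "Must be at least 12 characters and contain at least one uppercase letter, special character, and number. No whitespace allowed."
    }
  }
}
'''


def load_policy(conf_text: str):
    """Return (compiled regex, validation message) from the DB realm block."""
    policy = json.loads(conf_text)["DB realm"]["passwordPolicy"]
    # json.loads turns the JSON escape "\\S" into the single "\S" the regex engine expects;
    # a bare "\S" inside a JSON string is not a valid JSON escape.
    return re.compile(policy["regex"]), policy["validationMessage"]


def check_password(password: str, conf_text: str = SECURITY_CONF_DB_REALM):
    """Apply the policy as a full-string match; returns (ok, message)."""
    pattern, message = load_policy(conf_text)
    # fullmatch requires the entire password to satisfy the pattern, so an embedded
    # space or a trailing newline fails the (?=\S+$) lookahead.
    if pattern.fullmatch(password):
        return True, ""
    return False, message


if __name__ == "__main__":
    for candidate in ("CorrectHorse9@", "correcthorse9@", "Correct Horse9@", "Short1@A"):
        print(candidate, check_password(candidate))
```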
LDAP connection properties
You can configure the LDAP connection using the following properties.
url
The protocol (LDAP or LDAPS) and the host and port of your LDAP server. For example ldap://172.16.124.169:389.
Type: String | Required: Yes | Default: N/A
connectionTimeout
The connection timeout in milliseconds.
Type: Integer | Required: Yes | Default: 30000
readTimeout
The read timeout in milliseconds.
Type: Integer | Required: Yes | Default: 30000
predefinedUser
If enabled, the user account must exist in the local database as well as on the LDAP server, and the predefined user details are used to populate created or updated user accounts.
If disabled, Moogsoft Onprem creates or updates user accounts with the LDAP information.
Type: Boolean | Required: Yes | Default: False
LDAP attribute search properties
You can configure the authentication bind, DN resolution method and attribute search with the following properties.
resolutionType
The method used to look up the DN (Distinguished Name), the unique path to an object in the directory.
Type: String | Required: Yes | One of: direct, lookup | Default: N/A
The two methods are:
direct: The user DN is built from the usernameAttribute and userDnPostfix properties. Both properties are required. For example:
    "userDnResolution": {
        "resolutionType": "direct",
        "direct": {
            "usernameAttribute": "uid",
            "userDnPostfix": "ou=People,dc=moogsoft,dc=com"
        }
    }
For a user named John Smith, the user DN is:
    uid=john.smith,ou=People,dc=moogsoft,dc=com
lookup: Moogsoft Onprem searches the LDAP server for the user, using usernameAttribute combined with userBaseSearchFilter as the filter and userBaseDn as the search base, to find the DN. These three properties are required. For example:
    "userDnResolution": {
        "resolutionType": "lookup",
        "lookup": {
            "usernameAttribute": "sAMAccountName",
            "userBaseDn": "ou=People,dc=moogsoft,dc=com",
            "userBaseSearchFilter": "(objectclass=person)"
        }
    }
Optionally, for both the direct and lookup methods, you can use the userDnLookupUser, userDnLookupPassword and encryptedUserDnLookupPassword properties to define the account that looks up each DN in your directory. See Moog Encryptor for more information if you want to use password encryption.
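The two resolution methods, as an added example that is not Moogsoft's own code: the Python below builds the bind DN the direct method produces, and the base DN plus filter the lookup method produces, from copies of the two configuration blocks above, escaping the supplied username as RFC 4514 (DN) and RFC 4515 (filter) require so that filter metacharacters in a login name cannot alter the query. The function names and the assumption that the username term is AND-ed with userBaseSearchFilter are mine.

```python
import json

# Constructed copies of the page's two userDnResolution examples (direct and lookup).
DIRECT_CONF = json.loads('''{"userDnResolution": {"resolutionType": "direct",
    "direct": {"usernameAttribute": "uid", "userDnPostfix": "ou=People,dc=moogsoft,dc=com"}}}''')
LOOKUP_CONF = json.loads('''{"userDnResolution": {"resolutionType": "lookup",
    "lookup": {"usernameAttribute": "sAMAccountName", "userBaseDn": "ou=People,dc=moogsoft,dc=com",
               "userBaseSearchFilter": "(objectclass=person)"}}}''')


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value placed inside a DN."""
    out = []
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;=' or (ch == '#' and i == 0) or (ch == ' ' and i in (0, len(value) - 1)):
            out.append('\\' + ch)
        elif ord(ch) < 0x20:
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value placed inside a search filter (ASCII input)."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\' or ord(ch) < 0x20 else ch for ch in value)


def resolve_user_dn(conf: dict, username: str) -> dict:
    """Return what each method sends to the server: a bind DN, or a base DN plus filter."""
    res = conf["userDnResolution"]
    if res["resolutionType"] == "direct":
        d = res["direct"]
        return {"bindDn": f'{d["usernameAttribute"]}={escape_dn_value(username)},{d["userDnPostfix"]}'}
    if res["resolutionType"] == "lookup":
        lk = res["lookup"]
        # Assumption: the username term is AND-ed with userBaseSearchFilter.
        user_term = f'({lk["usernameAttribute"]}={escape_filter_value(username)})'
        return {"baseDn": lk["userBaseDn"], "filter": f'(&{lk["userBaseSearchFilter"]}{user_term})'}
    raise ValueError(f'unknown resolutionType: {res["resolutionType"]}')


if __name__ == "__main__":
    print(resolve_user_dn(DIRECT_CONF, "john.smith"))
    print(resolve_user_dn(LOOKUP_CONF, "john.smith"))
    print(resolve_user_dn(LOOKUP_CONF, "*)(sAMAccountName=*"))  # metacharacters are neutralised
```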
attributeSearchFilter
An optional LDAP attribute filter to search for user attributes.
Type: String | Required: No | Default: (not listed)
attributeMap
An attribute map between the LDAP user attributes and the user attributes in the Moogsoft Onprem database.
Type: String | Required: No | Default: N/A
This property uses the following format:
    "attributeMap": {
        "db_column_5": "ldap_attribute_1",
        "db_column_2": "ldap_attribute_8",
        "db_column_3": "ldap_attribute_8"
    }
LDAP group search and mapping properties
You can configure the following properties in the LDAP group search section.
systemUser
Username of the system user that binds to LDAP and searches for user group information. LDAP uses this user if you leave the userDnLookupUser property empty. The system sends two bind requests and two search requests to LDAP. If you do not configure a system user, the user bind chosen for authentication is also used for the LDAP group search.
Type: String | Required: No | Default: N/A
systemPassword
Password of the system user to bind and search for user group information.
Type: String | Required: No | Default: N/A
encryptedSystemPassword
Encrypted password of the system user to bind and search for user group information. See Moog Encryptor for more information. When using encryptedSystemPassword, comment out or remove the systemPassword property.
Type: String | Required: No | Default: N/A
groupBaseDn
DN for the part of the LDAP structure that contains the user groups. This is used in conjunction with the memberAttribute to find any LDAP groups the user belongs to. These groups are then mapped to a local role using the roleMap property.
Type: String | Required: No | Default: N/A
memberAttribute
Attribute used to look for group members.
Type: String | Required: No | Default: (not listed)
groupNameAttribute
Attribute used to look for group name.
Type: String | Required: No | Default: (not listed)
roleMap
Defines the role mappings between the user directory and Moogsoft Onprem.
Type: String | Required: No | Default: N/A
LDAP assignTeams properties
You can configure the following sub-properties of assignTeams to synchronize team assignment between the user directory and the teams in Moogsoft Onprem.
assignTeams
Synchronizes team assignment between the user directory and the teams in Moogsoft Onprem.
Type: String | Required: No | Default: N/A
teamMap
Defines the LDAP attribute or custom attribute that maps to team names in Moogsoft Onprem. You can provide the mapping as a JSON object.
Type: JSON Object | Required: No | Default: N/A
Example:
    {
        "LDAP Team" : "My Team",
        "Another LDAP Team" : "My second team"
    }
useGroupName
Enable to use the LDAP group name as the team name in Moogsoft Onprem.
Type: Boolean | Required: No | Default: (not listed)
createNewTeams
Creates a team or teams if they do not exist in Moogsoft Onprem. If you leave teamMap empty, the teams adopt their LDAP team names.
Type: Boolean | Required: No | Default: (not listed)
LDAP SSL properties
You can optionally configure SSL to enable TLS authentication, using the following properties.
ssl_protocol
The SSL protocol you want to use.
Type: String | Required: No | Default: (not listed)
server_cert_file
Location of the SSL server certificate.
Type: String | Required: No | Default: N/A
client_cert_file
Location of the SSL client certificate.
Type: String | Required: No | Default: N/A
client_key_file
Location of the client key file.
Type: String | Required: No | Default: N/A
SAML service provider properties
You can configure a SAML realm by giving it a name and editing the following properties.
idpMetadataFile
Location of the identity provider's metadata file. The metadata file provides information on how to connect to the IdP. Moogsoft Onprem requires the file to be in .xml format.
Type: String | Required: Yes | Default: (not listed)
idpMetadataUrl
URL of the identity provider's metadata. The metadata file provides information on how to connect to the IdP. Moogsoft Onprem requires the file to be in .xml format.
Type: String | Required: Yes | Default: (not listed)
idpMetadata
Location of the identity provider's metadata. The metadata file provides information on how to connect to the IdP. Moogsoft Onprem requires the file to be in .xml format.
Type: String | Required: Yes | Default: (not listed)
spMetadataFile
Location of the service provider's metadata file. Moogsoft Onprem writes the SP metadata information to this file. This location must be accessible and editable by the Apache Tomcat user. Moogsoft Onprem requires the file to be in .xml format. If your IdP does not have an SP metadata file generator, you can create one manually. See Build a Service Provider Metadata File for instructions.
Type: String | Required: Yes | Default: (not listed)
defaultRoles
Default roles that Moogsoft Onprem assigns to new users upon first login using SAML. If the user already has a role mapping, Moogsoft Onprem uses that instead.
Type: Array | Required: Yes | Default: (not listed)
defaultTeams
Default teams that Moogsoft Onprem assigns to new users upon first login using SAML. You can create an empty list if you do not want to assign new users to a team.
Type: Array | Required: Yes | Default: (not listed)
defaultGroup
Default primary group that Moogsoft Onprem assigns to new users upon first login using SAML.
Type: Array | Required: Yes | Default: (not listed)
SAML user mapping properties
You can configure how to map IdP user fields to existing Moogsoft Onprem users and how to map user fields for new users. All mappings are case sensitive. Each mapping follows the format:
"MoogsoftAttribute" : "IdPAttribute"
existingUserMappingField
The field that Moogsoft Onprem uses to map existing users to your IdP users.
Type: String | Required: No | One of: (not listed) | Default: (not listed)
username
The IdP attribute that maps to username in Moogsoft Onprem.
Type: String | Required: Yes | Default: (not listed)
The IdP attribute that maps to email in Moogsoft Onprem.
Type: String | Required: Yes | Default: (not listed)
fullName
The IdP attributes that map to full name in Moogsoft Onprem.
Type: String | Required: Yes | Default: (not listed)
SAML assignTeams properties
You can configure the following sub-properties of assignTeams to synchronize team assignment between the SAML user directory and the teams in Moogsoft Onprem.
teamAttribute
The IdP attribute that maps to teams in Moogsoft Onprem.
Type: String | Required: No | Default: (not listed)
teamMap
The IdP attribute or custom attribute that maps to team names in Moogsoft Onprem.
Type: JSON Object | Required: No | Default: (not listed)
createNewTeams
Creates a team or teams if they do not exist in Moogsoft Onprem. If you leave teamMap empty, the teams adopt their IdP team names.
Type: Boolean | Required: No | Default: (not listed)
SAML assignRoles properties
You can configure the following sub-properties of assignRoles to synchronize role assignment between the SAML user directory and the roles in Moogsoft Onprem.
roleAttribute
The IdP attribute containing role information.
Type: String | Required: No | Default: (not listed)
roleMap
The IdP attribute that maps to Moogsoft Onprem roles.
Type: JSON Object | Required: No | Default: (not listed)
SAML security properties
You can configure the following SAML security properties.
keystorePassword
Your unencrypted keystore password. Any whitespace in the name is replaced with an underscore.
Type: String | Required: No | Default: N/A
encryptedKeystorePassword
Your encrypted keystore password. Any whitespace in the name is replaced with an underscore.
Type: String | Required: No | Default: N/A
forceAuth
Enabling forceAuth prevents users from having to enter their credentials more than once.
Type: Boolean | Required: No | Default: (not listed)
privateKeyPassword
Your private key password. Any whitespace in the name is replaced with an underscore.
Type: String | Required: No | Default: N/A
maximumAuthenticationLifetime
Maximum time in seconds for Moogsoft Onprem to receive an IdP's SAML assertion before it becomes invalid.
Type: Integer | Required: No | Default: (not listed)
serviceProviderEntityId
Service Provider Entity ID assertion number. Some IdPs require this ID.
Type: String | Required: No | Default: (not listed)
SAML optional properties
You can customize your SAML realm with a number of optional properties.
contactNumber
The IdP attribute that maps to contact number in Moogsoft Onprem.
Type: String | Required: No | Default: N/A
department
The IdP attribute that maps to department in Moogsoft Onprem.
Type: String | Required: No | Default: N/A
primaryGroup
The IdP attribute that maps to primary group in Moogsoft Onprem.
Type: String | Required: No | Default: N/A
timezone
The IdP attribute that maps to timezone in Moogsoft Onprem.
Type: String | Required: No | Default: N/A