Purpose

Describes an external authentication service. Properties depend on whether the object describes a Java plugin, LDAP, OIDC, or a SAML service.

Java plugin service

The authDefinition object for a Java plugin service consists of the className and attributes properties.

{
   "className": "java_plugin_classname",
   "attributes": {
      "attribute_name": "attribute_value",
      "attribute_name": "attribute_value",
      ...
   }
}
"className"
   Description: The class name that implements the Java authentication plugin interface.
   Valid values: The name of the class that the Java plugin developer created to implement the Java authentication plugin interface.

"attributes"
   Description: A JSON object comprised of named attribute values that are passed to the init method of the Java plugin. These attributes can provide useful values for initialization, such as an authentication server name, and can be used to configure the plugin for use by multiple authentication servers.
   Valid values: A valid JSON object.

"grantedPermissions"
   Description: A list of additional permissions that the user is assigned.
   Required.

"revokedPermissions"
   Description: A list of permissions that the user is denied.
   Required.

LDAP service

The authDefinition object for an LDAP service must include an attributes object consisting of the targetUrl, securityAuthentication, securityPrincipal, and securityCredentials attributes.

{
    "attributes": {
        "targetUrl": "LDAP_URL",
        "securityAuthentication": "LDAP_auth_mechanism",
        "securityPrincipal": "LDAP_principal",
        "securityCredentials": "LDAP_credentials"
    }
}
"targetUrl"
   Description: The URL used to access the LDAP server.
   Valid values: A string that specifies the URL for the LDAP server (an ldap:// or ldaps:// URL). Use ldaps:// (LDAP over TLS) whenever securityAuthentication is simple, so that the bind password is not sent in clear text.

"securityAuthentication"
   Description: The authentication mechanism required by the LDAP server.
   Valid values: none | simple | sasl_mech
      If none, no authentication mechanism is used against the LDAP server (an anonymous bind).
      If simple, a clear-text password is used to authenticate against the LDAP server.
      If sasl_mech, the named SASL authentication mechanism is used to authenticate against the LDAP server. For details, refer to Authentication Mechanisms in The Java Tutorials.

"securityPrincipal"
   Description: The principal used to authenticate against the LDAP server.
   Valid values: The principal information required differs based on the mechanism specified in the securityAuthentication attribute.
      If none, this property is ignored.
      If simple, the fully qualified distinguished name (DN) of the user.
      If sasl_mech, the SASL authorization identity. The authorization identity is the identity of the entity for which access control checks are made if authentication succeeds.
   Note: The token %LOGINNAME% is replaced with the user name supplied at login, so one definition can bind as each user. For example, CN=%LOGINNAME%,OU=TestRuns,DC=testdomain,DC=local.

"securityCredentials"
   Description: The credentials required to authenticate against the LDAP server.
   Valid values: The credential information required differs based on the mechanism specified in the securityAuthentication attribute.
      If none, this property is ignored.
      If simple, the password must be specified.
      If sasl_mech, the authorization credential key or password must be specified.
   Note: This value is stored in the authentication service definition; restrict who can read or list the definition.

"grantedPermissions"
   Description: A list of additional permissions that the user is assigned.
   Required.

"revokedPermissions"
   Description: A list of permissions that the user is denied.
   Required.
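The following is an added example, not code from Hybrid Data Pipeline or its documentation. It shows what a careful consumer of an LDAP authDefinition should do with the attributes described above: substitute %LOGINNAME% into securityPrincipal, escape the login name as an RFC 4514 DN value so that a name such as "x,OU=Admins" cannot rewrite the bind DN, and flag a simple bind over an unencrypted ldap:// URL. The sample definition, the escaping step and the checks are assumptions made for this example; the product's own substitution and validation behaviour is not documented on this page.

```python
from urllib.parse import urlsplit

# Constructed sample authDefinition for an LDAP service (not taken from a live deployment).
LDAP_AUTHDEF = {
    "attributes": {
        "targetUrl": "ldaps://ldap.testdomain.local:636",
        "securityAuthentication": "simple",
        "securityPrincipal": "CN=%LOGINNAME%,OU=TestRuns,DC=testdomain,DC=local",
        "securityCredentials": "bind-password-placeholder",
    }
}

LOGINNAME_TOKEN = "%LOGINNAME%"
_DN_SPECIAL = set('\\,+"<>;=')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4).

    Assumption: the product substitutes %LOGINNAME% verbatim; escaping here is
    defence in depth so that a login such as 'x,OU=Admins' cannot rewrite the DN.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def resolve_bind_principal(authdef: dict, login_name: str):
    """Return the bind principal for login_name, or None when the mechanism is 'none'."""
    attrs = authdef["attributes"]
    if attrs["securityAuthentication"] == "none":
        return None  # securityPrincipal is ignored for anonymous binds
    return attrs["securityPrincipal"].replace(LOGINNAME_TOKEN, escape_dn_value(login_name))


def check_ldap_authdef(authdef: dict) -> list:
    """Return a list of findings (empty when the definition looks safe to deploy)."""
    findings = []
    attrs = authdef.get("attributes", {})
    for key in ("targetUrl", "securityAuthentication", "securityPrincipal", "securityCredentials"):
        if key not in attrs:
            findings.append(f"missing attribute: {key}")
    if findings:
        return findings
    scheme = urlsplit(attrs["targetUrl"]).scheme.lower()
    mech = attrs["securityAuthentication"]
    if scheme not in ("ldap", "ldaps"):
        findings.append(f"targetUrl scheme must be ldap or ldaps, got {scheme!r}")
    if mech == "simple":
        if scheme != "ldaps":
            findings.append("simple bind sends the password in clear text; use an ldaps:// targetUrl")
        if not attrs["securityCredentials"]:
            findings.append("simple bind requires securityCredentials")
    elif mech == "none":
        findings.append("anonymous bind: users are not authenticated against LDAP")
    elif not mech:
        findings.append("securityAuthentication must be none, simple or a SASL mechanism name")
    return findings


if __name__ == "__main__":
    print(resolve_bind_principal(LDAP_AUTHDEF, "alice,OU=Admins"))
    print(check_ldap_authdef(LDAP_AUTHDEF))
```

Run the checker against a definition before creating the authentication service; a non-empty result for a simple bind over ldap:// means the bind password, and any user passwords substituted at login, would cross the network unencrypted.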

SAML service

The authDefinition object for a SAML service includes an attributes object consisting of the assertingPartySSOUrl, assertingPartyEntityId, assertingPartyCertLoc, relyingPartyEntityId, assertionConsumerServicePath, and hdpUsernameIdentifier attributes.

{
    "attributes": {
        "assertingPartySSOUrl": "SSO_server_url",
        "assertingPartyEntityId": "client_entity_id",
        "assertingPartyCertLoc": "client_certificate_location",
        "relyingPartyEntityId": "relyingparty_entity_id",
        "assertionConsumerServicePath": "SAML_service_path",
        "hdpUsernameIdentifier": "SAML_authenticated_user"
    }
}
"assertingPartySSOUrl"
   Description: The single sign-on URL of the identity provider's SAML server.
   Valid values: A string that specifies the URL used to access the SAML server of the identity provider.

"assertingPartyEntityId"
   Description: The entity ID of the identity provider.
   Valid values: A string that specifies the entity ID of the identity provider.

"assertingPartyCertLoc"
   Description: The location of the identity provider's signing certificate, used to verify the signatures on the SAML responses and assertions that the identity provider issues.
   Valid values: A string that specifies the URL of the identity provider's certificate.

"relyingPartyEntityId"
   Description: The entity ID of the service provider (the Hybrid Data Pipeline server), as published in its metadata.
   Valid values: A string, typically a URL, that identifies the Hybrid Data Pipeline server as the relying party.

"assertionConsumerServicePath"
   Description: The path on the Hybrid Data Pipeline server that receives SAML responses (the assertion consumer service).
   Valid values: A string that specifies the URL path to which the identity provider redirects the browser, carrying the SAML response, after authentication.

"hdpUsernameIdentifier"
   Description: A valid SAML attribute containing the authenticated user name.
   Valid values: A string or URL that names the attribute containing the authenticated user name.

By default, Hybrid Data Pipeline takes the user name from the subject of the SAML response. To take it from a different SAML attribute instead, name that attribute in the hdpUsernameIdentifier attribute.
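The following is an added example, not code from Hybrid Data Pipeline, illustrating how the user name is resolved from a SAML assertion under the rule above: the subject NameID by default, or the attribute named by hdpUsernameIdentifier. Before the name is used, the example checks that the assertion's issuer matches assertingPartyEntityId and that its audience matches relyingPartyEntityId. Assumptions made here: an empty hdpUsernameIdentifier means "use the subject", the assertion XML and the definition are constructed sample data, and XML signature verification against assertingPartyCertLoc is assumed to have already happened (it is not implemented in this block; never trust an unsigned or unverified assertion).

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample authDefinition for a SAML service (not a live deployment).
SAML_AUTHDEF = {
    "attributes": {
        "assertingPartySSOUrl": "https://idp.example.test/sso",
        "assertingPartyEntityId": "https://idp.example.test/metadata",
        "assertingPartyCertLoc": "file:///etc/hdp/idp-signing.crt",
        "relyingPartyEntityId": "https://hdp.example.test/saml/metadata",
        "assertionConsumerServicePath": "/saml/acs",
        "hdpUsernameIdentifier": "",  # assumption: empty means "use the subject NameID"
    }
}

# Constructed, unsigned sample assertion; a real one carries a ds:Signature that must
# be verified against the certificate at assertingPartyCertLoc before this function runs.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml2:Issuer>https://idp.example.test/metadata</saml2:Issuer>
  <saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject>
  <saml2:Conditions>
    <saml2:AudienceRestriction>
      <saml2:Audience>https://hdp.example.test/saml/metadata</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml2:AttributeValue>alice@example.test</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def resolve_saml_username(authdef: dict, assertion_xml: str) -> str:
    """Return the user name an assertion authenticates, per the authDefinition.

    Raises ValueError when the assertion was not issued by the configured identity
    provider, is not addressed to this relying party, or carries no usable name.
    (For untrusted XML in production use a hardened parser such as defusedxml.)
    """
    attrs = authdef["attributes"]
    root = ET.fromstring(assertion_xml)

    issuer = root.findtext("saml2:Issuer", namespaces=NS)
    if issuer != attrs["assertingPartyEntityId"]:
        raise ValueError(f"unexpected issuer: {issuer!r}")

    audiences = [e.text for e in root.findall(
        "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)]
    if attrs["relyingPartyEntityId"] not in audiences:
        raise ValueError("assertion is not addressed to this relying party")

    identifier = attrs.get("hdpUsernameIdentifier") or ""
    if not identifier:
        name = root.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
    else:
        name = None
        for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS):
            if attr.get("Name") == identifier:
                name = attr.findtext("saml2:AttributeValue", namespaces=NS)
                break
    if not name:
        raise ValueError(f"no user name found for identifier {identifier!r}")
    return name


if __name__ == "__main__":
    print(resolve_saml_username(SAML_AUTHDEF, SAMPLE_ASSERTION))
```

Switching hdpUsernameIdentifier to the email-address attribute in the sample changes the resolved name from the NameID "alice" to "alice@example.test"; the issuer and audience checks stay the same either way.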

OIDC service

The authDefinition object for an OIDC service must include the issuerUrl and hdpUsernameIdentifier attributes and an attrValidation object consisting of the type, introspectAuthMethod, clientid, clientSecret, and claimsToValidate attributes.

{
    "issuerUrl": "The URL used to access the OIDC server of the OpenID provider",
    "hdpUsernameIdentifier": "The specific key in the token containing the authenticated user name",
    "attrValidation": {
        "type": "token_validation_method",
        "introspectAuthMethod": "authentication_method_name",
        "clientid": "client_id",
        "clientSecret": "client_secret",
        "claimsToValidate": { "claim_name": "expected_value", ... }
    }
}
"issuerUrl"
   Description: The OpenID provider URL used to access the provider and validate the token.
   Valid values: A string that specifies the URL used to access the OIDC server of the OpenID provider.

"hdpUsernameIdentifier"
   Description: The key (claim) in the token that contains the authenticated user name.
   Valid values: A string naming the claim that carries the authenticated user name, for example a claim holding an email address.

"type"
   Description: The method used to validate a token.
   Valid values: JWT | Introspect

"introspectAuthMethod"
   Description: The client authentication method used when calling the provider's introspection endpoint.
   Valid values: client_secret_post | client_secret_basic
   This attribute applies only when type is Introspect.

"clientid"
   Description: The client ID of your registered application.
   Valid values: A string that specifies the client ID of your registered application. This attribute applies only when type is Introspect.

"clientSecret"
   Description: The client secret of your registered application.
   Valid values: A string that specifies the client secret of your registered application. This attribute applies only when type is Introspect. It is stored in the authentication service definition; restrict who can read it.

"claimsToValidate"
   Description: A list of claims that must be validated against the token; a token whose claims do not carry the configured values is rejected.
   Valid values: A JSON object where each claim is specified as a key-value pair, the key being the claim name and the value the value it must have. Claim names include aud, alg, iss, name, oid, rh, scp, sub, tid, etc. At a minimum, validate iss and aud so that tokens issued by another provider, or issued for another application, are rejected.
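The following is an added example, not code from Hybrid Data Pipeline, showing the two behaviours the OIDC attributes above control when type is Introspect: how the introspection request to the provider is authenticated under client_secret_basic versus client_secret_post, and how claimsToValidate and hdpUsernameIdentifier are applied to the provider's response. The authDefinition, the introspection response, the handling of a list-valued aud claim, and the rule that an inactive token is rejected before any claim is read are all assumptions made for this example; the request shape follows RFC 7662 and RFC 6749 section 2.3.1, not a documented product API.

```python
import base64
from urllib.parse import urlencode

# Constructed authDefinition for an OIDC service validated by introspection (not a live deployment).
OIDC_AUTHDEF = {
    "issuerUrl": "https://login.example.test/oauth2/v2.0",
    "hdpUsernameIdentifier": "preferred_username",
    "attrValidation": {
        "type": "Introspect",
        "introspectAuthMethod": "client_secret_basic",
        "clientid": "hdp-client",
        "clientSecret": "s3cret",
        "claimsToValidate": {
            "iss": "https://login.example.test/oauth2/v2.0",
            "aud": "api://hdp",
        },
    },
}

# Constructed introspection response in the RFC 7662 shape a provider might return.
SAMPLE_INTROSPECTION = {
    "active": True,
    "iss": "https://login.example.test/oauth2/v2.0",
    "aud": ["api://hdp", "api://reporting"],
    "sub": "7f1c2a9e",
    "preferred_username": "alice@example.test",
}


def build_introspection_request(authdef: dict, token: str):
    """Return (headers, urlencoded_body) for a POST to the provider's introspection endpoint.

    With client_secret_basic the secret travels only in the Authorization header;
    with client_secret_post it travels in the form body. It is never put on the URL.
    """
    v = authdef["attrValidation"]
    if v["type"] != "Introspect":
        raise ValueError("an introspection request only applies when type is Introspect")
    body = {"token": token, "token_type_hint": "access_token"}
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    method = v["introspectAuthMethod"]
    if method == "client_secret_basic":
        # RFC 6749 2.3.1: "client_id:client_secret", base64-encoded, as HTTP Basic credentials
        cred = f"{v['clientid']}:{v['clientSecret']}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(cred).decode()
    elif method == "client_secret_post":
        body["client_id"] = v["clientid"]
        body["client_secret"] = v["clientSecret"]
    else:
        raise ValueError(f"unsupported introspectAuthMethod: {method}")
    return headers, urlencode(body)


def validate_claims(claims: dict, claims_to_validate: dict) -> list:
    """Return the names of configured claims that are missing or do not match the token."""
    failed = []
    for name, expected in claims_to_validate.items():
        actual = claims.get(name)
        if isinstance(actual, list):  # aud may carry several audiences; ours must be among them
            ok = expected in actual
        else:
            ok = actual is not None and actual == expected
        if not ok:
            failed.append(name)
    return failed


def authenticate_introspected(authdef: dict, response: dict):
    """Map an introspection response to a user name, or None when the token is rejected."""
    if response.get("active") is not True:
        return None  # inactive or unknown token: do not read any other field
    if validate_claims(response, authdef["attrValidation"]["claimsToValidate"]):
        return None
    return response.get(authdef["hdpUsernameIdentifier"]) or None


if __name__ == "__main__":
    print(build_introspection_request(OIDC_AUTHDEF, "opaque-token"))
    print(authenticate_introspected(OIDC_AUTHDEF, SAMPLE_INTROSPECTION))
```

Because iss and aud are both in claimsToValidate, a token that is active but was issued by a different provider, or issued for a different application, yields no user name even though it carries a preferred_username claim.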