Skip to main content
Skip table of contents

Authentication Modules

Definition

An Authentication Module defines an authentication method and its parameters. Authentication modules are used in authentication mechanisms.

Several types of authentication modules can be configured :

  • Active Directory

  • Kerberos

  • LDAP

  • Memority Multi-Factor Authentication (MyMFA)

  • OATH

  • OAuth2/OpenID Provider

  • SAML2 Provider

  • OTP by mail

  • OTP by SMS

  • Memority Password

  • WebAuthn

Configuration

You can access the Authentication modules configuration :

  • by clicking on "Authentication" â†’ “Authentication Modules”

  • by clicking on "System" â†’ "Configurations" → "Access Service" and perform an import/export.

Properties

Property name

Type

Mandatory

Description

Values (default value in bold)

identifier

String

YES

The identifier is the unique identifier of each Authentication module.

Identifier is case sensitive and no special characters (except - or _) are allowed.

-

name

String

YES

The Authentication module name.

The name may be different from the identifier. Specifying the name first allows to define automatically the identifier.
Must be at least 4 characters long.

-

description

String

NO

The purpose of the Authentication module.

-

configuration

-

YES

Indicates the type of authentication module.

-

Kerberos configuration properties

Property name

Type

Mandatory

Description

Values (default value in bold)

kerberosDomain

String

YES

The name of the Kerberos (Active Directory) domain.

-

keyDistributionCenter

String

YES

The fully qualified domain name (FQDN) of the Kerberos (Active Directory) server.

-

principalName

String

YES

The principal name for Kerberos authentication in the following format : HTTP/<memority_tenant_hostname>@<AD_DOMAIN>

This principal name must match the one used in the keytab file created from the Active Directory server.

-

Keytab file properties

A Setting must be configured to upload the Keytab file generated on the Active Directory :

Setting name

Type

Description

amcp.authenticationModule.<auth_module_id>.kerberos.keytab

BinarySecret

The Keytab File generated on the Active Directory by using the following command :

CODE 
ktpass -princ HTTP/<memority_am_hostname>@<AD_DOMAIN_IN_UPPERCASE> -mapuser <service_account>@<AD_DOMAIN_IN_UPPERCASE> -pass <service_account_pwd> -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -out C:\kerberos\<ad_domain>.keytab

Service account should have been previously created with the following characteristics :

  • No specific rights

  • Ucheck box “User must change  password at next logon”

  • Check box “Kerberos pre-authentication is not needed”

  • Check the box “Password never expires”

Ldap/AD configuration properties

The use of an AD/LDAP authentication module required a secured connection between Memority and the AD/LDAP client infrastructure. Contact the PS team to configure this type of authentication module.

Property name

Type

Mandatory

Description

Values (default value in bold)

ldapServers

List<String>

YES

List of LDAP servers that will be used to authenticate users.

Two LDAP servers can be declared to ensure high availability if one LDAP server is down.

-

searchAttributes

List<String>

YES

List of user attributes returned by the LDAP directory and used to search for the user to be authenticated in Memority.

-

baseDn

String

YES

DN from which the user search starts.

-

bindDn

String

YES

DN of an admin user used to authenticate to the LDAP directory.

-

connectionMode

Enum

YES

Type of connection used to connect to the LDAP server.

-

retrievalAttribute

String

YES

Name of the user attribute used to perform the user search in the LDAP directory.

-

searchFilter

String

YES

Search filter used to search the user in the LDAP directory.

-

ldapServers properties

Property name

Type

Mandatory

Description

Values (default value in bold)

ldapServer

String

YES

Host or IP address and port of the ldap server in the following format : <host_or_IP_address:port>

IP addresses or hosts must be whitelisted in Memority side. Contact the PS team.

-

searchAttributes properties

Property name

Type

Mandatory

Description

Values (default value in bold)

searchAttribute

String

YES

User attribute returned by the LDAP directory after performing the user search.

-

MyMFA (Memority Multi-Factor Authentication) configuration properties

Property name

Type

Mandatory

Description

Values (default value in bold)

mode

Enum

YES

The authentication mode used for this authentication module.

MOBILE : user authenticates with an enrolled mobile

BROWSER_EMBEDDED : user authenticates with an enrolled browser

enablePush

Boolean

NO

If enabled, users can use push authentication sent to his enrolled mobile to authenticate.

Can only be enabled if mode is MOBILE.

true, false

myMFAAccountPolicyId

String

YES

Identifier of the MyMFA policy defining settings and application scope.

See Memority MFA Account Policies.

-

OtpMail/OtpSms configuration properties

Property name

Type

Mandatory

Description

Values (default value in bold)

maxRegistrations

Integer

YES

Maximum number of devices a user can enroll.

1

otpLength

Integer

YES

Length of the generated OTP sent to the user (by email or sms).

4

otpLifetime

String

YES

Lifetime of the generated OTP.

1 minute

notificationId

String

YES

Identifier of the notification to be sent to the user (by email or sms).

See Notifications

-

OAuth2/OpenID Provider configuration properties

Property name

Type

Mandatory

Description

Values (default value in bold)

accountMapping

ProviderAttributeMappingType

YES

Mapping between the account of the authenticated user on the provider and the user account in Memority.

-

authorizationEndpoint

String

YES

URL of the authorization endpoint at the OAuth2 Provider.

-

clientId

String

YES

Unique identifier of the OAuth2/OIDC Provider.

-

logoutEndpoint

String

NO

Logout URL of the OAuth2 Provider.

-

oidcIssuer

String

YES

Identifier of the OpenID Provider.

-

oidcProvider

Boolean

NO

Indicate if the Provider is using OAuth2 or OpenID Connect protocol.

true, false

pkceEnabled

Boolean

NO

Indicate if a code challenge and a code verifier must be sent in corresponding requests of Authorization Code grant type.

true, false

scopes

List<String>

NO

List of scopes returned by the OAuth2 Provider.

“openid” scope is automatically added when “OpenID Connect Provider” is enabled.

-

tokenEndpoint

String

YES

URL of the token endpoint at the OAuth2 Provider.

-

userInfoEndpoint

String

YES

URL of the endpoint at the OAuth2 Provider allowing to obtain claims about the authenticated user.

-

SAML2 Provider configuration properties

Property name

Type

Mandatory

Description

Values (default value in bold)

federationId

String

YES

The unique technical identifier of the federation used in Memority Service Provider URLs

This identifier should not be provided, it is generated by the system at the creation of the SAML2 Provider configuration.

-

idpEntityId

String

YES

The entity ID of the SAML Identity Provider.

-

idpSigningCertificate

String

YES

The certificate of the SAML Identity Provider used to verify the SAML response signing.

-

idpSsoUrl

String

YES

The sign-on URL of the SAML Identity Provider.

-

mappedAttribute

Enum

YES

Mapping between the account of the authenticated user on the provider and the user account in Memority.

-

nameIDFormat

Enum

YES

The Name Identifier format to use in SAML messages.

UNSPECIFIED, PERSISTENT, TRANSIENT

requestBinding

Enum

YES

The SAML binding Memority will use to communicate with the SAML Identity Provider.

REDIRECT, POST

Note that after importing a SAML2 Provider configuration using XML import, you need then to add the IdP certificate via the “Authentication modules” feature of the “Authentication” menu in the Memority administration portal.

Example

Example of an Active Directory (AD) authentication module :

XML 
<maiaamcp:AuthenticationModule id="MyAD">    
      <name>MyAD</name>
      <description></description>
      <configuration xsi:type="maiaamcp:ActiveDirectoryAuthenticationModuleConfigurationType">
         <ldapServers>
            <ldapServer>x.x.x.x:636</ldapServer>
            <ldapServer>x.x.x.x:636</ldapServer>
         </ldapServers>
         <searchAttributes>
            <searchAttribute>userPrincipalName</searchAttribute>
            <searchAttribute>sAMAccountName</searchAttribute>
         </searchAttributes>
         <baseDn>CN=Users,DC=test,DC=fr</baseDn>
         <bindDn>CN=Admin,DC=test,DC=fr</bindDn>
         <connectionMode>LDAPS</connectionMode>
         <retrievalAttribute>userPrincipalName</retrievalAttribute>
         <searchFilter>(objectclass=person)</searchFilter>
      </configuration>
</maiaamcp:AuthenticationModule>

Read Next

Authentication Mechanisms — An Authentication Mechanism is the implementation of a set of technical AM artifacts in order to provide a fully functional authentication service.
Authentication Modules — An Authentication Module defines an authentication method and its parameters.
WebAuthn — WebAuthn configuration allows to define which authenticator type will be allowed for WebAuthn authentication.
Authentication customization — Allows to configure options related to authentication.
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close