Authentication Modules
Definition
An Authentication Module defines an authentication method and its parameters. Authentication modules are used in authentication mechanisms.
Several types of authentication modules can be configured:
Active Directory
Kerberos
LDAP
Memority Multi-Factor Authentication (MyMFA)
OATH
OTP by mail
OTP by SMS
Memority Password
WebAuthn
Configuration
You can access the Authentication modules configuration:
by clicking on "Authentication" → "Authentication Modules"
by clicking on "System" → "Configurations" → "Access Service" and performing an import/export.
Properties
Property name | Type | Mandatory | Description | Values (default value in bold) |
---|---|---|---|---|
identifier | | YES | The unique identifier of each Authentication module. The identifier is case sensitive; no special characters other than - or _ are allowed. | - |
name | | YES | The Authentication module name. The name may differ from the identifier. Specifying the name first automatically derives the identifier. | - |
description | | NO | The purpose of the Authentication module. | - |
configuration | - | YES | Indicates the type of authentication module. | - |
Kerberos configuration properties
Property name | Type | Mandatory | Description | Values (default value in bold) |
---|---|---|---|---|
kerberosDomain | | YES | The name of the Kerberos (Active Directory) domain. | - |
keyDistributionCenter | | YES | The fully qualified domain name (FQDN) of the Kerberos (Active Directory) server. | - |
principalName | | YES | The principal name for Kerberos authentication, in the format HTTP/<memority_tenant_hostname>@<AD_DOMAIN>. This principal name must match the one used in the keytab file created from the Active Directory server. | - |
Keytab file properties
A Setting must be configured to upload the keytab file generated on the Active Directory:
Setting name | Type | Description |
---|---|---|
amcp.authenticationModule.<auth_module_id>.kerberos.keytab | | The keytab file generated on the Active Directory by using the following command: CODE. The service account must have been created beforehand with the following characteristics: |
LDAP/AD configuration properties
An AD/LDAP authentication module requires a secured connection between Memority and the AD/LDAP client infrastructure. Contact the PS team to configure this type of authentication module.
Property name | Type | Mandatory | Description | Values (default value in bold) |
---|---|---|---|---|
ldapServers | | YES | List of LDAP servers used to authenticate users. Two LDAP servers can be declared to ensure high availability if one LDAP server is down. | - |
searchAttributes | | YES | List of user attributes returned by the LDAP directory and used to search for the user to be authenticated in Memority. | - |
baseDn | | YES | DN from which the user search starts. | - |
bindDn | | YES | DN of an admin user used to authenticate to the LDAP directory. | - |
connectionMode | | YES | Type of connection used to connect to the LDAP server. | - |
retrievalAttribute | | YES | Name of the user attribute used to perform the user search in the LDAP directory. | - |
searchFilter | | YES | Search filter used to search for the user in the LDAP directory. | - |
ldapServers properties
Property name | Type | Mandatory | Description | Values (default value in bold) |
---|---|---|---|---|
ldapServer | | YES | Host or IP address and port of the LDAP server, in the format <host_or_IP_address:port>. IP addresses or hosts must be whitelisted on the Memority side. Contact the PS team. | - |
searchAttributes properties
Property name | Type | Mandatory | Description | Values (default value in bold) |
---|---|---|---|---|
searchAttribute | | YES | User attribute returned by the LDAP directory after performing the user search. | - |
MyMFA (Memority Multi-Factor Authentication) configuration properties
Property name | Type | Mandatory | Description | Values (default value in bold) |
---|---|---|---|---|
mode | | YES | The authentication mode used for this authentication module. | MOBILE: the user authenticates with an enrolled mobile; BROWSER_EMBEDDED: the user authenticates with an enrolled browser |
enablePush | | NO | If enabled, users can authenticate with a push notification sent to their enrolled mobile. Can only be enabled if mode is MOBILE. | true, false |
myMFAAccountPolicyId | | YES | Identifier of the MyMFA policy defining settings and application scope. | - |
OtpMail/OtpSms configuration properties
Property name | Type | Mandatory | Description | Values (default value in bold) |
---|---|---|---|---|
maxRegistrations | | YES | Maximum number of devices a user can enroll. | 1 |
otpLength | | YES | Length of the generated OTP sent to the user (by email or SMS). | 4 |
otpLifetime | | YES | Lifetime of the generated OTP. | 1 minute |
notificationId | | YES | Identifier of the notification to be sent to the user (by email or SMS). See Notifications. | - |
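The three properties above (maxRegistrations, otpLength, otpLifetime) describe an issue/verify cycle. The following is an added example, not Memority code, showing how such a cycle is enforced server-side: a CSPRNG-generated numeric code of otpLength digits, expiry after otpLifetime, a cap on enrolled devices, single use, and a constant-time comparison. The class and function names, the in-memory store and the injectable clock are assumptions of this example.

```python
"""Issue and check a mail/SMS OTP under the maxRegistrations, otpLength and
otpLifetime properties.  Added example, not Memority code; the store layout,
function names and the injectable clock are assumptions."""
import hmac
import secrets
import time


def generate_otp(length=4):
    """Uniform random numeric code of exactly `length` digits (CSPRNG-backed,
    zero-padded so a code such as 0042 keeps its leading zeros)."""
    return str(secrets.randbelow(10 ** length)).zfill(length)


class OtpStore:
    def __init__(self, otp_length=4, otp_lifetime_s=60, max_registrations=1,
                 clock=time.monotonic):
        self.otp_length = otp_length              # otpLength default: 4
        self.otp_lifetime_s = otp_lifetime_s      # otpLifetime default: 1 minute
        self.max_registrations = max_registrations  # maxRegistrations default: 1
        self.clock = clock                        # injectable so tests can advance time
        self._devices = {}                        # user -> list of enrolled addresses
        self._pending = {}                        # user -> (otp, issued_at)

    def enroll(self, user, address):
        """Register a mail address or phone number; refuse once maxRegistrations
        devices are already enrolled.  Re-enrolling a known address is a no-op."""
        devices = self._devices.setdefault(user, [])
        if address in devices:
            return True
        if len(devices) >= self.max_registrations:
            return False
        devices.append(address)
        return True

    def issue(self, user):
        """Create a fresh OTP; the caller hands it to the notification channel
        (mail or SMS) selected by notificationId.  Re-issuing replaces any
        outstanding code, so only one code is ever valid per user."""
        if not self._devices.get(user):
            raise LookupError("no enrolled device for %r" % user)
        otp = generate_otp(self.otp_length)
        self._pending[user] = (otp, self.clock())
        return otp

    def verify(self, user, candidate):
        """Single-use check: the pending code is consumed on the first attempt,
        right or wrong, so a short numeric OTP cannot be probed by repeated
        submission.  Expired codes are rejected before comparison."""
        entry = self._pending.pop(user, None)
        if entry is None:
            return False
        otp, issued_at = entry
        if self.clock() - issued_at > self.otp_lifetime_s:
            return False
        # Constant-time comparison on bytes; avoids leaking matching prefixes.
        return hmac.compare_digest(otp.encode(), candidate.encode())


if __name__ == "__main__":
    store = OtpStore()
    store.enroll("alice", "alice@example.com")   # constructed sample address
    code = store.issue("alice")
    print("issued", code, "verified:", store.verify("alice", code))
```

Consuming the code even on a wrong attempt is the strict reading of "single use"; a deployment that prefers a small retry budget would keep a counter instead, but with a 4-digit code the budget has to stay very small.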
Example
Example of an Active Directory (AD) authentication module:

```xml
<maiaamcp:AuthenticationModule id="MyAD">
  <name>MyAD</name>
  <description></description>
  <configuration xsi:type="maiaamcp:ActiveDirectoryAuthenticationModuleConfigurationType">
    <ldapServers>
      <ldapServer>x.x.x.x:636</ldapServer>
      <ldapServer>x.x.x.x:636</ldapServer>
    </ldapServers>
    <searchAttributes>
      <searchAttribute>userPrincipalName</searchAttribute>
      <searchAttribute>sAMAccountName</searchAttribute>
    </searchAttributes>
    <baseDn>CN=Users,DC=test,DC=fr</baseDn>
    <bindDn>CN=Admin,DC=test,DC=fr</bindDn>
    <connectionMode>LDAPS</connectionMode>
    <retrievalAttribute>userPrincipalName</retrievalAttribute>
    <searchFilter>(objectclass=person)</searchFilter>
  </configuration>
</maiaamcp:AuthenticationModule>
```
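The example above wires together the LDAP properties documented earlier: the user search starts at baseDn, is restricted by searchFilter, and matches the login against retrievalAttribute. The following is an added example, not Memority code, that parses such a module definition, applies the identifier and ldapServer format rules from the property tables, and builds the user-lookup filter with RFC 4515 escaping so that a login containing filter metacharacters cannot widen the search. Assumed, because the page does not state them: the namespace URIs (placeholders), the helper names, and that the lookup is the AND of searchFilter with an exact match on retrievalAttribute.

```python
"""Parse an AuthenticationModule definition and build the LDAP user-lookup
filter it implies.  Added example, not Memority code; namespace URIs, helper
names and the AND-combination of searchFilter with retrievalAttribute are
assumptions."""
import re
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample: the documented example with namespace declarations added
# so the fragment parses stand-alone.  The maiaamcp URI is a placeholder and
# the server addresses are constructed, not real hosts.
SAMPLE_XML = """<maiaamcp:AuthenticationModule id="MyAD"
    xmlns:maiaamcp="urn:example:maiaamcp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <name>MyAD</name>
  <description></description>
  <configuration xsi:type="maiaamcp:ActiveDirectoryAuthenticationModuleConfigurationType">
    <ldapServers>
      <ldapServer>10.0.0.1:636</ldapServer>
      <ldapServer>10.0.0.2:636</ldapServer>
    </ldapServers>
    <searchAttributes>
      <searchAttribute>userPrincipalName</searchAttribute>
      <searchAttribute>sAMAccountName</searchAttribute>
    </searchAttributes>
    <baseDn>CN=Users,DC=test,DC=fr</baseDn>
    <bindDn>CN=Admin,DC=test,DC=fr</bindDn>
    <connectionMode>LDAPS</connectionMode>
    <retrievalAttribute>userPrincipalName</retrievalAttribute>
    <searchFilter>(objectclass=person)</searchFilter>
  </configuration>
</maiaamcp:AuthenticationModule>
"""

# identifier: letters, digits, '-' and '_' only (case sensitive, per the table)
IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9_-]+$")
# ldapServer: <host_or_IP_address:port>; bracketed form allows an IPv6 literal
SERVER_RE = re.compile(r"^([A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\]):(\d{1,5})$")


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value placed inside a search filter:
    backslash, '*', '(', ')' and NUL become \\XX hex escapes, so the login can
    only ever be compared as a literal value, never parsed as filter syntax."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def parse_module(xml_text):
    """Read the module fields used for LDAP authentication and validate the
    identifier and server formats described in the property tables."""
    root = ET.fromstring(xml_text)
    identifier = root.get("id", "")
    if not IDENTIFIER_RE.match(identifier):
        raise ValueError("identifier %r contains disallowed characters" % identifier)
    cfg = root.find("configuration")
    if cfg is None:
        raise ValueError("missing <configuration> element")
    servers = [(s.text or "").strip() for s in cfg.iter("ldapServer")]
    if not servers:
        raise ValueError("at least one ldapServer is required")
    for server in servers:
        m = SERVER_RE.match(server)
        if not m or not 1 <= int(m.group(2)) <= 65535:
            raise ValueError("ldapServer %r is not <host_or_IP_address:port>" % server)
    return {
        "identifier": identifier,
        "name": root.findtext("name", ""),
        "type": cfg.get(XSI_TYPE, ""),
        "ldapServers": servers,
        "searchAttributes": [(a.text or "").strip() for a in cfg.iter("searchAttribute")],
        "baseDn": cfg.findtext("baseDn", "").strip(),
        "bindDn": cfg.findtext("bindDn", "").strip(),
        "connectionMode": cfg.findtext("connectionMode", "").strip(),
        "retrievalAttribute": cfg.findtext("retrievalAttribute", "").strip(),
        "searchFilter": cfg.findtext("searchFilter", "").strip(),
    }


def build_user_filter(module, login):
    """AND the configured searchFilter with an exact match of the escaped login
    against retrievalAttribute (assumed lookup shape, see the lead-in)."""
    return "(&%s(%s=%s))" % (module["searchFilter"],
                             module["retrievalAttribute"],
                             escape_filter_value(login))


def uses_tls(module):
    """True when the module's connectionMode is LDAPS, matching port 636 above."""
    return module["connectionMode"] == "LDAPS"


if __name__ == "__main__":
    module = parse_module(SAMPLE_XML)
    print(module["ldapServers"], "TLS:", uses_tls(module))
    print(build_user_filter(module, "alice@test.fr"))   # constructed login
```

With the sample module, a plain login yields `(&(objectclass=person)(userPrincipalName=alice@test.fr))`, and any `*`, `(` or `)` in the login is emitted as a hex escape inside the assertion value rather than as filter syntax. The same escaping applies to whatever attribute is chosen as retrievalAttribute (sAMAccountName, mail, and so on).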