Security configuration (tia® Connect)
Overview
Up to four application service principals are involved in securing the communication of the tia® Connect SharePoint process:
tia® Connect SharedLink Authentication: secures requests from the browser of a SharePoint user who received a share link or opens an archived document from the SharePoint UI.
tia® Connect Authentication: general authentication for all requests from SharePoint (Custom Connector) against tia® Connect.
tia® Connect to tia® Core CMIS: used to authenticate the interprocess communication between tia® Connect and tia® Core CMIS.
tia® Connect to Graph API: tia® Connect fetches documents from SharePoint and uses this registration to authenticate against Microsoft Graph.
1. tia® Connect SharedLink Authentication
This secures browser calls from users who received a share link or who try to open an archived document from SharePoint via direct access to the archive. The required permissions are: Required App Registrations | App Registrations for communication with tia® Connect via Browser/ Custom Conne...
Parent | Parameter | Description | Required | Default |
---|---|---|---|---|
| | | Type of the authentication | | |
| | | Issuer URI of the authorization server | yes | |
| | | The name of the attribute in the token that references the name or identifier of the end-user | no | |
| | | Name of the configured provider | yes | |
| | | The client identifier | yes | |
| | | The client secret | yes | |
| | | A credential representing the resource owner's authorization used by the client to obtain an access token | yes | |
| | | The scope(s) requested by the client during the authorization request | yes | |
```yaml
spring:
  security:
    oauth2:
      client:
        provider:
          azure:
            issuer-uri: https://login.microsoftonline.com/<tenant id>/v2.0
            user-name-attribute: name
        registration:
          sharedlinkauth:
            provider: azure
            client-id: <client id>
            client-secret: <client secret>
            authorization-grant-type: authorization_code
            scope:
              - openid
              - email
              - profile
```
2. tia® Connect Authentication
This app registration is used to secure the connection between the custom connector and tia® Connect. tia® Connect only validates the token; the token requests are performed by the custom connector. The required permissions are: Required App Registrations | App Registrations for communication with tia® Connect via Browser/ Custom Conne... .
Parent | Parameter | Description | Supported values | Default |
---|---|---|---|---|
| | | Type of the authentication, usually | | |
| | | Issuer URI of the authorization server | <user> | |
| | | Expected audience in the | <user> | |
| | | Expected tenant ID in the | <user> | |
To ensure correct authentication functionality, tia® Connect needs to be configured with tia.security.oidc.type=authorization_code.
The main authentication is the client credentials flow, but this setting is required so that the authorization code flow is available for shared links.
For an example see https://kgs-software.atlassian.net/wiki/x/CgDf0
```yaml
tia:
  security:
    oidc:
      type: authorization_code
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://login.microsoftonline.com/<tenant id>/v2.0
          audience: <audience>
          master-tenant-id: <tenant id>
```
3. tia® Connect to tia® Core CMIS
There are two options:
Authentication via client_secret
Authentication via certificate
For client_secret authentication, only a client ID and a client secret need to be configured.
For certificate authentication, a keystore containing the key pair must be provided. A certificate must be generated from it and imported into the app registration.
The client-authentication-method tls_client_auth or self_signed_tls_client_auth must be configured, and the name of the configured SSL bundle must be set in the tia.security.oidc.sslBundleName property.
How exactly this is configured is described below.
Use either spring.security.oauth2.client.registration.cmisauthwithcert or spring.security.oauth2.client.registration.cmisauth, never both.
Parent | Parameter | Description | Required |
---|---|---|---|
| | | Issuer URI of the authorization server | yes |
| | | The name of the attribute in the token that references the name or identifier of the end-user | no |
| | | Name of the configured provider | yes |
| | | The client identifier | yes |
| | | The client secret | yes |
| | | | yes |
| | | | yes |
| | | The authentication method used when authenticating the client with the authorization server. Only needs to be overridden with | no |
| | | Key alias | no |
| | | Key password | no |
| | | Path to the keystore | no |
| | | Keystore password | no |
| | | Type of the keystore, e.g. | no |
| | | Name of the configured SSL bundle. Only needed if | <user> |
| | | Name of the configured provider | yes |
| | | The client identifier | yes |
| | | The authentication method used when authenticating the client with the authorization server. Only needs to be overridden with | yes |
| | | A credential representing the resource owner's authorization used by the client to obtain an access token | yes |
| | | The scope(s) requested by the client during the authorization request | yes |
Client secret:
```yaml
spring:
  security:
    oauth2:
      client:
        provider:
          azure:
            issuer-uri: https://login.microsoftonline.com/<tenant id>/v2.0
            user-name-attribute: name
        registration:
          cmisauth:
            provider: azure
            client-id: <client id>
            client-secret: <client secret>
            authorization-grant-type: client_credentials
            scope: <client id>/.default
tia:
  instances:
    default:
      cmis:
        url: <cmis-URL>/browser
        repositoryid: <repoid>
        auth:
          type: oauth2
          oauth2:
            clientRegistrationId: cmisauth
```
Certificates:
```yaml
spring:
  security:
    oauth2:
      client:
        provider:
          azure:
            issuer-uri: https://login.microsoftonline.com/<tenant id>/v2.0
            user-name-attribute: name
        registration:
          cmisauthwithcert:
            provider: azure
            client-id: <client id>
            client-authentication-method: self_signed_tls_client_auth
            authorization-grant-type: client_credentials
            scope: <client id>/.default
  ssl:
    bundle:
      jks:
        selfsignedcertificate:
          key:
            alias: <key alias>
            password: <key password>
          keystore:
            location: <path to>\<keystore>.p12
            password: <keystore password>
            type: PKCS12
tia:
  instances:
    default:
      cmis:
        url: <cmis-URL>/browser
        repositoryid: <repoid>
        auth:
          type: oauth2
          oauth2:
            clientRegistrationId: cmisauthwithcert
```
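Added example, not tia® Connect's own code: a small Python check that applies the rules stated in sections 2 and 3 (tia.security.oidc.type must be authorization_code; cmisauth or cmisauthwithcert but never both; certificate authentication needs a TLS client-authentication method and an existing SSL bundle named in tia.security.oidc.sslBundleName) to a configuration that has already been loaded into nested dicts. The key paths come from this page; the sample configuration at the bottom is constructed.

```python
# Added example (not tia Connect code): checks the rules stated in sections 2 and 3
# against a tia Connect config loaded into nested dicts by any YAML loader.

TLS_METHODS = {"tls_client_auth", "self_signed_tls_client_auth"}

def get(cfg, path, default=None):
    # Walk a dotted key path through nested dicts; return default if a level is missing.
    node = cfg
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def check_config(cfg):
    # Return a list of problems; an empty list means the config satisfies the page's rules.
    problems = []
    # Section 2: shared links need the authorization code flow switched on.
    if get(cfg, "tia.security.oidc.type") != "authorization_code":
        problems.append("tia.security.oidc.type must be authorization_code")
    # Section 3: cmisauth (client secret) or cmisauthwithcert (certificate), never both.
    regs = get(cfg, "spring.security.oauth2.client.registration", {})
    secret_reg, cert_reg = regs.get("cmisauth"), regs.get("cmisauthwithcert")
    if secret_reg is not None and cert_reg is not None:
        problems.append("configure cmisauth or cmisauthwithcert, never both")
    if cert_reg is not None:
        if cert_reg.get("client-authentication-method") not in TLS_METHODS:
            problems.append("cmisauthwithcert needs tls_client_auth or self_signed_tls_client_auth")
        bundle = get(cfg, "tia.security.oidc.sslBundleName")
        if not bundle:
            problems.append("tia.security.oidc.sslBundleName is required for certificate auth")
        elif bundle not in get(cfg, "spring.ssl.bundle.jks", {}):
            problems.append(f"SSL bundle '{bundle}' is not defined under spring.ssl.bundle.jks")
    # The CMIS instance must reference a registration that actually exists.
    reg_id = get(cfg, "tia.instances.default.cmis.auth.oauth2.clientRegistrationId")
    if reg_id not in regs:
        problems.append(f"clientRegistrationId '{reg_id}' has no matching registration")
    return problems

# Constructed sample mirroring the page's "Certificates" YAML plus the sslBundleName property.
SAMPLE_CERT_CONFIG = {
    "tia": {"security": {"oidc": {"type": "authorization_code", "sslBundleName": "selfsignedcertificate"}},
            "instances": {"default": {"cmis": {"auth": {"oauth2": {"clientRegistrationId": "cmisauthwithcert"}}}}}},
    "spring": {"security": {"oauth2": {"client": {"registration": {"cmisauthwithcert": {
                   "client-id": "<client id>", "authorization-grant-type": "client_credentials",
                   "client-authentication-method": "self_signed_tls_client_auth"}}}}},
               "ssl": {"bundle": {"jks": {"selfsignedcertificate": {"key": {"alias": "<key alias>"}}}}}},
}
```

Run it on the real file by loading the YAML with any loader into a dict and passing the result to check_config; a non-empty list names each rule from this page that the configuration violates.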
4. tia® Connect to Graph API
After the initial request from Power Automate through the Custom Connector, tia® Connect fetches the file itself from the Microsoft Graph API. The minimum required permissions are: Required App Registrations | App Registrations for metadata and file content (sites) .
There are several configuration options available:
4.1 Connection via client ID and client secret
tia® Connect holds its own credentials and authenticates directly against Azure:
Parent | Parameter | Description | Supported values | Default |
---|---|---|---|---|
| | | ID of the Azure app registration | <user> | |
| | | Client secret for the app registration | <user> | |
| | | The tenant ID of the app registration, only required when the SharePoint tenant and the app registration tenant are different | <user> | |
```yaml
tia:
  instances:
    default:
      sharepoint:
        graph:
          clientSecret: <clientSecret>
          clientId: <appregistrationURL>
```
4.2 Connection via locally stored PFX certificate
The certificate must be inside a PFX store, which has to contain the private and public key (public certificate). See "Create a self-signed public certificate to authenticate your application - Microsoft identity platform" in general, and for the export: https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-self-signed-certificate#optional-export-your-public-certificate-with-its-private-key
Parent | Parameter | Description | Supported values | Default |
---|---|---|---|---|
| | | ID of the Azure app registration | <user> | |
| | | Location of a PFX certificate with private and public key (public certificate). The full path including the filename is required. | <user> | |
| | | PFX keystore password | <user> | |
| | | The tenant ID of the app registration, only required when the SharePoint tenant and the app registration tenant are different | <user> | |
```yaml
tia:
  instances:
    default:
      sharepoint:
        graph:
          certificatePassword: <password>
          certificatePath: <fullPathToFileWithFilename>
          clientId: <appregistrationURL>
```
4.3 Connection via PFX Certificate in Azure Key Vault
The certificate must be in PFX format and contain the private and public key (public certificate). See "Create a self-signed public certificate to authenticate your application - Microsoft identity platform".
An Azure Key Vault containing the certificate needs to be prepared.
Parent | Parameter | Description | Supported values | Default |
---|---|---|---|---|
| | | ID of the Azure app registration | <user> | |
| | | Name that was used in Azure Key Vault to import the certificate | <user> | |
| | | URI of the Azure Key Vault in the format | <user> | |
| | | The tenant ID of the app registration, only required when the SharePoint tenant and the app registration tenant are different | <user> | |
The certificate is fetched from Azure Key Vault. Two authentication methods are available:
4.3.1 Authentication by client ID and secret
The app registration needs "Get" permissions for Certificates and Secrets in the access policies of the Key Vault.
Parent | Description | Supported values | Default |
---|---|---|---|
| | Environment variable for the ID of the Azure app registration | <user> | |
| | Environment variable for the client secret of the app registration | <user> | |
| | Environment variable for the tenant ID in which the Key Vault is located | <user> | |
```yaml
tia:
  instances:
    default:
      sharepoint:
        graph:
          certificateName: tiash
          certificateUri: <keyvaultURL>
          clientId: <appregistrationURL>
```
4.3.2 Authentication by managed identity
see https://learn.microsoft.com/en-us/azure/frontdoor/managed-identity
Parent | Parameter | Description | Supported values | Default |
---|---|---|---|---|
| | | no configuration required | | |
```yaml
tia:
  instances:
    default:
      sharepoint:
        graph:
          certificateName: tiash
          certificateUri: <keyvaultURL>
          clientId: <appregistrationURL>
```