Security configuration (tia® Connect)
Overview
Up to three application service principals are involved in securing the communication of the tia® Connect SharePoint process:
tia® Connect Authentication (App Registration M2M, Client Credentials Flow) → General authentication for all requests against tia® Connect
tia® Connect SharedLink Authentication (App Registration U2M, Authorization Code Flow) → Needed if OIDC authentication is configured for the SharedLink requests
tia® Connect to tia® Core CMIS (App Registration M2M, Interprocess Communication) → Used to authenticate the interprocess communication between tia® Connect and tia® Core CMIS
tia® Connect Authentication
Parent | Parameter | Description | Supported values | Default |
---|---|---|---|---|
tia.security.oidc | type | Type of the authentication | authorization_code | |
spring.security.oauth2.resourceserver.jwt | issuer-uri | Issuer URI of the authorization server | <user> | |
spring.security.oauth2.resourceserver.jwt | audience | Expected audience in the | <user> | |
spring.security.oauth2.resourceserver.jwt | master-tenant-id | Expected tenant ID in the | <user> | |
To ensure correct authentication functionality, tia® Connect needs to be configured with tia.security.oidc.type=authorization_code. The main authentication flow is client credentials, but this setting is required so that the authorization code flow can be used for shared links.
For an example, see https://kgs-software.atlassian.net/wiki/x/CgDf0
```yaml
tia:
  security:
    oidc:
      type: authorization_code
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://login.microsoftonline.com/<tenant id>/v2.0
          audience: <audience>
          master-tenant-id: <tenant id>
```
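The three resource-server values above (issuer-uri, audience, master-tenant-id) each drive one claim check on every incoming bearer token: the token's issuer must match the configured tenant endpoint, the configured audience must be among the token's `aud` values, and the token must come from the master tenant. The following Python validator is an added example, not tia® Connect code and not Spring Security's implementation. It assumes an HS256 signature with a constructed key as a stand-in for the RS256 signature that a real resource server verifies against the issuer's JWKS, assumes the tenant check compares against the Entra ID `tid` claim, and uses constructed issuer, audience and tenant values in place of the page's placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed values standing in for <tenant id> and <audience> on the page.
MASTER_TENANT_ID = "11111111-1111-1111-1111-111111111111"
ISSUER_URI = f"https://login.microsoftonline.com/{MASTER_TENANT_ID}/v2.0"
AUDIENCE = "api://tia-connect-example"
# Constructed HS256 key. A real resource server verifies RS256 tokens against
# the keys published at the issuer's JWKS endpoint instead.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint a constructed HS256 token so the validator can be exercised offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_token(token: str, key: bytes = DEMO_KEY,
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for a bearer token.

    Signature first, then the three checks that issuer-uri, audience and
    master-tenant-id configure, then expiry. Any failure rejects the token.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed token"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    # issuer-uri: the token must come from the configured tenant endpoint.
    if claims.get("iss") != ISSUER_URI:
        return False, "issuer mismatch"
    # audience: 'aud' may be a string or a list; the configured value must be present.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if AUDIENCE not in aud_list:
        return False, "audience mismatch"
    # master-tenant-id: assumed to be checked against the Entra ID 'tid' claim.
    if claims.get("tid") != MASTER_TENANT_ID:
        return False, "tenant mismatch"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    good = make_demo_token({"iss": ISSUER_URI, "aud": AUDIENCE,
                            "tid": MASTER_TENANT_ID, "exp": 2000000000})
    print(validate_token(good, now=1700000000))
    other_tenant = make_demo_token({"iss": ISSUER_URI, "aud": AUDIENCE,
                                    "tid": "22222222-2222-2222-2222-222222222222",
                                    "exp": 2000000000})
    print(validate_token(other_tenant, now=1700000000))
```

The order matters: the signature is checked before any claim is read, so an attacker-controlled payload never influences the issuer, audience or tenant comparison. The tenant check is what keeps a token that is correctly signed and addressed to the right audience, but issued for a different tenant, from being accepted.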
tia® Connect SharedLink Authentication
Parent | Parameter | Description | Required |
---|---|---|---|
spring.security.oauth2.client.provider.azure | issuer-uri | Issuer URI of the authorization server | yes |
spring.security.oauth2.client.provider.azure | user-name-attribute | The name of the attribute in the token that references the Name or Identifier of the end-user | no |
spring.security.oauth2.client.registration.sharedlinkauth | provider | Name of the configured provider | yes |
spring.security.oauth2.client.registration.sharedlinkauth | client-id | The client identifier | yes |
spring.security.oauth2.client.registration.sharedlinkauth | client-secret | The client secret | yes |
spring.security.oauth2.client.registration.sharedlinkauth | authorization-grant-type | A credential representing the resource owner's authorization used by the client to obtain an access token | yes |
spring.security.oauth2.client.registration.sharedlinkauth | scope | The scope(s) requested by the client during the authorization request | yes |
```yaml
spring:
  security:
    oauth2:
      client:
        provider:
          azure:
            issuer-uri: https://login.microsoftonline.com/<tenant id>/v2.0
            user-name-attribute: name
        registration:
          sharedlinkauth:
            provider: azure
            client-id: <client id>
            client-secret: <client secret>
            authorization-grant-type: authorization_code
            scope:
              - openid
              - email
              - profile
```
tia® Connect to tia® Core CMIS
Parent | Parameter | Description | Required |
---|---|---|---|
spring.security.oauth2.client.provider.azure | issuer-uri | Issuer URI of the authorization server | yes |
spring.security.oauth2.client.provider.azure | user-name-attribute | The name of the attribute in the token that references the Name or Identifier of the end-user | no |
spring.security.oauth2.client.registration.cmisauth | provider | Name of the configured provider | yes |
spring.security.oauth2.client.registration.cmisauth | client-id | The client identifier | yes |
spring.security.oauth2.client.registration.cmisauth | client-secret | The client secret | yes |
spring.security.oauth2.client.registration.cmisauth | authorization-grant-type | A credential representing the resource owner's authorization used by the client to obtain an access token | yes |
spring.security.oauth2.client.registration.cmisauth | scope | The scope(s) requested by the client during the authorization request | yes |
```yaml
spring:
  security:
    oauth2:
      client:
        provider:
          azure:
            issuer-uri: https://login.microsoftonline.com/<tenant id>/v2.0
            user-name-attribute: name
        registration:
          cmisauth:
            provider: azure
            client-id: <client id>
            client-secret: <client secret>
            authorization-grant-type: client_credentials
            scope: <client id>/.default
```