Security configuration (tia® Connect)
- Armin Franke
- Fabian Nola
Overview
Up to three application service principals are involved in securing the communication of the tia® Connect SharePoint process:
tia® Connect Authentication (App Registration M2M, Client Credentials Flow) → General authentication for all request against tia® Connect
tia® Connect SharedLink Authentication (App Registration U2M, Authorization Code Flow) → Needed if OIDC authentication is configured for the SharedLink requests
tia® Connect to tia® Core CMIS (App Registration M2M, Interprocess Communication) → Used for interprocess communication authentication between tia® Connect and tia® Core CMIS
tia® Connect Authentication
Parent | Parameter | Description | Supported values | Default |
|---|---|---|---|---|
|
| Type of the authentication |
|
|
|
| Name of the configured SSL bundle. Only needed if | <user> |
|
|
| Issuer URI of the authorization server | <user> |
|
|
| Expected audience in the | <user> |
|
|
| Expected tenant ID in the | <user> |
|
To ensure correct authentication functionality tia® Connect needs to be configured with tia.security.oidc.type=authorization_code .
The main authentication will be client credentials flow, but to ensure the authorization code flow for shared links this configuration needs to be done.
For an example see the https://kgs-software.atlassian.net/wiki/x/CgDf0
tia:
security:
oidc:
type: authorization_code
sslBundleName: selfsignedcertificate
spring:
security:
oauth2:
resourceserver:
jwt:
issuer-uri: https://login.microsoftonline.com/<tenant id>/v2.0
audience: <audience>
master-tenant-id: <tenant id>
tia® Connect SharedLink Authentication
Parent | Parameter | Description | Required |
|---|---|---|---|
|
| Issuer URI of the authorization server | yes |
|
| The name of the attribute in the token that references the Name or Identifier of the end-user | no |
|
| Name of the configured provider | yes |
|
| The client identifier | yes |
|
| The client secret | yes |
|
| A credential representing the resource owner's authorization used by the client to obtain an access token | yes |
|
| The scope(s) requested by the client during the authorization request | yes |
spring:
security:
oauth2:
client:
provider:
azure:
issuer-uri: https://login.microsoftonline.com/<tenant id>/v2.0
user-name-attribute: name
registration:
sharedlinkauth:
provider: azure
client-id: <client id>
client-secret: <client secret>
authorization-grant-type: authorization_code
scope:
- openid
- email
- profile
tia® Connect to tia®Core CMIS
There are two options
Authentication via client_secret
Authentication via certificate
For client_secret authentication, only a client ID and a client secret need to be configured.
For certificate authentication, a keystore containing the key pair must be provided. A certificate must be generated from this and imported into the app registration.
The client-authentication-method tls_client_auth or self_signed_tls_client_auth needs to get configured. The name of the configured SSL bundle needs to get configured into the tia.security.oidc.sslBundleName property.
How exactly this is configured is described as follows
Parent | Parameter | Description | Required |
|---|---|---|---|
|
| Issuer URI of the authorization server | yes |
|
| The name of the attribute in the token that references the Name or Identifier of the end-user | no |
|
| Name of the configured provider | yes |
|
| The client identifier | yes |
|
| The client secret | yes |
|
| A credential representing the resource owner's authorization used by the client to obtain an access token | yes |
|
| The scope(s) requested by the client during the authorization request | yes |
|
| The authentication method used when authenticating the client with the authorization server. Only needs to get overwritten with | no |
|
| Key alias | no |
|
| Key password | no |
|
| Path to the keystore | no |
|
| Keystore password | no |
|
| Type of the keystore, e.g. | no |
spring:
security:
oauth2:
client:
provider:
azure:
issuer-uri: https://login.microsoftonline.com/<tenant id>/v2.0
user-name-attribute: name
registration:
cmisauth:
provider: azure
client-id: <client id>
client-secret: <client secret>
authorization-grant-type: client_credentials
scope: <client id>/.default
cmisauthwithcert:
provider: azure
client-id: <client id>
client-authentication-method: self_signed_tls_client_auth
authorization-grant-type: client_credentials
scope: <client id>/.default
ssl:
bundle:
jks:
selfsignedcertificate:
key:
alias: <key alias>
password: <key password>
keystore:
location: <path to>\<keystore>.p12
password: <keystore password>
type: PKCS12