Teamwork Cloud 18.5 SP3 Documentation


This section provides the configuration parameters of the authentication server. You can find the parameters in the authserver.properties file.

General parameters


| Parameter | Description | Default value |
|---|---|---|
| server.port | The authentication server's instance port. | 8555 |
| server.public.host | The publicly exposed host of the authentication server. | User-entered machine IP address, or ${server.ip} in the case of the no-install zip |
| authentication.token.expirity | The authentication ID token expiration time in seconds. | 900 |
| authentication.sso.token.expirity | The single sign-on token expiration time in seconds. | 604800 |
| authentication.code.token.expirity | The authentication code expiration time in seconds. | 15 |
| authentication.implicit.token.expirity | The authentication ID token expiration time in seconds for the implicit authentication flow (e.g., as used by MagicDraw UML). | 86400 |
| authentication.client.ids | The valid client IDs, separated by commas. | MAGICDRAW,CONSOLE_ID,webApplicationPlatform |
| authentication.client.implicit | The client IDs that use the implicit authentication flow, separated by commas. | MAGICDRAW |
| authentication.redirect.uri.whitelist | A list of allowed redirect URIs. The authentication server's client must pass a valid redirect URI to the authorize endpoint. | https://${twc.server.ip}:8111/twcloud_admin/, https://md_redirect |
| authentication.client.secret | The password the authentication client must use to access the /token endpoint. It is recommended that you change this password after installation. | CHANGE_ME |
| logging.config | The path and file name of the logging configuration. | ./config/logback-spring.xml |
| authentication.default.locale | The default locale for authentication page texts, used when the client application does not provide a locale. | en |



TWCloud server parameters


| Parameter | Description | Default value |
|---|---|---|
| twc.server.host | The TWCloud server's IP address (specify an IP address instead of the ${twc.server.ip} template). | User-entered machine IP address, or ${twc.server.ip} in the case of the no-install zip |
| twc.server.port | The TWCloud server's port. | 8555 |
| twc.server.protocol | The TWCloud server's protocol. | https |
| twc.server.identity.check.api | The TWCloud endpoint used to check a user's identity. | /osmc/ping/user |



HTTPS/SSL parameters


| Parameter | Required | Description | Default value |
|---|---|---|---|
| server.ssl.enabled | yes | Enables or disables HTTPS. If enabled, the authentication server uses only the secure HTTPS protocol. It is highly recommended to enable HTTPS for production environments. Available values are true and false. | true |
| server.ssl.key-store | yes | The path to a keystore file in the file system, either relative to the authentication server directory or absolute. | config/keystore.jks |
| server.ssl.key-store-type | yes | The keystore type. The available type is JKS. | JKS |
| server.ssl.key-store-password | no | The keystore password (required if the keystore is password-protected). It should be changed for a production environment. | secret |
| server.ssl.key-password | no | The private key password (required if the private key is password-protected). It should be changed for a production environment. | secret |
| server.ssl.key-alias | yes | The private key alias used to identify a key in the keystore. | server |



Data source parameters

| Parameter | Description | Default value |
|---|---|---|
| cassandra.contactPoints | Cassandra hosts or IP addresses, separated by commas. | localhost |
| cassandra.port | The Cassandra port for CQL clients. | 9042 |
| cassandra.keyspace.replication.factor | The Cassandra replication factor for the "auth" keyspace used by the authentication server. | 1 |
| cassandra.connection.max.attempts | The maximum number of attempts to connect to Cassandra on server startup. | 10 |
| cassandra.connection.sleep.before.attempt | The time interval between connection attempts, in milliseconds. | 2000 |



Authentication by certificate


| Parameter | Required | Description | Default value |
|---|---|---|---|
| server.ssl.trust-store | no | The path to a truststore file in the file system, either relative to the Authentication Server directory or absolute. The path is required if certificate authentication is enabled. | config/truststore.jks |
| server.ssl.trust-store-type | no | The truststore type, required if certificate authentication is enabled. The available type is JKS. | JKS |
| server.ssl.trust-store-password | no | The truststore password, required if certificate authentication is enabled and the truststore is password-protected. | secret |
| server.ssl.client-auth | no | A flag indicating whether a client certificate is needed or wanted. This flag is required if certificate authentication is enabled. The available value is want. | want |
| authentication.certificate.enabled | no | Enables or disables certificate authentication. Available values are true and false. | false |
| authentication.certificate.username.template | no | A template used to create a username from the subject DN (Distinguished Name) stored on the certificate. This template is required if certificate authentication is enabled. The template can contain ASCII characters as well as placeholders in round brackets, which are replaced with the relative distinguished name (RDN) values from the DN. For example, when the subject DN on the certificate is CN=JohnDoe,O=MyCompany,C=GB: the template (CN) gives the username JohnDoe; the template (O)-(CN) gives MyCompany-JohnDoe; the template CERT_(CN) gives CERT_JohnDoe. | (CN) |
| authentication.certificate.displayname.template | no | A template used to create a display name from the subject DN (Distinguished Name) stored on the certificate. This template is required if certificate authentication is enabled. It is specified the same way as the username template, but the display name is used for display purposes only: it is shown on the authentication button that authenticates the user with the selected certificate. For example, when the subject DN on the certificate is CN=JohnDoe,O=MyCompany,C=GB and the display template is (CN) CERTIFICATE, the authentication button reads JohnDoe CERTIFICATE. | (CN) |
| authentication.certificate.revocation.list.file | no | An absolute path to the certificate revocation list (CRL) file, if it is stored on the file system. | - |
| authentication.certificate.revocation.list.url | no | A URL of the certificate revocation list (CRL) file, if it is available on the web. | - |


A configuration example
server.ssl.trust-store=config/truststore.jks
server.ssl.trust-store-password=YOUR_TRUSTSTORE_PASSWORD
server.ssl.trust-store-type=JKS
server.ssl.client-auth=want
authentication.certificate.enabled=true
authentication.certificate.username.template=(O)-(CN)
authentication.certificate.displayname.template=(CN)'s Smart Card
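The following is an added illustration, not code from the Authentication Server: it reimplements the documented template rule (placeholders in round brackets replaced by RDN values from the subject DN) so you can check what username and display name a given certificate subject will produce before enabling certificate authentication. The DN parsing and the handling of escaped commas are assumptions about the format, not taken from the product.

```python
"""Apply a certificate username/display-name template to a subject DN.

Added illustration, not code from the Authentication Server.  It reimplements
the documented rule: placeholders in round brackets, e.g. (CN) or (O), are
replaced with the matching RDN value from the certificate's subject DN."""
import re

PLACEHOLDER = re.compile(r"\(([A-Za-z0-9.]+)\)")


def parse_subject_dn(dn: str) -> dict:
    """Split 'CN=JohnDoe,O=MyCompany,C=GB' into {'CN': 'JohnDoe', 'O': ...}.
    Commas escaped as '\\,' inside a value are kept, which a naive
    dn.split(',') would break on (assumed escaping, not product behaviour)."""
    rdns = {}
    for part in re.split(r"(?<!\\),", dn):
        name, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns[name.strip().upper()] = value.replace("\\,", ",")
    return rdns


def apply_template(template: str, dn: str) -> str:
    """Replace every (ATTR) placeholder with that attribute's RDN value.
    A placeholder absent from the DN raises: silently yielding an empty
    username would let distinct certificates map to the same account."""
    rdns = parse_subject_dn(dn)

    def substitute(match: "re.Match") -> str:
        attr = match.group(1).upper()
        if attr not in rdns:
            raise KeyError(f"subject DN has no {attr} attribute")
        return rdns[attr]

    return PLACEHOLDER.sub(substitute, template)


if __name__ == "__main__":
    # Constructed sample DN, the same one the documentation uses.
    dn = "CN=JohnDoe,O=MyCompany,C=GB"
    for tpl in ["(CN)", "(O)-(CN)", "CERT_(CN)", "(CN)'s Smart Card"]:
        print(f"{tpl:20} -> {apply_template(tpl, dn)}")
```

Run it against the subject DNs of the certificates you intend to accept; any template that raises KeyError for one of them would be unusable for that certificate.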

SAML Integration

To integrate the Authentication Server with any SAML Identity Provider, you need to add the Authentication Server configuration into the SAML Identity Provider (it should be registered as SAML v2 remote service provider). Next, you need to configure the following additional parameters in the authserver.properties file.


| Parameter | Description | Default value |
|---|---|---|
| authentication.saml.enabled | Enables SAML authentication. Set the value to true. | false |
| authentication.saml.entity.id | The authentication server's service provider ID. Set it if it differs from the default. | com.nomagic.authentication.server |
| authentication.saml.name.id.format | Specifies the format of the username identifier. | urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName |
| authentication.saml.idp.metadata.url | Specifies the Identity Provider metadata URL, if the SAML Identity Provider supports metadata retrieval from a URL (e.g., ForgeRock OpenAM). | - |
| authentication.saml.idp.metadata.file | Specifies the name of a metadata file, which must be placed in the same config directory as the authserver.properties file. Some Identity Providers require this metadata file instead of a metadata URL (e.g., WSO2 Identity Server). | - |
| authentication.saml.link | The title of the SAML user login button displayed on the login page. | SAML User |
| authentication.saml.response.skew | The tolerated clock skew in seconds between the SP and IDP machines. | 3600 |

OAuth support (Jazz integration)

| Parameter | Description | Default value |
|---|---|---|
| authentication.request.token.expirity | The expiration time in seconds of request tokens generated by the Authentication Server. | 7200 |
| authentication.request.token.secret.expirity | The expiration time in seconds of request token secrets generated by the Authentication Server. | 7200 |
| authentication.access.token.expirity | The expiration time in seconds of access tokens generated by the Authentication Server. | 7200 |
| oauth.register.valid.secrets | The valid consumer secrets, separated by commas. When registering a friend in Jazz, only a secret from this list can be used. | CHANGE_ME |
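Several parameters above ship with placeholder or default values that the page says to change for production: authentication.client.secret and oauth.register.valid.secrets default to CHANGE_ME, the keystore and truststore passwords default to secret, and server.ssl.enabled should stay true. The following added check is not part of Teamwork Cloud; it reads an authserver.properties file with a minimal .properties parser (an assumption about the file format) and reports any of those settings still at their shipped value.

```python
"""Flag authserver.properties settings the documentation says to change before
production.  Added illustration, not part of Teamwork Cloud; the rules encode
only what this page states: the CHANGE_ME placeholder secrets, the shipped
keystore/truststore password 'secret', and HTTPS switched off."""


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


# Keys whose installer default is the literal placeholder CHANGE_ME.
PLACEHOLDER_SECRET_KEYS = ("authentication.client.secret", "oauth.register.valid.secrets")
# Keys whose installer default is the literal password 'secret'.
DEFAULT_PASSWORD_KEYS = ("server.ssl.key-store-password", "server.ssl.key-password",
                         "server.ssl.trust-store-password")


def audit(props: dict) -> list:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    findings = []
    if props.get("server.ssl.enabled", "true").lower() != "true":
        findings.append("server.ssl.enabled=false: tokens and passwords travel over plain HTTP")
    for key in PLACEHOLDER_SECRET_KEYS:
        # oauth.register.valid.secrets is comma-separated, so check every entry.
        if "CHANGE_ME" in [v.strip() for v in props.get(key, "").split(",")]:
            findings.append(f"{key} still contains the CHANGE_ME placeholder")
    for key in DEFAULT_PASSWORD_KEYS:
        if props.get(key) == "secret":
            findings.append(f"{key} is the shipped default 'secret'")
    return findings


# Constructed sample that mirrors the documented defaults, not a real deployment.
SAMPLE = """\
server.ssl.enabled=false
server.ssl.key-store-password=secret
authentication.client.secret=CHANGE_ME
oauth.register.valid.secrets=CHANGE_ME,prod-secret
"""

if __name__ == "__main__":
    print("\n".join(audit(parse_properties(SAMPLE))) or "no findings")
```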