3.8 How to configure UAA :

TABLE OF CONTENTS

1. Root element and types
2. LDAP integration configuration
3. External authentication configuration

1. Root element and types

The UAA configuration file starts with the --- and then contains different configuration elements:

---
...
…

2. LDAP integration configuration

ldap - a container for UAA integration configuration with Domain Controller over LDAP.
- domain - a part of user login which follows after "@".
- providerUrl - LDAP connection URL.
- type - supported values: OPEN_LDAP, ACTIVE_DIRECTORY. Optional parameter. By default: OPEN_LDAP
- systemUser - system LDAP user which used for searching user groups (must have read permissions)
- systemPassword - system LDAP user password
- groupSearchBase - the base DN from which the search for group membership should be performed.
- groupSearchSubtree - enable searching of the entire tree below the groupSearchBase.
- userDnPattern - pattern which are used as potential DN matches.
- attribute - LDAP user attribute mapping container
  - key - XM UserDTO field, value - LDAP attribute name
- role - a container for roles configuration.
  - defaultRole - default role which will be assigned if no one role is matched
  - mapping - LDAP role mapping to the XM roles.

key - LDAP CN of the group, value - XM role.

Example:

ldap:
- domain: xm.com
  providerUrl: ldap://localhost:1389
  systemUser: uid=test@xm.com,ou=Users,dc=xm,dc=com
  systemPassword: test
  groupSearchBase: ou=Groups,dc=xm,dc=com
  groupSearchSubtree: true
  userDnPattern: uid={0},ou=Users,dc=xm,dc=com
  attribute:
  firstName: givenName
  lastName: sn
  role:
  defaultRole: ROLE-DEFAULT-USER
  mapping:
  role-user: ROLE-USER
  role-admin: SUPER-ADMIN

3. External authentification configuration

XME.digital is going to integrate any social login providers with oAuth 2.0 support via configuration. First of all, you need to get security settings from the social provider and then apply it into the XME.digital external authentication configuration.

social - a container with array of integration configuration for each authentication over oAuth 2.0.
providerId - a provider identification, it can be the name of the provider (facebook, google etc).
clientId- a client ID from the external system.
clientSecret - a client secret from the external system.
authorizeUrl - a external system URL for the authorization initialization.
useParametersForClientAuthentication - if true then clientId and clientSecret will be placed in URL, else in headers. By default: true.
accessTokenUrl - a external system URL for exchanging a code to the token.
scope - defines the specific actions applications can be allowed to do on a user's behalf.
userInfoUri - a external system URL to fetch user information.
tokenStrategy - defines the way to pass token to fetch user information. It could has values: AUTHORIZATION_HEADER or ACCESS_TOKEN_PARAMETER or OAUTH_TOKEN_PARAMETER. By default: AUTHORIZATION_HEADER
createAccountAutomatically - allows create new account in the UAA. By default:true.
baseUrl - defines UAA callback prefix.
userInfoMapping - a container with external user infromation mapping to use the UAA account. It's path field like response.user_info.first_name or simple family_name.
- id - mapping for the account ID. It is required for authentication detection.
- name - mapping for the account name.
- firstName - mapping for the account first name.
- lastName - mapping for the account last name.
- email - mapping for the account email.
- username - if set, UAA will try to use it as nickname, and it should be unique.
- profileUrl - mapping for the account profile URL.
- imageUrl - mapping for the account avatar URL.
- phoneNumber - mapping for the account phone number.
- langKey - mapping for the account preferred language.

Example:

social:

- providerId: google

clientId: <clientId>

clientSecret: <clientSecret>

authorizeUrl: https://accounts.google.com/o/oauth2/v2/auth

accessTokenUrl: https://www.googleapis.com/oauth2/v4/token

scope: 'https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email'

userInfoUri: https://www.googleapis.com/oauth2/v3/userinfo

userInfoMapping:

id: sub

name: name

firstName: given_name

lastName: family_name

email: email

username:

profileUrl: link

imageUrl: picture

phoneNumber:

langKey: locale

Mobile ID authentication is possible to integration via configuration into the XME.digital, as it is supported Auth 2.0.

XME.digital sign-in page with Mobile ID:

Picture 56

Mobile ID page with the sign-in form:

Picture 57

Mobile ID page with operation code:

Picture 58

Mobile phone with operation code:

Picture 59

Mobile phone with entering PIN:

Picture 60

XME.digital signed-in user over Mobile ID:

Picture 61

4. Public Settings configuration

publicSettings -a container for public settings.

passwordSettings - password settings container.
minLength - minimun password length.
maxLength - maximun password length.
enableBackEndValidation - defines the server side validation (true/false).
passwordPolicies- password policies settings container.

pattern -regular expression string that will be applied to password.
patternMessage -object with translations of messages that describes policy requirements

passwordPoliciesMinimalMatchCoun - number of required password policies passed to accept password.

Example:

publicSettings:
passwordSettings:
minLength: 8
maxLength: 12
enableBackEndValidation: true
passwordPolicies:
- pattern: ".*\\d.*"
patternMessage: {en: "The password must contain at least 1 digit"}
- pattern: ".*[!@#$%^&*%].*"
patternMessage: {en: "The password must contain at least 1 special character"}
- pattern: ".*[A-Z].*"
patternMessage: {en: "The password must contain at least 1 uppercase character"}
passwordPoliciesMinimalMatchCount: 2