LabShare Auth Configuration
Copy the sample-config.json into the config directory of auth and rename it to local.json. For advanced configuration, such as environment or deployment-specific configuration files, view the Config Library Documentation.
Default Tenant Setup
The defaults configuration object provisions the default Tenant, Identity Providers, and Client.
Since LabShare Auth is completely dynamic, configuring a default Tenant allows the initial system administrator(s) to
start configuring the system with applications such as the Auth UI or
through the management REST APIs.
| Property | Type | Details |
|---|---|---|
| tenant | object | The default tenant. Required. |
| tenant.tenantId | string | The default tenant GUID. Default: ‘ls’ |
| tenant.title | string | The default tenant title. Default: ‘’ |
| providers | array | A list of Identity Provider definitions. See the Strategy configuration section below for more info. |
| client | object | The default Auth Management Client definition. |
System administrators
The system configuration object provides system-wide configuration settings.
| Property | Type | Details |
|---|---|---|
| administrators | array | A list of system-level Auth administrators. |
| administrators.email | string | An email address of a system administrator. |
| administrators.identityIssuer | string | An Identity Provider issuer. It must match one of the Identity Provider issuers in the Tenant. For example: ‘https://accounts.google.com’ |
Example:
{
"auth": {
"system": {
"administrators": [
{
"email": "admin@example.com",
"identityIssuer": "https://accounts.google.com"
}
]
}
}
}
Database
MySQL
The MySQL driver can be configured with the connection options provided by the mysql library described here.
| Property | Type | Details |
|---|---|---|
| host | string | The server address containing the database. Default: localhost |
| database | string | The database name. Default: ‘labshare’ |
| port | string | Port number. Default: 3306 |
| user | string | Mysql user name. Required. |
| password | string | Mysql user password. Required (optional if using the MySQL Docker image). |
| socketPath | string | The path to a unix domain socket to connect to. When used, the host and port options are ignored. Optional. |
User Alerts (key: userAlerts)
| Property | Type | Details |
|---|---|---|
| filter | array | list of Login Events to be used for alerts. Default[TOTP_CREATED, TOTP_FAILED, TOTP_SUSPENDED,TOTP_VALIDATED] |
| redisConfig | string | Redis config options from https://github.com/NodeRedis/node-redis |
Tenant Authentication Providers
Configuring Identity Providers
- Go to the Tenant dashboard in the Auth UI
- Select the Providers section from the left navigation menu
- Create or edit Identity Providers from the dashboard
WSFed
| Property | Type | Details |
|---|---|---|
| identityProviderUrl | string | Url for the Identity provider. Required. |
| realm | string | The IDP realm. Required. |
| cert | string | The WSFed signing certificate. Required. |
| scripts | object | A dictionary of scripts used by the WSFed IdP |
| lifetimeInSeconds | number | The duration of the WSFed session. Default: 8 hours. |
| scripts.mapUserProfile | string | A JS script that exports a function. This script is used to map the assertion claims into a user profile object. See example below. |
{
"identityProviderUrl": "https://idp.url",
"realm": "my-id",
"cert": "awefjkawfjlwaefawefl...",
"scripts": {
"mapUserProfile": "module.exports = function (ctx, callback) {
const claims = ctx.secrets.claims;
callback(null, {
email: claims.Email
});
}"
}
}
Azure Open ID Connect
Go to https://apps.dev.microsoft.com and register an application to obtain the client ID and tenant. Ensure the replyUrl for the application is set to your LabShare Auth tenant’s authenticate callback URL and enable id token access. For example: https://a.labshare.org/_api/auth/docs#/Public/get_auth__tenantId__authenticate_callback.
| Property | Type | Details |
|---|---|---|
| clientID | string | Azure app clientID. Required. |
| tenant | string | Azure tenant ID or name (e.g. ‘nih.onmicrosoft.com’). Required. |
Details: https://www.npmjs.com/package/passport-azure-ad#5-usage
Configuration: https://www.npmjs.com/package/passport-google-oauth2#usage-of-oauth-20 Go to https://console.developers.google.com/ to generate Google OAuth secret
| Property | Type | Details |
|---|---|---|
| clientID | string | Google clientID. Required. |
| clientSecret | string | Google clientSecret. Required. |
| scope | string | Scope of permissions to be requested via OAuth. Required. |
| [authorizationURL] | string | OAuth2 Authorization URL. Optional. |
| [tokenURL] | string | OAuth2 Token URL. Optional. |
Github (NYI)
https://www.npmjs.com/package/passport-github#usage
| Property | Type | Details |
|---|---|---|
| clientID | string | Github clientID. Required. |
| clientSecret | string | Github clientSecret. Optional. |
| authorizationURL | string | OAuth2 Authorization URL. Optional. |
| tokenURL | string | OAuth2 Token URL. Optional. |
Saml2
https://www.npmjs.com/package/passport-wsfed-saml2
Note:
The SAML IDP’s ACS will need to be configured to POST to the LabShare Auth auth/{tenantId}/authenticate/callback endpoint. Example: https://a.labshare.org/_api/auth/{tenantId}/authenticate/callback.
| Property | Type | Details |
|---|---|---|
| scripts | object | The scripts associated with the strategy. Required. |
| scripts.mapUserProfile | string | The script used to parse the user’s profile from the SAML assertion claims. See the example below. Required. |
| realm | string | The SAML IDP realm. Required. |
| identityProviderUrl | string | The URL of the SAML IdP. Required. |
| cert | string | The public signing certificate for the IdP. Required. |
| decryptionKey | string | The private encryption key for the IdP SAML assertion. Optional. |
Example:
{
"name": "my-saml-idp",
"type": "saml2",
"config": {
"realm": "https://example.com",
"identityProviderUrl": "https://example.com/samlp",
"cert": "waefnioawfnaewofnawef...",
"scripts": {
"mapUserProfile": `module.exports = function (ctx, callback) {
const claims = ctx.secrets.claims;
callback(null, {
email: claims.Email
});
}`
}
}
}
Configuring the Auth WSFed Server
LabShare’s WSFed implements the wsignin1.0 and wsignout1.0 flows.
Configuring WSFed
| Property | Type | Details |
|---|---|---|
| issuer | string | Name of the issuer of the token. Required. |
Service Configuration
Auth’s HTTP port can be configured by modifying the rest options. See: options.
Example:
{
"rest": {
"port": 7000,
"basePath": "/_api"
}
}
Schedule Configuration
A scheduled process can trim the audit log and event log tables according to the configurable rules by the combination of date and size.
Example:
"schedule": {
"trimLogOptions": [
{
"logType": "auditLog",
"bySize": {
"checkNumber": 5,
"cronSyntax": "*/5 * * * *"
},
"byDate": {
"ageLimit": "360 days",
"cronSyntax": "0 0 * * *"
}
},
{
"logType": "eventLog",
"bySize": {
"checkNumber": 5,
"cronSyntax": "*/5 * * * *"
},
"byDate": {
"ageLimit": "360 days",
"cronSyntax": "0 0 * * *"
}
}
]
}
bySize
| Property | Type | Details |
|---|---|---|
| checkNumber | number | CLI will trigger trimming process when logs number reach this threshold number so it can make sure the table doesn’t grow too large . Required. |
| trimRatio | number | CLI will trim to logs number down to the percentage of threshold number, trimRatio number should not larger than 1. Required. |
| cronSyntax | string | Frequency of this trim process to run. See: cron syntax. Required. |
byDate
| Property | Type | Details |
|---|---|---|
| agelimit | string | Max age of the log records that can be kept in table. Required. |
| cronSyntax | string | See: cron syntax. Required. |
Note: this configuration uses ms to define time format.