Version: 16.1

Authentication

The Authentication page enables you to configure the authentication mechanisms for users connecting to ADONIS. These mechanisms can be used individually or in combination. You can also configure authentication settings for accessing the ADONIS REST API.

The Authentication page has 5 sub-pages:

  • Connectors

    Configure connectors, each representing an authentication mechanism in ADONIS.

  • LDAP

    Add and manage LDAP domains and general LDAP settings in ADONIS.

  • SAML

    Modify global configuration parameters for SAML connectors.

  • JWT

    Create a JWT configuration for accessing the ADONIS REST API.

  • OAuth 2.0

    Edit OAuth 2.0 settings for accessing the ADONIS REST API.

Additionally, more tools can be found behind the More options button, allowing you to configure license warnings, security settings, and general authentication settings.

Connectors

The Connectors page enables you to create, edit, and delete connectors. Connectors represent the authentication mechanisms in ADONIS. Each connector can be used individually or in combination with others and can be configured to use LDAP coupling to retrieve additional user data from a directory service.

View Connectors

When you open the Connectors page, you'll see a list of all connectors and their details. The following information is displayed:

  • Precedence

    The order in which connectors are tried during an authentication request. If a user logs in without specifying a connector or type, ADONIS will use the first applicable connector in the list unless specific constraints are defined.

  • Name

    The name of the connector.

  • Type

    The type of the connector.

  • Connector enabled

    Indicates whether a connector is enabled or disabled.

  • LDAP coupling

    Indicates whether LDAP coupling is configured for this connector.

  • IP constraints

    Indicates whether IP restrictions are configured for this connector.

Connector Types

The available connector types in ADONIS are:

  • STANDARD: Displays the standard login page where users can enter their username and password. Supports two authentication mechanisms:

    • Standard ADONIS users: If LDAP coupling is not configured, the provided credentials authenticate the user against the database.

    • LDAP authentication: If LDAP coupling is configured, the provided credentials authenticate the user against the configured directory service.

  • IDM: Supports IDM authentication, allowing users to log in via single sign-on or with a username and password.

  • SAML: Supports SAML authentication, enabling single sign-on or login with credentials (username, password, certificates, etc.).

  • OIDC: Supports OIDC authentication, providing single sign-on capability.

Add and Configure Connector

To create a new connector:

  1. Go to Authentication > Connectors, and then click Create.

  2. In the ID box, enter a unique name for your connector.

  3. From the Select type list, select a connector type.

  4. Click Create.

Once you have created the connector, you can start working on the configuration right away. Follow these four steps:

  1. Properties

  2. Constraints

  3. LDAP Coupling

  4. User Mapping

These steps are discussed in more detail in the following sections.

Properties

The first page of the connector configuration allows you to define various settings based on the connector type selected.

STANDARD

For STANDARD connectors, the following settings are available:

SAML

For SAML connectors, the following settings are available:

  • IDP properties

    • IDP name: The name of the Identity Provider (IdP). You can choose any name. This name will be shown in ADONIS and appear in logs.

    • Binding type: Defines the binding type for communication with the IdP. The default is "post", meaning communication happens through an HTML form submission using the POST method. If set to "redirect", the client will contact the IdP via a redirect call, though this might not be allowed by specific policies.

    • IDP address: Specifies the URL of the IdP for sending authentication requests.

    • Assertion decryption: Controls whether assertion encryption is enabled for this specific connector. Options are: "Enabled", "Disabled", or "Not set".

      • If not set, the global assertion encryption settings from the SAML configuration will apply.

      • If disabled, assertion decryption/encryption will be disabled for this connector, regardless of the global SAML settings.

      • If enabled, assertion encryption will be required for this connector, but it also depends on the global SAML settings, which must have assertion encryption enabled and properly configured.

      By default, this setting is "Not set", meaning that global SAML assertion encryption settings will determine if encryption is applied for this connector.

    • IDP session end on service provider session end: Specifies whether logging out from ADONIS should also trigger a logout on the IdP. By default, this option is disabled.

  • IDP public key file: Click Browse to upload the token-signing certificate from the IdP. This field may be pre-filled if you have previously referenced the IdP metadata URL in ADONIS (see Configure IdP under Adjust Connectors).

  • Claims: Define the claims that the IdP should provide. Claims are used to transport user information (e.g., email address, first name, and last name).

IDM

For IDM connectors, the following settings are available:

  • Remote user location: Specifies how the remote user is identified in an IDM scenario. Options are: "method", "header", or "basic_auth".

    • If "method" is selected, the remote user is determined using the servlet request method getRemoteUser.

    • If "header" is chosen, the remote user is extracted from a request header. You must specify the header in the Name of the header that contains the user name of the remote user field.

    • If "basic_auth" is selected, the remote user is retrieved from the Authorization header of the request.

    Optionally, you can include processing instructions to handle or modify the username value during runtime.

  • Name of the header that contains the user name of the remote user: Required if Remote user location is set to "header". This field defines the name of the header that holds the remote user's username.

  • Crop the domain extension of the remote username: Determines whether to remove a domain extension (e.g., '@domain') from the remote username. When enabled (default setting), a username like 'user@domain' will be shortened to 'user'.

  • Regular expression to replace strings in the username with another string: Allows you to define a rule for modifying the username by replacing specific strings. The rule must be provided as a regular expression.

  • Replacement for sections in the username found using the regular expression field: Specifies the string that will replace the sections of the username identified by the Regular expression to replace strings in the username with another string field.
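The IDM remote-user lookup and the username processing described above (crop the domain extension, then apply the regular expression), as an added Python example that is not ADONIS code. It assumes a minimal stand-in for the servlet request, that cropping happens before the regular expression is applied, and that header names are matched case-insensitively.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Request:
    """Minimal stand-in for the servlet request (constructed for this example)."""
    headers: Dict[str, str] = field(default_factory=dict)
    remote_user: Optional[str] = None  # what getRemoteUser() would return


@dataclass
class IdmSettings:
    """The IDM connector properties from the page, as plain fields."""
    remote_user_location: str            # "method", "header" or "basic_auth"
    header_name: Optional[str] = None    # required when the location is "header"
    crop_domain: bool = True             # "Crop the domain extension of the remote username"
    replace_regex: Optional[str] = None  # "Regular expression to replace strings in the username"
    replacement: str = ""                # "Replacement for sections in the username ..."


def _header(req: Request, name: str) -> Optional[str]:
    """HTTP header names are case-insensitive, so look the header up that way."""
    wanted = name.lower()
    for key, value in req.headers.items():
        if key.lower() == wanted:
            return value
    return None


def extract_remote_user(req: Request, s: IdmSettings) -> Optional[str]:
    """Locate the raw remote username according to 'Remote user location'."""
    if s.remote_user_location == "method":
        return req.remote_user
    if s.remote_user_location == "header":
        if not s.header_name:
            raise ValueError("a header name is required when the location is 'header'")
        return _header(req, s.header_name)
    if s.remote_user_location == "basic_auth":
        scheme, _, token = (_header(req, "Authorization") or "").partition(" ")
        if scheme.lower() != "basic" or not token:
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None  # malformed credentials: treat as no remote user
        user, sep, _password = decoded.partition(":")
        return user if sep else None
    raise ValueError(f"unknown remote user location: {s.remote_user_location}")


def normalise_username(raw: str, s: IdmSettings) -> str:
    """Crop the domain extension, then apply the regex replacement (assumed order)."""
    name = raw
    if s.crop_domain:
        name = name.split("@", 1)[0]  # 'user@domain' -> 'user'
    if s.replace_regex:
        name = re.sub(s.replace_regex, s.replacement, name)
    return name


def resolve_username(req: Request, s: IdmSettings) -> Optional[str]:
    """Full pipeline: extract the raw value, normalise it, and refuse empty results."""
    raw = extract_remote_user(req, s)
    if not raw:
        return None
    return normalise_username(raw, s) or None


# Constructed sample header: Basic credentials for 'alice@corp.example'
SAMPLE_BASIC = "Basic " + base64.b64encode(b"alice@corp.example:pw").decode("ascii")
```

In "header" mode the connector trusts whatever the header carries, so that header must be set by the IDM component in front of ADONIS and must not be accepted straight from clients.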

OIDC

For OIDC connectors, the following settings are available:

  • Authorization Server

    • Authorization endpoint: The authorization endpoint at the OP.

    • Token endpoint: The token endpoint at the OP.

    • Issuer: The issuer identifier of the OP.

    • Client ID: The public identifier for ADONIS as registered with the OP.

    • Client secret: The secret password for ADONIS as registered with the OP.

    • Remember user: Enable this option to store the last used user ID and pass it for future authentication processes, so this user account will be automatically selected (can be useful when operating multiple user accounts).

  • Claims: Define the claims that the OP should provide. Claims are used to transport user information (e.g., email address, first name, and last name).

  • Scopes: Define the scopes used during the authentication process to authorise access to specific user details. Each scope returns a set of attributes, which are represented as claims.

Configure Self-Service Password Reset

Self-service password reset lets ADONIS users reset their own passwords without having to contact their ADONIS administrator each time. They can simply click the "Forgot Password?" link on the login page, and will then receive an email with a link to reset their password.

Availability

This functionality is available if the mail component is configured and a STANDARD connector is used (= standard login page where the user can enter their username and password).

note

For details on how to configure the mail component please refer to the section Email.

The following users CANNOT reset their password themselves:

  • ADONIS Administrators (users with global administrator rights)

  • Technical users

  • Users from an external user management system

  • Users without email address

Configuration

In the ADONIS Administration, you can enable or disable the self-service password reset, and configure how long a password reset link is valid.

To configure the password reset properties:

  • Go to Authentication > Connectors.

  • Edit the STANDARD connector you want, for example Standard Login. On the Properties page, under Password reset, adapt the following settings:

    • Enabled: Select or clear this option to enable or disable password reset in self-service in ADONIS.

    • Password reset expiration in minutes: Specify how long a password reset link is valid, in minutes (for example 30 minutes).

  • Click OK, and then click Save.

Constraints

The second page of the connector configuration allows you to define constraints. The following settings are available:

  • Constraints: Use this option to restrict access to the connector by allowing or blocking requests based on the client’s IP address. You can define rules that either permit or deny access depending on whether the client’s IP matches a specified pattern. The behaviour is determined by the applied logic - either "whitelist" (allow access) or "blacklist" (deny access). For each constraint, you can choose between two modes:

    • Match: Applies the rule if the client’s IP exactly matches the specified pattern.

    • Subnet: Applies the rule if the client’s IP falls within a defined subnet range.
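The constraint evaluation described above (whitelist or blacklist logic, with "Match" and "Subnet" modes), as an added Python example that is not ADONIS code. It assumes that a connector with no constraints is unrestricted and that an unparsable client address is rejected under either logic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable


@dataclass(frozen=True)
class Constraint:
    mode: str     # "match" (exact client IP) or "subnet" (client IP inside a CIDR range)
    pattern: str  # e.g. "192.0.2.10" for match, "10.0.0.0/8" for subnet


def constraint_matches(c: Constraint, client_ip) -> bool:
    """Test one constraint against an already parsed client address."""
    if c.mode == "match":
        return client_ip == ip_address(c.pattern)
    if c.mode == "subnet":
        # strict=False tolerates host bits set in the pattern (e.g. 10.1.2.3/8)
        return client_ip in ip_network(c.pattern, strict=False)
    raise ValueError(f"unknown constraint mode: {c.mode}")


def connector_allows(logic: str, constraints: Iterable[Constraint], client_ip: str) -> bool:
    """whitelist: allow only if some constraint matches; blacklist: deny if any matches."""
    rules = list(constraints)
    if not rules:
        return True  # assumption: no constraints configured means no IP restriction
    try:
        ip = ip_address(client_ip)
    except ValueError:
        return False  # unparsable client address: fail closed under either logic
    hit = any(constraint_matches(c, ip) for c in rules)
    if logic == "whitelist":
        return hit
    if logic == "blacklist":
        return not hit
    raise ValueError(f"unknown constraint logic: {logic}")


# Constructed sample rule set: the corporate range plus one individual host
SAMPLE_RULES = [Constraint("subnet", "10.0.0.0/8"), Constraint("match", "192.0.2.10")]
```

An IP constraint is only as reliable as the client address ADONIS sees; behind a reverse proxy, make sure the proxy passes the real client address rather than its own.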

LDAP Coupling

The third page of the connector configuration allows you to set up LDAP coupling for any connector. This feature enables the retrieval of additional user data from a directory service. For STANDARD connectors, LDAP coupling also facilitates user authentication against the configured directory service. The following settings are available:

  • Enable/Disable LDAP coupling

    • Enabled: Enable or disable LDAP coupling for this connector. Keep in mind that LDAP coupling will only function if the LDAP mechanism is activated in the general LDAP settings.

  • LDAP domains: Optionally, select one or more domains to be used for authentication and user data retrieval. Only domains previously configured on the LDAP page will be available for selection. If no domain is specified, ADONIS will attempt all domains from the global LDAP settings sequentially until successful authentication.

  • Properties: Optionally, define additional LDAP properties specific to this connector. These properties will be used alongside those set in the general LDAP settings.

User Mapping

The fourth page of the connector configuration allows you to define per connector how properties retrieved from an external user management system are processed for assigning system roles, user groups, repositories, and more.

note

Only properties previously defined in ADONIS can be selected. For instance, properties for SAML connectors are defined under Claims on the Properties page. If LDAP coupling should be used, a core set of attributes to retrieve can be defined under the general LDAP Settings, while additional connector-specific LDAP properties may be defined directly on the LDAP Coupling page.

The following settings are available:

  • Properties: Assign user attributes in ADONIS based on external properties. Each assignment is configured with the following parameters:

    • Property: Choose the external property to map to a user attribute.

    • Attribute: The corresponding attribute in ADONIS (e.g., "First name" or "Email").

    • Processing instruction: Optionally, you can include processing instructions to handle or modify the value during runtime.

Example

Property: givenName, Attribute: First name

The value of the LDAP property "givenName" is assigned to the ADONIS attribute "First name".

  • Roles: Assign system roles based on external properties.

    • Default roles: Define default system roles for users if no role assignments apply.

    • Roles: Configure custom role assignments using:

      • Property: Select the property for assigning the system role.

      • Type: Choose a method to match values (see Possible Methods to Match Values).

      • Match: Define the value to match.

      • Target name: Select the ADONIS system role to assign.

  • Groups: Assign user groups based on external properties.

    • Default groups: Define default user groups for users if no group assignments apply.

    • Groups: Configure custom group assignments using:

      • Property: Select the property for assigning the user group.

      • Type: Choose a method to match values (see Possible Methods to Match Values).

      • Match: Define the value to match.

      • Target name: Select the user group in ADONIS to assign.

  • Repository: Assign repositories based on external properties using:

    • Property: Select the property for assigning the repository.

    • Type: Choose a method to match values (see Possible Methods to Match Values).

    • Match: Define the value to match.

    • Target name: Select the repository in ADONIS that should be assigned to users as their working place. Simultaneously, the users will be made available as objects in modelling. Choose to target either "All repositories" or a specific repository. You can also specify an object group per repository in which the assigned user objects should be located.

  • Named Use: Assign users to scenarios for named use.

    • Default scenarios: Define the scenarios to which users should have named use access by default if no scenario assignments apply.

    • Scenarios: Configure custom scenario assignments using:

      • Property: Select the property for assigning the scenario.

      • Type: Choose a method to match values (see Possible Methods to Match Values).

      • Match: Define the value to match.

      • Target name: Select the scenario in ADONIS that should be assigned.

  • Mapped user handling: Can be used to specify cases where already authenticated users should be mapped to (= treated as) alias users. These alias users will represent the authenticated user when they log in to ADONIS. An example of this might be mapping a specific group of users to a user with access to the Organisation Portal.

    • Default mapped user: Define a default alias user that users should get assigned to if no other mapping applies (new users only).

    • Mapped users: Configure custom alias user assignments using:

      • Property: Select the property for assigning the alias user.

      • Type: Choose a method to match values (see Possible Methods to Match Values).

      • Match: Define the value to match.

      • Map existing users: Optionally, specify how existing users are handled. When enabled, the authenticated user will always be treated as the alias user if the mapping criteria are met. If disabled, this mapping only applies to new users who do not already exist in the ADONIS database and cannot be automatically created.

      • Target name: Select the alias user in ADONIS that should be assigned.

  • Synchronize users: Control user creation and synchronisation:

    • Create user automatically: Specify whether users that log in to ADONIS for the first time will be created "on-the-fly" in the ADONIS database.

    • Synchronize automatically: Specify whether user data should be updated according to the information retrieved from the directory service every time the user logs in and/or every time a periodic synchronisation task is performed. Manual changes to the user by the ADONIS administrator are overwritten in this case.

      What user data is synchronised can be defined in the child properties of this parameter:

      • Synchronize attributes: Specify whether the assignment of user attributes should be updated every time the user data is synchronised.

      • Synchronize roles: Specify whether the assignment of system roles should be updated every time the user data is synchronised.

      • Synchronize groups: Specify whether the assignment of user groups should be updated every time the user data is synchronised.

      • Synchronize repositories: Specify whether the assignment of repositories should be updated every time the user data is synchronised.

      • Synchronize named use: Specify whether the assignment of named use access to scenarios should be updated every time the user data is synchronised.

  • Deletion handling

    • Delete not found users: Specify whether users which are not found during synchronisation should be deleted.

    • Move undeletable users to group: Specify whether users which cannot be deleted during synchronisation should be moved to a specific user group. If enabled, you must select the group to move these undeletable users to. Otherwise, the users will not be moved.

note

Which users are undeletable?

  • Users who are logged in.

  • Users that have been shared with a repository (= to make them available as objects in modelling) when they are being used in a model or have incoming references.

Possible Methods to Match Values

When defining a user mapping for a connector, possible methods to match values include (parameter Type):

  • equals: The values must match exactly.

  • equalsIgnoreCase: The values must match exactly, but case is ignored.

  • contains: The target value must contain the specified match as a substring.

  • containsWord: The target value must contain the exact word (as a whole) you're matching.

  • containsWordIgnoreCase: Same as containsWord, but case is ignored.

  • regExp: The matching is done using a regular expression (a pattern-based matching system).

  • indicator: The matching is done based on indicators (for IDM connectors only).
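The match methods listed above, applied to the role and group assignment rules from the User Mapping section (Property, Type, Match, Target name, with the default roles as fallback), as an added Python example that is not ADONIS code. It assumes regExp means a full-string match, that a multi-valued property such as memberOf is matched value by value, and it leaves the IDM-only indicator method unmodelled.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


def match_value(method: str, value: str, match: str) -> bool:
    """Apply one of the Type methods from the page to a single property value."""
    if method == "equals":
        return value == match
    if method == "equalsIgnoreCase":
        return value.casefold() == match.casefold()
    if method == "contains":
        return match in value
    if method in ("containsWord", "containsWordIgnoreCase"):
        flags = re.IGNORECASE if method == "containsWordIgnoreCase" else 0
        # Lookarounds require the match to stand as a whole word: "Modelers" is found in
        # "CN=Modelers,OU=..." but not in "SuperModelers".
        pattern = r"(?<!\w)" + re.escape(match) + r"(?!\w)"
        return re.search(pattern, value, flags) is not None
    if method == "regExp":
        return re.fullmatch(match, value) is not None  # assumption: whole-value match
    if method == "indicator":
        raise ValueError("indicator matching is IDM-specific and not modelled here")
    raise ValueError(f"unknown match type: {method}")


@dataclass(frozen=True)
class Rule:
    """One assignment row: Property, Type, Match, Target name."""
    prop: str
    type: str
    match: str
    target: str


def resolve_assignments(user_props: Dict[str, List[str]],
                        rules: Iterable[Rule],
                        defaults: Iterable[str]) -> Set[str]:
    """Collect the targets of every rule that matches; use the defaults only if none did."""
    targets: Set[str] = set()
    for rule in rules:
        for value in user_props.get(rule.prop, []):
            if match_value(rule.type, value, rule.match):
                targets.add(rule.target)
    return targets if targets else set(defaults)


# Constructed sample: properties retrieved for one user (memberOf is multi-valued)
SAMPLE_USER = {
    "memberOf": [
        "CN=ADONIS Modelers,OU=Groups,DC=corp,DC=example",
        "CN=ADONIS Reviewers,OU=Groups,DC=corp,DC=example",
    ],
    "department": ["Process Management"],
}

# Constructed sample role rules and default roles
ROLE_RULES = [
    Rule("memberOf", "containsWord", "ADONIS Modelers", "Modeler"),
    Rule("memberOf", "containsWordIgnoreCase", "adonis reviewers", "Reviewer"),
    Rule("memberOf", "regExp", r"CN=ADONIS Admins,.*", "Administrator"),
]
DEFAULT_ROLES = ["User"]
```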

Adjust Connectors

Connectors can be renamed, deleted, and more:

  1. Go to Authentication > Connectors.

  2. Find the connector you want to adjust.

Then choose one of the following actions:

  • Edit Connector

    Hover over the connector, click More, and then select Edit. Now you can configure the connector.

  • Rename or Delete Connector

    Hover over the connector, click More, and then select Rename or Delete.

  • Increase or Decrease Precedence

    If multiple connectors are enabled, you can adjust the order in which they should be tried to handle an authentication request. Use the drag handle to drag a connector to a new position. Or, hover over the connector, click More, and then select Increase precedence or Decrease precedence.

  • Enable or Disable Connector

    Hover over the connector, click More, and then select Enable Connector or Disable connector. This option is useful, for example, if you want to temporarily disable a connector instead of permanently removing it.

  • Configure IdP

    Only available for SAML connectors. Hover over the connector, click More, and then select Configure IDP. This option allows you to either upload a metadata XML file or provide a metadata URL. The metadata contains all the necessary information for ADONIS to consume tokens issued by your IdP. Upon upload, the following properties of the SAML connector are automatically populated: Binding type, IDP address and IDP public key file.

LDAP

The LDAP page allows you to configure general LDAP settings and domain-specific parameters. It consists of two panes:

  • LDAP domains

    The left pane of the LDAP page lets you add and manage domains used for authentication and retrieving user data. All configured domains are listed here.

  • LDAP settings

    The right pane of the LDAP page allows you to set general parameters that apply to all domains.

Add Domain

To add a new domain in the ADONIS Administration:

  1. Go to Authentication > LDAP.

  2. In the left pane, under LDAP Domains, click Create.

Once you have added the domain, you can start working on the configuration right away. Follow these three steps:

  1. General

  2. User Mapping

  3. Schedule

General

The first page of the domain configuration allows you to define general settings such as the domain name, provider URL, principal user details, and more. The following settings are available:

  • Precedence: The order in which domains are tried during an authentication request.

  • Name: The identifier of this domain. This value must be unique among the domains. Additionally, this name will appear in logs.

  • Provider URL: Specifies the URL for the LDAP directory server. This value takes the form "ldap://host:port". Note that it is recommended to use IP addresses instead of domain names to avoid the DNS lookup.

  • Security protocol: If you are using LDAPS, you need to enable SSL and upload an SSL (X.509) certificate here.

  • Principal: The login name of the principal user used to look up all other users. This user MUST have read access to all parts of the directory service that are used in ADONIS.

  • Principal domain: The domain of the principal user.

  • Principal format: This field defines how to compose the principal's username and domain to authenticate with the directory. Placeholders (%principal%, %principaldomain%) are used to represent the login name and domain, and their arrangement depends on the directory service you're using. For example, in Microsoft Active Directory, the format is typically %principal%@%principaldomain%, while for IBM Tivoli, it's cn=%principal%,%principaldomain% (where principaldomain follows a specific structure, e.g., "o=domain.com").

  • Password: The password of the principal user. Will be stored in encrypted form.

  • Connection timeout: The maximum time allowed to establish a connection to the directory during authentication and other LDAP-related requests. The default value, if left unset, is 5000 milliseconds (5 seconds).

  • Unique identifier: Define one or more properties to serve as a unique identifier for internal use. If no specific LDAP property can uniquely distinguish directory objects, use NAME_IN_NAMESPACE. You can list multiple properties (comma-separated) to handle cases where different users might use different properties (e.g., upper/lower case differences). ADONIS will sequentially attempt each property for every user, using the first matching one as the unique identifier.

  • Login base DN: The base domain specification where the user objects are located.

  • Login filter: This mandatory filter option includes a placeholder for the username, used to precisely identify the relevant user object in the LDAP directory. The default configuration (&(objectClass=user)(sAMAccountName=%username%)) is typically sufficient and usually does not require modification. When a user attempts to log in, ADONIS automatically replaces %username% with the entered username. The filter then searches the LDAP directory for a user object with an sAMAccountName attribute matching the provided username. If a corresponding entry is found, ADONIS confirms that the login credentials belong to a valid user in the directory. For more information on the allowed filter types and Boolean operators, please refer to the info text associated with this setting.

  • Sync filter: This option defines a filter to be used during synchronisation jobs. It follows the same rules and options as Login Filter. Sync Filter acts as a fallback mechanism for synchronisation jobs that do not specify a "filter" parameter. If a synchronisation job is configured without a "filter" parameter and no Sync Filter is defined, the default filter (objectClass=user) will be applied to that synchronisation job.

  • Sync base DN: This parameter specifies the base distinguished name (DN) from which synchronisation jobs should start. It serves as a fallback for synchronization jobs that do not have a Start Node parameter defined. If neither Sync Base DN nor Start Node are specified, the value from the Login Base DN parameter in the domain configuration will be used as the default starting point for that synchronisation job.

  • Login scope: This property specifies the scope of the search within the directory. It determines how extensively the search will be performed. The available options are:

    • Subtree: (default) Searches the entire subtree starting from the root or specified start node.

    • One: Searches the current node and one additional level beneath it.

    • Object: Searches only the current object. This option is generally not recommended.

  • Paged result Control OIDs: Specifies the Object Identifier (OID) for the directory service control used to determine whether the directory service supports paged results.

  • Page size: Specifies the number of entries per page when paged results are supported by the directory service. This setting determines the maximum number of results that are returned in each page of the search results.

  • Default connector: Specifies the connector with LDAP coupling that should be used to determine the user mapping when LDAP is used outside of a specific connector context (e.g., in scheduled jobs). Note: If not specified, ADONIS will use the first active connector with LDAP coupling enabled for this domain that includes a user mapping. If no such connector is found, the user mapping will default to the domain-specific user mapping.

  • Ignore missing ObjectSID: Determines whether to ignore missing objectSid values for LDAP users. By default, LDAP objects are identified by their unique LDAP ID, retrieved via the objectSid attribute. If this ID cannot be retrieved for an LDAP user, their LDAP properties will be skipped, which means their role, group, and other assignments according to user mapping will not be applied. This affects both login and synchronisation actions. If this option is enabled, any missing objectSid values will be ignored, and user data will still be retrieved, but the user will lack a unique LDAP ID in their properties, which could lead to issues such as inability to log into ADONIS Administration. If this parameter is disabled, missing objectSid values will not be ignored, and the LDAP user data for such users will be skipped.

  • Referral: Configures how referrals from the directory service are handled. If not specified, the default behavior of the directory service will be used.

    • ignore: Do not follow referrals; referrals will be ignored.

    • follow: Follow and resolve referrals automatically.

    • throw: Throw an exception when a referral is encountered.
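The placeholder handling from the Principal format and Login filter settings, and the fallback chains for the Sync filter and Sync base DN (which the Schedule page's Filter and Start node settings rely on), as an added Python example that is not ADONIS code. The RFC 4515 escaping of the substituted username is an added safeguard in this example; the page does not state how ADONIS itself handles special characters in the entered username.

```python
from typing import Optional

# Placeholders used by the 'Principal format' and 'Login filter' settings
PRINCIPAL_PH = "%principal%"
PRINCIPAL_DOMAIN_PH = "%principaldomain%"
USERNAME_PH = "%username%"

# Defaults named on the page
DEFAULT_LOGIN_FILTER = "(&(objectClass=user)(sAMAccountName=%username%))"
DEFAULT_SYNC_FILTER = "(objectClass=user)"

# RFC 4515 escapes for values embedded in a search filter (per-character mapping,
# so a backslash is never escaped twice)
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def compose_principal(principal_format: str, principal: str, principal_domain: str) -> str:
    """Build the bind name, e.g. '%principal%@%principaldomain%' for Active Directory
    or 'cn=%principal%,%principaldomain%' for IBM Tivoli."""
    return (principal_format
            .replace(PRINCIPAL_PH, principal)
            .replace(PRINCIPAL_DOMAIN_PH, principal_domain))


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it cannot change the structure of the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_login_filter(login_filter: str, username: str) -> str:
    """Substitute the entered username into the login filter, escaped."""
    return login_filter.replace(USERNAME_PH, escape_filter_value(username))


def effective_sync_filter(job_filter: Optional[str], domain_sync_filter: Optional[str]) -> str:
    """Job Filter -> domain Sync filter -> (objectClass=user), as the page describes."""
    return job_filter or domain_sync_filter or DEFAULT_SYNC_FILTER


def effective_sync_base_dn(job_start_node: Optional[str],
                           domain_sync_base_dn: Optional[str],
                           login_base_dn: str) -> str:
    """Job Start node -> domain Sync base DN -> Login base DN, as the page describes."""
    return job_start_node or domain_sync_base_dn or login_base_dn
```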

User Mapping

The second page of the domain configuration allows you to set up user mapping directly at the domain level. This user mapping will be applied in cases where users log in through a connector that does not specify its own user mapping, or when a scheduled synchronisation for this domain occurs without a Default connector being configured.

note

How to configure these settings is explained as part of connector configuration documentation. For details please refer to the section User Mapping.

Schedule

The third page of the domain configuration allows you to automate user synchronisation with LDAP by setting up a schedule for a specific domain.

note

You can also configure synchronisation for all domains simultaneously under the general LDAP Settings. The configuration process is the same for both domain-specific and global schedules.

The following settings are available:

  • Name: A name to use for this job (just for traceability in the log files).

  • Filter: An optional filter to refine the search results. If no specific filter is provided for a sync job, the value from the Sync Filter setting in the domain configuration will be used as a fallback. If neither a specific filter nor a fallback filter is set, the default filter (objectClass=user) will be applied to retrieve only user objects.

  • Start node: Define the node in the directory service tree structure that should be used as the starting point for user searches. The Sync Base DN parameter is used as a fallback when the Start Node attribute is not defined for the synchronisation job. If neither Sync Base DN nor Start Node are defined, the Login Base DN parameter is used as a fallback.

  • Type: Choose the time unit for the synchronisation schedule. Available options include secondly, minutely, hourly, daily, weekly, or yearly.

  • Interval: Define the frequency of the synchronisation job. Select every how many time units ADONIS performs the job. This setting works in conjunction with the Type option and is compatible with secondly, minutely, hourly, and yearly.

  • Start at: Optional start date indicating when the schedule should become active. By default, the schedule is active immediately.

  • End at: Optional end date specifying when the schedule should become inactive. After this date, the schedule will no longer be active.

  • Schedule CRON data: This parameter allows you to schedule the synchronization job to run at specific times or dates periodically. It works in conjunction with the Type option and is compatible with days, weeks, and months. It includes the following properties:

    • Day of month: Specify the day of the month when the job should run. Allowed values range from 1 to 31.

    • Weekdays: Select one or more days of the week when the job should be executed.

    • Execution time: Define the exact hour and minute at which the job should start.

Adjust Domains

Domains can be edited, deleted, and more:

  1. Go to Authentication > LDAP.

  2. In the left pane, under LDAP Domains, find the domain you want to adjust.

Then choose one of the following actions:

  • Edit Domain

    Hover over the domain, click More, and then select Edit. Now you can configure the domain.

  • Delete Domain

    Hover over the domain, click More, and then select Delete.

  • Increase or Decrease Precedence

    If multiple domains are enabled, you can adjust the order in which they should be tried to handle an authentication request. Use the drag handle to drag a domain to a new position. Or, hover over the domain, click More, and then select Increase precedence or Decrease precedence.

Configure LDAP Settings

To modify the general LDAP settings that apply to all domains:

  1. Go to Authentication > LDAP.

  2. In the right pane, under LDAP Settings, adjust the settings in the General, Environment, Properties and Schedule sections.

The following settings are available:

  • General

    • Enabled: Enable or disable the LDAP mechanism globally. LDAP coupling for a connector will only function if this setting is enabled.

    • Allow client action: Determines whether or not LDAP calls initiated from the client side are permitted. This setting controls whether the following actions can be triggered manually in the ADONIS Administration (see Server for more information):

      • Start LDAP synchronisation

      • Clear LDAP Cache

    • Default domain: Specify the domain that should be used for authentication and querying user data whenever no other domain is specified.

    • Authentication mode: An optional setting that specifies the security level for authentication. Possible values are "none", "simple", or "strong". If this option is left unspecified, the behavior will be determined by the directory service provider's default settings.

    • Context factory: Specifies the name of the main class responsible for implementing LDAP. If you are using the LDAP implementation from JavaSoft, the value should be set to com.sun.jndi.ldap.LdapCtxFactory. Only adjust this setting if necessary for your specific LDAP configuration.

    • URL package prefixes: This property defines the list of package prefixes to be used when loading URL context factories. The value should be a colon-separated list of package prefixes for the class name of the factory class that will create a URL context factory. Only adjust this setting if necessary for your specific LDAP configuration.

  • Environment: A list of additional properties used during the creation of the initial LDAP context. These properties help customize the LDAP environment and connection settings. For more details, refer to the javax.naming.Context documentation. Only adjust this setting if necessary for your specific LDAP configuration.

  • Properties: These properties define the core set of attributes that will be retrieved via LDAP. If LDAP coupling is enabled, additional connector-specific LDAP properties may be fetched. All properties that should be used in domain configurations to set up a user mapping directly at the domain level must be included in this list.

  • Schedule: Configure automated user synchronisation with LDAP for all domains simultaneously.

note

You can also configure synchronisation for a specific domain directly within the domain configuration. The configuration process is the same for both domain-specific and global schedules. For detailed information on the available settings, please refer to the Schedule section in the domain configuration documentation.

SAML

The SAML page allows you to configure various parameters to enable SAML authentication. These settings define how ADONIS interacts with the SAML identity provider (IdP).

The following settings are available:

  • Issuer name: Enter a unique identifier that ADONIS will use to identify itself to the IdP. This value must match the ID configured on the IdP side for ADONIS. For example, for Microsoft Entra ID, it must be equal to the Identifier (Entity ID).

  • Assertion consumer URL: Specify the URL where ADONIS will expect to receive the authentication token from the IdP. Enter the HTTPS URL of ADONIS and add "/auth.view", using the following pattern: "https://<SERVER_NAME>:<TOMCAT_PORT>/ADONIS16_1/auth.view". This value must match the reply URL configured on the IdP side. For example, for Microsoft Entra ID, it must be equal to the Reply URL (Assertion Consumer Service URL).

  • Token signing: Configure the settings for signing SAML tokens, which ensures the integrity and authenticity of data exchanged between ADONIS and the Identity Provider (IdP).

    To enable token signing in ADONIS, an SSL certificate for the Service Provider (SP) is required. You can generate a self-signed certificate using the Java keytool for this purpose.

    • Keystore alias: Enter the alias specified in the KeyStore file for the SP's token-signing certificate.

    • Keystore file: Click Browse to upload the KeyStore file that contains the SP's token-signing certificate.

    • Keystore password: Enter the password for accessing the KeyStore. The password is stored in encrypted form.

  • Assertion decryption: If your IdP has been configured to encrypt assertions for enhanced security, you can configure settings for decrypting SAML assertions in ADONIS.

    To enable assertion decryption in ADONIS, an SSL certificate for the Service Provider (SP) is required. This certificate can be the same as the SP’s token-signing certificate.

    • Enabled: Enable this option to allow ADONIS to decrypt incoming encrypted assertions from the IdP.

    • Keystore alias: Enter the alias specified in the KeyStore file for the SP's assertion-decrypting certificate.

    • Keystore file: Click Browse to upload the KeyStore file that contains the SP's assertion-decrypting certificate.

    • Keystore password: Enter the password for accessing the KeyStore. The password is stored in encrypted form.

JWT

The JWT page allows you to configure JWT authentication for REST requests.

note

How to configure the settings on the JWT page is explained as part of REST API documentation. For details please refer to the section Enable JWT Authentication for ADONIS.

OAuth 2.0

The OAuth 2.0 page allows you to configure OAuth 2.0 authentication for REST requests.

note

How to configure the settings on the OAuth 2.0 page is explained as part of REST API documentation. For details please refer to the section Enable OAuth 2.0 for ADONIS.

More Tools

The Authentication page provides tools that let you configure license warnings, security settings, and general authentication settings:

Licence Warnings

To configure licence warnings (automated email notifications sent when most of the available named users for a specific scenario are already assigned and action should be taken to extend the licence):

  • Go to Authentication > More options, and then click Licence Warnings.

Adapt the following parameters and save the changes afterwards:

  • Notification recipient email

    Enter the email address that should receive the notifications.

  • Notification threshold

    Specify the notification threshold. Enter the percentage of named users already assigned for a specific scenario that, when exceeded, triggers a licence warning.

  • Notify on threshold exceeded

    Specify whether a notification is sent when the number of named users for a scenario has exceeded the configured threshold.

  • Notify on threshold recovery

    Specify whether a notification is sent when the number of named users for a scenario has dropped below the configured threshold.

Availability

This functionality is available if the mail component is configured.

note

For details on how to configure the mail component please refer to the section Email.

Security Settings

To modify the security settings for authentication:

  1. Go to Authentication > More options, and then click Security Settings.

  2. Adjust the settings in the General, Brute Force, Reauthentication, REST and Org Portal IP Restrictions sections.

The following settings are available:

  • General

    • Allow CORS: Enable this option to allow OAuth 2.0 Authentication requests from the ADONIS Process Manager for Confluence module.

  • Brute Force: Configure brute force protection settings for regular login attempts to ADONIS by users (see Configure Brute Force Protection).

  • Reauthentication

    • Enabled: Enable this option to allow reauthentication. Reauthentication can be customised to protect certain critical business actions in ADONIS.

    • Brute Force: Configure brute force protection settings for reauthentication attempts (see Configure Brute Force Protection).

  • REST

    • Allow CORS: Enable this option to allow requests from the ADONIS Process Manager for Confluence module.

    • Brute Force: Configure brute force protection settings for login attempts via the ADONIS REST API (see Configure Brute Force Protection).

    • Basicauth IP Restrictions: Specify the IP addresses that shall be allowed to send requests with basic authentication to the ADONIS REST API (see Configure IP Restrictions).

    • Basicauth Roles: Optionally, select system roles that a user must have at least one of in order to use the ADONIS REST API with basic authentication. If no system role is selected, all system roles will allow access to the API.

  • Org Portal IP Restrictions: Specify the IP addresses that shall be allowed to access the Organisation Portal (see Configure IP Restrictions).

Configure Brute Force Protection

ADONIS has a mechanism to prevent brute force attempts from gaining access to login credentials. After a specified number of failed login attempts, login to ADONIS is blocked and a message is shown to the user.

You can configure brute force protection settings at the following levels:

  • Brute Force: Settings for regular login attempts to ADONIS by users.

  • Reauthentication: Settings for reauthentication attempts. Reauthentication can be customised to protect certain critical business actions in ADONIS.

  • REST: Settings for login attempts via the REST API that allows authenticated access to exposed functionality in ADONIS.

Adapt the following parameters and save the changes afterwards:

  • Sleeptime Max Attempts per IP

    The amount of time (in milliseconds) that login attempts are blocked for an IP address after a specified number of failed login attempts. The default value is 60,000 milliseconds (= 1 minute).

  • Sleeptime Max Attempts Overall

    The amount of time (in milliseconds) that login attempts are blocked for all users after a specified number of overall failed login attempts. The default value is 30,000 milliseconds (= 30 seconds).

  • Clean Up Threshold User

    Time frame (in milliseconds) in which failed attempts for a user name are accounted. The default value is 600,000 milliseconds (= 10 minutes).

  • Clean Up Threshold IP

    Time frame (in milliseconds) in which failed attempts for an IP address are accounted. The default value is 10,800,000 milliseconds (= 3 hours).

  • Clean Up Period

    Time frame (in milliseconds) in which failed attempts for all users are accounted. The default value is 60,000 milliseconds (= 1 minute).

  • Max Attempts per IP

    The maximum number of failed login attempts before an IP address is blocked for a specified amount of time. The default value is 75 times.

  • Max Attempts per Username

    The maximum number of failed login attempts before a user name is blocked for 10 minutes. The default value is 15 times.

  • Max Attempts Overall

    The maximum number of overall failed login attempts before all users are blocked for a specified amount of time. The default value is 150 times.

Example

If there are 75 failed login attempts from an IP address [Max Attempts per IP] during an interval of 3 hours [Clean Up Threshold IP], users on that IP address have to wait for one minute [Sleeptime Max Attempts per IP].
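The following is an added model of how the counters above interact, written for this page and not taken from ADONIS: each scope (IP address, user name, all users) keeps the timestamps of failed attempts inside its clean-up window and, once the maximum is reached, blocks that scope for the corresponding sleep time. The class name and method names are hypothetical; the default values are the ones listed above, with the user-name block fixed at 10 minutes as the page states.

```python
from collections import defaultdict, deque

# Defaults as listed on this page; all times are in milliseconds.
DEFAULTS = dict(sleeptime_ip=60_000, sleeptime_overall=30_000,
                cleanup_user=600_000, cleanup_ip=10_800_000, cleanup_period=60_000,
                max_ip=75, max_user=15, max_overall=150)
USER_BLOCK_MS = 600_000  # the page states a user name is blocked for 10 minutes


class BruteForceGuard:
    """Hypothetical model of the counters described above, not ADONIS code."""

    def __init__(self, **overrides):
        self.cfg = {**DEFAULTS, **overrides}
        self.by_ip = defaultdict(deque)    # ip -> timestamps of failed attempts
        self.by_user = defaultdict(deque)  # user name -> timestamps of failed attempts
        self.overall = deque()             # timestamps of all failed attempts
        self.blocks = {"ip": {}, "user": {}, "overall": {}}  # scope -> key -> expiry

    @staticmethod
    def _prune(q, now, window):
        # Drop attempts that fall outside the clean-up window.
        while q and now - q[0] > window:
            q.popleft()

    def blocked(self, user, ip, now):
        """Return why a login is refused ('overall', 'ip' or 'user'), or None."""
        for scope, key in (("overall", "*"), ("ip", ip), ("user", user)):
            if now < self.blocks[scope].get(key, 0):
                return scope
        return None

    def failed(self, user, ip, now):
        """Record a failed login and return the resulting block reason, if any."""
        c = self.cfg
        counters = (
            ("ip", ip, self.by_ip[ip], c["cleanup_ip"], c["max_ip"], c["sleeptime_ip"]),
            ("user", user, self.by_user[user], c["cleanup_user"], c["max_user"], USER_BLOCK_MS),
            ("overall", "*", self.overall, c["cleanup_period"], c["max_overall"], c["sleeptime_overall"]),
        )
        for scope, key, q, window, limit, sleep in counters:
            q.append(now)
            self._prune(q, now, window)
            if len(q) >= limit:  # threshold reached inside the window: start the block
                self.blocks[scope][key] = now + sleep
                q.clear()
        return self.blocked(user, ip, now)
```

Replaying the page's example (75 failures from one address within 3 hours) yields an "ip" block that expires exactly one minute after the 75th attempt, while other addresses remain unaffected.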

Configure IP Restrictions

This section explains how to configure IP restrictions at the following levels:

  • Basicauth IP Restrictions: Control which IP addresses are allowed to send requests with basic authentication to the ADONIS REST API.

  • Org Portal IP Restrictions: Control which IP addresses are allowed to access the Organisation Portal.

Configuration

To configure an IP restriction:

  1. Click Add IP Restriction to create a new IP rule.

  2. Under Mode, select Allow or Deny to specify whether the rule will permit or block access.

  3. Under Apply to, select All to apply the rule to all IP addresses, or choose Custom IP to define specific IP addresses or ranges. When selecting Custom IP, you can either enter a single IP address (e.g., 192.168.1.1) or use a wildcard format (e.g., 192.168.*) to encompass a broader range of addresses.

How IP Restrictions Work

Please keep the following in mind when configuring IP restrictions:

  • If IP restrictions exist but no matching rule is found, the default action is "deny".

  • If no IP restrictions are set, the default behavior depends on the functionality:

    • Basicauth IP Restrictions: Default is "deny"

    • Org Portal IP Restrictions: Default is "allow"

  • The first matching rule decides. Suppose you add the following IP restrictions:

    • Mode: Allow, Apply to: 192.*

    • Mode: Deny, Apply to: 192.168.0.1

    In this case, the "deny" rule would have no effect, as the "allow" rule already applies to the 192.168.0.1 address.

Example

To deny all IP addresses starting with 192., deny the IP address 193.168.0.1, and allow all other IP addresses:

Mode: Deny, Apply to: 192.*

Mode: Deny, Apply to: 193.168.0.1

Mode: Allow, Apply to: All

To allow all IP addresses starting with 178. except for 178.6.6.6, and deny all other IP addresses:

Mode: Deny, Apply to: 178.6.6.6

Mode: Allow, Apply to: 178.*

Mode: Deny, Apply to: All

General Settings

To modify general authentication settings:

  • Go to Authentication > More options, and then click General Settings.

The following settings are available:

  • Tracing

    Turn on authentication trace logging in order to have additional authentication details logged in the web server logs. This is useful in the setup phase for authentication mechanisms such as SAML. Tracing will automatically be turned off on web server restart.

  • Reset configuration

    Reset the authentication settings to the factory settings. Any previously applied modifications will be lost.