icingaweb2/doc/external_authentication.md

91 lines
3.2 KiB
Markdown

# Externel Authentication
It is possible to use the authentication mechanism of the webserver,
instead of using the internal authentication-manager to
authenticate users. This might be useful if you only have very few users, and
user management over *.htaccess* is sufficient, or if you must use some other
authentication mechanism that is only available through your webserver.
When external authentication is used, Icingaweb will entrust the
complete authentication process to the external authentication provider (the webserver):
The provider should take care of authenticating the user and declining
all requests with invalid or missing credentials. When the authentication
was succesful, it should provide the authenticated users name to its php-module
and Icingaweb will assume that the user is authorized to access the page.
Because of this it is very important that the webservers authentication is
configured correctly, as wrong configuration could lead to unauthorized
access to the site, or a broken login-process.
## Use External Authentication
Using external authentication in Icingaweb requires two steps to work:
1. The external authentication must be set up correctly to always
authenticate the users.
2. Icingaweb must be configured to use the external authentication.
### Prepare the External Authentication Provider
This step depends heavily on the used webserver and authentication
mechanism you want to use. It is not possible to cover all possibillities
and you should probably read the documentation for your webserver for
detailed instructions on how to set up authentication properly.
In general, you need to make sure that:
- All routes require authentication
- Only permitted users are allowed to authenticate
#### Example Configuration for Apache and HTTPDigestAuthentication
The following example will show how to enable external authentication in Apache using
*HTTP Digest Authentication*.
##### Create users
To create users for a digest authentication we can use the tool *htdigest*.
We choose *.icingawebdigest* as a name for the created file, containing
the user credentials.
This command will create a new file with the user *jdoe*. *htdigest*
will prompt you for your password, after it has been executed. If you
want to add more users to the file you need to ommit the *-c* parameter
in all further commands to avoInid the file to be overwritten.
sudo htdigest -c /etc/httpd/conf.d/.icingawebdigest "Icingaweb 2" jdoe
##### Set up authentication
The webserver should require authentication for all public icingaweb files.
<Directory "/var/www/html/icingaweb">
AuthType digest
AuthName "Icingaweb 2"
AuthDigestProvider file
AuthUserFile /etc/httpd/conf.d/.icingawebdigest
Require valid-user
</Directory>
### Prepare Icingaweb
When the external authentication is set up correctly, we need
to configure IcingaWeb to use it as an authentication source. The
configuration key *authenticationMode* in the section *global* defines
if the authentication should be handled internally or externally. Since
we want to delegate the authentication to the Webserver we choose
"external" as the new value:
[global]
; ...
authenticationMode = "external"
; ...