Creating authentication realms

To create an authentication realm on the server, specify where user information is stored: internal storage on the server, an LDAP server (including Active Directory), a single sign-on (SSO) service, or an OpenID Connect provider.

Procedure

  1. In the web UI, click Settings > Authentication (Users) > Create Realm. The Create Authentication Realm pane opens.
  2. Enter a name and a description.
  3. Select the authentication realm type from the Type list.
    The available types in the list are as follows: LDAP or Active Directory, Single Sign-on (SSO), Internal Storage, and OpenID Connect.
    If you select Internal Storage, no additional parameters are required.
    If you select LDAP or Active Directory, specify the following parameters:
    Table 1. LDAP or Active Directory authentication realm properties
    Field Description
    LDAP URL The URL of the LDAP server, beginning with ldap:// or ldaps://. You can provide more than one URL, separated by spaces; the server tries them one at a time until a connection succeeds. Prefer ldaps://: over plain ldap://, the search connection password, the passwords of users who log in with the Simple mechanism, and the search results all cross the network in clear text.
    Authentication Mechanism The mechanism that the server uses to bind to the LDAP server. The default is Simple, which sends the password as-is and therefore relies on ldaps:// for protection. Select DIGEST-MD5 if the LDAP server is configured for it, and then specify the SASL realm.
    Search Anonymously When this check box is selected (the default), the server searches LDAP without binding. If the directory does not permit anonymous searches, clear the check box and specify the search connection DN and its password.
    Search Connection DN The distinguished name (DN) of the account that the server binds with to run searches. This parameter is required if the Search Anonymously check box is cleared. Use a dedicated account with read-only access to the directory.
    Search Connection Password The password that is used for LDAP searches. This parameter is used with the value in the Search Connection DN field.
    Specify how to search LDAP Specifies how LDAP is searched. If users exist in multiple directories, select LDAP users may exist in many directories; search across LDAP using a criterion. Otherwise, select LDAP users exist in a single directory; use a pattern to create the DN for users. Depending on the selection, more fields are displayed.
    User Search Base When you search multiple directories, the base DN at which searches start, such as ou=employees,dc=mydomain,dc=com.
    User Search Filter When you search multiple directories, the LDAP filter expression that locates the user entry, such as (&(|(mail={0})(cn={0}))(objectclass=ePerson)). The user name that was entered at login replaces the {0} variable in the pattern. If the attribute assertion is not part of the DN pattern, enclose it in parentheses, for example, (accountName={0}). For more information, see the help information for your LDAP server about creating user search filters.
    Search User Subtree When you search multiple directories, select this check box to search the whole subtree below the search base rather than only its immediate entries.
    User DN Pattern When you search a single directory, the pattern that builds the user DN; the user name replaces {0}, for example, cn={0},ou=employees,dc=yourcompany,dc=com.
    Name Attribute Contains the user name in LDAP.
    Email Attribute Contains the user email address in LDAP.
    Login Mechanism Enables OpenID Connect as the login mechanism for this LDAP realm, in one of two modes: UID or alternate ID.

    For the properties that are common to both types, refer to the OpenID Connect authentication realm properties in the table that follows.

    Force Authentication through OpenID Connect Prevents direct username and password authentication with LDAP for this realm.
    UID Claim The OpenID Claim that contains the unique ID to use for LDAP lookup.
    Alternate ID Claim The OpenID Claim that contains the alternate or custom ID to use for LDAP lookup.
    Alternate ID Search The LDAP search filter that uses the alternate ID as {0}.
    If you select Single Sign-on, specify the following parameters:
    Table 2. SSO authentication realm properties
    Field Description
    User Header Name The HTTP request header, set by the SSO proxy, that carries the authenticated user's name.
    Email Header Name The HTTP request header, set by the SSO proxy, that carries the authenticated user's email address.
    Logout URL The URL to which users are redirected after they log out of HCL DevOps Deploy (Deploy).
    The server trusts these headers as proof of identity. Make sure that requests can reach the server only through the SSO proxy, and that the proxy strips any copy of these headers that a client supplies itself.

    If you select OpenID Connect, specify the following parameters:

    Table 3. OpenID Connect authentication realm properties
    Field Description
    OpenID Provider and Client Identity
    Client ID The client ID that is registered with the OpenID provider.
    Client Secret The client secret that the OpenID provider issues upon registration.
    Issuer The issuer identifier for the issuer of the token response. Enter the issuer identifier, and click Discover to fetch the OpenID endpoint configuration automatically. The issuer identifier must not contain a query or fragment.
    OpenID Endpoints
    JWKS URI The JSON Web Key Sets (JWKS) URI endpoint.
    Authorization Endpoint The URI for authorization with the OpenID provider.
    Token Endpoint The URI for token requests with the OpenID provider.
    Userinfo Endpoint The URI for user information requests with the OpenID provider.
    Custom OpenID Claims
    Name Claim The custom claim that you want to use to display as Name in the web UI. Defaults to name.

    Note that the Name Claim is not available in LDAP with OpenID Connect type authentication realm.

    Email Claim The custom claim that contains user e-mail ID and is displayed as Email in the web UI. Defaults to email.

    Note that the Email Claim is not available in LDAP with OpenID Connect type authentication realm.

    Note:
    • Make sure that the external agent URL matches the redirect URI that is registered with the OpenID provider.
    • The OpenID provider must be set to use RS256 as its token signature algorithm, so that Deploy communicates with it correctly.
  4. To disable password-based login for the authentication realm, select the Disable Login check box.
    Administrators can still log in with a password through the admin URL, https://hostname:port/admin. Authentication tokens that are defined in this realm continue to work, and changing this setting does not end active sessions.
  5. Enter the number of login attempts to accept in the Allowed Login Attempts field.
    A blank value allows an unlimited number of attempts, which leaves a password-based realm open to online password guessing; set a limit for any realm that accepts passwords. If a user exceeds the limit, use the Unlock User action on the Authentication page to unlock the user.
  6. Select the authorization realm from the Authorization Realm list.
    The internal security realm is available by default. See Authorization realms.
    Note: If you use an LDAP authentication realm with an LDAP authorization realm, the settings in this authentication realm override the settings in the LDAP authorization realm. If you use an SSO authentication realm with an LDAP authorization realm, you must specify connection settings on the LDAP authorization realm.
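The {0} placeholder in the User Search Filter and User DN Pattern fields of Table 1 is filled in with whatever name the user typed at login, so the substitution has to escape that value before it reaches the directory. The following Python is an added example, not HCL DevOps Deploy code, showing the escaping that a correct substitution applies (RFC 4515 for filters, RFC 4514 for DNs) and what goes wrong without it; the patterns and user names are constructed samples, and the product's own implementation is not shown on this page.

```python
"""Added example: filling the {0} placeholder of an LDAP user search filter
and user DN pattern safely. Not HCL DevOps Deploy code; patterns, user names
and attribute names below are constructed samples."""
import re

# Constructed samples shaped like the Table 1 examples.
FILTER_PATTERN = "(&(uid={0})(objectclass=inetOrgPerson))"
DN_PATTERN = "cn={0},ou=employees,dc=yourcompany,dc=com"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
    The characters that carry meaning in a filter become \\xx hex escapes."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
        for ch in value
    )


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514, section 2.4)."""
    out = "".join("\\" + ch if ch in '"+,;<>\\' else ch for ch in value)
    out = out.replace("\x00", "\\00")
    if out[:1] in (" ", "#"):          # leading space or '#' must be escaped
        out = "\\" + out
    if out.endswith(" "):              # so must a trailing space
        out = out[:-1] + "\\ "
    return out


def build_user_search_filter(pattern: str, username: str, escape: bool = True) -> str:
    """Substitute the user name for {0}; escape=False shows the unsafe variant."""
    value = escape_filter_value(username) if escape else username
    return pattern.replace("{0}", value)


def build_user_dn(pattern: str, username: str, escape: bool = True) -> str:
    """Substitute the user name for {0} in a DN pattern."""
    value = escape_dn_value(username) if escape else username
    return pattern.replace("{0}", value)


def attribute_assertions(ldap_filter: str) -> int:
    """Count the (attr=...) assertions in a filter. A user name must never be
    able to change this number; if it can, the filter structure was injected."""
    return len(re.findall(r"\([A-Za-z][A-Za-z0-9.;-]*=", ldap_filter))


if __name__ == "__main__":
    hostile = "*)(uid=*"               # a login name crafted to widen the search
    unsafe = build_user_search_filter(FILTER_PATTERN, hostile, escape=False)
    safe = build_user_search_filter(FILTER_PATTERN, hostile)
    print("unescaped:", unsafe, "assertions:", attribute_assertions(unsafe))
    print("escaped:  ", safe, "assertions:", attribute_assertions(safe))
    print("DN:       ", build_user_dn(DN_PATTERN, "jsmith,ou=admins"))
```

With the hostile name, the unescaped filter becomes (&(uid=*)(uid=*)(objectclass=inetOrgPerson)), which matches every person entry, while the escaped form matches only an account literally named *)(uid=*. The same applies to the DN pattern: an unescaped comma in the name relocates the entry into a different branch of the tree. Running a candidate pattern through these helpers offline is a cheap way to check that it behaves as intended before you save the realm.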

Results

When new users log on to the server with their LDAP or SSO credentials, they are listed on the Authentication tab. In most cases, do not manage user passwords or remove users from the list: if an active user is removed from Deploy, they can still log on to the server while their LDAP credentials are valid. To revoke such a user's access, disable or remove the account in the directory or identity provider that the realm authenticates against.
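For the OpenID Connect realm in Table 3, the Discover action fills the endpoint fields from the provider's configuration document (OpenID Connect Discovery publishes it at the issuer identifier plus /.well-known/openid-configuration). The Python below is an added example, not HCL DevOps Deploy code, of the checks worth making on that document before trusting its values: the issuer rule from step 3, the exact-match rule of OpenID Connect Discovery (the issuer in the document must be identical to the issuer used to fetch it), https on every endpoint, and the RS256 requirement from the note. The discovery documents and the host idp.example.com are constructed samples.

```python
"""Added example: validating an OpenID provider's discovery document before
filling in the OpenID Connect realm fields. Not HCL DevOps Deploy code; the
documents below are constructed samples from a hypothetical provider."""
import json
from urllib.parse import urlsplit

# Constructed sample of a well-formed configuration document.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
})

# Constructed sample with three faults: the issuer is not identical to the one
# configured (trailing slash), the token endpoint is plain http, and the
# provider does not offer RS256.
SAMPLE_DISCOVERY_BAD = json.dumps({
    "issuer": "https://idp.example.com/",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "http://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "id_token_signing_alg_values_supported": ["HS256"],
})

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_issuer_identifier(issuer: str) -> list:
    """The Issuer field must be an https URL with no query or fragment."""
    problems = []
    parts = urlsplit(issuer)
    if parts.scheme != "https":
        problems.append("issuer must use https")
    if parts.query or parts.fragment:
        problems.append("issuer must not contain a query or fragment")
    return problems


def validate_discovery(configured_issuer: str, document: str) -> tuple:
    """Return (realm_fields, problems). realm_fields maps the Table 3 endpoint
    fields to values, and is empty whenever any problem was found."""
    problems = check_issuer_identifier(configured_issuer)
    doc = json.loads(document)
    # The issuer inside the document must be identical to the one the document
    # was fetched from; otherwise tokens from one provider could be accepted
    # under another provider's configuration.
    if doc.get("issuer") != configured_issuer:
        problems.append("issuer in document (%r) does not match configured issuer"
                        % doc.get("issuer"))
    for key in REQUIRED_ENDPOINTS + ("userinfo_endpoint",):
        url = doc.get(key)
        if url is None:
            if key in REQUIRED_ENDPOINTS:
                problems.append("missing %s" % key)
            continue
        if urlsplit(url).scheme != "https":
            problems.append("%s is not https: %s" % (key, url))
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs:
        problems.append("provider does not offer RS256 for ID token signatures")
    if problems:
        return {}, problems
    fields = {
        "JWKS URI": doc["jwks_uri"],
        "Authorization Endpoint": doc["authorization_endpoint"],
        "Token Endpoint": doc["token_endpoint"],
        "Userinfo Endpoint": doc.get("userinfo_endpoint", ""),
    }
    return fields, []


if __name__ == "__main__":
    for label, document in (("good", SAMPLE_DISCOVERY), ("bad", SAMPLE_DISCOVERY_BAD)):
        fields, problems = validate_discovery("https://idp.example.com", document)
        print(label, "fields:", fields)
        print(label, "problems:", problems)
```

The userinfo endpoint is optional in the discovery specification, so its absence is not reported, whereas a missing JWKS URI is: without it the server has no keys against which to verify the RS256 signature on ID tokens. Fetching the document over https and feeding its body to validate_discovery reproduces what a careful Discover should do.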