Authentication 6.2

Configure LDAP and SAML user authentication on the Authentication page.

LDAP and SAML authentication

When users authenticate through LDAP or SAML to log into Alert for the first time, they are added to the Alert database. The Alert administrator can change permissions for the users in the User Management user interface. Typically, LDAP and SAML users log in with the most restrictive permissions.

In Alert versions 5.2.0 and later, the authentication functionality was moved from the Settings page to the Authentication page.

On the Authentication page in Alert versions 5.2.0 and later, you can expand and collapse the LDAP, SAML, and User Management configuration settings. Click + to expand or - to collapse the LDAP Configuration, SAML Configuration, or User Management sections.

You can test an LDAP or SAML authentication setting on the Alert Authentication page. Click the Test Configuration button to open a dialog box. The dialog displays an LDAP section and a SAML section.

User role mapping

In Alert 6.0.0 the User Role Mapping form was removed from the Authentication page. For LDAP and SAML, Alert still grants privileges for the corresponding default Alert roles if the user has been assigned the following:

LDAP group names:

  • ROLE_ALERT_ADMIN - If a user belongs to this group they have ALERT_ADMIN role privileges along with any other role privileges assigned to the user in the Alert user interface.

  • ROLE_ALERT_JOB_MANAGER - If a user belongs to this group they have ALERT_JOB_MANAGER role privileges along with any other role privileges assigned to the user in the Alert user interface.

  • ROLE_ALERT_USER - If a user belongs to this group they have ALERT_USER role privileges along with any other role privileges assigned to the user in the Alert UI.

SAML attribute mapping

  • ALERT_ADMIN - If the user's "AlertRoles" attribute contains the value "ALERT_ADMIN", then ALERT_ADMIN role privileges are granted along with any other role privileges assigned to the user in the Alert user interface.

  • ALERT_JOB_MANAGER - If the user's "AlertRoles" attribute contains the value "ALERT_JOB_MANAGER", then ALERT_JOB_MANAGER role privileges are granted along with any other role privileges assigned to the user in the Alert user interface.

  • ALERT_USER - If the user's "AlertRoles" attribute contains the value "ALERT_USER", then ALERT_USER role privileges are granted along with any other role privileges assigned to the user in the Alert user interface.

For SAML, the "SAML Role Attribute Mapping" field is still present so that an Alert user can configure a SAML attribute other than the default "AlertRoles" attribute to carry the Alert role information. This is intended for Alert system administrators logging in via SAML.
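The following is an added example, not code from Alert itself, that models the two mappings described above: LDAP group names such as ROLE_ALERT_ADMIN map onto Alert roles, while the SAML role attribute (AlertRoles by default, or the name set in SAML Role Attribute Mapping) carries the Alert role names directly. Externally derived roles are granted in addition to whatever an administrator assigned in the user interface. Function names, the sample group lists and the sample attribute dictionaries are assumptions made for this illustration.

```python
# Added example (not Alert's own code): how LDAP group names and the SAML role
# attribute translate into Alert role grants, per the Authentication page.
# Function names and sample data are assumptions made for this illustration.

# LDAP: membership in these groups grants the corresponding Alert role.
LDAP_GROUP_TO_ROLE = {
    "ROLE_ALERT_ADMIN": "ALERT_ADMIN",
    "ROLE_ALERT_JOB_MANAGER": "ALERT_JOB_MANAGER",
    "ROLE_ALERT_USER": "ALERT_USER",
}

# SAML: the attribute values are the Alert role names themselves.
ALERT_ROLES = {"ALERT_ADMIN", "ALERT_JOB_MANAGER", "ALERT_USER"}
DEFAULT_ROLE_ATTRIBUTE = "AlertRoles"  # overridable via SAML Role Attribute Mapping


def roles_from_ldap_groups(group_names):
    """Map the LDAP groups a user belongs to onto Alert roles.
    Groups Alert does not know about grant nothing."""
    return {LDAP_GROUP_TO_ROLE[g] for g in group_names if g in LDAP_GROUP_TO_ROLE}


def roles_from_saml_attributes(attributes, role_attribute=DEFAULT_ROLE_ATTRIBUTE):
    """Read the Alert roles from the configured SAML attribute.

    `attributes` is a dict of attribute name -> list of values, which is what an
    assertion's AttributeStatement flattens to. Values that are not Alert role
    names are ignored; a roles attribute under a different name is not consulted
    unless that name is passed as `role_attribute`.
    """
    values = attributes.get(role_attribute, [])
    return {v for v in values if v in ALERT_ROLES}


def effective_roles(external_roles, roles_assigned_in_ui):
    """Externally granted roles apply along with the roles an Alert administrator
    assigned to the user in the user interface."""
    return set(external_roles) | set(roles_assigned_in_ui)


if __name__ == "__main__":
    # Constructed sample inputs
    ldap_user_groups = ["ROLE_ALERT_JOB_MANAGER", "developers"]
    saml_user_attributes = {"AlertRoles": ["ALERT_USER"], "email": ["jane@example.com"]}
    print(roles_from_ldap_groups(ldap_user_groups))
    print(roles_from_saml_attributes(saml_user_attributes))
    # Identity provider that puts the roles in a custom attribute name
    print(roles_from_saml_attributes({"MyRoles": ["ALERT_ADMIN"]}, role_attribute="MyRoles"))
    print(effective_roles({"ALERT_USER"}, {"ALERT_JOB_MANAGER"}))
```

The third call shows why the SAML Role Attribute Mapping field matters: if the identity provider emits the roles under a name other than AlertRoles and Alert is not told that name, the user arrives with no externally granted roles at all.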

How LDAP and SAML work in Alert

LDAP
Users log into Alert where they are added to the Alert system with the most restricted access to Alert.
After the user has logged in initially to Alert, a System Administrator can assign the user roles. The next time the user logs in they will have their access privileges based on the roles assigned to them.

SAML
SAML works the same as LDAP for non-admin users of Alert: they must log in initially, and an administrator grants them privileges afterward. The difference for SAML is the administrative user. Because SAML login redirects the user to another site to log in, an Alert administrative user must have the attribute containing the ALERT_ADMIN role assigned. This adds them to Alert as a user with administrative access at that first login, which enables them to assign roles to other users.

LDAP configuration

Alert authenticates users through LDAP. To set up your LDAP environment, navigate to Authentication > LDAP Configuration. To display the LDAP fields, click + to the left of LDAP Configuration.

Complete the following fields.

  • LDAP Enabled: Select the checkbox to enable LDAP authentication.

  • LDAP Server: Type your LDAP server IP address.

  • LDAP Manager DN: Type the distinguished name of the LDAP manager.

  • LDAP Manager Password: Type the password of the LDAP manager.

  • LDAP Authentication Type: Click the drop-down selector and choose the type of authentication required to connect to the LDAP server. Options are:

    • None

    • Simple

    • Digest-MD5

  • LDAP Referral: How referrals returned by the LDAP server are handled. Options are:

    • Ignore

    • Follow

    • Throw

  • LDAP User Search Base: The area in the LDAP directory in which user searches are done.

  • LDAP User Search Filter: The filter used to search for user membership.

  • LDAP User DN Patterns: The pattern used to supply a DN for the user. The pattern must be the name relative to the root DN.

  • LDAP User Attributes: User attributes to retrieve for users.

  • LDAP Group Search Base: The part of the LDAP directory in which group searches are done.

  • LDAP Group Search Filter: The filter used to search for group membership.

  • LDAP Group Role Attribute: The ID of the attribute containing the role name for a group.

After entering your LDAP configuration settings, click Save.

To test your LDAP configuration when LDAP is enabled:

  1. Click + LDAP Configuration and type the user name and password to test LDAP authentication.

  2. Click Send Test Message to test the authentication.

SAML configuration

Security Assertion Markup Language (SAML) authentication is supported. It is configured in Authentication > SAML Configuration; click + to the left of SAML Configuration to display the SAML fields. Configure your identity provider's metadata URL so that Alert can retrieve the metadata it needs for authentication.

If SAML authentication is enabled from the Authentication page, it takes precedence as the authentication provider. You are not able to log into Alert as the default sysadmin administrative user. If you have configured Alert in error, use the appropriate environment variable overrides to disable SAML authentication when restarting the Alert container.

For Alert to work properly, roles must be assigned to SAML attributes. Each identity provider is different regarding the assignment of SAML attributes. However, Alert requires the SAML attribute AlertRoles. The AlertRoles must be a list of roles that Alert recognizes. ALERT_ADMIN is currently the only role that should be on the list.

To configure SAML authentication, complete the following fields.

  1. SAML Enabled: Select the checkbox to enable SAML. If true, Alert attempts to authenticate using the SAML configuration.

  2. Force Auth: Select the checkbox to enable force auth. If true, the forceAuth flag is set to true in the SAML request to the identity provider (IDP). Check with your identity provider to verify support for force auth.

  3. Identity Provider Metadata URL: The metadata from the external identity provider.

  4. Identity Provider Metadata File: In Alert versions 5.1.0 and higher, you can upload a metadata XML file for SAML in the settings configuration. You can configure a URL if the IDP provides a URL or you can download a metadata XML file and upload it to the server.

    1. Click Browse to select your XML file.

    2. Click Upload.

    3. The Upload input field also includes the ability to remove the uploaded SAML XML configuration file from the server. Click Remove Uploaded File to remove the uploaded file from the server.

  5. Entity ID: The entity ID of the service provider (Alert). This is the audience defined in Okta.

  6. Entity Base URL: The URL of your Alert system.

  7. Click Save.

To test your SAML configuration when SAML is enabled:

  1. Click + SAML Configuration. No input is required because the SAML metadata fields are tested by the server.

  2. Click Send Test Message to test the authentication.

SAML variables

The following SAML variables are added to the blackduck-alert.env configuration file.

ALERT_COMPONENT_AUTHENTICATION_SETTINGS_SAML_ENABLED=
ALERT_COMPONENT_AUTHENTICATION_SETTINGS_SAML_ENTITY_BASE_URL=
ALERT_COMPONENT_AUTHENTICATION_SETTINGS_SAML_ENTITY_ID=
ALERT_COMPONENT_AUTHENTICATION_SETTINGS_SAML_FORCE_AUTH=
ALERT_COMPONENT_AUTHENTICATION_SETTINGS_SAML_METADATA_URL=
ALERT_COMPONENT_AUTHENTICATION_SETTINGS_SAML_ROLE_ATTRIBUTE_MAPPING_NAME=

# The following SAML variables are not supported in Alert 6.0.0
ALERT_COMPONENT_SETTINGS_SETTINGS_SAML_ENABLED=
ALERT_COMPONENT_SETTINGS_SETTINGS_SAML_ENTITY_BASE_URL=
ALERT_COMPONENT_SETTINGS_SETTINGS_SAML_ENTITY_ID=
ALERT_COMPONENT_SETTINGS_SETTINGS_SAML_FORCE_AUTH=
ALERT_COMPONENT_SETTINGS_SETTINGS_SAML_METADATA_URL=

The following SAML variables are added to the 1-cm-alert.yml file.

- ALERT_COMPONENT_AUTHENTICATION_SETTINGS_SAML_ENABLED=
- ALERT_COMPONENT_AUTHENTICATION_SETTINGS_SAML_ENTITY_BASE_URL=
- ALERT_COMPONENT_AUTHENTICATION_SETTINGS_SAML_ENTITY_ID=
- ALERT_COMPONENT_AUTHENTICATION_SETTINGS_SAML_FORCE_AUTH=
- ALERT_COMPONENT_AUTHENTICATION_SETTINGS_SAML_METADATA_URL=
- ALERT_COMPONENT_AUTHENTICATION_SETTINGS_SAML_ROLE_ATTRIBUTE_MAPPING_NAME=

# The following SAML variables are not supported in Alert 6.0.0
ALERT_COMPONENT_SETTINGS_SETTINGS_SAML_ENABLED:
ALERT_COMPONENT_SETTINGS_SETTINGS_SAML_ENTITY_BASE_URL:
ALERT_COMPONENT_SETTINGS_SETTINGS_SAML_ENTITY_ID:
ALERT_COMPONENT_SETTINGS_SETTINGS_SAML_FORCE_AUTH:
ALERT_COMPONENT_SETTINGS_SETTINGS_SAML_METADATA_URL:

Disabling SAML

There are two methods for disabling SAML authentication.

The first method is:

  1. Log in through SAML.

  2. Navigate to Authentication > SAML Configuration.

  3. Deselect the SAML Enabled checkbox.

The second method is:

  1. Disable SAML using environment variables by deleting all values for the SAML environment variables.

  2. Set the ALERT_COMPONENT_SETTINGS_SETTINGS_STARTUP_ENVIRONMENT_VARIABLE_OVERRIDE environment variable to true. However, doing so overrides all the stored values with the values from the environment variables. For example, if you do not want the Black Duck provider configuration to be deleted, you must completely remove the environment variables related to the Black Duck provider configuration, or update the values for the following variables as appropriate for your environment.

  • ALERT_PROVIDER_BLACKDUCK_BLACKDUCK_URL

  • ALERT_PROVIDER_BLACKDUCK_BLACKDUCK_API_KEY

  • ALERT_PROVIDER_BLACKDUCK_BLACKDUCK_TIMEOUT

  3. Restart Alert.
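Because the startup override copies every environment value over the stored configuration, it is worth checking blackduck-alert.env before the restart in the second method. The following is an added example, not tooling shipped with Alert, that reads such a file and reports two things this page calls out: any ALERT_COMPONENT_SETTINGS_SETTINGS_SAML_* variables, which Alert 6.0.0 no longer supports, and, when ALERT_COMPONENT_SETTINGS_SETTINGS_STARTUP_ENVIRONMENT_VARIABLE_OVERRIDE is true, every variable that is present but empty, since each of those will blank the corresponding stored setting. The function names and the sample file contents are constructed for this illustration; the API key value is a placeholder.

```python
# Added example (not Alert's own tooling): pre-restart check of blackduck-alert.env
# for the two pitfalls described in "SAML variables" and "Disabling SAML".
# Function names and the sample file are constructed for this illustration.

import re

UNSUPPORTED_SAML_PREFIX = "ALERT_COMPONENT_SETTINGS_SETTINGS_SAML_"
OVERRIDE_VAR = "ALERT_COMPONENT_SETTINGS_SETTINGS_STARTUP_ENVIRONMENT_VARIABLE_OVERRIDE"
_ASSIGNMENT = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_env(text):
    """Return {name: value} for KEY=VALUE lines; comments and blank lines are skipped."""
    env = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = _ASSIGNMENT.match(line)
        if match:
            env[match.group(1)] = match.group(2)
    return env


def check_env(text):
    """Report unsupported SAML variables and, if the override flag is on, the
    variables whose empty values would wipe the stored configuration."""
    env = parse_env(text)
    unsupported = sorted(k for k in env if k.startswith(UNSUPPORTED_SAML_PREFIX))
    override_on = env.get(OVERRIDE_VAR, "").strip().lower() == "true"
    would_blank = sorted(k for k, v in env.items() if override_on and v == "")
    return {
        "unsupported_saml": unsupported,
        "override_on": override_on,
        "would_blank": would_blank,
    }


# Constructed sample: an operator disabling SAML with the second method above.
SAMPLE_ENV = """\
# SAML values cleared on purpose so that SAML is disabled on restart
ALERT_COMPONENT_AUTHENTICATION_SETTINGS_SAML_ENABLED=
ALERT_COMPONENT_AUTHENTICATION_SETTINGS_SAML_METADATA_URL=
# leftover from an older Alert release
ALERT_COMPONENT_SETTINGS_SETTINGS_SAML_ENABLED=true
ALERT_COMPONENT_SETTINGS_SETTINGS_STARTUP_ENVIRONMENT_VARIABLE_OVERRIDE=true
# Black Duck provider: the URL was left empty, so the override would erase it
ALERT_PROVIDER_BLACKDUCK_BLACKDUCK_URL=
ALERT_PROVIDER_BLACKDUCK_BLACKDUCK_API_KEY=<api-key-placeholder>
ALERT_PROVIDER_BLACKDUCK_BLACKDUCK_TIMEOUT=300
"""

if __name__ == "__main__":
    for key, value in check_env(SAMPLE_ENV).items():
        print(f"{key}: {value}")
```

In the sample, the two empty SAML variables are intended (that is how the second method disables SAML), but the empty ALERT_PROVIDER_BLACKDUCK_BLACKDUCK_URL is the mistake the text warns about: with the override on, it must either be given its real value or be removed from the file entirely before Alert is restarted.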

SAML example

  1. An Alert Administrators application is created that sets the AlertRoles application attribute with the ROLE_ALERT_ADMIN as the value.

  2. An Alert Job managers application is created that sets the AlertRoles application attribute with the ROLE_ALERT_JOB_MANAGER as the value.

  3. An Alert Users application is created that sets the AlertRoles application attribute with the ROLE_ALERT_USER as the value.

When these applications are created, the administrator assigns users to those applications. This grants the appropriate roles to the user.

You must add the AlertRoles to the attribute statements of the application. An administrator assigns the roles for the Alert application, and grants access to users of the application. Synopsys recommends creating:

  • An Alert Admin application for administrator users.

  • An Alert Job Manager for job manager users.

  • An Alert User application for read-only access.

The AlertRoles attribute in SAML contains a list of role names that may include one or more combinations of the following role names:

  • ALERT_ADMIN

  • ALERT_JOB_MANAGER

  • ALERT_USER

User role mapping configuration

Alert versions 5.1.0 and later have the following user roles:

  • Admin

  • Job Manager

  • User

The following fields allow LDAP group names to be mapped to a corresponding role in Alert. These fields are optional; they are needed only when you want to map your own role names onto the Alert roles. If SAML is enabled, SAML supplies the Alert roles in an attribute assigned to the application. If the user belongs to an LDAP group whose name matches the value entered in one of the following fields, Alert grants the user access according to the mapped Alert role.

User roles

The user role fields in User Role Mapping are as follows:

  • Admin User Role Name: The LDAP group name or SAML role attribute value to grant access as an administrator in Alert.

  • Job Manager Role Name: The LDAP group name or SAML role attribute value to grant access as a job manager in Alert.

  • User Role Name: The LDAP group name or SAML role attribute value to grant access as a user in Alert.

For SAML, the functionality is the same: if the attribute containing the Alert roles for the user contains the input into one of the following fields, then Alert grants the user access to Alert, according to the mapped Alert role. To set up user roles, navigate to Authentication > User Management.

To configure Users and Roles in Alert, on the left navigation, click User Management > Users or Roles.

SAML roles

The SAML field is:

  • SAML Role Attribute Mapping

Alert also allows the definition of the attribute name that contains the roles for Alert. By default, Alert expects an application attribute of AlertRoles. To use a different attribute name, you can configure the name here. Alert inspects the attributes assigned to your application and retrieves the list of roles from this attribute. Access is granted if there are proper Alert roles assigned to the user.

User role assignment for SAML and LDAP

The user information regarding the roles from external systems such as SAML or LDAP is added to the current role configuration in the Alert database for the logged-in user.

Refer to the following example to see how roles are impacted by changes made by the provider:

  1. The user has an ALERT_ADMIN role because in SAML they have the attribute specifying the role ALERT_ADMIN.

  2. The user logs into Alert 5.3.0 for the first time.

  3. The database is updated to associate the ALERT_ADMIN role with the user.

  4. The user logs out of Alert.

  5. In the SAML provider, the role attribute is changed from ALERT_ADMIN to ALERT_JOB_MANAGER.

  6. The user logs into Alert.

  7. The database is updated to associate the ALERT_JOB_MANAGER role with the user.

  8. The user now has both ALERT_ADMIN and ALERT_JOB_MANAGER roles assigned to them.

The capability to edit the role of a SAML or LDAP user in Alert is helpful in the following circumstances:

  • The user's role is changed on the SAML or LDAP server, and the system administrator can delete the old role in Alert.

  • The alertuser user has the ALERT_USER user role.
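The eight-step walkthrough above has a consequence worth seeing explicitly: roles reported by SAML or LDAP are added to the user's stored roles, and a later login with a different role does not take the earlier one away. The following is an added example, not Alert's own code, that simulates that bookkeeping, replays the walkthrough, lists the roles the external system no longer asserts, and shows the manual deletion a system administrator performs in User Management. Class, method and user names are assumptions made for this illustration.

```python
# Added example (not Alert's own code): simulates the role bookkeeping described
# in "User role assignment for SAML and LDAP". Roles asserted by the external
# system at login are added to the stored set and never removed automatically.
# Class, method and user names are assumptions made for this illustration.


class UserRoleStore:
    """Minimal stand-in for the per-user role records in the Alert database."""

    def __init__(self):
        self._roles = {}  # username -> set of Alert role names

    def login(self, username, external_roles):
        """Apply the roles carried by an external login (SAML attribute values or
        mapped LDAP groups). A first login creates the record; later logins only
        add to it."""
        stored = self._roles.setdefault(username, set())
        stored |= set(external_roles)
        return frozenset(stored)

    def roles(self, username):
        return frozenset(self._roles.get(username, set()))

    def remove_role(self, username, role):
        """What a system administrator does by hand when the role changed on the
        SAML or LDAP side: delete the old role from the user in Alert."""
        self._roles.get(username, set()).discard(role)
        return self.roles(username)


def walk_through_example(store=None):
    """Replays the eight numbered steps and returns the user's roles afterwards."""
    if store is None:
        store = UserRoleStore()
    store.login("jane", {"ALERT_ADMIN"})               # steps 1-3: first login
    # steps 4-5: user logs out; provider changes the attribute to ALERT_JOB_MANAGER
    return store.login("jane", {"ALERT_JOB_MANAGER"})  # steps 6-8: second login


def stale_roles(stored_roles, current_external_roles):
    """Roles still in the database that the external system no longer asserts.
    This is the set an administrator should review and delete."""
    return frozenset(stored_roles) - frozenset(current_external_roles)


if __name__ == "__main__":
    store = UserRoleStore()
    print(sorted(walk_through_example(store)))                              # both roles
    print(sorted(stale_roles(store.roles("jane"), {"ALERT_JOB_MANAGER"})))  # ALERT_ADMIN
    print(sorted(store.remove_role("jane", "ALERT_ADMIN")))                 # cleaned up
```

The stale-role check is the review step the text implies: after a role change at the provider, compare what Alert has stored with what the provider currently asserts, and remove the difference, since a downgrade at the identity provider alone leaves the old privilege in place.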

Disabling Google Analytics

Synopsys Alert transmits data such as IP address, product name, and version to Google Analytics for future product enhancement. This feature can be turned off using the following property and value in the file blackduck-alert.env:

SYNOPSYS_SKIP_PHONE_HOME=true

©2018 Synopsys, Inc. All Rights Reserved