• Document Up to Date

Configure Header-Based Authentication Enterprise only feature

Crafter Studio can integrate with any authentication system that sends custom HTTP headers containing information that will be used to authenticate the user in Studio. This section details how to set up Studio for header-based authentication.

Configure Studio for Header-Based Authentication

Configuring Studio for header-based authentication is very simple: in your Authoring installation, go to CRAFTER_HOME/bin/apache-tomcat/shared/classes/crafter/studio/extension and add the following lines to studio-config-override.yaml (of course, make any appropriate configuration changes according to your system):

 1# Studio authentication chain configuration
 2# studio.authentication.chain:
 3  # Authentication provider type
 4  # - provider: HEADERS
 5    # Authentication via headers enabled
 6    # enabled: true
 7    # Authentication header for secure key
 8    # secureKeyHeader: secure_key
 9    # Authentication headers secure key that is expected to match secure key value from headers
10    # Typically this is placed in the header by the authentication agent
11    # secureKeyHeaderValue: secure
12    # Authentication header for username
13    # usernameHeader: username
14    # Authentication header for first name
15    # firstNameHeader: firstname
16    # Authentication header for last name
17    # lastNameHeader: lastname
18    # Authentication header for email
19    # emailHeader: email
20    # Authentication header for groups: comma separated list of sites and groups
21    #   Example:
22    #   site_author,site_xyz_developer
23    # groupsHeader: groups
24    # Enable/disable logout for headers authenticated users (SSO)
25    # logoutEnabled: false
26    # If logout is enabled for headers authenticated users (SSO), set the endpoint of the SP or IdP logout, which should
27    # be called after local logout. The {baseUrl} macro is provided so that the browser is redirected back to Studio
28    # after logout (https://STUDIO_SERVER:STUDIO_PORT/studio)
29    # logoutUrl: /YOUR_DOMAIN/logout?ReturnTo={baseUrl}

The attribute enabled enables/disables headers authentication, make sure this is set to true for header-based authentication.

The secure_key attribute is a secret shared between the authentication agent and Studio via this header. Note that this secure_key is required and header-based authentication will not proceed unless the secure_key sent to Studio matches this configuration.

Upon matching the secure_key header, Studio will then look for the principal. This comes in as a set of loose headers that indicate the principal’s attributes: username, firstname, lastname, email, and groups.

Configuring Logout

The Sign out button link is disabled/hidden by default when headers based authentication is enabled.

To enable Sign out for users signed in using headers based authentication, change the following lines (as described from the above configuration) in your studio-config-override.yaml (of course, make any appropriate configuration changes according to your system):

# Enable/disable logout for headers authenticated users (SSO)
# logoutEnabled: false
# If logout is enabled for headers authenticated users (SSO), set the endpoint of the SP or IdP logout, which should
# be called after local logout. The {baseUrl} macro is provided so that the browser is redirected back to Studio
# after logout (https://STUDIO_SERVER:STUDIO_PORT/studio)
# logoutUrl: /YOUR_DOMAIN/logout?ReturnTo={baseUrl}