1. Root element and types

The UAA configuration file starts with the --- document marker and then contains the configuration elements described in the following sections:

---
...



2. LDAP integration configuration

  • ldap - a container (list) for UAA integration configuration with a Domain Controller over LDAP; each entry describes one LDAP domain.

    • domain - the part of the user login which follows after "@".

    • providerUrl - LDAP connection URL.

    • type - supported values: OPEN_LDAP, ACTIVE_DIRECTORY. Optional parameter. By default: OPEN_LDAP.

    • systemUser - system LDAP user which is used for searching user groups (must have read permissions).

    • systemPassword - password of the system LDAP user.

    • groupSearchBase - the base DN from which the search for group membership should be performed.

    • groupSearchSubtree - enables searching of the entire tree below the groupSearchBase.

    • userDnPattern - pattern used to build the potential DN matches for a user (see the {0} placeholder in the example below).

    • attribute - LDAP user attribute mapping container.

      • key - XM UserDTO field, value - LDAP attribute name.

    • role - a container for roles configuration.

      • defaultRole - default role which will be assigned if no role is matched.

      • mapping - LDAP role mapping to the XM roles. Key - LDAP CN of the group, value - XM role.



Example:

ldap:
  - domain: xm.com
    providerUrl: ldap://localhost:1389
    systemUser: uid=test@xm.com,ou=Users,dc=xm,dc=com
    systemPassword: test
    groupSearchBase: ou=Groups,dc=xm,dc=com
    groupSearchSubtree: true
    userDnPattern: uid={0},ou=Users,dc=xm,dc=com
    attribute:
      firstName: givenName
      lastName: sn
    role:
      defaultRole: ROLE-DEFAULT-USER
      mapping:
        role-user: ROLE-USER
        role-admin: SUPER-ADMIN
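The following is an added example, not XME.digital project code: it shows how the ldap entry above is selected from a login, how the {0} placeholder of userDnPattern is filled (with RFC 4514 escaping, so a login cannot inject extra RDN components), and how group CNs are mapped through role.mapping with defaultRole as fallback. The config dict mirrors the page's YAML example; LDAP_CONFIG, escape_dn_value, find_ldap_entry, build_user_dn and resolve_roles are names chosen here, and returning every matched role (rather than only the first) is an assumption.

```python
# Added example (not XME.digital project code): resolve a login against the
# "ldap" configuration above and map LDAP groups to XM roles. The config is
# a dict mirroring the page's YAML example (keys not used here are omitted).
LDAP_CONFIG = {"ldap": [{
    "domain": "xm.com",
    "userDnPattern": "uid={0},ou=Users,dc=xm,dc=com",
    "role": {"defaultRole": "ROLE-DEFAULT-USER",
             "mapping": {"role-user": "ROLE-USER", "role-admin": "SUPER-ADMIN"}},
}]}

_DN_SPECIAL = set('"+,;<>\\')

def escape_dn_value(value):
    # RFC 4514 section 2.4 escaping, so a login substituted into the DN
    # pattern cannot introduce additional RDN components.
    out = "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def find_ldap_entry(config, login):
    # Select the entry whose 'domain' equals the part of the login after '@'.
    if "@" not in login:
        return None, None
    local_part, domain = login.rsplit("@", 1)
    for entry in config["ldap"]:
        if entry["domain"].lower() == domain.lower():
            return entry, local_part
    return None, None

def build_user_dn(entry, local_part):
    # Fill the {0} placeholder of userDnPattern with the escaped login.
    return entry["userDnPattern"].replace("{0}", escape_dn_value(local_part))

def resolve_roles(entry, group_dns):
    # Map the CN of each group DN through role.mapping; if no group matches,
    # fall back to defaultRole. Assumes 'cn=...' is the first RDN (assumption).
    roles = []
    for dn in group_dns:
        attr, _, cn = dn.split(",", 1)[0].partition("=")
        role = entry["role"]["mapping"].get(cn) if attr.strip().lower() == "cn" else None
        if role and role not in roles:
            roles.append(role)
    return roles or [entry["role"]["defaultRole"]]
```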



3. External authentication configuration

XME.digital can integrate any social login provider with OAuth 2.0 support via configuration. First, obtain the security settings from the social provider and then apply them in the XME.digital external authentication configuration.

  • social - a container with an array of integration configurations, one for each authentication over OAuth 2.0.

    • providerId - a provider identifier; it can be the name of the provider (facebook, google, etc.).

    • clientId - a client ID from the external system.

    • clientSecret - a client secret from the external system.

    • authorizeUrl - an external system URL for the authorization initialization.

    • useParametersForClientAuthentication - if true, then clientId and clientSecret will be placed in the URL, otherwise in headers. By default: true.

    • accessTokenUrl - an external system URL for exchanging a code for a token.

    • scope - defines the specific actions applications can be allowed to do on a user's behalf.

    • userInfoUri - an external system URL to fetch user information.

    • tokenStrategy - defines the way the token is passed to fetch user information. Possible values: AUTHORIZATION_HEADER, ACCESS_TOKEN_PARAMETER or OAUTH_TOKEN_PARAMETER. By default: AUTHORIZATION_HEADER.

    • createAccountAutomatically - allows creating a new account in the UAA. By default: true.

    • baseUrl - defines the UAA callback prefix.

    • userInfoMapping - a container with the mapping of external user information to the UAA account. Each value is a path into the provider's response, like response.user_info.first_name, or a simple field name like family_name.

      • id - mapping for the account ID. It is required for authentication detection.

      • name - mapping for the account name.

      • firstName - mapping for the account first name.

      • lastName - mapping for the account last name.

      • email - mapping for the account email.

      • username - if set, UAA will try to use it as the nickname, and it should be unique.

      • profileUrl - mapping for the account profile URL.

      • imageUrl - mapping for the account avatar URL.

      • phoneNumber - mapping for the account phone number.

      • langKey - mapping for the account preferred language.



Example:

social:
  - providerId: google
    clientId: <clientId>
    clientSecret: <clientSecret>
    authorizeUrl: https://accounts.google.com/o/oauth2/v2/auth
    accessTokenUrl: https://www.googleapis.com/oauth2/v4/token
    scope: 'https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email'
    userInfoUri: https://www.googleapis.com/oauth2/v3/userinfo
    userInfoMapping:
      id: sub
      name: name
      firstName: given_name
      lastName: family_name
      email: email
      username:
      profileUrl: link
      imageUrl: picture
      phoneNumber:
      langKey: locale
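The following is an added example, not XME.digital project code: it applies a userInfoMapping (dotted paths as described above) to a provider's user-info response, refuses the sign-in when the required id does not resolve, and builds the user-info request for each tokenStrategy value. SOCIAL_CONFIG mirrors the page's google example, SAMPLE_USER_INFO is a constructed response, and the header and query-parameter names used for the three strategies are assumptions, not taken from the page.

```python
# Added example (not XME.digital project code): apply "userInfoMapping" to a
# provider response and build the user-info request per "tokenStrategy".
# The header/parameter names for the three strategies are assumptions.
SOCIAL_CONFIG = {
    "userInfoUri": "https://www.googleapis.com/oauth2/v3/userinfo",
    "tokenStrategy": "AUTHORIZATION_HEADER",
    "userInfoMapping": {"id": "sub", "name": "name", "firstName": "given_name",
                        "lastName": "family_name", "email": "email",
                        "username": None, "imageUrl": "picture", "langKey": "locale"},
}

# Constructed sample of what the provider might return (not real data).
SAMPLE_USER_INFO = {"sub": "1234567890", "name": "Alice Example", "given_name": "Alice",
                    "family_name": "Example", "email": "alice@example.test",
                    "picture": "https://example.test/a.png", "locale": "en"}

def resolve_path(data, path):
    # Walk a dotted path such as "response.user_info.first_name"; return None
    # if any segment is missing rather than raising.
    for key in path.split("."):
        if not isinstance(data, dict) or key not in data:
            return None
        data = data[key]
    return data

def map_user_info(mapping, data):
    # Build the UAA account fields; 'id' is mandatory because it identifies
    # the account on later logins, so a missing id must abort the sign-in.
    account = {}
    for field, path in mapping.items():
        if path:  # empty mappings such as "username:" are skipped
            value = resolve_path(data, path)
            if value is not None:
                account[field] = value
    if "id" not in account:
        raise ValueError("userInfoMapping.id did not resolve; refusing to sign in")
    return account

def user_info_request(config, access_token):
    # Returns (url, headers, query params) according to tokenStrategy.
    strategy = config.get("tokenStrategy", "AUTHORIZATION_HEADER")
    if strategy == "AUTHORIZATION_HEADER":
        return config["userInfoUri"], {"Authorization": "Bearer " + access_token}, {}
    if strategy == "ACCESS_TOKEN_PARAMETER":
        return config["userInfoUri"], {}, {"access_token": access_token}
    if strategy == "OAUTH_TOKEN_PARAMETER":
        return config["userInfoUri"], {}, {"oauth_token": access_token}
    raise ValueError("unknown tokenStrategy: " + strategy)
```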



Mobile ID authentication can also be integrated into XME.digital via this configuration, since it supports OAuth 2.0.

XME.digital sign-in page with Mobile ID:

Picture 56

Mobile ID page with the sign-in form:

Picture 57

Mobile ID page with operation code:

Picture 58

Mobile phone with operation code:

Picture 59

Mobile phone with entering PIN:

Picture 60

XME.digital signed-in user over Mobile ID:

Picture 61


4. Public Settings configuration

  • publicSettings - a container for public settings.

    • passwordSettings - password settings container.

      • minLength - minimum password length.

      • maxLength - maximum password length.

      • enableBackEndValidation - enables the server side validation (true/false).

    • passwordPolicies - password policies settings container (a list of policies).

      • pattern - regular expression string that will be applied to the password.

      • patternMessage - object with translations of the message that describes the policy requirement.

    • passwordPoliciesMinimalMatchCount - number of password policies that must pass to accept the password.


Example:

publicSettings:
  passwordSettings:
    minLength: 8
    maxLength: 12
    enableBackEndValidation: true
  passwordPolicies:
    - pattern: ".*\\d.*"
      patternMessage: {en: "The password must contain at least 1 digit"}
    - pattern: ".*[!@#$%^&*%].*"
      patternMessage: {en: "The password must contain at least 1 special character"}
    - pattern: ".*[A-Z].*"
      patternMessage: {en: "The password must contain at least 1 uppercase character"}
  passwordPoliciesMinimalMatchCount: 2
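The following is an added example, not XME.digital project code: a server-side check implementing the publicSettings above, with the page's values embedded as PUBLIC_SETTINGS. It enforces the length limits, counts how many policy patterns match and accepts the password only when at least passwordPoliciesMinimalMatchCount of them do, returning the patternMessage of each unmet policy. Applying the patterns with a full match (Java String.matches semantics) and the wording of the length message are assumptions.

```python
import re

# Added example (not XME.digital project code): the server-side check that
# "publicSettings" above describes, with the page's values embedded. Patterns
# are applied with fullmatch, which assumes Java String.matches semantics.
PUBLIC_SETTINGS = {
    "passwordSettings": {"minLength": 8, "maxLength": 12, "enableBackEndValidation": True},
    "passwordPolicies": [
        {"pattern": r".*\d.*", "patternMessage": {"en": "The password must contain at least 1 digit"}},
        {"pattern": r".*[!@#$%^&*%].*", "patternMessage": {"en": "The password must contain at least 1 special character"}},
        {"pattern": r".*[A-Z].*", "patternMessage": {"en": "The password must contain at least 1 uppercase character"}},
    ],
    "passwordPoliciesMinimalMatchCount": 2,
}

def validate_password(settings, password, lang="en"):
    # Returns (accepted, list of messages describing unmet requirements).
    # Length limits always apply; the policy patterns are counted and the
    # password is accepted when at least the configured number of them match.
    ps = settings["passwordSettings"]
    if not ps.get("enableBackEndValidation", False):
        return True, []  # server-side validation switched off in the config
    problems = []
    if not ps["minLength"] <= len(password) <= ps["maxLength"]:
        problems.append("length must be between %d and %d" % (ps["minLength"], ps["maxLength"]))
    matched, unmet = 0, []
    for policy in settings["passwordPolicies"]:
        if re.fullmatch(policy["pattern"], password):
            matched += 1
        else:
            messages = policy["patternMessage"]
            unmet.append(messages.get(lang) or next(iter(messages.values())))
    required = settings["passwordPoliciesMinimalMatchCount"]
    if matched < required:
        problems.append("at least %d of %d policies must match" % (required, len(settings["passwordPolicies"])))
        problems.extend(unmet)
    return not problems, problems
```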