You can connect to Windows Active Directory (in read-only mode). In order for the Active Directory user manager option to be available in the User manager tab of the Users / Groups section in JMap Admin, you must include the following line in the JMAP_HOME/conf/jmapserver.properties file:
usermanager.ad=com.kheops.jmap.server.security.ActiveDirectoryUserManager
We recommend you use the Composite user manager instead of simply using the Active Directory user manager. This will allow you to maintain access to JMap Admin even if errors arise in the configuration of Active Directory.
In the User manager section, select the Composite user manager and add the Active Directory user manager. A new interface opens, allowing you to enter the settings to configure the connection to the Active Directory server.
Active Directory
Friendly name
Name used to easily identify the Active Directory user manager.
Server address
Address of the Windows domain controller server configured with Active Directory. You can add several Active Directory servers by separating them with a space.
Example: ldap://host1 ldap://host2, where host1 and host2 are the URLs of the Active Directory servers. Active Directory is based on LDAP.
DN
Unique identifier (Distinguished Name) pointing at the root of the directory. Composed of a list of DC (Domain Component) entries.
Example: dc=k2,dc=com
Domain
Name of the Windows domain.
Example:
k2.com
User / SPN
User name that JMap Server will use to connect to the Active Directory. It is recommended to create a user especially for JMap. Its password should never expire. If you wish to use single sign-on, you will have to create an SPN (Service Principal Name) associated with this user. See Single Sign-On for more details.
Password
Password of the user JMap Server will use to connect to the Active Directory.
Admin. password
A user named administrator must always exist in JMap. If no administrator user exists in the Active Directory, JMap will simulate one. In such a case, provide the password associated with this user. If the user administrator does exist in the Active Directory and a password is entered, this password will simply be ignored.
Enable single sign-on
Enables the single sign-on option. See Single Sign-On for more details.
Default / Custom LDAP configuration
Active Directory is based on LDAP. This option allows for the use of LDAP parameters that are most commonly used for Active Directory. However, if those parameters don’t match the ones in use, it is possible to specify custom values. The settings are described in the following section, JMap LDAP user manager.
Max page size
Active Directory limits the transaction size to a maximum number of records at a time (page size). The value of this parameter must not be greater than the maximum size authorized by Active Directory (1000 is the default value in Active Directory). If the size is too small, this can reduce performance. A size greater than the authorized limit will cause missing data in the user list.
In JMap Admin, the user manager configuration can be accessed by clicking on Users / Groups in the JMap Server section. Select the User manager tab.
The user manager allows you to define how JMap will manage user accounts and groups. There are two ways to manage this information with JMap:
Using the JMap user account database: you create and delete the user accounts directly from JMap Admin;
By connecting to an existing database of user accounts, such as a Windows Active Directory system, an LDAP compatible system or a relational database, or by connecting to an identity manager using a protocol such as SAML2 or OpenID Connect.
Several systems can also be combined to be used simultaneously (e.g. the JMap database and Windows Active Directory). These systems are then used as a single system. When JMap Server connects to an existing database, user account management is simplified because no account or user group needs to be created and managed in JMap.
The following sections describe each available option.
When you connect to a user or identity manager that is external to JMap (Active Directory, LDAP, OIDC, SAML2 or an external relational database), it is useful to synchronize JMap Server with that source for two reasons:
When users or groups are deleted from the database and those deleted users or groups had been given permissions in JMap (e.g. to open a project or view certain layers), the permissions are not deleted from JMap Server permission lists. This can happen because JMap Server is not aware the users or groups have been deleted from the database. When synchronizing, JMap Server removes all existing permissions for deleted users and groups. However, even if you don’t synchronize, there is no security problem because deleted users will fail at login.
When the contents of user groups are modified (members added or removed), synchronizing lets JMap Server reload the lists of users that belong to the groups. JMap Server keeps the group member lists in memory for performance reasons.
You can automate the synchronization by selecting the option Synchronize automatically every… and specifying a time period.
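As an added illustration (not JMap's code) of the two effects of synchronizing described above: grants held by users or groups that no longer exist in the external directory are dropped, and the in-memory group member lists are reloaded. The directory snapshot, permission lists and cache below are constructed sample data.

```python
# Added illustration (not JMap's code) of the two effects of synchronizing
# described above: permissions held by principals that no longer exist in the
# external directory are dropped, and the in-memory group member lists are
# reloaded. All directory contents and permissions are constructed sample data.
from typing import Dict, List, Set, Tuple

# Constructed snapshot of the external directory after some deletions:
# user "carol" and group "legacy-team" were removed on the directory side.
DIRECTORY_USERS: Set[str] = {"alice", "bob", "administrator"}
DIRECTORY_GROUPS: Dict[str, Set[str]] = {
    "gis-editors": {"alice"},
    "viewers": {"alice", "bob"},
}

# Constructed JMap-style permission lists: resource -> principals granted.
PERMISSIONS: Dict[str, Set[str]] = {
    "project:Parcels": {"alice", "carol", "gis-editors", "legacy-team"},
    "layer:Roads": {"viewers", "carol"},
}

# Constructed member cache as it looked before the directory changed.
GROUP_CACHE: Dict[str, Set[str]] = {
    "gis-editors": {"alice", "carol"},
    "viewers": {"alice"},
}


def synchronize(
    permissions: Dict[str, Set[str]],
    dir_users: Set[str],
    dir_groups: Dict[str, Set[str]],
) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]], List[str]]:
    """Return (cleaned permissions, refreshed group cache, removed grants)."""
    known = dir_users | set(dir_groups)
    cleaned: Dict[str, Set[str]] = {}
    removed: List[str] = []
    for resource, principals in permissions.items():
        kept = {p for p in principals if p in known}
        # Reason 1: stale grants to deleted users/groups are removed. Without a
        # sync they linger in the lists, although the deleted user can no longer log in.
        removed.extend(f"{resource}:{p}" for p in sorted(principals - kept))
        cleaned[resource] = kept
    # Reason 2: group member lists are reloaded from the directory.
    refreshed = {name: set(members) for name, members in dir_groups.items()}
    return cleaned, refreshed, removed


def effective_users(resource: str, permissions: Dict[str, Set[str]],
                    group_cache: Dict[str, Set[str]]) -> Set[str]:
    """Users who can reach a resource: direct grants plus members of granted groups."""
    users: Set[str] = set()
    for principal in permissions.get(resource, set()):
        users |= group_cache.get(principal, {principal})
    return users


if __name__ == "__main__":
    before = effective_users("project:Parcels", PERMISSIONS, GROUP_CACHE)
    cleaned, cache, removed = synchronize(PERMISSIONS, DIRECTORY_USERS, DIRECTORY_GROUPS)
    print("removed grants:", removed)
    print("Parcels before/after:", sorted(before), sorted(effective_users("project:Parcels", cleaned, cache)))
```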
This type of user management allows you to combine several managers together. You can add as many user managers as necessary. All user managers will function as a single user manager. Refer to the previous sections for information on user manager configuration.
A composite user manager is recommended if your system integrates several managers or if you wish to transition towards a web-based single-sign on system.
This type of user account management records users and groups directly into JMap Server’s System database or in an external database containing the required tables and fields. The JMap administrator must create and manage all user accounts and groups.
Click on the User manager tab from the Users / Groups section. Select JMap DB user manager to indicate that user accounts will be managed within a relational database. To store information in JMap Server’s System database, select the JMap Server database option.
You can also use any relational database that contains at least the required tables and fields by selecting the External database option. When you do this, an interface displays, allowing you to define the configuration parameters. Using this configuration interface, select the database you wish to use. Afterwards, select the tables and fields containing the various information pertaining to users and groups. If needed, you can select Read-only mode to prevent account information from being modified by JMap Admin.
Once this configuration has been defined, you can create, modify and delete user accounts directly from JMap Admin.
You can connect to any LDAP compliant directory (in read-only mode). Unix, Linux and Windows systems offer many LDAP compliant directories.
In order for the JMap LDAP user manager option to be available in the User manager tab of the Users / Groups section in JMap Admin, you must include the following line in the JMAP_HOME/conf/jmapserver.properties file:
usermanager.ldap=com.kheops.jmap.server.security.LDAPUserManager
We recommend you use the Composite user manager instead of simply using the LDAP user manager. This will allow you to maintain access to JMap Admin even if errors arise in the configuration of LDAP.
In the User manager section, select the Composite user manager and add the JMap LDAP user manager. A new interface opens, allowing you to enter the settings to configure the connection to the LDAP server.
For more information on the LDAP protocol, refer to http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol.
JMap LDAP user manager
Friendly name
Name used to easily identify the LDAP user manager.
Server URL
LDAP server address. You can add several LDAP servers by separating the addresses with a space.
Example: ldap://host1 ldap://host2, where host1 and host2 are the URLs of the LDAP servers.
DN
Unique identifier (Distinguished Name) used to define the root of the directory. Includes a list of Domain Component entries.
Example: dc=k2geospatial,dc=com
User
User name that will be used by JMap Server to connect to the LDAP directory. It is recommended to have a user created specifically for JMap purposes. This user’s password should never expire. The user name must be accompanied by the domain the user belongs to.
Example: cn=admin,dc=k2geospatial,dc=com
Password
The user password that JMap Server will use to connect to the LDAP directory.
Admin. password
A user named administrator must always exist in JMap. If there is no administrator user in the LDAP directory, JMap will simulate one. In this case, you must provide the password associated with this user. If the administrator user exists in the LDAP directory and a password is entered, it will be ignored.
Use prefix and suffix
Select this option if the LDAP server uses a prefix and a suffix for user authentication.
Authentication prefix
Some LDAP servers require a prefix to be concatenated with the user name in order to proceed with authentication.
Example:
Prefix: a_domain\
User: a_user
Result: a_domain\a_user
Authentication suffix
Some LDAP servers require a suffix to be concatenated with the user name to proceed with authentication.
Example:
Suffix: @a_domain
User: a_user
Result: a_user@a_domain
User class
Name of the LDAP object class used to identify a user in the LDAP directory. This setting and the ones that follow depend on the internal structure of the LDAP server, i.e. the way users are organized into groups; they are used to identify LDAP users and groups, so you must enter the values that match the LDAP server you connect to.
Group class
Name of the LDAP object class used to identify a group in the LDAP directory.
User filter
Search filter used to extract users from the LDAP directory. This filter must be formatted according to the standard LDAP syntax.
Group filter
Search filter used to extract groups from the LDAP directory. This filter must be formatted according to the standard LDAP syntax.
User attribute
The attribute of an LDAP user that defines this user’s identity.
Group attribute
The attribute of an LDAP group that defines this group’s identity.
Member attribute
The attribute of an LDAP group that defines which users are members of this group.
Full name attribute
The attribute of an LDAP user that defines this user’s full name.
Email attribute
The attribute of an LDAP user that defines this user’s email address.
Max page size
In LDAP directories, the size of transactions is limited to a maximum number of records at once (the page size). The value of this parameter must not exceed the maximum size permitted by the directory (1000 is the default value in LDAP directories). If the size is too small, this could affect performance. If the size is larger than the authorized limit, data will be missing in the user list.
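As an added illustration (not JMap's code) of how the User class, User filter, User attribute and the authentication prefix/suffix settings above typically combine into a directory lookup and an authentication name. The object class, filter and attribute values are constructed examples; the escaping follows RFC 4515 so a login containing "*", "(", ")" or "\" is matched literally instead of altering the filter.

```python
# Added illustration (not JMap's code): how the User class, User filter, User
# attribute and the authentication prefix/suffix settings typically combine
# into a directory lookup and an authentication name. The setting values are
# constructed examples; escape_filter_value applies the RFC 4515 rules.
from typing import Optional

USER_CLASS = "inetOrgPerson"   # constructed value for the "User class" setting
USER_FILTER = "(memberOf=cn=jmap-users,ou=groups,dc=k2geospatial,dc=com)"  # "User filter"
USER_ATTRIBUTE = "uid"         # constructed value for the "User attribute" setting

# Characters RFC 4515 reserves inside an assertion value, with their escapes.
_RESERVED = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is compared literally inside an LDAP search filter."""
    return "".join(_RESERVED.get(ch, ch) for ch in value)


def user_search_filter(login: str, user_class: str = USER_CLASS,
                       user_filter: Optional[str] = USER_FILTER,
                       user_attribute: str = USER_ATTRIBUTE) -> str:
    """AND together the object class, the administrator's User filter (if any)
    and the identity attribute compared to the escaped login."""
    parts = [f"(objectClass={escape_filter_value(user_class)})"]
    if user_filter:
        parts.append(user_filter)  # entered by the administrator in standard LDAP syntax
    parts.append(f"({user_attribute}={escape_filter_value(login)})")
    return "(&" + "".join(parts) + ")"


def authentication_name(login: str, use_prefix_suffix: bool = True,
                        prefix: str = "", suffix: str = "") -> str:
    """Name presented at authentication, per the Use prefix and suffix setting."""
    return f"{prefix}{login}{suffix}" if use_prefix_suffix else login


if __name__ == "__main__":
    print(user_search_filter("alice"))
    print(user_search_filter("*)(uid=*"))          # wildcards and parentheses are neutralised
    print(authentication_name("a_user", prefix="a_domain\\"))   # a_domain\a_user
    print(authentication_name("a_user", suffix="@a_domain"))    # a_user@a_domain
```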
You can allow users who already have an account in OpenID Connect (OIDC) user managers to connect to JMap Web and JMap NG applications using that account.
For detailed information on this protocol, visit the OpenID Connect 1.0 website.
Configuring an OIDC user manager is complex. Your organization’s IT department will provide the OIDC settings. The following table describes the settings related to JMap.
You can allow users who already have an account in an identity manager that uses SAML2 to connect to JMap Web and JMap NG applications using that account.
SAML is an open standard that establishes a single sign-on between an identity manager and an application server such as JMap. This site provides details on SAML2.
Configuring a SAML2 user manager is complex. Your organization’s IT department will provide the settings related to SAML2. The following table describes the settings related to JMap.
OIDC user manager
Friendly name
This name allows you to easily identify the OIDC user manager in JMap Server and identify the users from this manager.
Administrator password
An administrator is automatically created when this manager is used. You must enter the password of this account in this field.
Groups
Unlike with Active Directory and LDAP, user accounts from the OIDC manager are not known in advance because they are created as the users connect to a JMap Web or JMap NG application. That said, how can permissions be granted on JMap’s resources to users who are not known in advance? Groups that are defined in advance allow you to grant permissions related to JMap’s resources. When a user connects to a JMap application for the first time, OIDC assigns the user to one or more of the groups defined in Groups attribute based on the information in that user’s profile. Since the OIDC user manager is in read-only mode, you cannot create users or groups in JMap’s Users and Groups sections. This setting allows you to create groups by entering their names. Afterwards, you can grant permissions to these groups, which contain the users from OIDC. There must be an exact match between the names of the groups in OIDC and the groups you create using this setting. If a user connects to an application for the first time via OIDC and his/her profile indicates a group that doesn’t exist in JMap, the group will be created automatically and will be displayed in the Groups section.
Default group
Select the group to which you will assign all users who are not assigned to a group in OIDC (in Groups attribute). Example: you can create a group called Guests; all users who connect to a JMap Web or JMap NG application for the first time and whose OIDC profile doesn’t indicate a group will be assigned to this Guests group. You can grant access permissions to the Guests group for a specific project.
Button image
This image appears in the homepage of the JMap Web or JMap NG application and identifies the access to the OIDC manager to log in.
Press Choose to select the image.
The image must have a maximum size of 100 x 100 pixels.
Button label
This text appears in the identification button with the image.
SSO callback URL
Your IT department will provide this information.
Client name
The name given by JMap to the OIDC user manager. This name integrates and completes the URL of the OIDC manager.
Discovery URI
Your IT department will provide this information.
Client ID
Your IT department will provide this information.
Client secret
Your IT department will provide this information.
Scope
Your IT department will provide this information.
Response type
Your IT department will provide this information.
Response mode
Your IT department will provide this information.
Use nonce
Your IT department will provide this information.
With state
Your IT department will provide this information.
Disable PKCE
Your IT department will provide this information.
Username / ID attribute
Optional setting. Indicates the attribute containing the user name in OIDC. Your IT department will provide this information.
Email attribute
Optional setting. Indicates the attribute containing the email address in OIDC. Your IT department will provide this information.
First name attribute
Optional setting. Indicates the attribute containing the user’s first name in OIDC. Your IT department will provide this information.
Last name attribute
Optional setting. Indicates the attribute containing the user’s last name in OIDC. Your IT department will provide this information.
Groups attribute
Optional setting. Indicates the customizable attribute that allows you to define groups in OIDC to which the users are assigned. These groups are displayed in the Users and Groups sections in JMap. Your IT department will assist you with this setting.
SAML2 user manager
Friendly name
This name allows you to easily identify the SAML2 user manager in JMap Server and identify the users from this manager.
Administrator password
An administrator is automatically created when this manager is used. You must enter the password of this account in this field.
Groups
Unlike with Active Directory and LDAP, user accounts from the SAML2 manager are not known in advance because they are created as the users connect to a JMap Web or JMap NG application. That said, how can permissions be granted on JMap’s resources to users who are not known in advance? Groups that are defined in advance allow you to grant permissions related to JMap’s resources. When a user connects to a JMap application for the first time, SAML2 assigns the user to one or more of the groups defined in Groups attribute based on the information in that user’s profile. Since the SAML2 user manager is in read-only mode, you cannot create users or groups in JMap’s Users and Groups sections. This setting allows you to create groups by entering their names. Afterwards, you can grant permissions to these groups, which contain the users from SAML2. There must be an exact match between the names of the groups in SAML2 and the groups you create using this setting. If a user connects to an application for the first time via SAML2 and his/her profile indicates a group that doesn’t exist in JMap, the group will be created automatically and will be displayed in the Groups section.
Default group
Select the group to which you will assign all users who are not assigned to a group in SAML2 (in Groups attribute). Example: you can create a group called Guests; all users who connect to a JMap Web or JMap NG application for the first time and whose profile in SAML2 doesn’t indicate a group will be assigned to this Guests group. You can grant access permissions to the Guests group for a specific project.
Button image
This image appears in the homepage of the JMap Web or JMap NG application and identifies the access to the SAML2 manager to log in.
Press Choose to select the image.
The image must have a maximum size of 100 x 100 pixels.
Button label
This text appears in the identification button with the image.
SSO callback URL
Your IT department will provide this information.
Client name
The name given by JMap to the SAML2 user manager. This name integrates and completes the URL of the SAML2 manager.
IdP Metadata
Your IT department will provide this information.
SP Entity ID
Your IT department will provide this information.
Username / ID attribute
Optional setting. Indicates the attribute containing the user name in SAML2. Your IT department will provide this information.
Email attribute
Optional setting. Indicates the attribute containing the email address in SAML2. Your IT department will provide this information.
First name attribute
Optional setting. Indicates the attribute containing the user’s first name in SAML2. Your IT department will provide this information.
Last name attribute
Optional setting. Indicates the attribute containing the user’s last name in SAML2. Your IT department will provide this information.
Groups attribute
Optional setting. Indicates the customizable attribute that allows you to define groups in SAML2 to which the users are assigned. These groups are displayed in the Users and Groups sections in JMap. Your IT department will assist you with this setting.
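As an added illustration (not JMap's code) of the group assignment rules described under Groups, Default group and Groups attribute for both the OIDC and the SAML2 user managers: exact-name matching against the groups configured in Groups, fallback to the Default group when the profile names none, and automatic creation of a group named in the profile but unknown to JMap. The profiles, the configured groups and the assumption that an auto-created group is also assigned to the user are constructed for this example.

```python
# Added illustration (not JMap's code) of the group assignment rules for the
# OIDC and SAML2 user managers. Profiles are constructed; "groups" stands for
# whatever value is configured as Groups attribute. That a freshly auto-created
# group is also assigned to the user is an assumption of this example.
from typing import Dict, List, Optional, Set, Tuple

# Constructed, flattened ID token claims / SAML attribute statements.
PROFILES: Dict[str, dict] = {
    "alice": {"preferred_username": "alice", "groups": ["gis-editors", "Viewers"]},
    "bob":   {"preferred_username": "bob",   "groups": []},
    "dave":  {"preferred_username": "dave"},                 # attribute absent
    "erin":  {"preferred_username": "erin",  "groups": ["field-crew"]},
}

# Constructed values of the Groups and Default group settings.
CONFIGURED_GROUPS: Set[str] = {"gis-editors", "viewers", "Guests"}
DEFAULT_GROUP = "Guests"


def assign_groups(profile: dict, groups_attribute: str,
                  configured_groups: Set[str],
                  default_group: Optional[str]) -> Tuple[List[str], List[str]]:
    """Return (groups assigned at first login, groups JMap would auto-create).

    Matching is an exact string comparison, as the Groups setting requires:
    "Viewers" in a profile does not match a configured group "viewers".
    """
    claimed = profile.get(groups_attribute) or []
    if isinstance(claimed, str):        # some identity providers send a single value
        claimed = [claimed]
    assigned: List[str] = []
    created: List[str] = []
    for name in claimed:
        if name not in configured_groups:
            created.append(name)        # unknown group: created and shown in Groups
        assigned.append(name)
    if not assigned and default_group:
        assigned.append(default_group)  # no group in the profile: Default group
    return assigned, created


def first_login_report(profiles: Dict[str, dict], groups_attribute: str,
                       configured: Set[str], default: Optional[str]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Assignment outcome for every constructed profile, keyed by user name."""
    return {user: assign_groups(p, groups_attribute, configured, default)
            for user, p in profiles.items()}


if __name__ == "__main__":
    for user, (groups, new) in first_login_report(PROFILES, "groups", CONFIGURED_GROUPS, DEFAULT_GROUP).items():
        print(f"{user}: assigned={groups} auto-created={new}")
```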