Reverse HTTP Proxy Authentication Method
With this method, users are authenticated by an external HTTP reverse proxy. This method can be used only for web-based CDP applications, such as the Web UI, Semantic Web UI, or CDP Browser. Most web servers can be configured to provide this pre-authentication functionality, using any of numerous authentication providers or methods, such as OpenID Connect or LDAP. See below the functional diagram of the authentication with this method.
Note: For this method to function properly, an external HTTP reverse proxy must be configured first. For example, see How To Set Up Google Authentication Using HTTP Reverse Proxy for instructions on setting up an HTTP reverse proxy in Apache or NGINX web server to authenticate users using Google OpenID Connect authentication.
To add the method, select the ProxyAuthentication from the bottom row Type column and click on the in front of the row or drag the Reverse Proxy Authentication resource from the Resource tree to the Authentication Methods table. To edit the method properties, click the navigate button in front of the method name and the editing window opens up.
This method has the following configurable properties:
Setting | Description |
---|---|
UsernameHeader | Name of the HTTP header (set by the HTTP reverse proxy) from which the authenticated user ID is read. The header value is then looked up in the Username list, and the matching user is logged in automatically. |
HostHeader | Name of the HTTP header (set by the HTTP reverse proxy) that identifies the original host the user logged in from. |
EnabledFrom | IP address, semicolon-separated list of IP addresses, or IP address mask from which this proxy authentication method is enabled. This can be used to prevent local network users (who can somehow bypass the proxy) from bypassing the authentication by spoofing the HTTP header. |
Note: Connecting to the system via Studio is not possible for users who have only this authentication method enabled in CDP Security configuration (i.e. the password authentication method is removed or disabled).
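
The trust decision that the UsernameHeader and EnabledFrom settings describe, as an added Python sketch (not CDP's own code): the header is honoured only when the TCP peer address matches EnabledFrom. The header name, addresses and user are constructed, and the mask syntax is assumed to be CIDR notation.

```python
import ipaddress

# Constructed sample configuration; values are assumptions, not CDP defaults.
USERNAME_HEADER = "X-Forwarded-User"
ENABLED_FROM = "127.0.0.1;10.0.5.0/24"   # proxy on localhost or in a proxy subnet
USERS = {"alice@example.com"}             # stands in for the CDP Username list


def parse_enabled_from(value):
    """Parse a semicolon-separated list of IP addresses or CIDR masks."""
    nets = []
    for item in value.split(";"):
        item = item.strip()
        if item:
            # A bare address becomes a single-host network (/32 or /128).
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def authenticate(peer_ip, headers, users=USERS,
                 username_header=USERNAME_HEADER, enabled_from=ENABLED_FROM):
    """Return the user to log in, or None when the header must not be trusted.

    peer_ip must be the address of the TCP peer, never a header value.
    An empty enabled_from list rejects everything (fail closed, an assumption).
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in parse_enabled_from(enabled_from)):
        return None  # request did not arrive via the proxy; header may be spoofed
    # HTTP header names are case-insensitive.
    lowered = {k.lower(): v for k, v in headers.items()}
    name = lowered.get(username_header.lower(), "").strip()
    return name if name in users else None


if __name__ == "__main__":
    hdr = {USERNAME_HEADER: "alice@example.com"}
    print(authenticate("127.0.0.1", hdr))      # via the proxy
    print(authenticate("192.168.1.50", hdr))   # direct LAN client sending the header
```

The same header value yields a login only from an address covered by EnabledFrom, which is why the proxy host should be the only address listed there.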
Authorization of Users
With this authentication method, the HTTP reverse proxy handles only user authentication, i.e., determining who a user is. The authorization of users, i.e., determining what a user is allowed to do in the system, is still the responsibility of CDP. For that, externally authenticated users must still be created in the CDP Security Configuration database and have access roles assigned to them.
Note: With external authentication, users do not need a password set in CDP, as the password is not checked by CDP when proxy authentication is used.
Reauthentication and Logout
With this method, authentication sessions are started and kept by the authentication proxy. CDP can only disconnect the StudioAPI connection after the Idle Lockout Period seconds (CDP Security Authentication setting), so that the authentication proxy is able to re-authenticate the user. But even with the Idle Lockout Period set, whether the same user is silently logged in again (based on the user authentication cookies set in the browser) or a new authentication is required depends on the session caching settings of the authentication proxy. For details on the caching, see the configuration manual of the authentication proxy in use.