Authentication in Aeneis via Spring Security

The token-based authentication in Aeneis allows user data to be synchronized with Aeneis via the Spring Security framework. Users can thus access the Aeneis Portal and API directly via single sign-on (SSO).

Note: The Authentication in Aeneis via Spring Security works without an additional LDAP Sync license.

Functions:

  • Authentication via Azure AD, AWS, ADFS and SAML

  • Automatic creation of users and synchronization of the configured group assignments when accessing the Portal for the first time

  • Transfer of names, e-mail addresses and groups from the directory

Note: If a user is removed from the directory after synchronization, he/she remains present in Aeneis. However, access is not possible because no valid token is created by the identity provider.

Preparations:

  • Existing users must use the user ID that is used and synchronized within token authentication. If different IDs are used, additional users are created as part of the automatic creation process.

  • The SSL trustkeystore is always "aeneis-server-keystore.jks" as of Aeneis 6.3.SR1.

  • SSL certificates: The public certificate of the login page of e.g. Azure must be added in the application directory. If there is an error due to a missing certificate, it must be added in the application directory under "aeneis-server-keystore.jks". For Azure, for example, the certificate "stamp2-login-microsoftonline-com.pem".

Limitations:

  • Only the Portal and API can be authenticated via Spring Security.

  • The electronic signature (property Show login dialog in transitions) works only with ADFS and Azure. If authentication via ADFS SAML2 is configured, only the application.yml file needs to be modified for this, see Electronic Signature for SAML2 ADFS .

  • The synchronization of the groups only works via Azure, ADFS, and SAML2.

Automatically import users

To automatically import users that are synchronized via token-based authentication, activate the Automatic user import property in the properties of the database object in the SystemAdministration:

With ADFS and Azure, the UPN (User Principal Name) is used as the ID here. On AWS, the cognito:username is used.

Automatically update users

To automatically update users who are synchronized via token-based authentication and who change, activate the Automatically update imported users property in the properties of the database object in the SystemAdministration:

The following attributes are updated as soon as users log in:

  • User name

  • User email

  • User groups: If groups are added in the Groups attribute for LDAP registration, then the user will be added to these groups at the next login. If a group is removed from the Groups attribute for LDAP registration, then the user is not automatically removed from the group, but must be removed manually.

Log in to the Portal

Once authentication has been set up in Aeneis via SSO, users no longer need to log in to the Portal separately. To allow administrators to log in to Aeneis without SSO, the following link can be used to open the login screen for the Portal : https://[SERVER]:[PORT]/login.html.

Users that have been automatically imported into Aeneis via the interface have the property Is external object? If users were already created in Aeneis and SSO is subsequently activated, the property Is external object? must be set manually. The property Is external object? enables users to log in to Aeneis only through the token-based authentication that has been set up.

Synchronize users and groups

To synchronize imported users with external groups, you can activate the Synchronize imported users with external groups property in the database object properties in the SystemAdministration.

Requirements: For correct synchronization, the transmission of the groups in the token must be configured in the IDP. The ID of the group must match the value of the group that will be overlaid in the token (in ADFS TokenGroups - unqualified name, in Azure samAccountName). In Aeneis, the property Is external object? must additionally be activated in the group and the property External synchronization ID must be empty.