Authorization And Access Requirements

Overview


Authorization is the process of checking whether a user has the permissions needed to access a particular file or perform a particular action (assuming that the user has already authenticated successfully). Authorization is credential focused and depends on the specific rules and access control lists set by the web application administrator(s) or data owners. Typical authorization checks query for membership in a particular user group, possession of a particular clearance, or presence of the user on a resource's approved access control list. Any access control mechanism therefore depends on effective, forge-resistant authentication: an authorization decision is only as trustworthy as the identity it is made about.

Access Control is the more general practice of controlling access to web resources, including restrictions based on things such as the time of day, the IP address of the HTTP client, the domain of the HTTP client, the type of encryption the HTTP client supports, the number of times the user has authenticated that day, possession of any of several kinds of hardware or software tokens, or any other variable that can be extracted or calculated easily.

The following features make up the Authorization and Access requirements:

LDAP Integration


LDAP (Lightweight Directory Access Protocol) lets a single user-account directory be used to log in to multiple applications.
Before you provision LDAP in HCP, configure HCP with LDAP Authentication. To do so, ensure the following:

  • Dedicated read-only domain account for LDAP Bind. [1]
    Example: CN=svc_hcpldap,CN=Users,DC=Domain,DC=com.

  • The Base DN must include

    • The container where the LDAP Bind account is located

    • Additional OUs where end users are located.

  • All LDAP users must have an email address set on their account (AD attribute: mail).

  • A secure LDAP (LDAPS) connection requires the Root and Intermediate certificates for the AD domain. [2]

Notes:

  • [1] This account must not be a member of the Domain Admins group. Obtain the Distinguished Name of this LDAP Bind account.

  • [2] Contact HyperGrid Support to import an LDAP certificate for LDAPS-based connections.

    • HyperGrid Support will import certificates into HyperCloud SaaS-based deployments.
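The prerequisites above can be checked before the first bind attempt. The Python below is an added example, not HyperGrid or HCP code: it encodes the rules (bind account not in Domain Admins, bind account container and user OUs inside the Base DN, every user carrying a mail attribute) as an offline check over a constructed directory snapshot. The domain, group and account names in it are hypothetical. DNs are compared RDN by RDN rather than as strings, so differences in case, spacing and escaped commas do not produce wrong results.

```python
"""Offline pre-flight check for the HCP LDAP prerequisites listed above.

Added example, not HyperGrid/HCP code. DIRECTORY below is a constructed
snapshot of a few entries (no real domain was exported); a live check
would pull the same attributes over LDAPS and pass them in the same shape.
"""
from __future__ import annotations

# Well-known group DN, assumed for the hypothetical domain DC=Domain,DC=com.
DOMAIN_ADMINS_DN = "CN=Domain Admins,CN=Users,DC=Domain,DC=com"


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into normalised (type, value) RDNs.

    Honours backslash escapes, so an escaped comma inside a CN does not
    split the RDN. Types and values are lower-cased (AD compares them
    case-insensitively). Multi-valued RDNs ('+') are not handled.
    """
    rdns: list[str] = []
    buf: list[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    parsed = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        parsed.append((attr_type.strip().lower(), value.strip().lower()))
    return parsed


def dn_equal(a: str, b: str) -> bool:
    return parse_dn(a) == parse_dn(b)


def dn_under(dn: str, base: str) -> bool:
    """True if dn is base itself or lies beneath it (RDN-wise suffix test)."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def check_ldap_prereqs(directory: dict[str, dict[str, list[str]]],
                       bind_dn: str, base_dn: str) -> list[str]:
    """Return the prerequisite violations found (empty list: all good).

    Limits: memberOf lists direct groups only, so Domain Admins membership
    via a nested group is not detected, and whether the bind account is
    really read-only is an ACL question that attributes cannot answer.
    """
    problems: list[str] = []
    bind = next((attrs for dn, attrs in directory.items()
                 if dn_equal(dn, bind_dn)), None)
    if bind is None:
        problems.append(f"bind account {bind_dn} not found in directory")
    else:
        if any(dn_equal(g, DOMAIN_ADMINS_DN) for g in bind.get("memberOf", [])):
            problems.append("bind account is a member of Domain Admins")
        if not dn_under(bind_dn, base_dn):
            problems.append("bind account container is outside the Base DN")
    for dn, attrs in directory.items():
        if "user" not in attrs.get("objectClass", []) or dn_equal(dn, bind_dn):
            continue  # the bind account itself does not need a mail attribute
        if not dn_under(dn, base_dn):
            problems.append(f"user {dn} is outside the Base DN and cannot log in")
        if not attrs.get("mail"):
            problems.append(f"user {dn} has no mail attribute")
    return problems


BIND_DN = "CN=svc_hcpldap,CN=Users,DC=Domain,DC=com"
BASE_DN = "DC=Domain,DC=com"

# Constructed snapshot: hypothetical accounts, deliberately including one
# user without mail, one with an escaped comma in its CN, and one that
# lives in a different naming context.
DIRECTORY: dict[str, dict[str, list[str]]] = {
    BIND_DN: {"objectClass": ["user"],
              "memberOf": ["CN=Domain Users,CN=Users,DC=Domain,DC=com"]},
    "CN=Alice Adams,OU=Staff,DC=Domain,DC=com": {
        "objectClass": ["user"], "mail": ["alice.adams@domain.com"]},
    "CN=Baker\\, Bob,OU=Staff,DC=Domain,DC=com": {
        "objectClass": ["user"]},
    "CN=Carol Chen,OU=Contractors,DC=Partner,DC=com": {
        "objectClass": ["user"], "mail": ["carol.chen@partner.com"]},
}

if __name__ == "__main__":
    for problem in check_ldap_prereqs(DIRECTORY, BIND_DN, BASE_DN):
        print("FAIL:", problem)
```

Against a real domain, DIRECTORY would be filled from an LDAPS query made with the bind account (with OpenLDAP's client, for example `ldapsearch -H ldaps://dc.domain.com -D "<bind DN>" -W -b "<Base DN>" "(objectClass=user)" memberOf mail`, with the Root and Intermediate certificates configured as the client's trusted CA chain); a bind failure at that point already tells you the certificate or credential prerequisites are not met.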

SAML Integration


Security Assertion Markup Language (SAML) is a standard for logging a user into an application on the strength of a session already established elsewhere. This has significant advantages over a username/password login: no credentials to type, no password to remember and renew, no weak passwords, and so on. Most companies already know who a user is because the user is logged into their Active Directory domain or intranet, so it is natural to reuse that identity to log the user into other applications, including web-based ones. SAML is one of the more elegant ways of doing this.

A SAML Provider can be configured for each Tenant. Before you configure SAML:

  • Download the metadata from the HCP URL.
    Example: https://<ip>/saml/metadata [1]

  • Upload the metadata to SAML IDP:

    • HCP requires either the email address or the username in the SAML Response.

    • Ensure that the relevant attribute is configured on the IDP for the chosen authentication method:

      • Email Address based Authentication (mail).

      • Username based Authentication (uid).

Note:

  • [1] If the HCP base URL is changed, the metadata must be exchanged again between HCP and every IDP in use.

    • Otherwise SAML-based authentication will fail and users will not be able to access HCP.
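Note [1] above follows from what the metadata carries: the HCP base URL is embedded in the SP's entityID and AssertionConsumerService URL, and an IDP copies those values into the Destination and Audience of every Response it issues, so an IDP holding metadata from before a URL change produces Responses the new HCP must reject. The Python below is an added example, not HCP's or any IDP's code. It parses constructed SP metadata and constructed, unsigned Responses and applies the two endpoint checks plus the mail/uid attribute requirement; the host hcp.example.com and the old address 10.0.0.5 are hypothetical, and signature verification, which a real SP must do before anything else, is deliberately left out.

```python
"""Why note [1] above holds: the SP metadata pins the HCP base URL.

Added example, not HCP or IDP code. SP_METADATA and the Responses built by
idp_response() are constructed and unsigned; hcp.example.com (current HCP
base URL) and 10.0.0.5 (the old one still held by a stale IDP) are
hypothetical. A real SP must verify the IDP's XML signature before any of
the checks below; that step is deliberately out of scope here.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Shape of what https://<ip>/saml/metadata returns: entityID and the
# AssertionConsumerService Location both carry the base URL.
SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://hcp.example.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://hcp.example.com/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def idp_response(destination: str, audience: str, attributes: dict[str, str]) -> str:
    """Build a minimal, unsigned Response the way an IDP fills it in from the
    metadata it holds: Destination = ACS URL, Audience = SP entityID."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}">'
        f"<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>"
        for name, value in attributes.items())
    return f"""\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="{destination}">
  <saml:Assertion>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def sp_endpoints(metadata_xml: str) -> tuple[str, str]:
    """Return (entityID, ACS URL) from SP metadata."""
    root = ET.fromstring(metadata_xml)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    return root.get("entityID"), acs.get("Location")


def check_response(response_xml: str, metadata_xml: str) -> tuple[str, str]:
    """Apply the SP-side checks and return (attribute, value) to log in with.

    Raises ValueError with the reason when the Response must be rejected.
    Only the checks relevant to this page are made; a real SP also checks
    InResponseTo, NotBefore/NotOnOrAfter, Issuer and, first, the signature.
    """
    entity_id, acs_url = sp_endpoints(metadata_xml)
    resp = ET.fromstring(response_xml)
    destination = resp.get("Destination")
    if destination != acs_url:
        raise ValueError(f"Destination {destination} is not this SP's ACS "
                         f"{acs_url}: the IDP holds stale metadata")
    audience = resp.findtext(
        "saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience",
        namespaces=NS)
    if audience != entity_id:
        raise ValueError(f"Audience {audience} is not this SP's entityID {entity_id}")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in resp.findall(
                 "saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)}
    for name in ("mail", "uid"):  # email-based, then username-based login
        if attrs.get(name):
            return name, attrs[name]
    raise ValueError("neither mail nor uid attribute in the Response; "
                     "configure one of them on the IDP")


def rejection_reason(response_xml: str, metadata_xml: str) -> str | None:
    """The rejection message, or None if the Response is accepted."""
    try:
        check_response(response_xml, metadata_xml)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    entity_id, acs_url = sp_endpoints(SP_METADATA)
    good = idp_response(acs_url, entity_id, {"mail": "alice@example.com"})
    print("accepted:", check_response(good, SP_METADATA))
    # IDP still configured with metadata downloaded before the base URL changed
    stale = idp_response("https://10.0.0.5/saml/acs",
                         "https://10.0.0.5/saml/metadata", {"mail": "alice@example.com"})
    print("rejected:", rejection_reason(stale, SP_METADATA))
```

The stale case is exactly the failure note [1] describes: nothing is wrong with the user's IDP session, but every Response is addressed to the old HCP URL, and the only fix is to download fresh metadata from the new base URL and upload it to each IDP.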

Domain Integration (Provisioned VMs)


  • Use a dedicated AD service account, separate from the LDAP Bind account, if Windows VMs deployed via HCP are required to join the domain.

  • Domain Join is performed via HyperCloud™ Plugins.

 

© 2020 CloudSphere