Users that access the INTERGATOR web-interface directly are authenticated by INTERGATOR either using single-sign-on (SSO) or username and password.
When INTERGATOR is integrated into Confluence, users are already authenticated by Confluence. The Confluence Plugin then sends search requests to INTERGATOR on behalf of the user and visualizes the results.
In this scenario Confluence sits between the user and INTERGATOR, but it does not have the user's credentials (such as the password or SSO information) to authenticate the user with INTERGATOR.
For such use cases there is an INTERGATOR authentication mode called PreAuth. When this mode is configured, INTERGATOR relies on the upstream component (e.g. Confluence) to authenticate the user. The upstream application then sends the username to INTERGATOR in an HTTP header (typically X-User) or cookie, and INTERGATOR accepts it without further checking.
Without PreAuth, all INTERGATOR APIs require authentication. With PreAuth mode enabled, all INTERGATOR APIs have to support this mode. That means that any user that can talk to these APIs can impersonate any other user and e.g. download documents from connected data sources.
To prevent this you have to make sure that only legitimate users and machines can access the INTERGATOR server and API proxy APIs. This can be done e.g. by a local firewall on the INTERGATOR machine(s) or by putting INTERGATOR into a separate network with restricted access.
The INTERGATOR web-interface can be configured so that only a dedicated IP address can use PreAuth mode. Requests from all other IP addresses have to be authenticated with username and password or SSO.
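The trust decision that IP-restricted PreAuth implies, as an added illustration (not INTERGATOR's code): the X-User header is accepted only when the request comes from the dedicated upstream address, while any other client, including one that forges X-User, goes through the normal credential check. The address 10.0.0.5, the user store and the Basic-auth path are constructed stand-ins.

```python
import base64
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed: the dedicated Confluence address allowed to use PreAuth, and a stand-in user store.
TRUSTED_PREAUTH_SOURCES = {ipaddress.ip_address("10.0.0.5")}
PREAUTH_HEADER = "X-User"
LOCAL_USERS = {"bob": "s3cret"}

@dataclass
class Request:
    peer_ip: str              # TCP peer address as seen by the server socket
    headers: Dict[str, str]   # HTTP request headers (constructed for the example)

@dataclass
class Decision:
    user: Optional[str]
    method: str               # "preauth", "password" or "rejected"

def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value (helper for the example)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check_password(auth_header: Optional[str]) -> Optional[str]:
    """Validate HTTP Basic credentials against the constructed user store."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth_header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = LOCAL_USERS.get(user)
    if expected is not None and hmac.compare_digest(expected, password):
        return user
    return None

def resolve_user(req: Request) -> Decision:
    """Decide who the request acts as. X-User is honoured only when the TCP
    peer is the dedicated upstream host; the peer address comes from the
    socket, never from a header such as X-Forwarded-For, which any client
    could set. Everyone else, including a client forging X-User, must log in."""
    peer = ipaddress.ip_address(req.peer_ip)
    header_user = req.headers.get(PREAUTH_HEADER)
    if header_user and peer in TRUSTED_PREAUTH_SOURCES:
        return Decision(header_user, "preauth")
    user = check_password(req.headers.get("Authorization"))
    return Decision(user, "password" if user else "rejected")
```

If a reverse proxy sits in front of INTERGATOR, the peer address it sees is the proxy's, so the IP restriction has to be enforced by the component that sees the real client.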
PreAuth mode has to be enabled in the INTERGATOR server and the web-interface. The API proxy just passes it through.
This article assumes that your INTERGATOR is already connected to a Microsoft Active Directory.
INTERGATOR server configuration
The server allows you to configure a list of authentication providers. When a user logs in, all authentication providers are invoked sequentially until the user is authenticated. We now configure the PreAuth provider before the existing Active Directory provider.
Open the INTERGATOR Management Center and go to XML mode → Server Sicherheitskonfiguration
Inside the <providers> XML element you find an <item> with a <factoryId>active-directory-auth-provider-factory</factoryId> inside. This configures your Active Directory connection. Keep this! Do not change it!
Put the following <item> element and its descendants directly before your Active Directory <item>:
PreAuth provider snippet to insert
The result should be similar to this:
Server Sicherheitskonfiguration (server security configuration)
That's all for the server side - no restart needed. Check that normal authentication via AD still works and make sure the INTERGATOR server and API proxy APIs cannot be accessed by unauthorized users (see Security considerations above).
Add PREAUTH properties
Create a file web-interface/intergator/WEB-INF/properties/intergator.confluence-preauth.properties with the following content:
Restrict access to specific hosts
Edit web-interface/intergator/WEB-INF/intergator.xconf and add a similar match rule:
- Replace the IP address in the fixed-string attribute with the IP of your Confluence server
Restart the INTERGATOR web-interface
How to do this depends on the operating system. The restart is necessary to load the new configuration.
Add a custom authentication resolver
The custom resolver is only needed if your INTERGATOR is not connected to an Active Directory.
Create file server/lib/groovy/de/ifbus/intergator/authsystems/custom/ConfluencePreauthResolver.groovy with the following content: