ember-1-15
Setting up Authentication and Single Sign-On
Ember Monitor uses username/password authentication by default. Since Ember 1.14 the separate username/password authentication configuration has been removed, so no additional settings are required for it.
Ember Monitor supports authentication via external OAuth2 authentication providers, such as Auth0, Gluu, etc. Different authentication providers can require different settings, but the minimum set of required settings for any authentication provider are:
spring:
  security:
    oauth2:
      client:
        registration:
          <provider-name>:
            client-id: <client-id>
            client-secret: <client-secret>
            scope: openid, profile, <optional custom scopes>
            authorization-grant-type: authorization_code
        provider:
          <provider-name>:
            issuer-uri: <issuer-uri>
security:
  oauth2:
    provider:
      name: <provider-name>
Note that the security.oauth2.provider.name property is set here. If it is missing, Basic (username/password) authentication is used.
Make sure that security.oauth2.provider.name matches the provider name used as the key in both the spring.security.oauth2.client.registration and spring.security.oauth2.client.provider sections.
Session lifetime
server:
  servlet:
    session:
      timeout: 30m # valid options: s (seconds), m (minutes), h (hours)
If the property is not specified, the timeout defaults to 30 minutes. It defines how long the monitor may remain idle before the user has to re-authenticate, and applies to both OAuth2 and Basic authentication.
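The two consistency rules above (the provider name must be the key in both spring sections; a missing security.oauth2.provider.name silently falls back to Basic authentication) and the duration suffixes for the session timeout and the authenticationReloadInterval described later on this page are easy to get wrong in a hand-edited application.yaml. The following pre-flight check is an added example, not part of the Ember Monitor documentation or code; its YAML reader handles only the indentation-nested "key: value" subset used in these examples, and the sample configurations (hostnames, secret, client id) are constructed placeholders.

```python
# Added example (not part of the Ember Monitor documentation): a pre-flight check
# over application.yaml for the settings described above. It verifies that
# security.oauth2.provider.name points at a provider present in BOTH the
# spring.security.oauth2.client.registration and ...client.provider sections,
# that the minimum required keys are set, and that the session timeout (and the
# authenticationReloadInterval described later on this page) use the documented
# suffixes. The reader below handles only the indentation-nested "key: value"
# subset used in these examples; it is not a general YAML parser.
import re

def parse_simple_yaml(text):
    """Read indentation-nested 'key: value' maps into nested dicts; '#' comments are dropped."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open nesting level
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:  # close deeper or sibling levels
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = child = {}
            stack.append((indent, child))
    return root

def get_path(cfg, dotted):
    """Walk a dotted path through nested dicts; None if any segment is missing."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

# Suffixes as documented: session timeout uses s/m/h, reload interval uses D/H/I/S.
SESSION_UNITS = {"s": 1, "m": 60, "h": 3600}
RELOAD_UNITS = {"S": 1, "I": 60, "H": 3600, "D": 86400}

def duration_seconds(value, units):
    m = re.fullmatch(r"(\d+)([A-Za-z])", value.strip())
    if not m or m.group(2) not in units:
        raise ValueError(f"bad duration {value!r}, valid suffixes: {''.join(units)}")
    return int(m.group(1)) * units[m.group(2)]

def check_oauth2_config(text):
    """Return a list of problems; an empty list means the file passes these checks."""
    cfg, problems = parse_simple_yaml(text), []
    name = get_path(cfg, "security.oauth2.provider.name")
    if name is None:
        problems.append("security.oauth2.provider.name missing: Basic authentication will be used")
    else:
        reg = get_path(cfg, f"spring.security.oauth2.client.registration.{name}") or {}
        prov = get_path(cfg, f"spring.security.oauth2.client.provider.{name}") or {}
        for key in ("client-id", "client-secret", "scope", "authorization-grant-type"):
            if key not in reg:
                problems.append(f"registration.{name}.{key} missing")
        if reg.get("authorization-grant-type", "authorization_code") != "authorization_code":
            problems.append("authorization-grant-type must be authorization_code")
        if "openid" not in [s.strip() for s in reg.get("scope", "").split(",")]:
            problems.append("scope must include openid")
        if reg.get("client-secret", "").startswith("<"):
            problems.append("client-secret is still a placeholder")
        if "issuer-uri" not in prov:
            problems.append(f"provider.{name}.issuer-uri missing")
    for path, units in (("server.servlet.session.timeout", SESSION_UNITS),
                        ("security.oauth2.authenticationReloadInterval", RELOAD_UNITS)):
        value = get_path(cfg, path)
        if value is not None:
            try:
                duration_seconds(value, units)
            except ValueError as exc:
                problems.append(f"{path}: {exc}")
    return problems

# Constructed sample configuration (placeholder host, secret and client id).
GOOD_CONFIG = """
spring:
  security:
    oauth2:
      client:
        registration:
          keycloak:
            client-id: ember_monitor
            client-secret: example-secret-value
            scope: openid, email, profile, roles, offline_access
            authorization-grant-type: authorization_code
        provider:
          keycloak:
            issuer-uri: https://idp.example.test/auth/realms/myrealm
security:
  oauth2:
    provider:
      name: keycloak
    authenticationReloadInterval: 1I
server:
  servlet:
    session:
      timeout: 30m
"""
# The same file with the two mistakes this check is meant to catch: the provider
# name does not match the registration key, and the timeout suffix is wrong.
BAD_CONFIG = GOOD_CONFIG.replace("name: keycloak", "name: keycloack").replace("timeout: 30m", "timeout: 30min")

if __name__ == "__main__":
    print("good:", check_oauth2_config(GOOD_CONFIG))
    print("bad: ", check_oauth2_config(BAD_CONFIG))
```

Run it against the real application.yaml before starting the monitor; a non-empty list means the OAuth2 login would either fail or, in the missing-name case, quietly fall back to Basic authentication.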
General Ideas
The provider needs to be configured with an issuer-uri, which asserts an Issuer Identifier.
The clientId is an identifier of the application in the authentication provider.
The clientSecret is located in the application settings in the authentication provider (some providers show it only at the moment of client creation, so make sure to save it).
Most settings can be discovered automatically by Ember Monitor (like authorization-uri, token-uri, user-info-uri, jwk-set-uri) using issuer-uri, but you can override them manually in the following way:
spring:
  security:
    oauth2:
      client:
        provider:
          <provider-name>:
            authorization-uri: <authorizationUri>
            token-uri: <tokenUri>
            user-info-uri: <userInfoUri>
            jwk-set-uri: <jwkSetUri>
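What "discovered automatically using issuer-uri" amounts to is a fetch of the provider's OpenID discovery document at <issuer-uri>/.well-known/openid-configuration, whose endpoint fields map one-to-one onto the four provider properties above. The script below is an added example, not Ember Monitor or Spring code: it shows that mapping, applies the two checks a defender wants before trusting the document (its issuer must equal the configured issuer-uri exactly, trailing slash included, and every endpoint must be https), and renders the result in the override form shown above. The discovery document and tenant name are constructed placeholders.

```python
# Added example (not Ember Monitor or Spring code): resolve the provider
# endpoints from an OpenID discovery document the way the automatic discovery
# described above does, with an issuer check and an https check on each endpoint.
import json
from urllib.parse import urlsplit
from urllib.request import urlopen

# Discovery document field -> spring.security.oauth2.client.provider.<name> property
DISCOVERY_TO_PROPERTY = {
    "authorization_endpoint": "authorization-uri",
    "token_endpoint": "token-uri",
    "userinfo_endpoint": "user-info-uri",
    "jwks_uri": "jwk-set-uri",
}

def discovery_url(issuer_uri):
    """Well-known URL for an issuer; avoids a doubled slash when the issuer ends with '/'."""
    return issuer_uri.rstrip("/") + "/.well-known/openid-configuration"

def fetch_discovery(issuer_uri, timeout=5):
    """Live fetch of the discovery document (not used by the offline demo below)."""
    if urlsplit(issuer_uri).scheme != "https":
        raise ValueError("issuer-uri must be https")
    with urlopen(discovery_url(issuer_uri), timeout=timeout) as resp:
        return json.load(resp)

def provider_overrides(issuer_uri, discovery):
    """Map a discovery document onto the provider properties.

    Raises ValueError if the document's issuer differs from the configured
    issuer-uri, if an endpoint is missing, or if an endpoint is not https.
    """
    if discovery.get("issuer") != issuer_uri:
        raise ValueError(f"issuer mismatch: configured {issuer_uri!r}, "
                         f"document says {discovery.get('issuer')!r}")
    overrides = {}
    for field, prop in DISCOVERY_TO_PROPERTY.items():
        url = discovery.get(field)
        if not url:
            raise ValueError(f"discovery document has no {field}")
        if urlsplit(url).scheme != "https":
            raise ValueError(f"{field} is not https: {url}")
        overrides[prop] = url
    return overrides

def overrides_as_yaml(provider_name, overrides):
    """Render the overrides in the shape of the manual override block above."""
    lines = ["spring:", "  security:", "    oauth2:", "      client:",
             "        provider:", f"          {provider_name}:"]
    lines += [f"            {prop}: {url}" for prop, url in overrides.items()]
    return "\n".join(lines)

# Constructed discovery document (placeholder tenant, not a real provider).
SAMPLE_ISSUER = "https://example-tenant.auth0.com/"
SAMPLE_DISCOVERY = {
    "issuer": "https://example-tenant.auth0.com/",
    "authorization_endpoint": "https://example-tenant.auth0.com/authorize",
    "token_endpoint": "https://example-tenant.auth0.com/oauth/token",
    "userinfo_endpoint": "https://example-tenant.auth0.com/userinfo",
    "jwks_uri": "https://example-tenant.auth0.com/.well-known/jwks.json",
}

if __name__ == "__main__":
    print(overrides_as_yaml("auth0", provider_overrides(SAMPLE_ISSUER, SAMPLE_DISCOVERY)))
```

The issuer comparison is deliberately an exact string match: an issuer-uri written without the trailing slash that the provider actually issues (as in the Auth0 example below) is rejected rather than silently accepted.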
Auth0 OAuth
Here is a minimal settings example for Auth0:
spring:
  security:
    oauth2:
      client:
        registration:
          auth0:
            client-id: XxObbM1ttgb5MpS48l7upTV5L8BlX4X7yN
            client-secret: <client-secret> # located at the settings tab of your client app
            scope: openid, profile, offline_access
            authorization-grant-type: authorization_code
        provider:
          auth0:
            issuer-uri: https://cryptocortex.auth0.com/
security:
  oauth2:
    provider:
      name: auth0
      audience: XxObbM1ttgb5MpS48l7upTV5L8BlX4X7yN
      validateIssuer: true
      userInfo:
        enable: true
        userNameKey: name
A few notes for Auth0:
- Make sure you specify audience; the client-id is the same as the resource id.
KeyCloak OAuth
Here is a minimal settings example for Keycloak:
spring:
  security:
    oauth2:
      client:
        registration:
          keycloak:
            client-id: ember_monitor
            client-secret: <client-secret> # for keycloak version <20 there should be set `Access Type: confidential` to enable client secret
                                           # for versions >=20 set `Client authentication: ON` on settings tab
                                           # client secret is located in credentials tab in your client page
            scope: openid, email, profile, roles, offline_access
            authorization-grant-type: authorization_code
        provider:
          keycloak:
            issuer-uri: https://host:1111/auth/realms/myrealm
security:
  oauth2:
    provider:
      name: keycloak
      usernameClaim: preferred_username
      validateIssuer: false
Azure AD (Entra ID) OAuth
Here is a minimal settings example for Azure AD (Entra ID):
spring:
  security:
    oauth2:
      client:
        registration:
          azure:
            client-id: b1af1d9c-e2b9-4fa5-a66a-7df098653078
            client-secret: <client-secret> # see section 3.2 in Application registration below
            scope: openid, profile, offline_access, api://8f5a9e26-de50-4d00-aa21-653c29b17624/app
            authorization-grant-type: authorization_code
        provider:
          azure:
            issuer-uri: https://login.microsoftonline.com/b41b72d0-4e9f-4c26-8a69-f949f367c92d/v2.0
security:
  oauth2:
    provider:
      name: azure
      usernameClaim: upn
      validateIssuer: true
Azure AD (Entra ID) application registration
Follow these steps to create and configure an application in Azure AD (Entra ID):
1. Open Azure Portal.
2. Find the App registrations service.
3. Choose New registration:
   3.1. Register a new application with a Name (e.g. EMBER_MONITOR). Set up the redirect URI: choose the Web application type and set the URI to the value of the redirect-uri parameter in application.yaml.
   3.2. Navigate to Certificates & secrets for the created application and create a new client secret. We suggest saving it, because you will not be able to view it after it is created!
   3.3. Navigate to Expose an API for the created application and add an Application ID URI.
   3.4. Add a new scope on the same page (e.g., with the name app and display name app and any description) and set Who can consent? to Admins and users. The scope must be in the Enabled state.
   3.5. Go to Manifest, find the app section in the JSON file and set the value of requestedAccessTokenVersion to 2.
   3.6. To assign roles to users, follow this guide. In short:
      3.6.1. Navigate to App roles and create a new role (e.g. HALT_RESUME_TRADING) and assign it to the Users/Groups member types.
      3.6.2. Go to Enterprise apps and find your application.
      3.6.3. Select the Users and groups tab and click the Add user/group button.
      3.6.4. Select a user and assign the role created in p. 3.6.1 to this user.
4. Return to App registrations and use New registration again:
   4.1. Create the second application with a Name (e.g. EMBER_MONITOR_APP) and a Redirect URI for the SPA.
   4.2. Navigate to the Authentication page for the created application and add new Redirect URIs if you need them. An example Redirect URI list for a localhost setup:
      http://localhost:8988/assets/sign-in.html
      http://localhost:8988/assets/silent-auth.html
   4.3. Navigate to API permissions and click Add a permission. Then select the My APIs tab and select the application from p. 3.1 (EMBER_MONITOR). Find the scope created in p. 3.4 (app), choose it and click Add permission.
5. Navigate to Overview and select the Endpoints tab. The endpoints from this tab will be used to configure Ember Monitor with Azure AD.
AWS Cognito OAuth
Here is a minimal settings example for Amazon Cognito:
spring:
  security:
    oauth2:
      client:
        registration:
          cognito:
            client-id: 6imeu3v09bvri6o4uenka9dv9b
            client-secret: <client-secret> # located at `App client information` tab for your client in Amazon
            scope: openid, profile, <optional custom scopes>
            authorization-grant-type: authorization_code
        provider:
          cognito:
            issuer-uri: https://cognito-idp.us-east-2.amazonaws.com/us-east-2_b45Ex9azg
security:
  oauth2:
    provider:
      name: cognito
      audience: 6imeu3v09bvri6o4uenka9dv9b
      usernameClaim: username
      validateIssuer: true
For Cognito, the issuer-uri has the following format:
https://cognito-idp.{region}.amazonaws.com/{userPoolId}
For example, suppose you created a user pool in the us-east-2 region and its user pool ID is us-east-2_b45Ex9azg. In that case, the ID token issued for users of your user pool has the following iss claim value:
https://cognito-idp.us-east-2.amazonaws.com/us-east-2_b45Ex9azg
Make sure to edit app client settings in the Cognito console.
You need to enter two URLs for Callback URLs (/assets/sign-in.html and /assets/silent-auth.html) and one URL for Sign Out URLs (/assets/sign-in.html). These two sub paths are hardcoded in the frontend.
In our case, they are (case-sensitive):
- Callback URL(s): https://ember.deltixuat.com/assets/sign-in.html, https://ember.deltixuat.com/assets/silent-auth.html
- Sign out URL(s): https://ember.deltixuat.com/assets/sign-in.html
Setting up Authorization
Ember Monitor uses the QuantServer 4.3 User Access Control (UAC) approach shared with TimeBase.
There are three options to define user permissions:
- User database is kept in a simple configuration file.
- User database is kept in LDAP (or ActiveDirectory).
- User roles are configured on OAuth2 authentication provider.
Please read the QuantServer UAC Configuration Guide for more information about the first two options.
The following steps briefly describe how to configure it:
Create two files under Ember’s home directory:
Make sure to add these settings to application.yaml:
security:
  oauth2:
    authenticationType: SIMPLE # valid options: NONE, SIMPLE, LDAP, PROVIDER
Reload Interval
To set up authentication reload interval, use the following:
security:
  oauth2:
    authenticationReloadInterval: 1I
This property makes Ember Monitor reload the authentication configuration file at the given interval, so you can change user permissions and groups without restarting the application.
Examples of different time intervals:
- 1D: 1 day
- 2H: 2 hours
- 3I: 3 minutes
- 10S: 10 seconds
For the third option (roles delivered by the OAuth2 provider in the JWT), follow these steps:
- Create OAuth2 provider roles whose names match the Ember Monitor permissions:
  HALT_RESUME_TRADING, CHANGE_RISK_LIMITS, ORDER_ENTRY, POSITION_ADJUSTMENT,
  ORDER_CANCEL, ENABLE_DISABLE_SERVICE, CONTROL_FIX_SESSION, CHANGE_INSTRUMENT_PRICES.
  Grant the necessary roles to the Ember users.
- Set authenticationType to PROVIDER in application.yaml:
security:
  oauth2:
    authenticationType: PROVIDER # valid options: NONE, SIMPLE, LDAP, PROVIDER
- In application.yaml, add the authoritiesClaim attribute to the OAuth2 provider configuration. Its value must be the '.'-separated path to the roles in the JWT issued by this provider. For instance, for the Keycloak provider the JWT authorization configuration would look like this:
security:
  oauth2:
    authenticationType: PROVIDER
    provider:
      name: keycloak
      usernameClaim: preferred_username
      validateIssuer: false
      authoritiesClaim: realm_access.roles
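The settings above (validateIssuer, audience, usernameClaim, authoritiesClaim) all act on the claims of the provider's JWT, and the Cognito section earlier on this page fixes the iss format that validateIssuer compares against. The script below is an added example, not Ember Monitor's implementation: it takes a claims dictionary standing for a token whose signature has already been verified against the provider's JWK set (nothing here decodes or verifies a token), applies those settings in order, resolves the '.'-separated authoritiesClaim path, and keeps only role names that are Ember Monitor permissions. The token payloads and hostnames are constructed; treating Cognito's cognito:groups claim as the authoritiesClaim is an assumption for the example, not a documented setting.

```python
# Added example (not Ember Monitor code): how the security.oauth2.provider
# settings combine when authenticationType is PROVIDER. `claims` is the payload
# of a JWT whose signature has ALREADY been verified; no token parsing here.
EMBER_PERMISSIONS = frozenset({
    "HALT_RESUME_TRADING", "CHANGE_RISK_LIMITS", "ORDER_ENTRY", "POSITION_ADJUSTMENT",
    "ORDER_CANCEL", "ENABLE_DISABLE_SERVICE", "CONTROL_FIX_SESSION", "CHANGE_INSTRUMENT_PRICES",
})

def resolve_claim(claims, dotted):
    """Follow a '.'-separated path (e.g. realm_access.roles) into the claims; None if absent."""
    node = claims
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def cognito_issuer(region, user_pool_id):
    """Expected iss value for a Cognito user pool, in the format documented above."""
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"

def authorize(claims, settings):
    """Return (username, granted_permissions) or raise PermissionError.

    `settings` carries the security.oauth2.provider keys from this page plus the
    provider's issuer-uri (which lives under spring.security.oauth2.client.provider).
    """
    if settings.get("validateIssuer") and claims.get("iss") != settings["issuer-uri"]:
        raise PermissionError(f"iss {claims.get('iss')!r} != {settings['issuer-uri']!r}")
    if "audience" in settings:
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else aud  # aud may be a string or a list
        if settings["audience"] not in aud:
            raise PermissionError("token was not issued for this audience")
    username = resolve_claim(claims, settings["usernameClaim"])
    if not username:
        raise PermissionError(f"claim {settings['usernameClaim']!r} missing")
    roles = resolve_claim(claims, settings["authoritiesClaim"]) or []
    roles = [roles] if isinstance(roles, str) else roles
    # Role names that are not Ember Monitor permissions (e.g. Keycloak's
    # built-in offline_access) grant nothing and are dropped.
    return username, sorted(EMBER_PERMISSIONS.intersection(roles))

# Keycloak-shaped settings and token payload (constructed; placeholder host).
KEYCLOAK_SETTINGS = {
    "issuer-uri": "https://idp.example.test/auth/realms/myrealm",
    "usernameClaim": "preferred_username",
    "validateIssuer": False,
    "authoritiesClaim": "realm_access.roles",
}
KEYCLOAK_CLAIMS = {
    "iss": "https://idp.example.test/auth/realms/myrealm",
    "preferred_username": "alice",
    "realm_access": {"roles": ["offline_access", "ORDER_ENTRY", "HALT_RESUME_TRADING"]},
}

# Cognito-shaped settings and token payload (constructed; pool id and client id
# are placeholders, and using cognito:groups as authoritiesClaim is an assumption).
COGNITO_SETTINGS = {
    "issuer-uri": cognito_issuer("us-east-2", "us-east-2_EXAMPLEPOOL"),
    "audience": "exampleclientid",
    "usernameClaim": "username",
    "validateIssuer": True,
    "authoritiesClaim": "cognito:groups",
}
COGNITO_CLAIMS = {
    "iss": cognito_issuer("us-east-1", "us-east-2_EXAMPLEPOOL"),  # wrong region: must be rejected
    "aud": "exampleclientid",
    "username": "bob",
    "cognito:groups": ["ORDER_CANCEL"],
}

if __name__ == "__main__":
    print(authorize(KEYCLOAK_CLAIMS, KEYCLOAK_SETTINGS))
    try:
        authorize(COGNITO_CLAIMS, COGNITO_SETTINGS)
    except PermissionError as exc:
        print("rejected:", exc)
```

The order matters: issuer and audience are checked before any claim is trusted for identity or roles, so a token from a pool in another region (or minted for a different client) is refused even if its username and groups look right.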