iObeya Administration Guide

Configuring Your iObeya Platform¶

Warning

If you install iObeya for the first time, we advise you to carefully follow the different steps of this section.

This chapter explains how to configure your iObeya platform from the administration interface.

As a platform administrator you will learn how to:

Define and modify the iObeya license on your iObeya platform.
Configure an iObeya authentication policy.
Configure the iObeya password security (only for the iObeya internal user management).
Configure an iObeya email feature and notifications.
Configure the frequency of iObeya platform jobs (scheduled tasks).
Configure internal and custom add-ons.

Configuring Your License¶

Note

Required permissions: Platform (Can use + Administrate).
Required: iObeya license key provided by iObeya Support.

Changing/Saving the License¶

If you have purchased a new license, or if you are installing iObeya for the first time, you will need to provide information to iObeya Support which will generate a compatible License:

Installing the License for the First Time¶

After the deployment of the iObeya application on your server:

Go to the iObeya administration interface on that server.

The platform Administrator is automatically redirected to the license page.
Note the Server ID and send it by email to our Support team (support@iobeya.com).

You will then rapidly receive your new version 4.0 compatible license.
Copy and paste the license key text from the text editor into the license text zone on the license page.
Select Save.

The license becomes active immediately.

Updating the License¶

After purchasing a new license, or renewing an existing license:

Go to iObeya administration interface.
Select License in the left-hand side menu.
Select Edit license.
Open the new license file in a text editor.
Copy the new license content, then paste it into the license text zone.
Select Save changes.

The new or existing license becomes active immediately.

Note

After updating your license, check the details table to see the new license parameters.

Checking Information Concerning the License¶

Subject:

License name or License owner name.

Issued:

Creation date of the license.

Not before:

License validity start date. You cannot activate the license before this date.

Not after:

License validity end date. You cannot use the iObeya platform after this date. To continue using iObeya, a new license has to be provided.

SupportDate:

Support end date for the active license. You cannot upgrade the iObeya platform to newer versions and no support will be provided after this date. To upgrade iObeya and get support, a new license has to be provided.

RunningTimeout:

Number of hours of use authorized by a Developer license.

ServerIdRestriction:

Display the server ID that is compatible with the active license.

LicenseType:

0: On-premise commercial license
1: Demonstration license with a limited validity period
2: Developer license with a limited number of hours of use
3: Cloud commercial license

Configuring Authentication¶

As of iObeya version 3.6, authentication configuration has been integrated into the administration interface of iObeya. It is now possible to configure and change your authentication configuration without restarting your server.

By default, only local users can connect to the application using form authentication. This is the default authentication protocol. If you wish to change this policy, or if you are already using another policy in a previous version of iObeya, the platform administrator needs to configure another authentication policy.

Creating a New Authentication Policy¶

A local platform administrator can create a new authentication policy by following these steps:

Select Authentication policy in the left-hand side menu (SETTINGS section) of the administration interface.
Select Add authentication policy.
Set a name for the new authentication protocol, then validate.

A new authentication policy has been created. This policy is empty and not enabled for the moment.

Adding and Configuring an Authentication Mechanism¶

Standard Authentication¶

Every parameter is explained in more detail in the Advanced authentication section below. However, for customers wishing to implement standard authentication with LDAP or Local users with the same login page as usual, follow the procedure below:

In the administration interface of iObeya, go to SETTINGS ‣ Authentication Policies.
Create a new policy by clicking on the corresponding button and save.

You are redirected to the parameters of this policy.
Select New Mechanism, then:
1. Add Form credentials mechanism.
2. Add Local Users authentication mechanism.
3. Add LDAP authentication mechanism.
Configure your LDAP.

Do not forget to add directory.name= + the name you defined above.

Once you have finished configuring, you must enable this authentication policy.

Advanced Authentication¶

iObeya provides several mechanisms for authentication. Choose your authentication mechanism by selecting an authentication mechanism parameter in the list of configurations.

Form: The form authentication mechanism is the standard mechanism for entering credentials (login and password). With this mechanism, the application asks the user for their username and password and provides them to the web server or enterprise directory. This mechanism must be used with a credentials validation mechanism (such as local users or LDAP users).

Basic

With a basic authentication mechanism, the browser provides the username and password to the web server or enterprise directory. This mechanism must be used with a credentials validation mechanism (such as local users or LDAP users).

Warning

There is no timeout for auto logoff or manual logoff with this authentication method.

Header

With a header authentication mechanism, the application retrieves the username from a request header. This mechanism is provided by some SSO systems. You have to make sure that your system and your iObeya users are synchronized. This mechanism does not require another mechanism for it to function.

For security reason, with this method, make sure that users cannot inject the header that defines the user in header requests.

Warning

There is no timeout for auto logoff or manual logoff with this authentication method.

Container

With a container authentication mechanism, the application server provides security mechanisms to authenticate users. You have to make sure that iObeya users and application server users are synchronized. This mechanism does not require another mechanism to function.

Warning

There is no timeout for auto logoff or manual logoff with this authentication method.

SAMLv2

iObeya also provides a mean to authenticate users (but not to authorize them) with the SAMLv2 protocol. For the SAMLv2 authentication to occur, the users returned by the SAMLv2 IdP should exist in the iObeya database.

There are 2 ways to do this, you can:

synchronize with LDAP server used by the IdP (with the LDAP add-on)
or activate the provisioning on login in the SAML configuration.

To activate the provisioning on login in the SAML configuration:

From the admistrator platform homepage, click SETTINGS ‣ Authentification policies.
Click Configure on a policy.
Click Edit information on an authentification mechanism.
From the Authentification attributes section, click Allow account creation.
Fill in:
- IdP Username Attribute Name,
- IdP Lastname Attribute Name.

Note

If you use both LDAP synchronization and provisioning on login: make sure all users created by provisioning on login exist in your LDAP directory.

As of version 3.6 of iObeya, SAMLv2 is automatically installed with iObeya as an add-on. This is disabled by default and needs to be enabled by the platform administrator in the ADD-ONS section.

Warning

As for now, there can only be one active SAML authentication mechanism per authentication policy.
- The iObeya API cannot work if you do not configure at least a Form or a Basic authentication mechanism.

Local user

This mechanism is the standard way to validate credentials, using local password management. This mechanism must be used with a mechanism for credentials prompt (such as form or basic authentication).

LDAP

This mechanism validates credentials against an LDAP directory. This mechanism must be used with a mechanism for credentials prompt (such as form or basic authentication).

As of version 3.6 of iObeya, enterprise directory is automatically installed with iObeya as an add-on. This add-on is disabled by default and needs to be enabled by the platform administrator in the ADD-ONS section.

Note

As of version 3.6 of iObeya, you can use several compatible authentication methods in the same policy, and allow dual authentication.

It allows you, for example, to configure SAMLv2 authentication with a local user form authentication.

Configuring a Form Authentication Mechanism¶

Add the form authentication mechanism to the authentication policy.
Set a name.
Specify the time of inactivity in ms before client disconnection.
Select Create mechanism.

Configuring a Basic Authentication Mechanism¶

Warning

There is no timeout for auto logoff or manual logoff with this authentication method.

Add the basic authentication mechanism to the authentication policy.
Set a name.
Set the real name attribute.
Optionally, uncheck Protect application.

This option is mandatory for Microsoft Edge.
Select Create mechanism.

Configuring a Header Authentication Mechanism¶

Warning

There is no timeout for auto logoff or manual logoff with this authentication method.

Add the header authentication method to the authentication policy.
Set a name.
Set the header to use.
Optionally, set the specific change and forgot password URLs.

Configuring a Container Authentication Mechanism¶

Warning

There is no timeout for auto logoff or manual logoff with this authentication method.

Add the container authentication mechanism to the authentication policy.
Set a name.
Optionally, set the specific change and forgot password URLs.

Configuring a SAMLv2 Authentication Mechanism¶

Ensure the SAMLv2 add-on is enabled.
1. Access the ADD-ONS section.
2. Verify that the SAMLv2 add-on has an ENABLED status, not INSTALLED.
  
  If the status is INSTALLED, enable the add-on by clicking on Enable.
Access the configuration interface of the authentication policy.
Add the SAMLv2 authentication mechanism to the authentication policy.
Set a name that will appear on the login page.
Customize the look of the login page by setting a text color and an icon to illustrate your SAMLv2 provider.

It will be useful to customize the login page when using dual authentication with SAMLv2 and form mechanisms.
Configure the metadata.
1. Upload metadata file, or set the paths/URL, to access the file of the Identity Provider.
2. If this already exists, upload the iObeya metadata file.
  
  Generate it if it is the first time configuring SAMLv2 authentication in iObeya.
Configure the Key management section.
Configure the Authentication attributes section.
Optionally, customize the SAMLv2 authentication mechanism in the Additional settings section.

Here is the description of each parameter and their possible values

Metadata¶

Metadata for the identity provider

To authenticate users with SAMLv2, iObeya needs to know the Identity Provider it should use and the features it supports. This information is provided in the IdP metadata.

Values

Upload the IdP metadata file or set an URI limited to:

http://

file:///

Metadata for iObeya (SP)

iObeya metadata.

Values: Upload the iObeya metadata file, or generate it.

Entity ID of iObeya

The entity ID of iObeya to be used for iObeya metadata generation, or to retrieve data from uploaded metadata.

Values

For metadata generation, default value is the URL where iObeya metadata will be available, that is <SERVER_URL>/saml/metadata.

For uploaded metadata, this can be empty or undefined, if there is only one entity ID in the metadata file.

Keystore¶

Keystore file

Keystore file containing the necessary keys.

Values

The keystore should be generated with Keytool which is part of the Java standard distribution.

Note

Use a Keytool version compatible with the JDK version used to deploy iObeya.

See Technical requirements to know which JDK version you are using.

Here are examples of key generation and certificate extraction. Example usages of keytool:

Generate key mycompany.com in keystore keystore.jks

keytool -genkey -keystore keystore.jks -alias mycompany.com -keyalg
RSA -sigalg SHA256withRSA -keysize 2048 -validity 1095

Note

validity = period before expiration in days

Extract X509 certificate from key mycompany.com in keystore keystore.jks

keytool -export -keystore  keystore.jks -alias mycompany.com -file mycompany.com.cert –rfc

Possibly reimport certificate signed by certification authority (should use the same alias as private key)
```
keytool -import -keystore keystore.jks -alias mycompany.com -file mycompany.com.signed.cert
```

Password of the keystore

Password of the keystore itself.

Values: Any string

Passwords for the keys in the keystore

Passwords for the keys in the keystore.

Values

JSon formatted object, where keys are the key names and values are passwords as strings.

Example:

{"mycompany.com":"iobeya123",
 "signing.mycompany.com":"iobeya456"}

Name of the default key

Name of the default key to use when a specific key has not been defined for a particular task (signing, encryption, tls/ssl). Private and public keys must be present in the keystore at keystorePath.

Values: The name of a key present in the keystore.

Authentication Attributes¶

idpAuthAttributeName

The name of the attribute that is returned by the Identity Provider to be used as an identifier to authenticate the user in iObeya. It will be mapped to the iobeyaAuthAttributeName property.

Values: Any string.

Name of iObeya user authentication attribute

Name of iObeya user attributes that should match the value of the attributes whose name is idpAuthAttributeName.

Values

email

Username

Allow account creation

If necessary, create an iObeya account when a user connects via SAML.

Values: Boolean

Additional Settings¶

Logout method

Allows the choice of the logout action in iObeya.

Values

Local: When a user logs out from iObeya, she stays connected to the IdP, but is disconnected from iObeya.
Global: When a user logs out from iObeya, the IdP will be asked to perform a single logout (IdP tries to contact all connected SPs to disconnect them).
Custom: When a user logs out from iObeya, she is redirected to a custom URL, for example, the logout URL of the IdP.

Security profile

Security profile for verification of message signatures.

Values

metaiop

SAMLv2 Metadata Interoperability Profile.

Uses cryptographic data from the metadata document of the entity in question. No checks for validity or revocation of certificates is done in this mode. All keys must be known in advance.

pkix

Signatures are deemed as trusted when credentials can be verified using PKIX with trusted keys of the peer configured as trusted anchors.

SSL security profile

Security profile for verification of SSL/TLS endpoint trust.

Values

Same as sslSecurity:

metaiop
pkix

SSL Hostname Verification

Hostname verifier to use for verification of SSL connections

Values

default: org.apache.commons.ssl.HostnameVerifier.DEFAULT
defaultAndLocalhost: org.apache.commons.ssl.HostnameVerifier.DEFAULT_AND_LOCALHOST
strict: org.apache.commons.ssl.HostnameVerifier.STRICT
allowAll: org.apache.commons.ssl.HostnameVerifier.ALLOW_ALL, does not perform any validation.

Signing Algorithm

URI identifying the algorithm variant to use for signing. This will only be taken into account to select the hash function (sha256, sha512, …), given that the algorithm is already specified by the signing key (attributes defaultKey/signingKey ).

Values

The valid URIs are the OpenSAML supported subset of those in:

XML Signature

RFC 6931#section-2.3

Typical values

sha256

sha512

sha384

Digest Method for signature reference

URI identifying the digest algorithm to be applied to the signed object.

Values

The valid URIs are the OpenSAML supported subset of those in:

XML Signature 1.1

RFC 6931#section-2.3

Typical values

sha256

sha512

sha384

Signing Key

Name of the key to use for signing.

Private and public keys must be present in the keystore at keystorePath.

Values: The name of a key present in the keystore.

Encryption key

Name of the key to use for encrypting.

Private and public keys must be present in the keystore at keystorePath.

Values: The name of a key present in the keystore.

TLS Key

Alias of private key used for SSL/TLS client authentication.

No client authentication is used when value is not specified.

Private and public keys must be present in the keystore at keystorePath.

Values: The name of a key present in the keystore.

Trusted keys

Keys included as trusted anchors during PKIX evaluation. Keys are only used with PKIX security profile.

Values: Comma separated list of key names from the keystore (@keystorePath).

Max authentication age

Maximum time of the authentication token. User needs to authenticate if this time is spent since the last connection.

Values: Time in seconds the IdP configuration can override this configuration.

Scoping inclusion

When true, include scoping (should be false when using Microsoft ADFS or Azure AD as IdP).

Values: boolean

Enable SAML 2.0 ECP profile

Enables support for the SAML 2.0 ECP profile.

Values: boolean

Support for unsolicited response

Enables support for unsolicited responses (IdP-Initialized SSO).

Values: boolean

Metadata signature

When true, sign metadata (using XML Signature using certificate corresponding to signingKey).

Values: boolean

Requirement of signature for logout requests

When true, only accept signed logout requests from IdP.

Values: boolean

Sign logout requests sent to IdP

When true, sign logout requests sent to IdP.

Values: boolean

Requirement of signature for logout responses

When true, require from IdP to sign logout responses.

Values: boolean

Signature of logout responser

When true, sign logout responses sent to IdP.

Values: boolean

Warning

When updating from version 3.4.4 or below, to version 3.5 or above, default values for signing algorithm and signature reference digest methods have been updated from SHA-1 to SHA-256 due to security concerns. In case of incompatibility, we suggest updating IdP hash methods, but it is still possible to set values explicitly to SHA-1 (http://www.w3.org/2000/09/xmldsig#rsa-sha1) in attributes signingAlgorithm and signatureReferenceDigestMethod.

Troubleshooting¶

In the case of configuration problems, it can be helpful to activate the debug logs related to SAMLv2 in the log4j configuration file.

<logger name="org.opensaml">
 <level value="DEBUG"/>
</logger>
<logger name="org.springframework.security.saml">
 <level value="DEBUG"/> </logger>
 <logger name="com.iobeya.security.web.authentication.saml"> <level value="DEBUG"/>
</logger>

<root>
...
 <appender-ref ref="debugfile"/> </root>
</root>

Adding and Configuring Local User Authentication Mechanism to the Policy¶

After choosing between form or basic authentication methods (supported method for local user authentication):

Add a new mechanism to your authentication policy by clicking on Add new authentication mechanism.
Select Local user authentication mechanism.
Configure options to let iObeya manage, or not, the change password and forgot password behavior for local users.

Adding and Configuring External User Authentication Mechanism to the Policy¶

After choosing between form or basic authentication methods (supported method for external user authentication), platform administrators need to:

Configure the connection between iObeya and the external user directory.

This will allow platform administrators to validate their configuration and add users or groups from the enterprise directory to iObeya, and activate the synchronization mechanism between iObeya and the external directory.
Add and configure your authentication policy to allow users to authenticate to iObeya using the configured directory.

Configuring Your Enterprise Directory Access¶

The administration interface includes an enterprise directory configuration page, providing information on how the add-on is configured. This page is useful for checking the add-on configuration directly from the administration interface, as well as for finding potential causes for login issues.

Ensure the enterprise directory add-on is enabled.
1. Access the ADD-ONS page.
2. Verify that the enterprise directory add-on has an ENABLED status, not INSTALLED.
  
  If the status is INSTALLED, enable the enterprise directory by clicking on INSTALLED.
Edit the enterprise directory configuration.
1. Access the directory configuration page in the SETTINGS section.
2. Click Edit configuration and set parameters.
  
  Parameters are listed at the end of this section.
3. Click Save configuration.
4. If necessary, check the configuration using the diagnostics, by clicking on Show details at the top of the page to display more information.

Note

The diagnostics consists of a list of error or warning messages that might have an impact on the correct functioning of the enterprise directory add-on.

The diagnostics test that:

The host is reachable.
The port is open.
The Base DN is found.
The different defined attributes exist.

Review these diagnostics if you have any issue in querying your enterprise directory, in order to identify the root causes.

When the configuration is correctly set:

There are 2 new entries in the USERS & GROUPS section that allow platform administrators to request users and groups directly in the directory, and add them to iObeya.
Synchronization between directory and iObeya is enabled. External users and groups are automatically synchronized in iObeya by the SynchronizationDirectory job.
Platform administrators can create an authentication policy using this external configuration (directory.name is mandatory to identify this configuration).

Here is the description of each parameter and its possible values.

directory.name

Name of the directory. Mandatory to identify this parameter when a platform administrator configures an external user authentication mechanism.

directory.synchronization.enabled

This parameter is a boolean. This parameter must be set to true. It enables the synchronization between iObeya and the enterprise directory.

Value: True or False.

directory.remote.admin

Remote administrator username. This user will be created as a local user with platform administration permissions.

Value: The value is the username in LDAP or Active Directory of the iObeya platform administrator, e.g.: ADMINISTRATOR=vhugo.

directory.url

URL of the directory. The url scheme defines the type of directory (ldap/files…). Supported schemes are: ldap://, ldaps:// and file://. File format can be TXT or LDIF.

Value: The value can be an IP address, or an address name e.g.: directory.url=ldap://192.168.25.87:389

directory.file.format

The file formats supported are CSV or LDIF. These parameters are used only if directory.url is a file. Additional parameters directory.file.quote and directory.file.delimi ter can be defined if the format selected is CSV.

Value: directory.file.format = CSV.

directory.file.quote

Define the string delimiter.

Value: Default value is ‘’.

directory.file.delimiter

Define the field delimiter.

Value: Default value is ‘t.

directory.disable.authentication

This parameter is a boolean. Set this parameter to true if you do not want to authenticate the user against the directory

Value: True or False.

ldap.referral

Based on javax.naming.Context. REFERRAL values. Define how to handle referral (links).

Value: Ignore, Follow, Throw.

ldap.connect.timeout

Timeout for connect (optional).

Value: The value is a time in ms.

ldap.read.timeout

Timeout for read (optional).

Value: The value is a time in ms.

ldap.page.use

Needed on some servers to handle a large number of users.

Value: True or False.

ldap.page.size

Size of a page for paged result.

Value: By default =1000.

ldap.range.use

Mandatory for Active Directory (only) with large groups.

Value: True or False.

ldap.range.size

Size of attribute set for range request.

Value: By default =1000.

ldap.bind.username

Define the default user to connect to the LDAP server. Leave blank if anonymous.

Value: The username to connect, or blank if the connection is anonymous, e.g.: ldap.bind.username=gdmaupassant.

ldap.bind.credential

Define the password of the user to connect to the LDAP server. Leave blank if anonymous.

Value: The password of the user to connect, or blank, e.g.: LDAP_PASSWORD=belami

ldap.schema.base.dn

Define the base domain name of the LDAP server.

Value: List of key=value separated by comma to define the base domain name, e.g.: ldap.schema.base.dn=dc=mycompany,dc=com.

ldap.schema.user.base.dn

Define the base domain name for users.

Value: List of key=value separated by comma to define the base domain name, e.g.: ldap.schema.user.base.dn=dc=mycompany,dc=com.

ldap.schema.group.base.dn

Define the base domain name for groups.

Value: List of key=value separated by comma to define the base domain name, e.g.: ldap.schema.group.base.dn=dc=mycompany,dc=com.

directory.schema.objectclass.attribute

Define the object class attribute in the LDAP server.

Value: The name of the attribute, e.g.: directory.schema.obje ctclass.attribute=objectclass.

directory.schema.user.objectclass

Define the object class value to define a person in the LDAP server.

Value: The name of the attribute, e.g.: directory.schema.user .objectclass=person.

directory.schema.user.id.attr

Define the object class value that represents a user id in the LDAP server.

Value: The name of the attribute, e.g.: directory.schema.user.id.attr=uid.

directory.schema.user.group.def.by.uid

Determine if the LDAP groups should be identified by their uid.

Value: True or false, e.g.: directory.schema.user.group.def.by.uid=true.

directory.schema.user.group.def.attr

Define the object class value that represent a group member id in the LDAP server.

Value: The name of the attribute, e.g.: directory.schema.user .group.def.attr=memberUid.

directory.schema.user.firstname.attr

Define the user first name attribute.

Value: The name of the attribute, e.g.: directory.schema.user .firstname.attr=givenName.

directory.schema.user.lastname.attr

Define the user last name attribute.

Value: The name of the attribute, e.g.: directory.schema.user .lastname.attr=sn.

directory.schema.user.mail.attr

Define the user email attribute.

Value: The name of the attribute, e.g.: directory.schema.user.mail.attr=mail.

directory.schema.user.service.attr

Define the user service attribute.

Value: The name of the attribute, e.g.: directory.schema.user .service.attr=service .

directory.schema.user.site.attr

Define the user site attribute.

Value: The name of the attribute, e.g.: directory.schema.user .site.attr=location.

directory.schema.user.language.attr

Define the user language attribute.

Value: The name of the attribute, e.g.: directory.schema.user .language.attr=language.

directory.schema.user.country.attr

Define the user country attribute.

Value: The name of the attribute, e.g.: directory.schema.user .country.attr=country .

directory.schema.group.objectclass

Define the object class value to define a group in the LDAP server.

Value: The name of the attribute, e.g.: directory.schema.grou p.objectclass=posixGroup.

directory.schema.group.name.attr

Define the object class value that represents a group name in the LDAP server.

Value: The name of the attribute, e.g.: directory.schema.group.name.attr=cn.

directory.schema.default.group

Define a group name where users imported from the directory are added. This directory is created automatically if it does not exist.

Value: The name of a group in iObeya, e.g.: iobeya-users.

directory.search.user.field.attr

Define a list of the user searchable criteria in the administration interface.

Value: The ordered list of class separated by comma, e.g.: directory.search.user.field.attr=uid,givenName,sn.

directory.search.user.field.lbl

Define the labels corresponding to the user searchable criteria.

Value: The list of labels separated by comma, e.g.: directory.search.user .field.lbl=Login,First Name,Last Name.

directory.search.user.max

Define the maximum number of search results of users.

Value: e.g.: directory.search.user.max=100.

directory.search.group.max

Define the maximum number of search results of groups.

Value: e.g.: directory.search.group.max=100.

directory.batch.size.default

Define the size by default of a batch.

Value: By default =100.

directory.batch.size.user.in.group

Number of users to add to a group during a single transaction.

Value: e.g.: directory.batch.size.user.in.group=100.

directory.batch.size.user.out.group

Number of users to remove from a group during a single transaction.

Value: e.g.: directory.batch.size.user.out.group=100

directory.batch.size.user.delete

Number of users to delete during a single transaction.

Value: e.g.: directory.batch.size.user.delete = 100.

directory.batch.size.user.update

Number of users to update during a single transaction.

Value: e.g.: directory.batch.size.user.update = 100.

directory.batch.size.group.delete

Number of groups to delete during a single transaction.

Value: e.g.: directory.batch.size.group.delete = 100.

directory.batch.size.group.update

Number of groups to update during a single transaction.

Value: e.g.: directory.batch.size.group.update = 100.

directory.allow.creation.from.remote

Allow the addition of users or groups to a room directly from the LDAP, without adding the users previously in iObeya.

Value: True or False.

directory.allow.creation.on.login

If necessary, create an iObeya account when a user connects via LDAP.

Value: True or False.

Adding and Configuring External User Access in an Authentication Policy¶

Access the configuration screen of the authentication policy.
Add a new mechanism to your authentication policy by clicking on Add new authentication mechanism.
Select LDAP authentication mechanism.
Select the LDAP directory name in the list specified during the configuration of LDAP access in the previous step.
Configure URLs of change and forgot password to allow external users to be redirected to the external forms of change and forgot password.

If empty, no links will be shown to users.
Select Save.

Allowing external user authentication¶

Prerequisite : to allow external user authentication you need to use an IdP.

Configure SAMLv2. See Configuring a SAMLv2 Authentication Mechanism.
Activate the provisioning on login. See Advanced Authentication ‣ SAMLv2.

Warning

This operation allows external users to create an iObeya account.

Combining Mechanisms¶

You can combine several mechanisms in the same policy. The order in which they are listed is important in the way multiple mechanisms interact, as this defines their priority (first mechanism has highest priority).

Tip

Platform administrators have the ability to configure several credentials validation mechanisms for the same authentication protocol. This allows local and external users to connect on the same platform
If a user is known by several authentication mechanisms, the first authentication mechanism referenced in the policy configuration is taken into account.
SAMLv2 can be mixed with form:
- If SAMLv2 is the first mechanism, then users are redirected to IdP for connection.
  
  To connect using form authentication in this case, user must disconnect, then form login is displayed. Otherwise login url can be used to force use of form login.
- If form is the first mechanism, then the form is always displayed if user is not connected. Then the user can choose to use IdP, or enter a credentials in the form.

Warning

Using multiple SAMLv2 IdPs is not supported. If you defined more than one IdP, only the first will be used.
Header and container mechanisms cannot be used with other mechanisms.

Note

SAMLv2 is only compatible with form authentication as an alternative credentials prompt mechanism. It does not work with header, container, or basic authentications.

Changing Your Authentication Policy¶

When a new authentication policy is configured correctly, the local platform administrator can change the current authentication policy to the new one.

Warning

If platform administrators have made errors in the policy configuration, it may be possible that you cannot login with an account after changing the authentication policy.

First, we advise the testing of the configuration in a pre-production environment.

Also, do not forget to copy the link shown during the change process.

This link is an encoded, protected link allowing platform administrators to restore the default local authentication policy. This link is written in the log file when a policy is activated (this might be a way to retrieve it if you forgot to note it).

Move the cursor over the new authentication policy, then select Edit information.
Select Enable.
Copy the link shown in the confirmation popup to restore the default local authentication policy, if there is an issue with the newly enabled policy.
Close the confirmation popup.

All users will be disconnected and redirected to the new authentication system.

Warning

Ensure you keep a local platform administrator account even if the selected authentication policy does not allow local access. If there is an issue with your authentication policy, the link provided disables the current authentication policy and enables the default authentication policy, allowing only local user authentication.

Downloading and Importing an Authentication Policy¶

To easily transfer policy configurations, platform administrators can download and upload authentication policies from the authentication policy page.

To download an authentication policy:

Move your cursor over an authentication policy.
Select Download that will create a .policy file.

To upload an authentication policy:

Select Upload policy.
Select an existing backup of an authentication policy.
Select Save.

Note

An imported authentication policy is always disabled by default, even if the policy was enabled when you downloaded it.

Tip

Downloading and importing the active policy is the recommended way to modify this policy.

Managing the Password Policy¶

This section allows platform administrators to configure the level of security of the password for local users of the platform. This option is for platforms where user management is not totally externalized, and allows the creation of local users.

Defining the Password Policy Option¶

Platform administrators can enable or disable this option:

If this option is disabled, the user can set their password without requirements.
If this option is enabled, the user must fulfill the requirements defined in the password policy to set their password.

If enabled, platform administrators can use the default password policy:

At least 8 characters.
At least one (1) number.
At least one (1) character in lowercase and one (1) character in uppercase.

The platform administrator can customize the password policy settings by selecting the Customized option and choosing the rules to apply for new passwords.

Defining the Forgot Password Section¶

This section allows platform administrators to define a specific message for users who have forgotten their password, to explain the procedure to follow to reset it when the mail server is not set correctly and/or the forgot password template is disabled.

When the user clicks on the Forgot password link, they will receive this message.

Configuring Email Notifications¶

Platform administrators can configure the iObeya platform to automatically send emails to users in different cases.

SMTP integration is used to send emails when:

A platform administrator creates a new local user.
A platform administrator resets the password of a user.
A user wants to change their password.
A user wants to retrieve their password.
A room administrator grants a user access to a room.

Warning

To work correctly, email feature needs to meet certain requirements:

The mail server must be configured correctly and accessible from the iObeya server.
The EmailTasks job must be scheduled (if not, scheduled emails will not be sent and will remain blocked in the email queue).
email templates (corresponding to the use case you require) must be enabled.

Defining the Mail Server in iObeya¶

Set the mail server parameters in iObeya:
1. Select email in the left-hand side menu (SETTINGS section) of the administration interface.
2. Select Parameters.
3. Define the parameters:
  
  Enabled
  
  Uncheck to disable server and stop using email.
  
  Name
  
  A user-friendly name for the configuration profile that you choose in order to identify it easily.
  
  SMTP Server
  
  The IP address or the hostname of the SMTP server.
  
  Cryptographic protocol used
  
  TLS or SSL.
  
  Port
  
  SMTP port of the mail server.
  
  From
  
  email address that sends the automatic emails.
  
  If an authentication is required
  
  Check the Check for authentication box, and complete the corresponding fields.
  
  Maximum number to send
  
  Maximum number of messages to send in one instance.
  1. Select Save.
Test the parameters to ensure that your email settings are set correctly.

See the procedure below this section.
Schedule the EmailTasks job in Jobs submenu of the SETTINGS section.

This job is paused when the mail server is not responding, or not configured correctly. See Configuring jobs.

Testing Email Settings¶

Select Test email.

A popup appears with each field populated automatically:

To

Default email address is the address of the current user.

Message type

HTML or Text.

Message

Parameters of the mail server.
Optionally, modify some fields and select Send email to check that the server is configured correctly.

The mail is sent directly.
Check the recipient’s Inbox to confirm that the email function is correctly configured.

Configuring Email Templates¶

The mail server must be configured correctly, the EmailTasks job must be enabled, and these templates must be enabled to be functional.

List of Email Templates¶

Forgot your password: email sent when a local user clicks on the Forgot password link on the iObeya login page, or when a platform administrator resets the password of a user. This email contains a link to reset the password.
Change your password: Confirmation email sent after resetting password.
New room access: email sent when a user is added to a room directly from the iObeya user interface by a room administrator.
First connection: email sent when a local user has been created on the platform. This email contains a link to set the password.
iObeya account room invitation: email sent when a room administrator send an invite to an email address that is already linked to an iObeya account.
New account room invitation: email sent when a room administrator send an invite to an email address that is not linked to any iObeya account.

Enabling/Disabling a Template¶

Check the boxes of the template(s) that require enabling/disabling.
Open the Actions menu.
Select Enable or Disable.

../_images/configuring-email-templates-update-1.png

Warning

Please note that deactivating certain templates may prevent associated functions from working properly.

Customizing a Template¶

To customize a template and/or its parameters, move the cursor over it and select Edit template:

Name: the name of the template can be changed.
Select a format: HTML or Text.
Select a language: English, French, German or Japanese.
Subject: define the email subject.

Then you can modify the content by filling in these three fields:

First field: title that will be displayed in bold in the email received.
Second field: the main content that will be displayed bellow the title and before the call to action button.
Button: the text of the call to action button can be edited. Leave it blank if you don’t want to have a button.

../_images/configuring-email-templates-update-2.png

Note

It is possible to use HTML code to format the text in the second field corresponding to the main content of the email, but its rendering may vary on different mail clients.

In the email templates, you have access to different variables that can be used in the main content to generate dynamic content:

[user]: Full name of the user who will receive or send the email depending on the template.
[login]: Login of the user who will receive the email.
[email]: Email of the user who will receive the email.
[admin]: Full name of the room admin who added a user to a room.
[room]: Full name of the room to access.
[inviter]: Full name of the user who invites you to a room.
[invitee]: Full name of the user who will receive the invitation to access the room.
[invitation_url]: Description of the invitation URL.
<iob-break> : A tag used to separate different sections of a paragraph. Every time you use <iob-break> after a section, the content will be wrapped in HTML tags containing basic styling.

Below are all variables listed for each template which can be used during the email template customization.

Forgot your password: [user], [login], [email], <iob-break>
Change your password: [user], [login], [email], <iob-break>
New access to a room: [user], [login], [email], [admin], [room], <iob-break>
First connection: [user], [login], [email], <iob-break>
New account room invitation: [inviter], [invitation_url], <iob-break>
iObeya account room invitation: [inviter], [invitee], [invitation_url], <iob-break>

Configuring the Email Default Language¶

As the language is not a mandatory field when a platform administrator creates a user, they can configure the email default language for users who have not already selected their preferred language.

In the email language tab, select the default language and save changes.

Consulting and Emptying the Email Queue¶

emails waiting to be sent are stored in an email queue in iObeya. The email queue will be updated periodically according to the email parameters and the periodicity of the email job (see Configuring jobs).

Display the email queue by clicking on the corresponding tab, and use the Search function to find a particular email and check its status.

To empty iObeya’s email queue, select Empty. All emails in the queue will be deleted and not be sent.

Configuring Jobs¶

Required permissions

Platform (Can use + Administrate)

A Job scheduling feature has been added to avoid platform administrators relying on their system administrator for some management tasks.

It enables platform administrators to more efficiently manage:

DataSourceTasks: Synchronizes external sources that have been configured.
DomainsAndRoomTasks: Checks the domain or rooms that must be archived (see Archive).
ElemSynchronizationTask: Synchronizes synchronized cards and copies.
EmailsTasks: Performs regular sending of emails waiting in the email queue. This job is disabled by default, platform administrators have to enable it after configuring the mail server.
EmptyTrashJob: Removes the corresponding elements from the trash. These elements will actually be deleted by the PurgeJob.
IntegrityCheckTasks: Launches a check of database integrity, and fixes it if necessary.
monCountJobPlan: Updates global counters (monitoring).
monitoryJobPlan: Updates data monitoring.
PurgeJob: The purge period is defined when installing and configuring the application. This job permanently deletes every element in a deleted state (rooms, domains, boards, elements on boards). Deleted elements are kept on the platform during the retention period (default value 7 days).
PurgeNotifications: Deletes notifications that are older than 60 days.
PurgeUnusedRegistrationTokens: Deletes Firebase Cloud Messaging registration tokens which has exceed their time-to-live.
RebuildIndexTasks: Rebuilds the indexes. It is not scheduled because you have to use it only in case of issues concerning users and/or groups (e.g. if users do not seem to appear anymore).
ReplayEventsTask: Deletes and reconstructs views.

Warning

This job takes a long time and blocks most of iObeya features like boards or elements creation).
SendNotifications: Sends all pending notifications.
StatisticsTasks: Updates each room’s statistics.
SynchronizeDirectory: Synchronizes users and groups added in iObeya with the LDAP add-on.
TimeActorJob: Updates board’s screenshots when card’s color changes in case of closer or passed due date.

To manage different job scheduling activities, or even to run jobs on-demand, go to the administration interface and select Jobs in the left-hand side menu in the SETTINGS section.

To run a job immediately, move the cursor over the job and select Run now.
To edit scheduling, move the cursor over the job and select Edit information.

On the scheduling editing page, you will find:

Information

Summary with the name, description, and current scheduling of the edited job.

There is also a URL to launch a job immediately. It has the same effect as clicking on the Run now icon of the previous page, except the URL can be saved as a bookmark to run the job on-demand.

Tip

This is an encrypted URL for each unique platform administrator so that it can be launched without the need to provide any credentials (e.g. if it is used in a batch script, there is no need to include credentials in the script).

If the user who generated this URL does not have the permission to administrate the platform anymore, the job URL will no longer work.

Schedule section

Allows platform administrators to select a trigger method, and to configure it.

CRON: Jobs are scheduled using CRON syntax.
Start date and repetition: Jobs are scheduled based on a date and a frequency.

Control buttons

Cancel: Cancel changes, and go back to the Jobs section interface.
Schedule: Save the changes, and schedule the job.
Unschedule: Stop scheduling the job.
Pause/Resume: Put the job on hold.

OAuth Client: Applications Accessible From iObeya¶

This section describes how to configure and use iObeya as an OAuth client.

Configuring External Applications in iObeya¶

To configure iObeya to access external applications as an OAuth client you have to configure this external application in the administration interface of iObeya. The configuration of external applications requires two steps:

Configure an application type.

From the administration interface you have to create an application type, facilitating the grouping of application instances.

To do this, simply access the SETTINGS ‣ Applications accessible from iObeya menu and add a new application:
Configure an application instance.

You can add a new application instance from an application type. This instance matches with an external application that should return OAuth tokens. iObeya supports OAuth 1 and OAuth 2.0 external applications. There are specific fields according to the OAuth version.

For OAuth 1 you have to specify:

A default access token validity

This property is required because with OAuth 1 it is not always possible to get the access token validity.

Private key

iObeya supports OAuth 1 with RSA-SHA1 signature encryption.

For OAuth 2.0 you have to specify:

Resources

This property is required. For instance, to access Microsoft graphs API you must specify the following value: https://graph.windows.net/

Below an example of a new application instance configuration.

A callback URL (Redirect URL field) is generated while creating a new application instance. You will need to use this URL in the external application to configure iObeya’s access. The following screenshot shows an application instance’s details with the generated callback URL.

Configuring the iObeya Application in an External Application (Jira Example)¶

To configure an OAuth client application in Jira you have to access the application’s submenu from the administration interface.

Then access the Application links menu and configure a new application link for iObeya. In the configuration popup, update the OAuth tab in the Incoming Authentication menu as follows:

Note

In the case of Jira, at the end of the Consumer Callback URL you must add the ‘?’ character, otherwise the redirection will fail. This error is due to the fact that Jira automatically adds the / character at the end of callback URL while saving the configuration.

After saving this configuration you are now ready to generate and use OAuth tokens from iObeya.

API¶

iObeya allows external applications to use its API via OAuth tokens.

To use the iObeya API with OAuth tokens from an external application you will have to configure this external application in the iObeya administration interface.

Configuring Source Connectors¶

A source connector is a connection from iObeya to an external data source.

External source connectors are present in the ADD-ONS section of the platform administration interface.

Warning

By default, the SharePoint connector is not installed, you have to download it from the iObeya Resource Center.

OAuth Server¶

Configuring an External Application¶

From the administration interface click SETTINGS ‣ API.
Click Add OAuth application.
Fill in:

Application name

Name of the external application.

Redirection URI

The external application callback URL. This URL will be called by iObeya in order to send an OAuth authorization code or OAuth access token.

Grant types

The OAuth grant types allowed by iObeya. The external application will be able to choose one of these grant types to generate or refresh OAuth tokens.

Note

The implicit grant type does not allow you to generate a refresh token.

Access token validity

The lifetime of the access token generated for the external application. The possible values are 1/10/60 minutes or 365 days.

Note

The 365 days token validity is only available if the option Authorization code is not checked and Implicit authorization is checked. This value is useful to generate a long-lived token.

Refresh token validity

The lifetime of the generated refresh token. The possible values are 7/90/360 days

Client secret

Allows to configure a client secret when it’s required by the external application (e.g. Microsoft Power Automate). This value cannot be displayed or recovered later. However it’s possible to change the client secret value of an existing OAuth application if the value is lost/fogotten.
Click Add application.

Note

After saving a new external application in iObeya you can get the OAuth client_id from the detail of that external application. This client_id is the identifier of the external application.

Generating OAuth Tokens¶

Once an external application is configured in the iObeya administration interface, you can generate OAuth tokens from this external application by calling these following iObeya OAuth endpoints:

GET /s/oauth/authorize: The iObeya OAuth authorization endpoint.

These are the query parameters you will have to specify:

client_id (required): The external application identifier.
response_type (required): code for authorization code grant type or token for implicit grant type
redirect_uri (optional): The external application callback URL.
state (optional): Unique and non-guessable arbitrary value used to mitigate CSRF attacks.
code_challenge (optional): Hashed random value (PKCE)
code_challenge_method (optional): plain or S256

Once called, the authorize URL will display a confirmation dialog to the user:

POST /s/oauth/token: The OAuth 2.0 token endpoint.

The client must authenticate using one of the following methods:

Basic Authentication
Including client_id in the request body
Including client_id in the request parameters

These are the request parameters you will have to specify:

code (required with authorization_code grant type): The authorization code returned by the authorize endpoint.
redirect_uri (required with authorization_code grant type): The external application callback URL.
grant_type (required): authorization_code or refresh_token.
code_verifier (required with authorization_code grant type if code_challenge was used): Code verifier for PKCE.
refresh_token (required with refresh_token grant type): A valid refresh token.

Managing Add-Ons¶

Note

Required permissions: Platform (Can Use + Administrate).

An add-on is a complementary module to the iObeya platform that extends the application’s functionalities. Some add-ons are included out-of-the-box with iObeya, while others are available for manual installation.

Warning

Once installed some add-ons cannot be disabled nor uninstalled. Therefore we strongly recommend to test any add-on on a test environment first before deploying it on a production environment.

Warning

iObeya Enterprise on-premises: Add-ons are managed entirely from the administration interface for installation or update.
iObeya Enterprise online: Contact our Support team (support@iobeya.com) to install or update add-ons.

Installing an Add-On¶

This section describes how to install an add-on to your iObeya platform.

Go to the ADD-ONS section in the left-hand side of the menu of the administration interface.
Select the button +Upload add-on.
Select the JAR file corresponding to the add-on in your filesystem.

Once uploaded, the add-ons appears in the list.
(optional) If the add-on needs to be configured (depends on the add-on), the Configure option is listed.

Enabling an Add-On¶

This section describes how to enable an add-on to your iObeya platform.

Go to the ADD-ONS section in the left-hand side of the menu of the administration interface.
Select the button +Upload add-on.
Select the JAR file corresponding to the add-on in your filesystem.

Once uploaded, the add-ons appears in the list.
Click Enable.
(optional) If the add-on needs to be configured (depends on the add-on), the Configure option is listed.

Updating an Add-On¶

See Setup and maintenance documentation ‣ Add-ons.

Accessing an Add-On Configuration¶

To manage and configure the iObeya add-ons:

Select ADD-ONS in the left-hand side of the menu of the administration interface.
Configure an add-on by clicking on Configure if available (do not forget to select Save).

Disabling an Add-On¶

Some add-ons can be disabled if needed. This action is available in the ADD-ONS section of the administration interface.

Click Disable to disable it. The add-on state will then be changed to DISABLED.

Uninstalling an Add-On¶

Some add-ons can be uninstalled and removed from an iObeya platform. This action is available in the ADD-ONS section of the administration interface.

Click Uninstall to uninstall it. The add-on will no longer appear in the add-ons list.

Managing Personnal Access Tokens¶

The Personnal Access Token (PAT) is a token that allows you to retrieve data from an external system. Some iObeya features, such as the ADO add-on and others, require this type of token.

Add a Personal Access Token¶

To add a PAT refer to the documentation of the add-ons using PAT authentication.

See the corresponding documentation for more information.

Delete a Personal Access Token¶

You can delete a PAT from the admin platform.

You may need to delete a PAT if you mistyped your token or if you want to delete an expired token.

From the SETTINGS menu, click Personal Access Tokens.
Select the token you want to delete.
Click Delete.

Configuring Your iObeya Platform¶

Configuring Your License¶

Changing/Saving the License¶

Installing the License for the First Time¶

Updating the License¶

Checking Information Concerning the License¶

Configuring Authentication¶

Creating a New Authentication Policy¶

Adding and Configuring an Authentication Mechanism¶

Standard Authentication¶

Advanced Authentication¶

Configuring a Form Authentication Mechanism¶

Configuring a Basic Authentication Mechanism¶

Configuring a Header Authentication Mechanism¶

Configuring a Container Authentication Mechanism¶

Configuring a SAMLv2 Authentication Mechanism¶

Metadata¶

Keystore¶

Authentication Attributes¶

Additional Settings¶

Troubleshooting¶

Adding and Configuring Local User Authentication Mechanism to the Policy¶

Adding and Configuring External User Authentication Mechanism to the Policy¶

Configuring Your Enterprise Directory Access¶

Adding and Configuring External User Access in an Authentication Policy¶

Allowing external user authentication¶

Combining Mechanisms¶

Changing Your Authentication Policy¶

Downloading and Importing an Authentication Policy¶

Managing the Password Policy¶

Defining the Password Policy Option¶

Defining the Forgot Password Section¶

Configuring Email Notifications¶

Defining the Mail Server in iObeya¶

Testing Email Settings¶

Configuring Email Templates¶

List of Email Templates¶

Enabling/Disabling a Template¶

Customizing a Template¶

Configuring the Email Default Language¶

Consulting and Emptying the Email Queue¶

Configuring Jobs¶

OAuth Client: Applications Accessible From iObeya¶

Configuring External Applications in iObeya¶

Configuring the iObeya Application in an External Application (Jira Example)¶

API¶

Configuring Source Connectors¶

Configuring CORS (Cross-Origin Resource Sharing)¶

Adding an Authorized URL¶

Managing Authorized URLs¶

Editing an Authorized URL¶

Deleting an Authorized URL¶

OAuth Server¶

Configuring an External Application¶

Generating OAuth Tokens¶

Managing Add-Ons¶

Installing an Add-On¶

Enabling an Add-On¶

Updating an Add-On¶

Accessing an Add-On Configuration¶

Disabling an Add-On¶

Uninstalling an Add-On¶

Managing Personnal Access Tokens¶

Add a Personal Access Token¶

Delete a Personal Access Token¶