CSSCurrent en:Pointsharp Identity Provider Configuration: Unterschied zwischen den Versionen
Keine Bearbeitungszusammenfassung |
Keine Bearbeitungszusammenfassung |
||
| Zeile 1: | Zeile 1: | ||
== Pointsharp Identity Provider == | == Pointsharp Identity Provider == | ||
Cryptshare supports authentication via the | Cryptshare supports authentication via the Pointsharp Identity Provider for the '''Admin Interface.''' | ||
This feature allows administrators to integrate Cryptshare into an external Identity and Access Management (IAM) environment. | This feature allows administrators to integrate Cryptshare into an external Identity and Access Management (IAM) environment. | ||
The feature is | The feature is optional. When enabled, authentication via the local Cryptshare user database is disabled. It is always possible to revert back to local authentication by disabling the Identity Provider configuration. | ||
The Pointsharp Identity Provider integration is available since '''Cryptshare version 7.5.0'''. | The Pointsharp Identity Provider integration is available since '''Cryptshare version 7.5.0'''. | ||
== Supported Identity Providers == | == Supported Identity Providers == | ||
Cryptshare officially supports the | Cryptshare officially supports the Pointsharp Identity Provider. | ||
Other Keycloak-based Identity Providers may work but are | Other Keycloak-based Identity Providers may work but are not tested and not officially supported. | ||
The Identity Provider must provide a '''UserInfo endpoint''', as this is required by the underlying authentication mechanism. | The Identity Provider must provide a '''UserInfo endpoint''', as this is required by the underlying authentication mechanism. | ||
== Configuration == | == Configuration == | ||
Identity Provider authentication is configured using a configuration file. | Identity Provider authentication is configured using a configuration file and the Admin Interface. | ||
* File: <code>cryptshare.properties</code> | * File: <code>cryptshare.properties</code> | ||
| Zeile 35: | Zeile 35: | ||
== Authentication Behavior == | == Authentication Behavior == | ||
When accessing the Admin Interface | When accessing the Admin Interface, the authentication flow behaves as follows: | ||
# The user is redirected to the configured Identity Provider. | # The user is redirected to the configured Identity Provider. | ||
| Zeile 47: | Zeile 47: | ||
=== User Existence === | === User Existence === | ||
* The user '''must exist in the Identity Provider''' | * The user '''must exist in the Identity Provider.''' | ||
* On first successful login: | * On first successful login: | ||
** A '''local Cryptshare | ** A '''local Cryptshare Adminuser is created automatically.''' | ||
=== Groups and Roles === | === Groups and Roles === | ||
| Zeile 55: | Zeile 55: | ||
* Group information is provided by the Identity Provider (e.g. Active Directory groups). | * Group information is provided by the Identity Provider (e.g. Active Directory groups). | ||
* A standard role mapping is provided. | * A standard role mapping is provided. | ||
* Role mapping is configured | * Role mapping is configured exclusively in the Identity Provider. | ||
If role mapping is missing or invalid, login is denied. | If role mapping is missing or invalid, login is denied. | ||
== Logout Behavior == | == Logout Behavior == | ||
Logging out ends the '''local Cryptshare session only''' | Logging out ends the '''local Cryptshare session only.''' | ||
* No logout request is sent to the Identity Provider. | * No logout request is sent to the Identity Provider. | ||
* Single Logout is not supported. | * Single Logout is not supported. | ||
Version vom 19. Dezember 2025, 12:52 Uhr
Pointsharp Identity Provider
Cryptshare supports authentication via the Pointsharp Identity Provider for the Admin Interface.
This feature allows administrators to integrate Cryptshare into an external Identity and Access Management (IAM) environment.
The feature is optional. When enabled, authentication via the local Cryptshare user database is disabled. It is always possible to revert back to local authentication by disabling the Identity Provider configuration.
The Pointsharp Identity Provider integration is available since Cryptshare version 7.5.0.
Supported Identity Providers
Cryptshare officially supports the Pointsharp Identity Provider.
Other Keycloak-based Identity Providers may work but are not tested and not officially supported.
The Identity Provider must provide a UserInfo endpoint, as this is required by the underlying authentication mechanism.
Configuration
Identity Provider authentication is configured using a configuration file and the Admin Interface.
- File:
cryptshare.properties
idProvider.clientSecret=ETHs0jTaopSKuZxYbc7Xf3a idProvider.baseUrl=https://idp.pointsharp.com idProvider.realm=Dev idProvider.clientId=css
Identity Provider authentication is enabled when the following property is set in cryptshare.properties:
Once this property is present, Cryptshare will use the configured Identity Provider for authentication to the Admin Interface and the API.
The base URL used for redirects is configurable via the Admin Interface.
Any change to the Identity Provider configuration requires a restart of the Cryptshare service.
Authentication Behavior
When accessing the Admin Interface, the authentication flow behaves as follows:
- The user is redirected to the configured Identity Provider.
- The user authenticates at the Identity Provider.
- After successful authentication, the user is redirected back to the Cryptshare Admin Interface.
If the Identity Provider is unavailable or authentication fails, the login attempt fails.
User Handling and Role Mapping
User Existence
- The user must exist in the Identity Provider.
- On first successful login:
- A local Cryptshare Adminuser is created automatically.
Groups and Roles
- Group information is provided by the Identity Provider (e.g. Active Directory groups).
- A standard role mapping is provided.
- Role mapping is configured exclusively in the Identity Provider.
If role mapping is missing or invalid, login is denied.
Logout Behavior
Logging out ends the local Cryptshare session only.
- No logout request is sent to the Identity Provider.
- Single Logout is not supported.