EQuIS Enterprise Authentication Methods
Copyright © 2020 EarthSoft, Inc • Modified: 14 Feb 2020
EQuIS Enterprise supports the following authentication scenarios through the Login Page:
1. Forms / Cookie Based Authentication (aka Basic Authentication) – A POST request with the HTML form fields "username" and "password" may, if successful, result in an HTTP response that includes the HTTP cookies SessionToken and SessionKey. The SessionToken cookie must be returned with all subsequent requests. If the request method is other than GET, HEAD, or OPTIONS, the request must also include the value of SessionKey as either the HTTP request header "x-session-key" or the HTML form field "SessionKey".
2. Microsoft Azure Active Directory OpenID – The Login page includes a button to initiate OpenID authentication with any Azure Active Directory (AAD) domain. EQuIS user entries in ST_USER.USERNAME must exactly match the AAD credentials, and the OpenID Directory ID and signing key must match the configuration keys in the ST_CONFIG table. See Azure Active Directory for User Authentication.
EQuIS Enterprise supports the following authentication scenarios independently of the Login Page. These scenarios appear to "just work" from the user's perspective. When users visit EQuIS Enterprise, they are automatically logged in.
1. LDAP/NTLM or Windows Authentication – EarthSoft clients hosting EQuIS Enterprise on-premise may opt to configure EQuIS Enterprise to accept Windows authentication via LDAP (RFC 4511) or NTLM. In this scenario, EQuIS assumes that IIS has already completed the authentication and matches a record in the ST_USER table to that user. See LDAP Authentication.
2. SAML-based SSO Authentication – EarthSoft clients hosting EQuIS Enterprise on-premise may opt to configure EQuIS Enterprise to use SAML Single Sign On (SSO) authentication. See SAML-based Single Sign On.
EQuIS Enterprise REST API supports two authentication scenarios in addition to those already discussed.
1. RFC 2617 Basic Authentication – RFC 2617 Basic Authentication is supported by EQuIS Enterprise; Digest Authentication is not supported. The Basic Authentication mechanism consists of adding the Base64 encoding of the concatenation username + ":" + password to the HTTP Authorization request header. For example, the Base64 encoding of "administrator:admin" is "YWRtaW5pc3RyYXRvcjphZG1pbg==". Perform RFC 2617 Basic Authentication by adding an HTTP request header like the following.
Authorization: basic YWRtaW5pc3RyYXRvcjphZG1pbg==
2. Bearer JWT Token Authentication – EQuIS issues JWT tokens from the REST API route api/tokens. A control in the User Profile Editor provides a simple user interface to this REST controller. The token itself appears to be a long Base64 string. Perform bearer authentication by adding an HTTP request header like the following.
Authorization: bearer eyJaqlkRlslLBa562slkqovqevpoija2dvn20ribn30inv0indokod31j4b2ficokwcnklnij2igj==
Warning: RFC 2617 Basic Authentication and Bearer JWT Token Authentication should only be used over SSL/TLS connections (i.e., https), since the Authorization header itself carries the credentials or token.
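The following is an added example in Python (not EarthSoft's code) that builds the Authorization value for the RFC 2617 scenario and applies the rules of the Forms / Cookie Based scenario on both sides: the client sends the SessionToken cookie on every request and adds the SessionKey value (header x-session-key or form field SessionKey) on any request other than GET, HEAD, or OPTIONS, and a hypothetical server-side check enforces the same. The Set-Cookie lines and token values are constructed sample data.

```python
import base64
import hmac
from http.cookies import SimpleCookie

# Methods that need only the SessionToken cookie; everything else must also present SessionKey.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Constructed sample of the Set-Cookie headers a successful login POST might return.
SAMPLE_LOGIN_SET_COOKIE = [
    "SessionToken=tok-a1b2c3; Path=/; Secure; HttpOnly",
    "SessionKey=key-d4e5f6; Path=/; Secure",
]


def basic_auth_header(username: str, password: str) -> str:
    """RFC 2617 Basic: Base64 of username + ':' + password, as the Authorization header value."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"basic {token}"


def parse_login_cookies(set_cookie_headers):
    """Pull SessionToken and SessionKey out of the login response's Set-Cookie headers."""
    jar = SimpleCookie()
    for header in set_cookie_headers:
        jar.load(header)
    if "SessionToken" not in jar or "SessionKey" not in jar:
        raise ValueError("login did not succeed: SessionToken/SessionKey cookies missing")
    return jar["SessionToken"].value, jar["SessionKey"].value


def session_request_headers(method: str, session_token: str, session_key: str) -> dict:
    """Client side: headers for one request in the cookie-session scenario."""
    headers = {"Cookie": f"SessionToken={session_token}"}
    if method.upper() not in SAFE_METHODS:
        headers["x-session-key"] = session_key  # the form field "SessionKey" is the alternative
    return headers


def validate_session_request(method, cookies, headers, form, expected_token, expected_key):
    """Server side (hypothetical, not EQuIS code): enforce the same rules. cookies, headers
    and form are plain dicts; header names are assumed lower-cased by the web framework."""
    if not hmac.compare_digest(cookies.get("SessionToken", ""), expected_token):
        return False
    if method.upper() in SAFE_METHODS:
        return True
    # State-changing request: the key must arrive in the header or the form field, which a
    # cross-site request cannot supply even though the browser attaches the cookie for it.
    presented = headers.get("x-session-key") or form.get("SessionKey") or ""
    return hmac.compare_digest(presented, expected_key)
```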