Authentication modes
CMDBuild supports delegating authentication to external services. This applies to account verification (username and password) only — profiles and permissions are still managed within CMDBuild through the group to which the user belongs.
Authentication settings can be managed via REST commands. Use editconfig to open a GUI showing all available configurations (when CMDBuild is running locally), or use setconfig / setconfigs to apply settings directly from the command line. Example:
cmdbuild.sh restws setconfig org.cmdbuild.auth.case.insensitive true
Configuration of the authentication type
CMDBuild supports the following authentication methods:
- Default authentication — credentials stored in the database or verified via LDAP
- SSO CAS authentication
- SSO SAML authentication
- OAuth2 authentication
The following additional methods are also available:
- RSA authentication
- Header authentication
- Custom login — similar to header authentication, with the addition of a control script
From version 3.4 onwards, multiple authentication modules can be configured simultaneously using the following configuration schema:
| Config | Type | Description |
|---|---|---|
org.cmdbuild.auth.modules | String | Comma-separated list of auth module names |
org.cmdbuild.auth.modules.{ModuleName}.type | String | Authentication type for the specified module |
org.cmdbuild.auth.modules.{ModuleName}.description | String | Module description, shown on the login button |
org.cmdbuild.auth.modules.{ModuleName}.enabled | Boolean | Enables or disables the module |
org.cmdbuild.auth.modules.{ModuleName}.hidden | Boolean | If true, the module is not shown on the login page and can only be triggered by passing cm_login_module in the request |
org.cmdbuild.auth.modules.{ModuleName}.... | String | Additional module-specific configurations |
The type parameter accepts the following values: default, cas, saml, oauth2.
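A small lint of a multi-module configuration before it is applied with setconfigs, added here as an example (not CMDBuild's own code). It assumes the settings are available as Java-style key=value properties; the sample text is constructed and deliberately leaves one SAML module with signature checks off.

```python
"""Check a CMDBuild multi-module auth config against the schema above."""

ALLOWED_TYPES = {"default", "cas", "saml", "oauth2"}
PREFIX = "org.cmdbuild.auth.modules"

# Constructed sample: a local "default" module plus a SAML module whose
# signature requirements were left at false.
SAMPLE_PROPERTIES = """
org.cmdbuild.auth.modules=local,corpsaml
org.cmdbuild.auth.modules.local.type=default
org.cmdbuild.auth.modules.local.enabled=true
org.cmdbuild.auth.modules.corpsaml.type=saml
org.cmdbuild.auth.modules.corpsaml.enabled=true
org.cmdbuild.auth.modules.corpsaml.hidden=false
org.cmdbuild.auth.modules.corpsaml.requireSignedAssertions=false
org.cmdbuild.auth.modules.corpsaml.requireSignedMessages=false
org.cmdbuild.auth.modules.corpsaml.strict=true
"""


def parse_properties(text):
    """Parse key=value lines, ignoring blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def lint_auth_config(props):
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    modules = [m.strip() for m in props.get(PREFIX, "").split(",") if m.strip()]
    if not modules:
        findings.append("no auth modules listed in " + PREFIX)
    for name in modules:
        base = f"{PREFIX}.{name}."
        mtype = props.get(base + "type")
        if mtype not in ALLOWED_TYPES:
            findings.append(f"{name}: type {mtype!r} not in {sorted(ALLOWED_TYPES)}")
        if props.get(base + "enabled", "true").lower() != "true":
            findings.append(f"{name}: module is disabled")
        if mtype == "saml":
            # Unsigned assertions or messages cannot be tied to the IdP.
            for flag in ("requireSignedAssertions", "requireSignedMessages"):
                if props.get(base + flag, "").lower() != "true":
                    findings.append(f"{name}: {flag} should be true")
    return findings
```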
CAS configuration
| Config | Type | Description |
|---|---|---|
org.cmdbuild.auth.module.cas.server.url | String | CAS server URL |
org.cmdbuild.auth.module.cas.login.page | String | CAS login page URL |
org.cmdbuild.auth.module.cas.service.param | String | CAS service parameter |
org.cmdbuild.auth.module.cas.ticket.param | String | CAS ticket parameter |
SAML configuration
| Config | Type | Description |
|---|---|---|
org.cmdbuild.auth.module.saml.handlerScript | String | SAML authentication response handler script |
org.cmdbuild.auth.module.saml.idp.cert | String | IdP certificate |
org.cmdbuild.auth.module.saml.idp.id | String | IdP ID URL |
org.cmdbuild.auth.module.saml.idp.login | String | IdP login URL |
org.cmdbuild.auth.module.saml.idp.logout | String | IdP logout URL |
org.cmdbuild.auth.module.saml.logout.enabled | Boolean | Enables IdP logout |
org.cmdbuild.auth.module.saml.requireSignedAssertions | Boolean | Requires signed assertions |
org.cmdbuild.auth.module.saml.requireSignedMessages | Boolean | Requires signed messages |
org.cmdbuild.auth.module.saml.signatureAlgorithm | String | Signature algorithm URL |
org.cmdbuild.auth.module.saml.sp.baseUrl | String | Service provider base URL |
org.cmdbuild.auth.module.saml.sp.cert | String | Service provider certificate |
org.cmdbuild.auth.module.saml.sp.id | String | Service provider ID URL |
org.cmdbuild.auth.module.saml.sp.key | String | Service provider private key |
org.cmdbuild.auth.module.saml.strict | String | Enables strict validation |
OAuth2 configuration
| Config | Type | Description |
|---|---|---|
org.cmdbuild.auth.module.oauth.clientId | String | OAuth client ID |
org.cmdbuild.auth.module.oauth.clientSecret | String | OAuth client secret |
org.cmdbuild.auth.module.oauth.login.attr | String | OAuth login attribute matched against CMDBuild users |
org.cmdbuild.auth.module.oauth.login.type | String | Login type matching (username or email) |
org.cmdbuild.auth.module.oauth.logout.enabled | Boolean | Enables OAuth logout |
org.cmdbuild.auth.module.oauth.logout.redirectUrl | String | Logout redirect URL |
org.cmdbuild.auth.module.oauth.protocol | String | OAuth protocol (e.g. msazureoauth2) |
org.cmdbuild.auth.module.oauth.redirectUrl | String | Local URL accepted by the provider |
org.cmdbuild.auth.module.oauth.resourceId | String | OAuth resource ID |
org.cmdbuild.auth.module.oauth.scope | String | OAuth scope |
org.cmdbuild.auth.module.oauth.serviceUrl | String | OAuth service URL |
org.cmdbuild.auth.module.oauth.tenantId | String | OAuth tenant ID |
LDAP configuration
| Config | Type | Description |
|---|---|---|
org.cmdbuild.auth.ldap.server.address | String | LDAP server address |
org.cmdbuild.auth.ldap.server.url | String | LDAP server URL — if set, overrides host, port and SSL config; multiple URLs can be specified separated by a space |
org.cmdbuild.auth.ldap.server.port | Integer | LDAP server port |
org.cmdbuild.auth.ldap.basedn | String | Base DN for user queries |
org.cmdbuild.auth.ldap.bind.attribute | String | User bind attribute |
org.cmdbuild.auth.ldap.followReferrals | Boolean | Enables following LDAP referrals |
org.cmdbuild.auth.ldap.search.auth.method | String | Auth method (none, simple, strong) |
org.cmdbuild.auth.ldap.search.auth.password | String | Auth password |
org.cmdbuild.auth.ldap.search.auth.principal | String | Auth principal |
org.cmdbuild.auth.ldap.search.filter | String | Search filter |
org.cmdbuild.auth.ldap.use.ssl | Boolean | Enables SSL |
org.cmdbuild.auth.ldap.use.tls | Boolean | Enables TLS |
General configuration
| Config | Type | Description |
|---|---|---|
org.cmdbuild.auth.case.insensitive | Boolean | Enables case-insensitive login |
org.cmdbuild.auth.loginAttributeMode | String | Login attribute mode (username, email, auto_detect_email) |
org.cmdbuild.auth.loginServiceReturnSessionId | String | Return session ID at login (auto, always) |
org.cmdbuild.auth.logoutRedirect | String | Logout redirect URL |
org.cmdbuild.auth.maxLoginAttempts.count | Integer | Maximum number of failed login attempts |
org.cmdbuild.auth.maxLoginAttempts.window | Integer | Time window in seconds for login attempt counting |
org.cmdbuild.auth.preferredPasswordAlgorythm | String | Password encryption algorithm (legacy, cm3easy, cm3) |
org.cmdbuild.auth.users.expireInactiveAfterPeriod | ISO 8601 | Inactivity period after which a user account expires |
Configuring LDAP authentication
This section describes how to configure LDAP authentication for CMDBuild.
For permission management to work correctly, every user authenticating via LDAP must also exist as a user within the CMDBuild webapp.
For example, to allow an LDAP user with UID j.doe to access CMDBuild as a member of the Technicians group, perform the following steps:
- Create the user j.doe in CMDBuild with a default password (this does not need to match the LDAP password)
- Create the Technicians group in CMDBuild and define the relevant permissions
- Add j.doe to the Technicians group
When j.doe logs in, their credentials are verified against the LDAP directory using the authentication chain defined in auth.modules.
Single Sign-On configuration via CAS
This section describes how to configure Single Sign-On (SSO) in CMDBuild using CAS.
The authentication flow works as follows:
- The user requests the CMDBuild URL
- The CAS authenticator redirects the request to the CAS server (${cas.server.url}+${cas.login.page}), passing the CMDBuild access URL as the ${cas.service.param} parameter
- The CAS server responds with a ticket (via the ${cas.ticket.param} parameter), from which the username is extracted
- If the username is successfully validated, CMDBuild proceeds with the login
As with LDAP authentication, every user authenticating via CAS must also exist as a user within the CMDBuild webapp.
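The flow above, simulated end to end with the configured parameter names, as an added example (not CMDBuild's or any CAS server's code). It assumes an in-memory stand-in for the CAS server that binds each ticket to one service URL and answers a single validation per ticket; the URLs, user and group are constructed.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed values for the keys in the CAS configuration table.
CONFIG = {
    "org.cmdbuild.auth.module.cas.server.url": "https://cas.example.test",
    "org.cmdbuild.auth.module.cas.login.page": "/cas/login",
    "org.cmdbuild.auth.module.cas.service.param": "service",
    "org.cmdbuild.auth.module.cas.ticket.param": "ticket",
}
CMDBUILD_USERS = {"j.doe": "Technicians"}  # users that exist in the webapp


def login_redirect(cfg, cmdbuild_url):
    """Step 2: the CAS login URL the user is redirected to."""
    base = (cfg["org.cmdbuild.auth.module.cas.server.url"]
            + cfg["org.cmdbuild.auth.module.cas.login.page"])
    param = cfg["org.cmdbuild.auth.module.cas.service.param"]
    return base + "?" + urlencode({param: cmdbuild_url})


class FakeCasServer:
    """Stand-in CAS server: tickets are service-bound and single-use."""
    def __init__(self):
        self.tickets = {}

    def issue(self, username, service):
        ticket = "ST-" + secrets.token_urlsafe(16)
        self.tickets[ticket] = (username, service)
        return ticket

    def validate(self, ticket, service):
        entry = self.tickets.pop(ticket, None)  # replayed tickets fail
        if entry is None or entry[1] != service:
            return None
        return entry[0]


def ticket_from_callback(cfg, callback_url):
    """Step 3: split the ticket parameter off the return URL; the rest is
    the service URL the ticket must have been issued for."""
    parts = urlsplit(callback_url)
    query = parse_qs(parts.query)
    ticket = query.pop(cfg["org.cmdbuild.auth.module.cas.ticket.param"], [None])[0]
    service = urlunsplit(parts._replace(query=urlencode(query, doseq=True)))
    return ticket, service


def complete_login(cfg, cas, callback_url):
    """Step 4: validate the ticket, then require a matching CMDBuild user."""
    ticket, service = ticket_from_callback(cfg, callback_url)
    username = cas.validate(ticket, service) if ticket else None
    if username is None or username not in CMDBUILD_USERS:
        return None
    return username, CMDBUILD_USERS[username]
```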