
Authentication Authorization

samatstarion edited this page Feb 26, 2025 · 4 revisions

Authentication and Authorization

CDP4-COMET uses Role-Based Access Control (RBAC). A Person, which is the type used to describe a user in CDP4-COMET, is assigned a Role, and the Permissions associated with that Role determine which data the user may access. The CDP4-COMET Database stores the known users as well as the different kinds of Roles that exist in the system. Authorization is fully managed by CDP4-COMET itself; authentication, however, can be offloaded to a different system.

Authentication and Authorization are not the same. Authentication is the mechanism used to establish the identity of a user, usually by verifying a secret (e.g. a password) or a token issued by a trusted identity provider. Authorization is the mechanism used to determine what an authenticated user is allowed to do. A request is first authenticated, and only then is authorization decided; a request whose identity cannot be established is rejected before any Permission is evaluated.
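The following is an added example (not CDP4-COMET code; the Web Services are written in .NET, this is a Python illustration) of the authenticate-then-authorize order and of the Person / Role / Permission model described above. The `AccessRight` levels, the `is_active` flag and the engineering-model assignment set are assumptions chosen for the illustration; the real CDP4-COMET permission model is richer. The directory at the bottom is constructed sample data.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, Optional


class AccessRight(IntEnum):
    """Ordered so that a higher right implies the lower ones (MODIFY implies READ). Assumed levels."""
    NONE = 0
    READ = 1
    MODIFY = 2


@dataclass(frozen=True)
class Role:
    name: str
    # Permission = access right granted on a class of data, keyed by class name.
    permissions: Dict[str, AccessRight]


@dataclass
class Person:
    short_name: str
    role: Role
    is_active: bool = True                              # assumed: a deactivated Person keeps its Role but is denied everything
    engineering_models: FrozenSet[str] = frozenset()   # Engineering Models this Person is assigned to


def authorize(person: Optional[Person], class_name: str, required: AccessRight,
              model: Optional[str] = None) -> bool:
    """Deny-by-default: every condition must hold for access to be granted."""
    if person is None or not person.is_active:
        return False
    granted = person.role.permissions.get(class_name, AccessRight.NONE)
    if granted < required:
        return False
    # Data inside an Engineering Model is only reachable by Persons assigned to that model
    if model is not None and model not in person.engineering_models:
        return False
    return True


def handle_request(directory: Dict[str, Person], authenticated_user: Optional[str],
                   class_name: str, required: AccessRight, model: Optional[str] = None) -> int:
    """Authenticate first, then authorize; returns the HTTP status a service would send."""
    if authenticated_user is None:
        return 401   # no established identity: no Permission lookup happens at all
    person = directory.get(authenticated_user)
    if not authorize(person, class_name, required, model):
        return 403   # identity known, but its Role / assignments do not permit this action
    return 200


# Constructed sample directory (not real CDP4-COMET data)
ADMIN = Role("Site Administrator", {"Person": AccessRight.MODIFY, "EngineeringModel": AccessRight.MODIFY})
VIEWER = Role("Viewer", {"EngineeringModel": AccessRight.READ})
DIRECTORY = {
    "admin": Person("admin", ADMIN, engineering_models=frozenset({"LOFT", "MARS"})),
    "jdoe": Person("jdoe", VIEWER, engineering_models=frozenset({"LOFT"})),
    "old": Person("old", ADMIN, is_active=False),
}

if __name__ == "__main__":
    print(handle_request(DIRECTORY, "jdoe", "EngineeringModel", AccessRight.READ, "LOFT"))    # 200
    print(handle_request(DIRECTORY, "jdoe", "EngineeringModel", AccessRight.MODIFY, "LOFT"))  # 403
```

The two failure codes are deliberately distinct: 401 means the request never got an identity, 403 means the identity is known but its Role or model assignment is insufficient; conflating them makes incident investigation harder.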

As of version 10.0.0, the CDP4-COMET Web Services support both Basic Authentication and JWT Authentication. JWT authentication can be performed by the CDP4-COMET Web Services themselves or can be offloaded to an external identity provider using OpenID Connect (OIDC).

Authentication Plugin Architecture

CDP4-COMET provides a plugin mechanism to enable different means of authentication. Currently four authentication mechanisms are supported:

  • internal: CDP4-COMET Authentication using Basic Authentication
  • internal: CDP4-COMET Authentication using JWT
  • external: LDAP Authentication
  • external: OpenID Connect (OIDC)

CDP4-COMET Database Authentication

The CDP4-COMET server keeps a record of all users (called Persons), their Roles and Permissions, as well as the Engineering Models (i.e. projects) they have been assigned to.

When internal authentication is used (this applies to both Basic and JWT authentication), the CDP4-COMET Web Services authenticate the users themselves. Usernames and passwords are stored in the database. Passwords are stored salted and SHA-hashed, so that the plaintext cannot be recovered from the database and the hashes are not vulnerable to rainbow-table attacks.
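An added example (Python, not CDP4-COMET's own code) of salted hashing and verification as described above. The page does not state which SHA variant or storage format CDP4-COMET uses; the `sha256$salt$digest` layout here is an assumption. One caveat a practitioner should keep in mind: a per-user salt defeats precomputed (rainbow) tables, but a plain SHA digest is fast, so an attacker holding a stolen hash can still guess weak passwords quickly. The second function shows the same scheme with a deliberately slow KDF (PBKDF2-HMAC-SHA256 from the standard library), which is the usual hardening; the verifier handles both formats and compares in constant time.

```python
import hashlib
import hmac
import os
from typing import Optional


def hash_password_salted_sha256(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-256: a fresh random salt per user makes precomputed tables useless.

    Stored form 'sha256$<salt hex>$<digest hex>' is an assumed, illustrative layout."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"sha256${salt.hex()}${digest}"


def hash_password_pbkdf2(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Same idea with a slow KDF, so each offline guess against a leaked hash costs real CPU time."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time; unknown or malformed records verify as False."""
    scheme, *fields = stored.split("$")
    try:
        if scheme == "sha256":
            salt_hex, _digest = fields
            candidate = hash_password_salted_sha256(password, bytes.fromhex(salt_hex))
        elif scheme == "pbkdf2_sha256":
            iterations, salt_hex, _digest = fields
            candidate = hash_password_pbkdf2(password, bytes.fromhex(salt_hex), int(iterations))
        else:
            return False
    except ValueError:   # wrong field count, bad hex, or non-numeric iteration count
        return False
    # compare_digest avoids leaking how many leading characters matched
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    record = hash_password_pbkdf2("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
```

Both formats carry the salt alongside the digest, which is normal: the salt is not a secret, its job is only to make every stored hash unique.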

LDAP Authentication

Authentication of a CDP4-COMET user can be offloaded to one or more LDAP instances. A detailed description of how this works and how to configure CDP4-COMET and an LDAP instance is provided here.

LDAP Authentication is only available with the Enterprise Edition.

OpenID Connect (OIDC) Authentication

Authentication of a CDP4-COMET user can be offloaded to an OpenID Connect (OIDC) identity provider. A popular open-source OIDC provider is Keycloak (https://www.keycloak.org/). A detailed description of how this works and how to configure CDP4-COMET and a Keycloak instance is provided here.

OIDC Authentication is only available with the Enterprise Edition.