Skip to content

Commit

Permalink
Update authentication documenation in system guide
Browse files Browse the repository at this point in the history
  • Loading branch information
MayaBerd committed Aug 21, 2024
1 parent b88ce39 commit 97d79c7
Show file tree
Hide file tree
Showing 54 changed files with 89 additions and 58 deletions.
2 changes: 1 addition & 1 deletion docs/system-admin-guide/api-and-webhooks/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ Navigate to **Administration → API and webhooks**.

![API settings in OpenProject administration](openproject_system_admin_guide_api.png)

Here, you can manage the **REST web service** to selectively control whether foreign applications may access your OpenProject API endpoints from within the browser. You can set the **maximum page size** the API will respond with. It will not be possible to perform API requests that return more values on a single page. You can also enable **write access to read-only attributes**, which will allow administrators to write static read-only attributes during creation, such as *createdAt* and *author*.
Here, you can manage the **REST web service** to selectively control whether foreign applications may access your OpenProject API endpoints from within the browser. This setting allows users to access the OpenProject API using an API token created from the users "My account" page. You can set the **maximum page size** the API will respond with. It will not be possible to perform API requests that return more values on a single page. You can also enable **write access to read-only attributes**, which will allow administrators to write static read-only attributes during creation, such as *createdAt* and *author*.

### Documentation

Expand Down
2 changes: 1 addition & 1 deletion docs/system-admin-guide/authentication/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ keywords: authentication

Configure **authentication** settings and authentication providers in OpenProject. To adapt these authentication settings, navigate to your user name and select -> *Administration* -> *Authentication*.

![Sys-admin-authentication](Sys-admin-authentication-1579787715984.png)
![Authentication settings in OpenProject system administration](openproject_system_guide_authentication_settings.png)

## Overview

Expand Down
Binary file not shown.
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ Yes, for Enterprise on-premises and Community edition there is a [configuration

We support all authentication providers that support the SAML and OpenID Connect (OIDC) standards, such as Microsoft Entra ID, ADFS, CAS (with the OpenID connect overlay), Azure, Keycloak, Okta.

> [Note]
> [!NOTE]
> Please note that single sign-on is an Enterprise add-on and can only be activated for Enterprise cloud and Enterprise on-premises.
## Is it possible to use a custom SSO provider (e.g. Keycloak) with the Enterprise cloud edition?
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,15 +7,16 @@ keywords: authentication settings
---
# Authentication settings

To adapt general system **authentication settings**, navigate to *Administration -> Authentication* and choose -> *Settings*.
To adapt general system **authentication settings**, navigate to *Administration -> Authentication* and choose -> *Authentication Settings*.

You can adapt the following under the authentication settings:

## General authentication settings

1. Select if the **authentication is required** to access OpenProject. For versions 13.1 and higher of OpenProject, this setting will be checked by default

**Important note**: If you un-tick this box your OpenProject instance will be visible to the general public without logging in. The visibility of individual projects depends on [this setting](../../../user-guide/projects/#set-a-project-to-public).
> [!IMPORTANT]
> If you un-tick this box your OpenProject instance will be visible to the general public without logging in. The visibility of individual projects depends on [this setting](../../../user-guide/projects/#set-a-project-to-public).
2. Select an option for **self-registration**. Self-registration can either be **disabled**, or it can be allowed with the following criteria:

Expand All @@ -25,22 +26,23 @@ You can adapt the following under the authentication settings:

c) **Automatic account activation** means that a newly registered user will automatically be active.

**Note:** By default, self-registration is only applied to internal users (logging in with username and password). If you have an identity provider such as LDAP, SAML or OpenID Connect, use the respective settings in their configuration to control which users are applicable for automatic user creation.
> [!NOTE]
> By default, self-registration is only applied to internal users (logging in with username and password). If you have an identity provider such as LDAP, SAML or OpenID Connect, use the respective settings in their configuration to control which users are applicable for automatic user creation.
3. Define if the **email address should be used as login** name.

4. Define after how many days the **activation email sent to new users will expire**. Afterwards, you will have the possibility to [re-send the activation email](../../users-permissions/users/#resend-user-invitation-via-email) via the user settings.

![Sys-admin-authentication-settings](Sys-admin-authentication-settings.png)
![Authentication settings in OpenProject system administration](openproject_system_admin_guide_authentication_settings.png)

## Define a registration footer for registration emails

You can define a footer for your registration emails under -> *Administration* -> *Authentication* -> *Settings*.
You can define a footer for your registration emails under -> *Administration* -> *Authentication* -> *Authentication Settings*.

1. Choose for which **language** you want to define the registration footer.
2. Enter a **text for the registration footer**.

![Sys-admin-authentication-registration-footer](Sys-admin-authentication-registration-footer.png)
![Define registration footer for registration emails in OpenProject administration](openproject_system_admin_guide_authentication_settings_registration_footer.png)

## Configure password settings

Expand All @@ -53,7 +55,7 @@ You can change various settings to configure password preferences in OpenProject
5. Define the **number of the most recently used passwords that a user should not be allowed to reuse**.
6. Activate the **Forgot your password.** This way a user will be able to reset the own password via email.

![Sys-admin-authentication-passwords](Sys-admin-authentication-passwords-1579791010597.png)
![Password settings in OpenProject administration](openproject_system_admin_guide_authentication_settings_passwords.png)

## Other authentication settings

Expand All @@ -64,7 +66,6 @@ There can be defined a number of other authentication settings.
3. Enable or disable the **autologin option**. This allows a user to remain logged in, even if he/she leaves the site. If this option is activated, the “Stay signed in” option will appear on the login screen to be selected.
4. Activate the **session expiration option**. If you select this option, an additional field will open, where you will be able to define the **inactivity time duration before the session expiry**.
5. Define to **log user login, name, and mail address for all requests**.
6. **Enable REST web service**. This setting allows users to access the OpenProject API using an API token created from the users "My account" page.
7. Do not forget to **save** your changes.

![Sys-admin-authentication-other-settings](Sys-admin-authentication-other-settings.png)
![Additional authentication settings in OpenProject administration](openproject_system_admin_guide_authentication_settings_other.png)
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
13 changes: 8 additions & 5 deletions docs/system-admin-guide/authentication/kerberos/README.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
---
sidebar_navigation:
title: Kerberos
priority: 800
priority: 200
description: How to set up integration of Kerberos for authentication with OpenProject.
keywords: Kerberos, authentication

Expand All @@ -10,8 +10,9 @@ keywords: Kerberos, authentication

# Kerberos integration

> **Note**: This documentation is valid for the OpenProject Enterprise edition only.
[Kerberos](https://web.mit.edu/kerberos/) allows you to authenticate user requests to a service within a computer network. You can integrate it with OpenProject with the use of [GSSAPI Apache module](https://github.com/gssapi/mod_auth_gssapi/) (`mod_auth_gssapi`) plugging into the OpenProject packaged installation using Apache web server.
> [!NOTE]
> This documentation is valid for the OpenProject Enterprise edition only.
> [Kerberos](https://web.mit.edu/kerberos/) allows you to authenticate user requests to a service within a computer network. You can integrate it with OpenProject with the use of [GSSAPI Apache module](https://github.com/gssapi/mod_auth_gssapi/) (`mod_auth_gssapi`) plugging into the OpenProject packaged installation using Apache web server.
This guide will also apply for Docker-based installation, if you have an outer proxying server such as Apache2 that you can configure to use Kerberos. This guide however focuses on the packaged installation of OpenProject.

Expand Down Expand Up @@ -49,7 +50,8 @@ You will then need to add the generated keytab to be used for the OpenProject in

We are going to create a new file `/etc/openproject/addons/apache2/custom/vhost/kerberos.conf` with the following contents.

> **Please note**: The following kerberos configuration is only an example. We cannot provide any support or help with regards to the Kerberos side of configuration. OpenProject will simply handle the incoming header containing the logged in user.
> [!NOTE]
> The following kerberos configuration is only an example. We cannot provide any support or help with regards to the Kerberos side of configuration. OpenProject will simply handle the incoming header containing the logged in user.
```apache
<Location />
Expand Down Expand Up @@ -127,7 +129,8 @@ For non-existing users, if you have an LDAP configured with automatic user regis

As Kerberos provides its own Basic Auth challenges if configured as shown above, it will prevent you from using the OpenProject API using an Authorization header such as API key authentication or OAuth2.

**Note:** A precondition to use this workaround is to run OpenProject under its own path (server prefix) such as `https://YOUR DOMAIN/openproject/`. If you are not using this, you need to first reconfigure the wizard with `openproject reconfigure` to use such a path prefix. Alternatively, you might have success by using a separate domain or subdomain, but this is untested.
> [!NOTE]
> A precondition to use this workaround is to run OpenProject under its own path (server prefix) such as `https://YOUR DOMAIN/openproject/`. If you are not using this, you need to first reconfigure the wizard with `openproject reconfigure` to use such a path prefix. Alternatively, you might have success by using a separate domain or subdomain, but this is untested.
To work around this, you will have to configure a separate route to access the API, bypassing the Kerberos configuration. You can do that by modifying the `/etc/openproject/addons/apache2/custom/vhost/kerberos.conf`as follows:

Expand Down
Original file line number Diff line number Diff line change
@@ -1,30 +1,31 @@
---
sidebar_navigation:
title: LDAP authentication
title: LDAP connections
priority: 500
description: Manage LDAP Authentication in OpenProject.
keywords: ldap authentication
---

# Manage LDAP connections

> **Note**: In order to be able to access the administration panel and manage LDAP authentication you need to be a system admin.
> [!NOTE]
> In order to be able to access the administration panel and manage LDAP authentication you need to be a system admin.
To see the list of all available LDAP (Lightweight Directory Access Protocol) authentications navigate to - > *Administration* and select *-> Authentication* -> *LDAP connections* from the menu on the left. You will see the list of all available connections already created.

## Add a new LDAP connection

To create a new LDAP connection, click on the respective icon.

![Sys-admin_ldap-authentication](Sys-admin_ldap-authentication.png)
![LDAP connections in OpenProject administration](openproject_system_guide_ldap_connections.png)

You will then be able to specify the LDAP configuration. This can be any directory service compatible with the LDAPv3 standard, such as Microsoft Active Directory or openLDAP. The configuration depends on the specific database/applications, through which the authentication with OpenProject is intended.

The following screenshots contain an exemplary configuration for a new LDAP authentication mode. In the following, we will go through all available options.

### LDAP connection details and security

![Adding a new LDAP authentication server](ldap-host-and-security.png)
![Adding a new LDAP authentication server in OpenProject administration](openproject_system_guide_ldap_connections_new_host_security.png)

In the upper section, you have to specify the connection details of your LDAP server as well as the connection encryption to use.

Expand All @@ -45,7 +46,7 @@ In the upper section, you have to specify the connection details of your LDAP se

### LDAP system user credentials

![Defining the system user of the connection](ldap-system-user.png)
![Defining the system user of the LDAP connection in OpenProject administration](openproject_system_guide_ldap_connections_new_system_account_credentials.png)

Next, you will need to enter a system user that has READ access to the users for identification and synchronization purposes. Note that most operations to the LDAP during authentication will not be using these credentials, but the user-provided credentials in the login form in order to perform a regular user bind to the LDAP.

Expand All @@ -54,7 +55,7 @@ Next, you will need to enter a system user that has READ access to the users for

### LDAP details

![Defining the details of the connection](ldap-details.png)
![Defining the details of the LDAP connection in OpenProject administration](openproject_system_guide_ldap_connections_new_system_ldap_details.png)

Next you can define what sections OpenProject will look for in the LDAP and also if users should be created automatically in OpenProject when they are accessing it. Let's look at the available options:

Expand All @@ -70,7 +71,7 @@ Next you can define what sections OpenProject will look for in the LDAP and also

### Attribute mapping

![Defining the attribute map for users](ldap-attribute-mapping.png)
![Defining the attribute map for users in OpenProject administration](openproject_system_guide_ldap_connections_new_attribute_mapping.png)

The attribute mapping is used to identify attributes of OpenProject with attributes of the LDAP directory. At least the *login* attribute is required to create DNs from the login credentials.

Expand All @@ -80,9 +81,9 @@ The attribute mapping is used to identify attributes of OpenProject with attribu
- **Email:** The attribute name in the LDAP that maps to the user’s mail address. This will usually be *mail.* If left empty, user will be prompted to enter upon registration if **automatic user creation** is true.
- **Admin:** Specify an attribute that if it has a truthy value, results in the user in OpenProject becoming an admin account. Leave empty to never set admin status from LDAP attributes.

Lastly, click on *Create* to save the LDAP authentication mode. You will be redirected to the index page with the created authentication mode. Click the *test* button to create a test connection using the system user’s bind credentials.
Lastly, click on *Create* to save the LDAP authentication mode. You will be redirected to the index page with the created LDAP connection. Click the *test* button to create a test connection using the system user’s bind credentials.

![LDAP authentication mode created](ldap-index-page.png)
![New LDAP connection created in OpenProject administration](openproject_system_guide_ldap_connections_new_created.png)

With the [OpenProject Enterprise edition](https://www.openproject.org/enterprise-edition/) it is possible to [synchronize LDAP and OpenProject groups](./ldap-group-synchronization).

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,8 @@ In OpenProject Enterprise on-premises, you can synchronize LDAP group membership
- have set up your LDAP authentication source (See the “[Manage LDAP authentication](../../ldap-authentication/)” guide)
- have at least one LDAP entry with a *groupOfNames* object class and members of that group to contain the *`memberOf: <DN of the group>`* attribute to determine the members of a group entry. Right now we do not support LDAP instances that only have *member* attributes, but not the inverse *memberOf* property.

> **Please note**: OpenProject does not support other attributes other than the `memberOf` property to define groups. Please make sure that user objects have the `memberOf` property for the synchronization to work.
> [!NOTE]
> OpenProject does not support other attributes other than the `memberOf` property to define groups. Please make sure that user objects have the `memberOf` property for the synchronization to work.
For the sake of simplicity, we assume that in this guide, your LDAP structure looks like the following:

Expand Down
File renamed without changes
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Original file line number Diff line number Diff line change
Expand Up @@ -7,14 +7,13 @@ keywords: OAuth application settings
---
# OAuth applications

To configure OpenProject to act as a server to an
OAuth client applications, please navigate to *Administration* -> *Authentication* -> *OAuth applications*.
To configure OpenProject to act as a server to an OAuth client applications, please navigate to *Administration* -> *Authentication* -> *OAuth applications*.

## Add a new authentication application for OAuth

To add a new OAuth application, click the green **+ Add** button.
To add a new OAuth application, click the green **+ OAuth application** button.

![Sys-admin-authentication-OAuth-applications](Sys-admin-authentication-oauth-applications.png)
![OAuth applications in OpenProject system administration](openproject_system_admin_guide_oauth_application_button.png)

You can configure the following options to add your OAuth application:

Expand All @@ -40,9 +39,10 @@ You can configure the following options to add your OAuth application:
user on whose behalf requests will be performed.
6. Press **Create** to add your OAuth application.

![add-new-oauth-application](add-new-oauth-application.png)
![Add a new OAuth application in OpenProject administration](openproject_system_admin_guide_oauth_application_new.png)

Don't forget to note down your `Client ID` and your `Client secret`
> [!TIP]
> Don't forget to note down your `Client ID` and your `Client secret`
in a safe space. You will need them later.

## OAuth endpoints
Expand Down
Binary file not shown.
Diff not rendered.
Loading

0 comments on commit 97d79c7

Please sign in to comment.