Question
· Jul 8

Enabling Delegated Authentication with IPM via module.xml

I am trying to set up a web application with Delegated Authentication via IPM. It is possible to give a specific application Delegated Authentication:

<WebApplication
        Name="/${namespaceLower}/api"
        NameSpace="${namespace}"
        DispatchClass="pkg.isc.genai.rest.Handler"
        MatchRoles=":%All"
        AutheEnabled="#{$$$AutheDelegated}"
        Recurse="1"
        CookiePath="/${namespaceLower}/"
        />

with the AutheEnabled field. This will display the authentication as "delegated" in the SMP Web Applications display, but when one enters the settings page for this application, there is no checkbox for Delegated. This also doesn't seem to function -- ZAUTHENTICATE is never called.

To fix this, I have manually gone to the Authentication/Web Session Options page and enabled Delegated Authentication. With this enabled, ZAUTHENTICATE is called, that checkbox appears, and everything works.

I cannot seem to find a way to automatically enable that in module.xml. Does anyone have any experience with this, or is there another way to do this? (Can you do this via a ClassMethod somewhere, and then just invoke that method in module.xml?) 

Product version: IRIS 2025.1

When setting up a web application using Delegated Authentication via InterSystems IPM and ZAUTHENTICATE, you need to address the issue of automatically enabling Delegated Authentication because it doesn't appear to work directly through module.xml. Here's how you can resolve this systematically and implement this authentication mechanism:

  1. ZAUTHENTICATE Routine Setup:

    • Create a custom ZAUTHENTICATE routine in the %SYS namespace. This serves as the main entry point for implementing your authentication logic. Example:
      objectscript
      #include %occInclude
      #include %occErrors
      ; Routine ZAUTHENTICATE.mac in %SYS. IRIS calls this entry point for every login on a
      ; service or web application that has delegated authentication enabled.
      ; Credentials and Properties are passed by reference.
      ZAUTHENTICATE(ServiceName,Namespace,Username,Password,Credentials,Properties) PUBLIC {
          set tRes=$$$OK
          try {
              ; Reject empty credentials up front. The real check against the external
              ; identity store belongs here, before any property is set for the user.
              if (Username="")||(Password="") {
                  set tRes=$SYSTEM.Status.Error($$$AccessDenied)
                  quit
              }
              set Properties("FullName")="OAuth account "_Username
              set Properties("Username")=Username
              ; Demonstration only: in production derive Roles from the verified identity,
              ; never from client-supplied input such as Password.
              set Properties("Roles")=Password
          } catch ex {
              set tRes=$SYSTEM.Status.Error($$$AccessDenied)
          }
          quit tRes
      }

      The routine verifies the passed credentials and sets user properties like Roles and FullName as required [1][2].
  2. Enable Delegated Authentication Globally:

    • Navigate to System Administration > Security > System Security > Authentication/Web Session Options.
    • Select the "Allow Delegated Authentication" checkbox and save the configuration. This step ensures delegated authentication is enabled for the entire instance [1][2].
  3. Enable Delegated Authentication for Specific Applications:

    • In your Web Application (module.xml), include the AutheEnabled field to configure delegated authentication:
      xml
      <WebApplication
      Name="/${namespaceLower}/api"
      NameSpace="${namespace}"
      DispatchClass="pkg.isc.genai.rest.Handler"
      MatchRoles=":%All"
      AutheEnabled="#{$$$AutheDelegated}"
      Recurse="1"
      CookiePath="/${namespaceLower}/"
      />

      This marks the authentication type for the app as "delegated" [1][2].
  4. Manually Adjust Authentication Options (as a workaround):

    • If you still find that the Delegated checkbox is not appearing or operating via the SMP, manually ensure that the Web Session Options page has the necessary Delegated option enabled [1].
  5. Automate Delegated Authentication through ClassMethod:

    • To automate enabling Delegated Authentication, write an ObjectScript ClassMethod that sets the required configuration programmatically. For example:
      objectscript
      /// Run in %SYS. Security.Applications has no "Delegated" property: delegated
      /// authentication is the $$$AutheDelegated bit of the AutheEnabled bit mask
      /// (assumed here to come from Include %syAuthe; module.xml evaluates the same macro).
      /// This sets the per-application bit only. The instance-wide "Allow Delegated
      /// Authentication" setting (Security.System AutheEnabled) must also be on,
      /// or ZAUTHENTICATE is never called for the application.
      ClassMethod EnableDelegatedAuth(applicationName As %String) As %Status
      {
          set tApp = ##class(Security.Applications).%OpenId(applicationName)
          if '$isobject(tApp) {
              quit $SYSTEM.Status.Error($$$GeneralError, "Invalid application name: "_applicationName)
          }
          // Bitwise OR ($zboolean code 7) keeps any other mechanisms already enabled on the app.
          set tApp.AutheEnabled = $zboolean(tApp.AutheEnabled, $$$AutheDelegated, 7)
          quit tApp.%Save()
      }

      Call this method in your setup process to apply the delegated setting directly [1].
  6. Testing and Debugging:

    • Verify if ZAUTHENTICATE is being called during login attempts.
    • Use the audit log for %System/%Login/LoginFailure events to diagnose any authentication issues [1].

By establishing the proper backend with ZAUTHENTICATE and leveraging programmatic controls for system configurations, you can circumvent limitations in module.xml to enable Delegated Authentication seamlessly. [1][2]
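One way to do what the question asks (a ClassMethod that module.xml invokes during installation), as an added example that is not code from the original thread, from IPM or from InterSystems: the class name pkg.isc.genai.setup.Auth, the method EnableDelegated, the `<Invokes>` hook quoted in the class comment (IPM's Invoke element, assumed here to take Class, Method, Phase, When, CheckStatus and an `<Arg>` child) and the `%syAuthe` include that is assumed to define $$$AutheDelegated are all assumptions; Security.System.Get/Modify and Security.Applications.Get are the %SYS APIs it relies on.

```objectscript
Include (%occErrors, %syAuthe)

/// Hypothetical IPM setup class (added example). Wire it up in module.xml with
///   <Invokes>
///     <Invoke Class="pkg.isc.genai.setup.Auth" Method="EnableDelegated"
///             Phase="Configure" When="After" CheckStatus="true">
///       <Arg>/${namespaceLower}/api</Arg>
///     </Invoke>
///   </Invokes>
/// so that the instance-wide setting is turned on every time the module is installed.
Class pkg.isc.genai.setup.Auth
{

/// Turn on "Allow Delegated Authentication" instance-wide, then confirm that the
/// web application carries the Delegated bit too. Idempotent: safe to run on every install.
ClassMethod EnableDelegated(appName As %String) As %Status
{
    // Security.System lives in %SYS; IPM invokes this method in the module's namespace.
    new $namespace
    set $namespace = "%SYS"

    set tSC = ##class(Security.System).Get(.tSys)
    quit:$$$ISERR(tSC) tSC
    // AutheEnabled is a bit mask. $zboolean(...,1) is bitwise AND (test the bit),
    // $zboolean(...,7) is bitwise OR (set it without disturbing other mechanisms).
    if '$zboolean(tSys("AutheEnabled"), $$$AutheDelegated, 1) {
        set tSys("AutheEnabled") = $zboolean(tSys("AutheEnabled"), $$$AutheDelegated, 7)
        set tSC = ##class(Security.System).Modify(.tSys)
        quit:$$$ISERR(tSC) tSC
    }

    // The per-application setting written from module.xml must also have the bit,
    // otherwise ZAUTHENTICATE is never called for this application.
    set tSC = ##class(Security.Applications).Get(appName, .tApp)
    quit:$$$ISERR(tSC) tSC
    if '$zboolean(tApp("AutheEnabled"), $$$AutheDelegated, 1) {
        quit $SYSTEM.Status.Error($$$GeneralError, appName_" does not have delegated authentication enabled")
    }
    quit $$$OK
}

}
```

Because the instance-wide flag is a security setting shared by every application on the instance, the method only adds the Delegated bit and never clears anything; switching the instance back to its previous state is left as a deliberate manual step rather than something an uninstall hook does silently.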


@Justin Millette, there are more settings to enable in the system to allow delegated access, e.g. a system-wide setting, mentioned in this great article by @Pravin.Barton; there is also another one from @Yuri Marx.

Also, I don't recommend using the WebApplication tag, as it is not working properly yet; there is at least one important bug not solved, for example. CSPApplication works quite well.

Also, I see %All; I hope this is for development/demo usage only, as it is quite a generous role to use.