Enabling Delegated Authentication with IPM via module.xml

When setting up a web application using Delegated Authentication via InterSystems IPM and ZAUTHENTICATE, you need to address the issue of automatically enabling Delegated Authentication because it doesn't appear to work directly through module.xml. Here's how you can resolve this systematically and implement this authentication mechanism:

1. ZAUTHENTICATE Routine Setup:

   • Create a custom ZAUTHENTICATE routine in the %SYS namespace. This serves as the main entry point for implementing your authentication logic. Example:

     ZAUTHENTICATE(ServiceName, Namespace, Username, Password, Credentials, Properties) PUBLIC
     {
         set tRes=$SYSTEM.Status.OK()
         try {
             set Properties("FullName")="OAuth account "_Username
             set Properties("Username")=Username
             set Properties("Roles")=Password
         } catch (ex) {
             set tRes=$SYSTEM.Status.Error($$$AccessDenied)
         }
         quit tRes
     }
     

     The routine verifies the passed credentials and sets user properties like Roles and FullName as required [1][2].

2. Enable Delegated Authentication Globally:

   • Navigate to System Administration > Security > System Security > Authentication/Web Session Options.
   • Select the "Allow Delegated Authentication" checkbox and save the configuration. This step ensures delegated authentication is enabled for the entire instance [1][2].

3. Enable Delegated Authentication for Specific Applications:

   • In your Web Application (module.xml), include the AutheEnabled field to configure delegated authentication:

     <WebApplication
         Name="/${namespaceLower}/api"
         NameSpace="${namespace}"
         DispatchClass="pkg.isc.genai.rest.Handler"
         MatchRoles=":%All"
         AutheEnabled="#{$$$AutheDelegated}"
         Recurse="1"
         CookiePath="/${namespaceLower}/"
     />
     

     This marks the authentication type for the app as "delegated" [1][2].

4. Manually Adjust Authentication Options (as a workaround):

   • If you still find that the Delegated checkbox is not appearing or operating via the SMP, manually ensure that the Web Session Options page has the necessary Delegated option enabled [1].

5. Automate Delegated Authentication through ClassMethod:

   • To automate enabling Delegated Authentication, write an ObjectScript ClassMethod that sets the required configuration programmatically. For example:

     ClassMethod EnableDelegatedAuth(applicationName As %String) As %Status
     {
         set tApp = ##class(Security.Applications).%OpenId(applicationName)
         if tApp '= "" {
             set tApp.Delegated = $$$YES
             quit tApp.%Save()
         }
         quit $SYSTEM.Status.Error($$$GeneralError, "Invalid application name.")
     }
     

     Call this method in your setup process to apply the delegated setting directly [1].

6. Testing and Debugging:

   • Verify if ZAUTHENTICATE is being called during login attempts.
   • Use the audit log for %System/%Login/LoginFailure events to diagnose any authentication issues [1].

By establishing the proper backend with ZAUTHENTICATE and leveraging programmatic controls for system configurations, you can circumvent limitations in module.xml to enable Delegated Authentication seamlessly. [1][2]

Sources:

@Justin Millette, there are more settings to enable in the system to allow delegated access, e.g. a system-wide setting, mentioned in this great @Pravin Barton's article , also there is another one from @Yuri Marx 
 

Also, I don't recommend using the WebApplication tag as it is not working properly yet; there is at least one important bug not solved: for example , CSPApplication works quite well. 

Also, I see %all - I hope this is for development/demo usage only, as it is quite a generous role to use.