#Authentication

Hi Guys,

For Login in CSP application, I am displaying custom Login page which is rendered from subclass CSS.CSP.Login that extends %CSP.Login, and also got IBA.CSP.Page that extends %CSP.Page with overridden method OnPreHTTP(). This setup is working perfectly for normal login.  

When I define Invalid login limit and enable Disable account if login limit reached in System > Security Management > System-wide Security Parameters, the users get disabled after certain invalid login attempts.

Hi community,

I have an incorrect InterSystems Server Credentials password stored by the Workstation Keychain in VS Code. VS Code is trying to use this incorrect stored credential to access the server and does not prompt or allow me to input a different password. I do not see any settings associated with the Keychain or resetting those credentials. Does anyone know of the process to delete or replace a stored password here? 

Thanks!

Hannah 

Hello,

I have a EnsLib.HL7.Operation.FTPOperation that uses SFTP protocol and public/private key to connect to an external vendor moveitcloud.

Issue: The vendor is planning to enable Multi Factor Authentication for this file transfer account.

Question: Have you configured a SFTP operation to use Multi factor Authentication? If not, is there another way?

Thank you,

We've implemented SAML authentication for our application where we are the service provider and various other entities are the identity providers. We've done successful connections with several identity providers including Okta, Duo Mobile, Ping Identity, and Azure. Validating the SAML response with signed assertions has been working great. Now, I am trying implement support for the SAML assertions in the response being encrypted for a new identity provider and struggling to understand procedurally how to go about this.

Hi guys, 

I want to develop a web application in which a user can log in through the user credential of intersystems that is created in Management Portal for a specific role. How can I authenticate the user and get any token or login cookie through which user can call other apis

Hi experts

I'm trying to configure an IRIS ODBC connection with "Windows NT authentication using the network login ID". I have created the System DSN as below:

and user (PROD\test) in the SQL Gateway connection 

However, as the error message suggests, IRIS is trying to connect with PROD\svc_mist, rather than PROD\test configured above. 

Is there anyway to configure the ODBC connection with specified account with Windows Auth method? 

Hi guys, I defined a subclass to %CSP.Login and assigned csp/sys login page to this subclass:

But did not work, I get this error:

And more, the default %CSP.Login continues to be called to login when the user not logged yet
So, how can I do to replace the default %CSP.Login by my subclass?

I've been trying for a while now to get OS authentication working on IRIS running on Ubuntu 20.04 and subsequently 22.04. I have the following authentication methods enabled for %Service_Terminal:

• Operating System
• Password
• Operating System Delegated Authorization

And i have these options selected in Authentication/Web Session Options:

But when logging in via iris session <instancename> I am always prompted for a username and password. I am logged into the operating system with a username that matches my IRIS username, and the same configuration and login method works fine on Red Hat 8.5.

Does anyone happen to have a sample Configuration (CPF) Merge file that includes Action parameters setting up authentication methods (e.g. Password, Kerberos) for certain Services and Web Applications (e.g. via the ModifyService or Modify/CreateApplication AutheEnabled property)?

Thanks!

Recently i've been using Restforms2 to create a CRUD API for a project. But it lacks some advanced functionality that we need, so we have created a production with a REST WS which handles those advanced methods. That works great but there's a drawback, it does not have authentication. 
I would want to use the same authentication method as Restforms2 which is a basic auth using IRIS users and passwords. 
Searching for this, i have found a similar topic. It uses $SYSTEM.Security.Login(user, pass) in a similar manner to create a token.

Hi,

I use Caché COS and I'm having trouble doing a POP3 on the Microsoft email server using OAuth 2.0 authentication.

I'm using the following program to accomplish this task:

QGPOP ; Recebe e-mail da Microsoft Office 365
  Set server=##class(%Net.POP3).%New()
  Set server.port=995
  Set server.StoreAttachToFile=1
  Set server.AttachDir="D:\HOME\CNTIRET"
  Set servername="outlook.office365.com"
  Set user="importacao@ferrolene.com.br",pass="xxxxxx"
  Set AccessToken="exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  set server.SSLConfiguration="Transnovag"
  Set status=server.

In our current UCR arhcitecture, we use two installations. We have one machine with Access, Registry and Edges and one machine with the ODS. On the machine with the Registry, I can create a user/clinician. When I log into the management portal with this user, a so-called delegated user is created in the cached users table. So far everything is going well. 

When I try the same on the machine with the ODS I get the message : 'ERROR #822: Access Denied' . so no delegated user is created.... Does anyone have any idea where I can find the solution?

I have to create a SOAP WebService that receives the username/password as part of a field in the Request. I have no control of the client's application.

<soapenv:Envelopexmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"xmlns:tem="http://tempuri.org"><soapenv:Body><tem:ProcessRequest><!--Optional:--><tem:myRequest><tem:NomUtilisateur>ACGendron</tem:NomUtilisateur><tem:MotDePasse>MyPassword</tem:MotDePasse><!-- Other request fields --><tem:PrenomMere>?

Getting proctect error on csp custom login page. 

It says to add role to CSPSYSTEM i have given role to db (rw i would like to change to R once working). It has not solved issue 

I am trying to secure a rest service but I lack the understanding of how to achieve this if anyone will explain  in details how I could achieve the following:

Securing The REST Service with Basic Auth (username and password)

if any one has a sample code on this will appreciate 

While the documentation of configuring authentication with Kerberos for IRIS on Linux servers is sparse, for docker i found no docs at all. Assuming I would be able to adapt the requirements from linux to docker (on linux host) I had no success at all. Has anyone successfully done this?

Even with "do ^REDEBUG" set to FFFFFFFF the log did not help much, I always get "Kerberos error getting initial credentials with password; KDC reply did not match expectations". Since I moved the iris.

Credentials for a Productions are stored as plain text in ^Ens.SecondaryData.Password and exposed as plain text via SQL table Ens_Config.Credentials which is not ideal as only admins should know the credentials.

I can create my own adapter etc... to store and use encrypted passwords but does anyone know if there is a standard way to do this in a Production?

Alternatively, am I missing how to secure this so the production can run and someone can monitor and operate a production without access to the SQL table or global?

Many password requirements can be enforced using a password validation routine which is available to implement in System Management Portal. But how about this one:

Check that at least 50% of the characters changed from old password to new password.

We need to have access to the old password to check this, currently password validation routine only gets the new password.

We can create a new form to update the password where user must enter the old password and new password. I think I can block users from changing the password the usual way by having a password routine reject all passwords.

I am still working on iris-for-money app: https://github.com/oliverwilms/iris-for-money

Account.csp posts a rest call with _SYSTEM username and the password.

xhttp.open("POST", "/restapi/sql/" + query, true,"_SYSTEM","SYS");
xhttp.send();

/restapi web application has Password Authentication Method enabled.

SYS is the correct password for _SYSTEM user.

I do not understand why I see login failure in Audit database.

I am working on iris-for-money app: https://github.com/oliverwilms/iris-for-money

Account.csp posts a rest call with _SYSTEM username and the password.

xhttp.open("POST", "/restapi/sql/" + query, true,"_SYSTEM","SYS");
xhttp.send();

The error is logged in Riches.REST for this line:

Set tSC = tStatement.%Prepare(pQuery)

ClassMethod PostSQL(pQuery As %String = "", pIndex As %String = -1) As %Status
{
    Do ..DebugTEST("Riches.REST - PostSQL")
    Do ..DebugTEST("pQuery = "_pQuery)
    Set tSC = ..TestQuery(pQuery,.pQuery)
    Do ..DebugTEST("TestQuery = "_pQuery)
    Set tStatement =

Since the ObjectScript plug-ins for VS Code use web services to connect to IRIS, is it possible for a VS Code user to authenticate against IRIS using OAuth?

Hi! I'm banging my head to the wall with HMAC authentication. I have tried to implement this various ways but nothing seems to work.

If someone could help on this it would be great!

Here is a code that I have tried and working Javascript example, tested on Postman. 

Hi folks!

Could you please share your experience on how do you create REST API with InterSystems IRIS that uses bearer authentication?

How do you generate tokens? How do you maintain it (how much time tokens exist?).

Thanks in advance!

Hello,

I'm hoping to get some feedback on the OAuth process flow for Payer-to-Payer authorization.  It doesn't seem that "Authorization Code Flow" is needed as there will not be a need for a login.  I am leaning towards recommending "Client Credentials Flow", but wanted to get some community feedback before making a decision. I prefer to follow what the standard will be if possible.  What would you recommend?  Thank you in advance for your input.

Hello,
        
        We are using AWS SSO authentication in our application to validate the users. For validating the users, we are passing the username and password from AWS SSO to our application. We need to validate the user in our application without using the password.

         We developed the login class using zenPage. We used <loginForm> tag in the login page which is used for the automatic validation.
         Is there any possible way to achieve this?
         

Thanks in advance.

How do you determine what namespace to use for your custom SAML attributes? We want to receive patient context (first name, last name, dob, gender, etc.)

OASIS has resource-id but none of the other attributes. urn:oasis:names:tc:xacml:1.0:resource:resource-id

Has anyone successfully implemented Multi-factor Authentication for TrakCare?

I am using MDX2JSON do display data, it uses CSP REST to retrieve data and uses Password Authentication. I enabled LDAP authentication for this applicaiton, but it does not work.

Hello everybody,

I am creating a WS as a server, but when I ask for the WSDL it is giving me an error because it cannot find the class.
I have added the following instructions:

set ^SYS("Security","CSP","AllowClass","MiProyecto.MiClaseWS","%SOAP.WebServiceInfo")=1 
set ^SYS("Security","CSP","AllowClass","MiProyecto.MiClaseWS","%SOAP.

Dear Folks,

I have recently studied deepsee and developed few dashboards needed for our web app users. I am trying to embed them in our existing web app which uses angular with delegated user access. I need to embed the native IRIS dashboard into it. ( I can't use Highcharts or any other js tools). 

How do I setup the dashboards to work with delegated authentication (Without providing access to management portal or other parts) ? Also should I use the default csp/{Namespace}/_DeepSee.UserPortal.DashboardViewer.zen? or any other web application URL ?

Thanks