#Authentication


Authentication in Computing is the process or action of verifying the identity of a user or process.

Authentication in InterSystems Data Platform Documentation.

Question Scott Roth · Feb 16, 2018

I am working on a ZAUTHENTICATE.mac to move us from local cache users to Delegated Authentication against LDAP.

I have created a user role within my instance of Ensemble that matches the AD Group that I will be assigning everyone in my group to.  Is there a way to query the list of available Roles within Ensemble, and if one of my AD groups matches that role, set the role for that user?

How would I compare the AD Group against the Role listing?

Thanks

Scott

Question Anne Kantola · Mar 5, 2018

Hi, 

 
have you any working example of authentication and services in Angular 4 (2-5) and Cache 2017.1?
 
We have authentication, but we don't want CacheUsername and CachePassword to be in the URL (this works), but in a header (we have not gotten this to work, Problem 1).
We have REST services and they work with CacheUserName and CachePassword, but we want them to work with a cookie after authentication is done (we have not gotten this to work, Problem 2).

How do we code the client, and what do we have to code and set on the server?

The last thing we tried was this (we also asked WRC /Tomas, but have not got an answer).
Question Pasi Leino · Apr 11, 2017

We are building a bunch of rest based services using Ens 2016.2 to serve our browser based application (Angular 4).

Two questions:

1. The initial authentication seems to only work if credentials are placed in the URL parameters. Trying to use the Authorization header instead, the client code immediately complains about Access-Control-Allow-Origin. How can I resolve this?

 

2. After initial authentication, what is the proper way to send subsequent REST calls without having to include credentials every time?

I have Parameter UseSession As Integer = 1 in my service class, but what else do I need to do?

Question Daniel Sanches · Jun 28, 2019

I'm trying to sign an xml but this is showing an Id attribute in the Signature tag and the xmlns attribute is not appearing.

This is the xml generated:

<Signature Id="Id-80170FF0-0678-47D5-8C8B-771AA4E334E6">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
                <SignatureMethod Algorithm="http://www.w3.
Question David Clifte da Vieira · Aug 26, 2016

Hello everyone,

I'm trying to authenticate a user (Health Share clinician) from a Java Application.

I'm already connected to Caché and able to run SQL commands.

My question is: How can I authenticate a user using only SQL? In fact, what I want is to verify if the user exists in the base and if the given password is the same one used in Health Share.

There is a column 'password' in Security.users table but I'm not able to see its content, even so, I don't know which hash function to use to compare with.

Question Mack Altman · May 26, 2016

Does anyone have any experience with getting, unfortunately, an older version of Cache to authenticate via SMTP to send email? I have verified that the settings are set up properly on the mailbox as I have successfully sent an email from a LAMP server, which comes from the same IP address.

If you have any thoughts, I would greatly appreciate it.

 

This is the error I receive

ERROR #6034: SMTP server connection failed during MAIL FROM command: <READ>zSend+105^%Net.SMTP.1.

when I run the following.

S() Public {
server=##class(%Net.SMTP).%New()
server.smtpserver="smtp.office365.com"
server.

Question Michael Lundberg · Feb 19, 2019

Hi!

I have a question: is it possible to let Ensemble manage user rights from an AD user group?

What I want is to let external users have access to certain CSP-pages to read information, but not let them have access to Ensemble itself. And instead of setting up individual accounts in Ensemble for each one of them, I would rather have them in an AD security group.

Is that possible, and also to limit them to only chosen CSP-pages?

I'm not an administrator of our platform, I just develop productions, so I would be grateful for information I could bring to our tech guys and ask them to set it up, if possible.
Question Oscar Muñoz · Apr 15, 2021

Hello everybody,

I am creating a WS as a server, but when I ask for the WSDL it is giving me an error because it cannot find the class.
I have added the following instructions:

set ^SYS("Security","CSP","AllowClass","MiProyecto.MiClaseWS","%SOAP.WebServiceInfo")=1 
set ^SYS("Security","CSP","AllowClass","MiProyecto.MiClaseWS","%SOAP.
Question Laura Cavanaugh · Sep 6, 2016

If a user simply closes a tab (running a web application), is there any good way to ensure that the license is released AND the login cookie is destroyed?  

 

I found that if the tab is simply closed without first logging out of the application, then 1) the license hangs around forever, and 2) if the user then opens a tab, he is already logged in.

 

For #2, I understand that there might be some grace period to allow the user to log in automatically again using the same session Id (where is that documentation again?) but what about destroying the license?  Who/what is supposed to clean that up?

Question Evgenii Ermolaev · Mar 25, 2021

Currently, I am working on a CSP application that is supposed to generate reports. Users will have varying access to said reports. To achieve that, I plan to use LDAP (because it's used in other systems where those users already exist). Documentation does not provide enough information, so I'd like a clarification:
Do I need to enable LDAP authentication for the whole Cache instance to use LDAP authentication in a single CSP application in that instance?

Question Massimo Sebastiani · Sep 4, 2019

Hello, has anyone tried to use Caché as a reverse proxy?

We are trying to embed a dashboard server (Plotly Dash in this case, but it could be anything which runs on its application server) inside our application which is written in Caché.  
The dashboard/report server runs locally (for example, or inside a LAN) on port 8080, and has no authentication features, so we have to implement them on a different layer, and we'd like to use Caché for it.

Question Marco den Hartog · Jan 6, 2017

I am looking for a solution with Ensemble to talk to an old NTLM based SOAP Service. Has anyone done this before?

We have the webservice calls working via SOAPUI but we are looking how we can make it work with Ensemble.

Is there a ready-to-use Outbound Adapter for NTLM?

Thx.

Question Mathieu Van Sevenant · Sep 13, 2019

Hello everyone :-)

I would like to update Atelier from version 1.0.262 to the 1.3 one. So I clicked on Help --> Check for updates, and I get these first error messages:

"No updates were found in available software sites."

"Some sites could not be found. See the error log for more detail." etc. cf picture below talking about Proxy Authentication.

Question Rick Clayton · Jan 19, 2018

I am setting up a new Caché instance and I have managed to configure it where Caché username/password is required to initiate the Caché session:

csdfalsdkfjf@fra23e234sco:/opt/labmed/test/test81/proc$ csession cache1

Node: frxxco, Instance: CACHE1

Username: 

I cannot find the setting in the management console that allows for unauthenticated login to a Caché session.  Any help is much appreciated.

Question Laura Cavanaugh · Aug 17, 2017

Hello all,

In my ZEN login page, I found a way  to bypass the submit button and force a user to click on the Sign In button, thus forcing the code to call my OnSubmit(), like this:

<!--ondefault="return true;"--><!-- this removes the ability to use "return" to login forces button click to login -->

<loginForm id="loginForm"   ondefault="return true;">

<text name="CacheUserName" />
<password name="CachePassword" />
<!-- the submit button is special, and submits automatically without checking first -->
<!

Question Jukka Pitkänen · Mar 21, 2022

Hi! I'm banging my head against the wall with HMAC authentication. I have tried to implement this in various ways but nothing seems to work.

If someone could help on this it would be great!

Here is the code that I have tried and a working JavaScript example, tested on Postman.

Set Appid = "itsasecretid"
Set Appkey = "itsasecretkey"

Set requestTimeStamp = $ZDATETIME($HOROLOG,-2)
Set nonce = ..getRandomString()
Set signatureRawdata = Appid_requestTimeStamp_nonce
    
Set keyUTF8 = $zconvert(Appkey,"O","UTF8")
Set signatureRawdataUTF8 = $zconvert(signatureRawdata,"O","UTF8")
    
Set tSigningKey = $SYSTEM.

Question Claudio Vieira · Feb 3, 2023

Hi,

I use Caché COS and I'm having trouble doing a POP3 on the Microsoft email server using OAuth 2.0 authentication.

I'm using the following program to accomplish this task:

QGPOP ; Receives e-mail from Microsoft Office 365
  Set server=##class(%Net.POP3).%New()
  Set server.port=995
  Set server.StoreAttachToFile=1
  Set server.AttachDir="D:\HOME\CNTIRET"
  Set servername="outlook.office365.com"
  Set user="importacao@ferrolene.com.br",pass="xxxxxx"
  Set AccessToken="exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  set server.SSLConfiguration="Transnovag"
  Set status=server.

Question Dmitrii Kuznetsov · Sep 1, 2019

OAuth server to be deployed on the IRIS learning cloud platform. Clients - one on the other instance of the learning IRIS server, the other client locally on my computer in a Docker container.

Both clients get a seemingly correct link (through ##class(%SYS.OAuth2.Authorization).GetAuthorizationCodeEndpoint()) to the login request form:  

https://52773b-62955584.labs.learning.intersystems.com/oauth2/authorize?response_type=code&client_id=nHCv5A-u_5T1YAwk_tJ7xpi1ky-s2AnRQMaL6YHsUgU&redirect_uri=https%3A//52773b-99792125.labs.learning.intersystems.com/csp/sys/oauth2/OAuth2.Response.

Question Steve Shaw · May 25, 2017

Unless I'm mistaken, 2017.1 doesn't appear to support RFC 7523 (JSON Web Token Profile for OAuth 2.0 Client Authentication and Authorization Grants).  Is that coming in 2017.2?

In order to support it in 2017.1, I'd have to override the OAuth 2.0 token endpoint to cater for the additional grant types - what's the best way to do this?

 

Thanks.

Question Chip Gore · Nov 23, 2016

Hi -

I know that when specifying Caché password rules (i.e. what constitutes a valid password definition) that the "Pattern Matching" logic is what is getting leveraged under the covers to enforce the "A Password Must conform to X" rule. I was hoping that people could share some more sophisticated pattern matching rules. (in particular, I was wondering what a rule that would require non-repeating mixture of letter, numbers, & punctuation of an overall minimal size)

Question José Pereira · Oct 10, 2017

Hi everyone! My company has a Zen ERP application with CSP delegated authentication. Now, we're developing a separate BI application, using Angular, which consumes DeepSee REST API services. Both applications access the same Caché database.

How to implement single sign-on strategy in order to allow an already authenticated ERP user to access DeepSee REST services? Has anyone already implemented something like that?

Thanks in advance.
Question Justin Millette · Jul 8, 2025

I am trying to set up a web application with Delegated Authentication via IPM. It is possible to give a specific application Delegated Authentication:

<WebApplication
        Name="/${namespaceLower}/api"
        NameSpace="${namespace}"
        DispatchClass="pkg.isc.genai.rest.Handler"
        MatchRoles=":%All"
        AutheEnabled="#{$$$AutheDelegated}"
        Recurse="1"
        CookiePath="/${namespaceLower}/"
        />

with the AutheEnabled field.
