#Authentication

4 Followers · 154 Posts

Authentication in Computing is the process or action of verifying the identity of a user or process.

Authentication in InterSystems Data Platform Documentation.

Question Sandeep K C · Aug 23, 2023

Hi Guys,

For login in a CSP application, I am displaying a custom login page which is rendered from the subclass CSS.CSP.Login that extends %CSP.Login, and I also have IBA.CSP.Page that extends %CSP.Page with the overridden method OnPreHTTP(). This setup is working perfectly for normal login.

When I define Invalid login limit and enable Disable account if login limit reached in System > Security Management > System-wide Security Parameters, the users get disabled after certain invalid login attempts.

Since Caché does not have a time period field to disable the account for a certain time, e.g. enable after 15 mins

4
0 509
Question Julio Rodriguez · Jul 10, 2023

Hello,

I have an EnsLib.HL7.Operation.FTPOperation that uses the SFTP protocol and a public/private key to connect to an external vendor, moveitcloud.

Issue: The vendor is planning to enable Multi Factor Authentication for this file transfer account.

Question: Have you configured an SFTP operation to use Multi-Factor Authentication? If not, is there another way?

Thank you,

1
0 460
Question Hannah Sullivan · Aug 3, 2023

Hi community,

I have an incorrect InterSystems Server Credentials password stored by the Workstation Keychain in VS Code. VS Code is trying to use this incorrect stored credential to access the server and does not prompt or allow me to input a different password. I do not see any settings associated with the Keychain or resetting those credentials. Does anyone know of the process to delete or replace a stored password here?

Thanks!

Hannah

1
0 1086
Question Nick Hershberger · Jun 13, 2023

We've implemented SAML authentication for our application where we are the service provider and various other entities are the identity providers. We've done successful connections with several identity providers including Okta, Duo Mobile, Ping Identity, and Azure. Validating the SAML response with signed assertions has been working great. Now, I am trying to implement support for the SAML assertions in the response being encrypted for a new identity provider and struggling to understand procedurally how to go about this.

0
0 484
Article Yuri Marx · Apr 13, 2023 10m read

It is a recommended security practice to log into sensitive Administrator Portals without entering any passwords. Thus, it is necessary to identify and authenticate the users correctly. A common technique employed by web portals and mobile applications is to use Google social login. Today, Google Gmail has 2 billion users (source: https://www.usesignhouse.com/blog/gmail-stats). Therefore, it is a perfect shared login service to utilize to log in InterSystems IRIS users when they need to manage their instances. This article will detail all the steps to embed Google Login into your InterSystems Management Portal.


Register your InterSystems instance in the Google Console

1. Go to https://console.cloud.google.com and log in with your Google user account.
2. On the header click Select a project:

7
5 995
Announcement Anastasia Dyubaylo · Mar 17, 2023

Hey Community,

Tired of entering login-password during the docker build with your InterSystems IRIS every time?

There is a handy way to turn it on and off – use the passwordless zpm module.

Watch this video to explore how to use the passwordless ipm module to turn on and off entering login-password during docker build with your InterSystems IRIS:

⏯️ Passwordless mode for development with InterSystems IRIS

0
0 433
Question Jeffrey Drumm · Feb 10, 2023

I've been trying for a while now to get OS authentication working on IRIS running on Ubuntu 20.04 and subsequently 22.04. I have the following authentication methods enabled for %Service_Terminal:

  • Operating System
  • Password
  • Operating System Delegated Authorization

And I have these options selected in Authentication/Web Session Options:

But when logging in via iris session <instancename> I am always prompted for a username and password. I am logged into the operating system with a username that matches my IRIS username, and the same configuration and login method works fine on Red Hat 8.5.

Is

2
0 321
Question Jaime Lerga · Feb 8, 2023

Recently I've been using Restforms2 to create a CRUD API for a project. But it lacks some advanced functionality that we need, so we have created a production with a REST WS which handles those advanced methods. That works great, but there's a drawback: it does not have authentication.
I would want to use the same authentication method as Restforms2, which is basic auth using IRIS users and passwords.
Searching for this, I have found a similar topic. It uses $SYSTEM.Security.Login(user, pass) in a similar manner to create a token.

4
0 1037
Question Tani Frankel · Feb 8, 2023

Does anyone happen to have a sample Configuration (CPF) Merge file that includes Action parameters setting up authentication methods (e.g. Password, Kerberos) for certain Services and Web Applications (e.g. via the ModifyService or Modify/CreateApplication AutheEnabled property)?

Thanks!

2
0 295
Article Heloisa Paiva · Jan 16, 2023 7m read

Why I decided to write this

Recently I had the challenge to create a secure authentication method to authorize access to some data, but unfortunately I had zero experience with those security configurations and I felt that I was missing some basic concepts to have a better understanding of the official documentation.

After studying and managing to deliver the classes that I was asked to develop, I'd like to share a little bit of my new knowledge, which helped me follow the topics in the documentation.

Starting with the basics: the holy trinity of servers

First, it's important to understand what

0
1 556
Question Rob Schoenmakers · Nov 30, 2022

In our current UCR architecture, we use two installations. We have one machine with Access, Registry and Edges and one machine with the ODS. On the machine with the Registry, I can create a user/clinician. When I log into the management portal with this user, a so-called delegated user is created in the cached users table. So far everything is going well.

When I try the same on the machine with the ODS I get the message 'ERROR #822: Access Denied', so no delegated user is created. Does anyone have any idea where I can find the solution?

1
0 421
Question André-Claude Gendron · Oct 28, 2022

I have to create a SOAP WebService that receives the username/password as part of a field in the Request. I have no control of the client's application.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org"><soapenv:Body><tem:ProcessRequest><!--Optional:--><tem:myRequest><tem:NomUtilisateur>ACGendron</tem:NomUtilisateur><tem:MotDePasse>MyPassword</tem:MotDePasse><!-- Other request fields --><tem:PrenomMere>?</tem:PrenomMere><tem:NumeroTele
3
0 913
Question Thomas Wuppermann · Sep 23, 2022

While the documentation on configuring authentication with Kerberos for IRIS on Linux servers is sparse, for Docker I found no docs at all. Assuming I would be able to adapt the requirements from Linux to Docker (on a Linux host), I had no success at all. Has anyone successfully done this?

Even with "do ^REDEBUG" set to FFFFFFFF the log did not help much, I always get "Kerberos error getting initial credentials with password; KDC reply did not match expectations".

0
0 356
Question David Underhill · Aug 23, 2022

Credentials for Productions are stored as plain text in ^Ens.SecondaryData.Password and exposed as plain text via the SQL table Ens_Config.Credentials, which is not ideal as only admins should know the credentials.

I can create my own adapter etc... to store and use encrypted passwords but does anyone know if there is a standard way to do this in a Production?

Alternatively, am I missing how to secure this so the production can run and someone can monitor and operate a production without access to the SQL table or global?

2
2 734
Question Oliver Wilms · Aug 12, 2022

Many password requirements can be enforced using a password validation routine which is available to implement in System Management Portal. But how about this one:

Check that at least 50% of the characters changed from old password to new password.

We need to have access to the old password to check this, currently password validation routine only gets the new password.

We can create a new form to update the password where the user must enter the old password and the new password. I think I can block users from changing the password the usual way by having a password routine reject all passwords.

Is

1
0 382
Question Oliver Wilms · Jul 10, 2022

I am still working on iris-for-money app: https://github.com/oliverwilms/iris-for-money

Account.csp posts a rest call with _SYSTEM username and the password.

xhttp.open("POST", "/restapi/sql/" + query, true,"_SYSTEM","SYS");
xhttp.send();

/restapi web application has Password Authentication Method enabled.

SYS is the correct password for _SYSTEM user.

I do not understand why I see login failure in Audit database.

1
0 383
Question Oliver Wilms · Jul 9, 2022

I am working on iris-for-money app: https://github.com/oliverwilms/iris-for-money

Account.csp posts a rest call with _SYSTEM username and the password.

xhttp.open("POST", "/restapi/sql/" + query, true,"_SYSTEM","SYS");
xhttp.send();

The error is logged in Riches.REST for this line:

Set tSC = tStatement.%Prepare(pQuery)

ClassMethod PostSQL(pQuery As %String = "", pIndex As %String = -1) As %Status
{
    Do ..DebugTEST("Riches.REST - PostSQL")
    Do ..DebugTEST("pQuery = "_pQuery)
    Set tSC = ..TestQuery(pQuery,.pQuery)
    Do ..DebugTEST("TestQuery = "_pQuery)
    Set tStatement =

3
0 1147
Question Jukka Pitkänen · Mar 21, 2022

Hi! I'm banging my head to the wall with HMAC authentication. I have tried to implement this various ways but nothing seems to work.

If someone could help on this it would be great!

Here is the code that I have tried and a working JavaScript example, tested in Postman.

Set Appid = "itsasecretid"
Set Appkey = "itsasecretkey"

Set requestTimeStamp = $ZDATETIME($HOROLOG,-2)
Set nonce = ..getRandomString()
Set signatureRawdata = Appid_requestTimeStamp_nonce
    
Set keyUTF8 = $zconvert(Appkey,"O","UTF8")
Set signatureRawdataUTF8 = $zconvert(signatureRawdata,"O","UTF8")
    
Set tSigningKey = $SYSTEM.Encryption.

4
0 907
Question Annalisa Wilde · Jul 26, 2018

I am doing an implementation of a SAML 2.0 SingleSignOn protocol integration which requires a signed message with the signature element in the body of the SOAP message, not the header as is default SOAP security handling. Any suggestions for how to do this would be greatly appreciated. When it is passed in the header, it is not processed by our partner and we just get a "Signature Required" response. Presumably I will have to go through the steps outlined in Signing XML Documents but I am not sure the best place within the outbound web-client flow in which to do this.

1
0 576
Question Chip Gore · Aug 18, 2016

I'm VERY novice on all things "OpenAM", and beyond knowing that Caché supports working with OpenAM, I have nothing else to go on.

The documentation doesn't seem to be very deep on the nature of how this works beyond a single paragraph saying it's supported for Single Sign On (SSO).

For Caché to use this, I get that there is an environment variable (REMOTE_USER) which is set to "something", but it's not clear to me how this ends up mapping to a provisioned Caché user (or LDAP provisioned user for that matter) and ultimately to the %Roles in effect and subsequent system access.

Can someone please

1
0 456
Article Daniel Kutac · Aug 10, 2016 22m read

Created by Daniel Kutac, Sales Engineer, InterSystems

Warning: if you get confused by the URLs used: the original series used screens from a machine called dk-gs2016. The new screenshots are taken from a different machine. You can safely treat the URL WIN-U9J96QBJSAG as if it was dk-gs2016.

Part 2. Authorization server, OpenID Connect server

In the previous part of this short series, we learned about a simple use case: acting as an OAUTH[1] client. Now, it's time to bring our experience to a whole new level.

12
4 5806