I'm interested in different approaches on how to store user data in Caché. I'm assuming that application uses Caché security/Caché users and not a self-made authentication system.
How do you determine what namespace to use for your custom SAML attributes? We want to receive patient context (first name, last name, dob, gender, etc.)
OASIS has resource-id but none of the other attributes. urn:oasis:names:tc:xacml:1.0:resource:resource-id
I need to offer new users on our system a temporary password that is valid for only 48 hours. This is different than a 60-day password expiration window for existing users' passwords (where a password needs to be changed every 60 days), and is different than a "user expiration date", where you can set a date where the user's account expires and is disabled on that date, and different than the inactivity expiration date where a user becomes active if his account is not used within, say, 30 days.
I'm hoping to get some feedback on the OAuth process flow for Payer-to-Payer authorization. It doesn't seem that "Authorization Code Flow" is needed as there will not be a need for a login. I am leaning towards recommending "Client Credentials Flow", but wanted to get some community feedback before making a decision. I prefer to follow what the standard will be if possible. What would you recommend? Thank you in advance for your input.
I am trying to create a %Installer script and I noticed from our documentation that %Installer's <CSPAuthentication> will only accept:
<CSPApplication>
Optional; within <Namespace>. Defines one or more CSP applications; the supported authentication flags are 4 (Kerberos), 32 (Password), and 64 (Unauthenticated).
Is "Delegated" authentication supported? What is it's code?
I am trying to use postman to start the restapi classes from a json openapi2.0.0 file.
POST: https://myserver.com/api/mgmnt/v2/requestAPI. The body contains the openapi2.0.0. The application api/mgmnt has in security settings: password. JWT is not selected. I set postman authentication to basis authentication and gave username and password. I also set in headers IRISUsername and IRISPassword. I have 401 Unauthorized.
Is the only way to go through is to build an oauth token? or do I miss something?
When a company is quite large and many different applications used by employees. But while those applications are mostly completely different, how to make it possible to not force users to enter credentials as many times as many applications they would like to use. The best way is to use SSO, so, it will be possible to have a portal, where users could launch any application used in a company. There are many different ways how to give access to your application by using the SSO mechanism, and some of them are:
OAuth2
Kerberos
SAML
InterSystems already supports OAuth2 and can be quite easily deal with Kerberos. But I would like to discuss about using SAML (Security Assertion Markup Language).
I've been trying for a while now to get OS authentication working on IRIS running on Ubuntu 20.04 and subsequently 22.04. I have the following authentication methods enabled for %Service_Terminal:
Operating System
Password
Operating System Delegated Authorization
And i have these options selected in Authentication/Web Session Options:
Our client says the call to send email (method (%Net.SMTP).Send) started returning error # 6167 (Authentication expected but failed.) after installing IRIS 2022.1.2; email had worked before. Properties (%Net.Authenticator).UserName and .Password were configured. We can get email to work when we don't set property (%Net.SMTP).authenticator.
I have productions running in several different namespaces. They all use a common credentials ID for sending email, which is set up in only one of the namespaces. The documentation says that credentials are entered by namespace. When I ran a production in a second namespace, the error log said that credentials were not found (expected), but later attempts to send a file thorugh the production did successfully send an email. I'm wondering if Ensemble is able to look in other namespaces for the same credentials ID?
I'm trying to consume a REST Service that use Digest authentication, I'm trying to implement the authentication but I'm don't know where is my mistake.
Someone have already used this type of authentication.
Below the code I wrote to try to generate the response hash:
I'm new to Iris for Health and I'm trying to get some experience using it. I've subscribed to the Intersystems Iris for Health software in AWS marketplace. I successfully spun up the EC2 instance with the default security group. The try-iris instance is healthy and successfully starts within EC2. I've also successfully changed the default password too.
However, I'm unable to authenticate into the management portal. The portal launches okay though I keep getting an access denied. I'm also unable to authenticate into a session from the EC2 instance.
We are trying to implement a client side data provider as a component (ZEN) that will use JQuery to do rest calls to a desired URL, in this case, a %CSP.Rest service implemented by ourselves.
This component will be used within our application that is authenticated with a correct user configured on Caché management portal and therefore using one license unit. As we are using a Ajax call from client side this connection creates a new session that will use a new license.
is there a possibility to implement a "remember password" feature in a ZEN Application?
In the management portal I added a web-application for a ZEN application with password authentification. I created an own login page, and now I want to implement a "remember password" feature (User should not have to login again after the session times out or when the browser window is closed).
I have accidentally clicked the remember password option in my Ensemble studio. So it is now not asking for username and password and even the authentication popup is not showing every time i open the studio.
Is there anyway to remove the remember password option for the cache studio.
Credentials for a Productions are stored as plain text in ^Ens.SecondaryData.Password and exposed as plain text via SQL table Ens_Config.Credentials which is not ideal as only admins should know the credentials.
I can create my own adapter etc... to store and use encrypted passwords but does anyone know if there is a standard way to do this in a Production?
Alternatively, am I missing how to secure this so the production can run and someone can monitor and operate a production without access to the SQL table or global?
I want to develop a web application in which a user can log in through the user credential of intersystems that is created in Management Portal for a specific role. How can I authenticate the user and get any token or login cookie through which user can call other apis
As many of you, our partners, are more widely using modern UI frameworks to create client front-end, you may have encountered a question, "So how do I secure my data when I just finished developing all new fancy browser based client experience?"
The answer is easy. Use a standard, proven OAuth2 and OpenID!
"OK, but how can I do it? I have never done it before."
No problem, just have a look here, if your client is Angular (not AngularJS) based, there is a demo project available for you to review and get inspired!
Imagine that your .NET project uses the Caché DBMS and you need a fully-functional and reliable authorization system. Writing such a system from scratch would not make much sense, and you will clearly want to use something that already exists in .NET, e.g. ASP.NET Identity. By default, however, this framework supports only its native DBMS – MS SQL. Our task was to create an adaptor that would let us quickly and easily port Identity to the InterSystems Caché DBMS. This work resulted in creation of the ASP.NET Identity Caché Provider.
I have an incorrect InterSystems Server Credentials password stored by the Workstation Keychain in VS Code. VS Code is trying to use this incorrect stored credential to access the server and does not prompt or allow me to input a different password. I do not see any settings associated with the Keychain or resetting those credentials. Does anyone know of the process to delete or replace a stored password here?
In preparation for a presentation I need a real-world LDAP schema that has been customized a bit beyond the basics. Perferably this would be based on an OpenLDAP system which would make it easier to merge into this presentation.
If you have such a schema you would be willing to share please respond or contact my directly at Rich.Taylor@InterSystems.com
We are using AWS SSO authentication in our application to validate the users. For validating the users, we are passing the username and password from AWS SSO to our application. We need to validate the user in our application without using the password.
We developed the login class using zenPage. We used <loginForm> tag in the login page which is used for the automatic validation. Is there any possible way to achieve this?
In our current UCR arhcitecture, we use two installations. We have one machine with Access, Registry and Edges and one machine with the ODS. On the machine with the Registry, I can create a user/clinician. When I log into the management portal with this user, a so-called delegated user is created in the cached users table. So far everything is going well.
When I try the same on the machine with the ODS I get the message : 'ERROR #822: Access Denied' . so no delegated user is created.... Does anyone have any idea where I can find the solution?
Hopefully this is a simple questions to respond to. Can you do Delegated Authentication for SOAP web service calls. I ask as I am not seeing this work as expected. I have this authentication turned on and enabled in for he CSP Web Application yet I keep getting a "Security Token could not be Authenticated. And a global I was setting to capture some of the available data is not being loaded.
By replies.png)
Open Exchange app.png)
.png)