ADD or ALTER AUTHENTICATION allows an admin to add external authentication providers to Cirro.

Syntax

LDAP/Active Directory


ADD AUTHENTICATION PROVIDER 'name' OF TYPE ldap OPTIONS (
  ldap_server 'ldap://nnn.nnn.nnn.nnn:port/',
  search_base 'CN=Users,DC=home,DC=network',
  search_filter '(&(objectClass=user)(sAMAccountName=%USERNAME%))',
  auth_dn 'CN=username,CN=Users,DC=home,DC=network',
  auth_password '0FpJX!!^5@485#v'
);

Duo services


ADD AUTHENTICATION PROVIDER duo of TYPE duo options (
INTEGRATION_KEY 'publickey',
SECRET_KEY 'secretkey',
API_HOSTNAME 'hostname',
CACHE_AUTHENTICATION_TIMEOUT 'nnn'
);

Saaspass services


ADD AUTHENTICATION PROVIDER saaspass of TYPE saaspass_push/saaspass_otp OPTIONS (
API_PASSWORD 'KSOEFKSU8EMJC9EWJKF09KSJUKMODUPWQ',
DOMAIN '@mycompany.com',
API_KEY 'DAMS8DX3WG5H8L1M',
CACHE_AUTHENTICATION_TIMEOUT '900',
AUTHENTICATION_TIMEOUT '60'
);

Arguments

LDAP/Active Directory

  • ‘name’: arbitrary user-specified name for LDAP/Active Directory provider.

  • ldap options: the settings required for LDAP/Active Directory setup within Cirro.

  • ldap_server: IP address and port of the LDAP server on the network.

  • search_base: LDAP search parameters CN (Common Name) and DC (Domain Component), which take the form ‘CN=Users,DC=home,DC=network’.

  • search_filter: LDAP search filter.

  • auth_dn: Name of authorisation domain component.

  • auth_password: Password for authorization domain component.

Duo and Saaspass

  • PROVIDER: the service name, either duo, saaspass, or spotp.

  • TYPE: the type of service being used. Duo’s service is called “duo”, while saaspass has two types, “saaspass_push” for push authentication, or spotp for “saaspass one time password”.

  • INTEGRATION_KEY ‘publickey’: the public key provided by Duo.

  • SECRET_KEY ‘secretkey’: the secret key provided by Duo.

  • API_HOSTNAME: Duo provides a user-specific hostname for their service.

  • API_PASSWORD: Password provided by saaspass API.

  • DOMAIN: Domain name entered into saaspass. Used only for saaspass_push.

  • API_KEY: key provided through saaspass system. Used only for saaspass_push.

  • CACHE_AUTHENTICATION_TIMEOUT ‘nnn’: how long before the authentication times out.

  • AUTHENTICATION_TIMEOUT: defaults to 60 seconds.

Examples

LDAP/Active Directory


-- This command sets up an LDAP/Active Directory authentication source named 'ad_provider'.

ADD AUTHENTICATION PROVIDER 'ad_provider' OF TYPE ldap OPTIONS (
  ldap_server 'ldap://192.168.1.124:389/',
  search_base 'CN=Users,DC=home,DC=network',
  search_filter '(&(objectClass=user)(sAMAccountName=%USERNAME%))',
  auth_dn 'CN=Bindey McBindFace,CN=Users,DC=home,DC=network',
  auth_password '0FpJX!!^5@485#v'
);

Duo


ADD AUTHENTICATION PROVIDER duo of TYPE duo OPTIONS (
INTEGRATION_KEY 'DI4ETYDF1ZW998M1Y5E4',
SECRET_KEY 'juwdUyBOCrVIYjIOqHLFv1C6YzsWQACOXGWvFkDK',
API_HOSTNAME 'api-a34762f0.duosecurity.com',
CACHE_AUTHENTICATION_TIMEOUT '900'
);

Saaspass


ADD AUTHENTICATION PROVIDER saaspass of TYPE saaspass_push OPTIONS (
API_PASSWORD 'KSOEFKSU8EMJC9EWJKF09KSJUKMODUPWQ',
DOMAIN '@mycompany.com',
API_KEY 'DAMS8DX3WG5H8L1M',
CACHE_AUTHENTICATION_TIMEOUT '900'
);

Saaspass One Time Password


ADD AUTHENTICATION PROVIDER spotp of TYPE saaspass_otp OPTIONS (
API_KEY '5EM2X2I3DH3TK9KX',
API_PASSWORD '5S3V1YC19NS8MNAFOS9LHTEAAY3AXYH0',
DOMAIN '@mycompany.com'
);
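
Every statement above carries a bind password or API secret in cleartext, so scripts that contain them need the same handling as any other credential file. The Python sketch below is an added example, not part of the Cirro documentation or product: it parses statements in the syntax shown on this page, lists the credential-bearing options and masks their values before a script is logged or committed. It assumes option values contain no single quotes, and the sample statements are constructed placeholders.

```python
import re

# Credential-bearing option names, taken from the syntax on this page.
SECRET_OPTIONS = {"auth_password", "secret_key", "api_password", "api_key"}
HEADER = re.compile(
    r"ADD\s+AUTHENTICATION\s+PROVIDER\s+'?(\w+)'?\s+OF\s+TYPE\s+(\w+)\s+OPTIONS\s*\(",
    re.IGNORECASE)
# One option: NAME 'value'. Assumption: values never contain a single quote.
OPTION = re.compile(r"[\s,]*(\w+)\s+'([^']*)'")

def parse_providers(script):
    """Return one dict per statement: name, type, and (option, start, end) spans."""
    providers = []
    for head in HEADER.finditer(script):
        pos, options = head.end(), []
        while (m := OPTION.match(script, pos)):  # stops at the closing ')'
            options.append((m.group(1).lower(), m.start(2), m.end(2)))
            pos = m.end()
        providers.append({"name": head.group(1), "type": head.group(2).lower(),
                          "options": options})
    return providers

def find_secrets(script):
    """List (provider, option) pairs whose value is a cleartext credential."""
    return [(p["name"], opt) for p in parse_providers(script)
            for opt, _, _ in p["options"] if opt in SECRET_OPTIONS]

def redact(script, mask="********"):
    """Return the script with every credential value replaced by mask."""
    spans = [(s, e) for p in parse_providers(script)
             for opt, s, e in p["options"] if opt in SECRET_OPTIONS]
    for start, end in sorted(spans, reverse=True):  # back to front keeps offsets valid
        script = script[:start] + mask + script[end:]
    return script

# Constructed sample input (placeholder values, not real credentials).
SAMPLE = """
ADD AUTHENTICATION PROVIDER 'ad_provider' OF TYPE ldap OPTIONS (
  ldap_server 'ldap://192.0.2.10:389/',
  search_filter '(&(objectClass=user)(sAMAccountName=%USERNAME%))',
  auth_password 'EXAMPLE-BIND-PASSWORD'
);
ADD AUTHENTICATION PROVIDER duo of TYPE duo options (
INTEGRATION_KEY 'EXAMPLE-IKEY',
SECRET_KEY 'EXAMPLE-SKEY'
);
"""

if __name__ == "__main__":
    print(redact(SAMPLE))
```
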
