ADD or ALTER AUTHENTICATION allows an admin to add external authentication providers like Okta and Azure AD to Cirro.

Syntax

[ADD | ALTER] AUTHENTICATION PROVIDER 'name' OF TYPE provider_type OPTIONS ( options... );

Arguments

  • provider_type - one of ldap, azure, duo, saaspass, okta (options for unloq are also documented below).

General Options

These options apply to all provider types.

Argument Description
AUTHENTICATION_TIMEOUT For MFA providers, the time in seconds between logging in and acknowledging the MFA request
CACHE_AUTHENTICATION_TIMEOUT For MFA providers, the time in seconds that subsequent logins on the same device must occur within before another MFA request is made
USERNAME_PATTERN A regular expression applied to usernames. Usernames that match this expression will be authenticated by this provider. This can be used for providers in an Authentication Chain to prevent unnecessary authentication checks.
SYNCHRONIZE_USERS For Directory providers, synchronize all users in the remote directory and make them ‘virtual’ Cirro users. These users are still authenticated remotely, but roles and privileges can be applied to them directly within Cirro. Currently, only the LDAP provider supports synchronization.
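The interaction between USERNAME_PATTERN in an Authentication Chain and the two MFA timeouts is easier to see in a small model. The following Python is an added example, not Cirro's code: it assumes that a provider's USERNAME_PATTERN must match the whole username (the page does not say whether a partial match counts), that a provider with no pattern accepts every username, and that the MFA cache is keyed per username and device. The chain, provider names and timeouts are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Provider:
    """One entry in an authentication chain, carrying the general options from the page."""
    name: str
    provider_type: str
    username_pattern: Optional[str] = None   # USERNAME_PATTERN (assumption: full-match regex)
    authentication_timeout: int = 60         # AUTHENTICATION_TIMEOUT in seconds (constructed default)
    cache_authentication_timeout: int = 0    # CACHE_AUTHENTICATION_TIMEOUT in seconds (0 = always prompt)


def select_provider(chain: List[Provider], username: str) -> Optional[Provider]:
    """Return the first provider in the chain whose USERNAME_PATTERN matches the username.

    A provider without a pattern accepts every username and so acts as a catch-all;
    anything after it in the chain is never consulted.
    """
    for provider in chain:
        if provider.username_pattern is None:
            return provider
        if re.fullmatch(provider.username_pattern, username):
            return provider
    return None


class MfaSession:
    """Tracks MFA acknowledgements per (username, device) for one MFA provider."""

    def __init__(self, provider: Provider) -> None:
        self.provider = provider
        self._last_ack: Dict[Tuple[str, str], float] = {}

    def needs_mfa(self, username: str, device: str, now: float) -> bool:
        """A fresh MFA request is needed unless an earlier acknowledgement on the
        same device is still within CACHE_AUTHENTICATION_TIMEOUT."""
        last = self._last_ack.get((username, device))
        if last is None:
            return True
        return now - last > self.provider.cache_authentication_timeout

    def acknowledge(self, username: str, device: str,
                    requested_at: float, acked_at: float) -> bool:
        """Record an acknowledgement. Returns False, recording nothing, when the
        acknowledgement arrived more than AUTHENTICATION_TIMEOUT after the login."""
        if acked_at - requested_at > self.provider.authentication_timeout:
            return False
        self._last_ack[(username, device)] = acked_at
        return True


# Constructed chain: Azure takes company e-mail logins, Duo takes short account
# names, and the LDAP provider (no pattern) is the catch-all at the end.
CHAIN = [
    Provider("azure_provider", "azure", r"[^@\s]+@mycompany\.com"),
    Provider("duo-provider", "duo", r"[a-z][a-z0-9]{0,15}",
             authentication_timeout=60, cache_authentication_timeout=900),
    Provider("ad_provider", "ldap"),
]
```

Two things the model makes visible: a catch-all provider must be last in the chain, because nothing after it is reached, and a login acknowledged after AUTHENTICATION_TIMEOUT does not refresh the cache, so the next login on that device prompts again.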

LDAP options

Argument Description
LDAP_SERVER The domain name of the LDAP server
SEARCH_BASE The LDAP base under which users matching SEARCH_FILTER are searched for
SEARCH_FILTER An LDAP filter expression that matches users. %USERNAME% is replaced with the name of the user being searched for. The default expression is:
(&(|(objectClass=user)(objectClass=inetOrgPerson)(|(sAMAccountName=%USERNAME%)(uid=%USERNAME%)))
AUTH_DN The Distinguished Name (DN) of an LDAP user that has permissions to browse the LDAP directory.
AUTH_PASSWORD The password for AUTH_DN

Azure options

Argument Description
AZURE_AD_AUTHORITY The URL used to authenticate the Azure tenant. This defaults to https://login.microsoftonline.com/common/oauth2/authorize but for multi-tenant sites the word ‘common’ must be replaced with the site’s tenant id.
AZURE_AD_CLIENT_ID The id of the Azure Application associated with Azure Cirro users.
AZURE_AD_RESOURCE The Microsoft Graph resource id used to specify users. This defaults to 00000003-0000-0000-c000-000000000000 and usually does not need to be changed.
AZURE_AD_USERNAME The name of a user that has permissions to browse the Azure tenant’s Microsoft Graph (currently unused).
AZURE_AD_PASSWORD The password for AZURE_AD_USERNAME
AZURE_AD_EMAIL_DOMAIN When sending MFA emails, optionally override the user’s email domain with this domain.
AZURE_AD_MODE “mfa” or “password”
AZURE_AD_REDIRECT_SERVICE An optional redirect service that converts HTTP GETs into HTTP POSTs. The default value points at a Cirro customer service at https://cirro.com/

Duo options

Argument Description
API_HOSTNAME Your DUO API hostname
INTEGRATION_KEY The integration key for your DUO host
SECRET_KEY The secret key for your DUO host

Saaspass options

Argument Description
saaspass Provider type.
DOMAIN Your SAASPASS domain name
API_KEY Your SAASPASS API key
API_PASSWORD Your SAASPASS API password

Unloq options

Argument Description
unloq Provider type.
EMAIL_DOMAIN Your Unloq email domain
SECRET_KEY Your Unloq secret key value

Okta options

Argument Description
okta Provider type.
URL The URL of your Okta site, for example: mycompany.okta.com
APP_ID An optional Okta application ID. If set, then the Okta authentication rules for that application will be followed. If not set, then the default site rules will be followed.
API_KEY The API key for your Okta site.

Yubikey

Yubikey authentication is supported by Cirro through the ALTER USER statement.

Examples

This command sets up an LDAP/Active Directory authentication source named ‘ad_provider’.

ADD AUTHENTICATION PROVIDER 'ad_provider' OF TYPE ldap OPTIONS (
  ldap_server 'ldap://192.168.1.124:389/',
  search_base 'CN=Users,DC=home,DC=network',
  search_filter '(&(objectClass=user)(sAMAccountName=%USERNAME%))',
  auth_dn 'CN=Bindey McBindFace,CN=Users,DC=home,DC=network',
  auth_password '0FpJX!!^5@485#v'
);

This command sets up a Duo provider named ‘duo-provider’.

ADD AUTHENTICATION PROVIDER 'duo-provider' OF TYPE duo OPTIONS (
  INTEGRATION_KEY 'DI4ETYDF1ZW998M1Y5E4',
  SECRET_KEY 'juwdUyBOCrVIYjIOqHLFv1C6YzsWQACOXGWvFkDK',
  API_HOSTNAME 'api-a34762f0.duosecurity.com',
  CACHE_AUTHENTICATION_TIMEOUT '900'
);

This command sets up a SAASPASS push provider named ‘saaspass-push’.

ADD AUTHENTICATION PROVIDER 'saaspass-push' OF TYPE saaspass_push OPTIONS (
  API_PASSWORD 'KSOEFKSU8EMJC9EWJKF09KSJUKMODUPWQ',
  DOMAIN '@mycompany.com',
  API_KEY 'DAMS8DX3WG5H8L1M',
  CACHE_AUTHENTICATION_TIMEOUT '900'
);

This command sets up a SAASPASS one-time-password provider named ‘saaspass-otp’.

ADD AUTHENTICATION PROVIDER 'saaspass-otp' OF TYPE saaspass_otp OPTIONS (
  API_KEY '5EM2X2I3DH3TK9KX',
  API_PASSWORD '5S3V1YC19NS8MNAFOS9LHTEAAY3AXYH0',
  DOMAIN '@mycompany.com'
);