Add external Directory Services or Multifactor Authentication providers to Cirro.

Syntax

[ADD | ALTER] AUTHENTICATION PROVIDER 'name' OF TYPE provider_type_clause;

where provider_type_clause can be one of:

ldap OPTIONS (
  LDAP_SERVER 'servername',
  SEARCH_BASE 'searchbase',
  [SEARCH_FILTER 'searchfilter',]
  AUTH_DN 'searchuserDN',
  AUTH_PASSWORD 'searchuserpassword'
  [, USERNAME_PATTERN 'regularexpression']
  [, SYNCHRONIZE_USERS]
)

azure OPTIONS (
  AZURE_AD_AUTHORITY 'url',
  AZURE_AD_CLIENT_ID 'appid',
  AZURE_AD_RESOURCE 'resourceid',
  AZURE_AD_MODE [password | mfa]
  [, AZURE_AD_USERNAME 'masteruser']
  [, AZURE_AD_PASSWORD 'masteruserpass']
  [, AZURE_AD_EMAIL_DOMAIN 'overrideemaildomain']
  [, AZURE_AD_REDIRECT_SERVICE 'get-to-post-redirect']
  [, USERNAME_PATTERN 'regularexpression']
)

duo OPTIONS (
  INTEGRATION_KEY 'duo_integration_key',
  API_HOSTNAME 'duo_api_hostname',
  SECRET_KEY 'duo_secret_key'
  [, AUTHENTICATION_TIMEOUT 'timeseconds']
  [, CACHE_AUTHENTICATION_TIMEOUT 'timeseconds']
)

okta OPTIONS (
  URL 'Okta_service_URL',
  API_KEY 'Okta_API_key',
  [APP_ID 'Okta_Application_ID',]
  USERNAME 'Okta_username'
  [, USERNAME_PATTERN 'regularexpression']
)

pingid OPTIONS (
  ORG_ALIAS 'org_alias',
  TOKEN 'token',
  USE_BASE64_KEY 'use_base64_key'
  [, URL 'idp_url']
  [, AUTHENTICATION_TIMEOUT 'timeseconds']
  [, CACHE_AUTHENTICATION_TIMEOUT 'timeseconds']
)

[saaspass_push | saaspass_otp] OPTIONS (
  [DOMAIN 'SaasPass_Domain',]
  API_KEY 'SaasPass_API_key',
  API_PASSWORD 'SaasPass_API_password'
  [, AUTHENTICATION_TIMEOUT 'timeseconds']
  [, CACHE_AUTHENTICATION_TIMEOUT 'timeseconds']
)

unloq OPTIONS (
  EMAIL_DOMAIN 'Email_domain',
  SECRET_KEY 'Secret_Key'
  [, AUTHENTICATION_TIMEOUT 'timeseconds']
  [, CACHE_AUTHENTICATION_TIMEOUT 'timeseconds']
)

yubikey OPTIONS (
  SECRET 'SecretKey',
  USER_ID 'PublicId'
  [, AUTHENTICATION_TIMEOUT 'timeseconds']
  [, CACHE_AUTHENTICATION_TIMEOUT 'timeseconds']
)

Arguments

  • name - user-defined name for the authentication provider.

ldap options

  • LDAP_SERVER - LDAP server address. Mandatory: true. Secret: false.
  • SEARCH_BASE - Search base used to find relevant users. Mandatory: true. Secret: false.
  • SEARCH_FILTER - An LDAP expression which matches users. %USERNAME% will be replaced with the name of the user being searched for. Mandatory: false. Secret: false. The default expression is:
    (&(|(objectClass=user)(objectClass=inetOrgPerson))(|(sAMAccountName=%USERNAME%)(uid=%USERNAME%)))
  • AUTH_DN - Search user's distinguished name (DN). Mandatory: true. Secret: false.
  • AUTH_PASSWORD - Search user's password. Mandatory: true. Secret: true.
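
The SEARCH_FILTER substitution is the point where a login name is placed inside LDAP filter syntax, so the substituted value has to be escaped rather than pasted in verbatim. The following Python is an added example and not Cirro's own code; the page does not say how Cirro performs the substitution. It takes the default filter above, substitutes a user name with RFC 4515 escaping, shows the naive string replacement beside it, and checks the parenthesis structure of each result. The function names and the sample user names are assumptions made for the example.

```python
# Added example, not Cirro's own code: substituting a user name into an LDAP
# SEARCH_FILTER. The page does not state whether Cirro escapes the value it
# puts in place of %USERNAME%; this shows the safe form (RFC 4515 escaping)
# next to a naive replacement, plus a structural check that tells them apart.

# The default SEARCH_FILTER from the page.
DEFAULT_SEARCH_FILTER = (
    "(&(|(objectClass=user)(objectClass=inetOrgPerson))"
    "(|(sAMAccountName=%USERNAME%)(uid=%USERNAME%)))"
)

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_LDAP_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so it can only ever be a literal value inside a filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def render_search_filter(template: str, username: str) -> str:
    """Replace every %USERNAME% in the template with the escaped user name."""
    return template.replace("%USERNAME%", escape_filter_value(username))


def render_search_filter_naive(template: str, username: str) -> str:
    """The unsafe variant: raw substitution, kept only for comparison."""
    return template.replace("%USERNAME%", username)


def filter_is_balanced(filt: str) -> bool:
    """Structural sanity check: every '(' must close, and none may close early.

    After escaping, a user name contains no literal parentheses, so the check
    passes whatever the input was. With naive substitution a name containing
    ')' or '(' changes the shape of the filter and the check fails.
    """
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed sample user names, one plain and two containing metacharacters.
    for name in ["j.doe", "Doe (Contractor)", "doe)"]:
        safe = render_search_filter(DEFAULT_SEARCH_FILTER, name)
        naive = render_search_filter_naive(DEFAULT_SEARCH_FILTER, name)
        print(f"{name!r}: escaped balanced={filter_is_balanced(safe)}, "
              f"naive balanced={filter_is_balanced(naive)}")
```

The balance check is deliberately cheap; it is not an LDAP parser, only enough to show that the escaped substitution can never alter the filter's structure while the naive one can.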

azure options

  • AZURE_AD_AUTHORITY - The URL used to authenticate against the Azure tenant. This defaults to https://login.microsoftonline.com/common/oauth2/authorize, but for multi-tenant sites the word 'common' must be replaced with the site's tenant id. Mandatory: true. Secret: false.
  • AZURE_AD_CLIENT_ID - The id of the Azure Application associated with Azure Cirro users. Mandatory: true. Secret: false.
  • AZURE_AD_RESOURCE - Azure resource ID: the Microsoft Graph resource id used to look up users. This defaults to 00000003-0000-0000-c000-000000000000 and usually does not need to be changed. Mandatory: true. Secret: false.
  • AZURE_AD_MODE - Authentication mode: password only (password) or email-based MFA (mfa). Mandatory: true. Secret: false.
  • AZURE_AD_USERNAME - Azure master user. Mandatory: false. Secret: false.
  • AZURE_AD_PASSWORD - Azure master user password. Mandatory: false. Secret: true.
  • AZURE_AD_EMAIL_DOMAIN - When sending MFA emails, optionally override the user's email domain with this domain. Mandatory: false. Secret: false.
  • AZURE_AD_REDIRECT_SERVICE - GET-to-POST redirect service URL: an optional redirect service that converts HTTP GETs into HTTP POSTs. The default value is a Cirro customer service at https://cirro.com/. Mandatory: false. Secret: false.

duo options

  • INTEGRATION_KEY - The integration key for your DUO host. Mandatory: true. Secret: true.
  • API_HOSTNAME - DUO API hostname. Mandatory: true. Secret: true.
  • SECRET_KEY - DUO secret key. Mandatory: true. Secret: true.

okta options

  • URL - Okta service URL, e.g. https://yourcompany.okta.com. Mandatory: true. Secret: false.
  • API_KEY - The API key for your Okta site. Mandatory: true. Secret: true.
  • APP_ID - An optional Okta application ID. If set, the Okta authentication rules for that application are followed; if not set, the default site rules are followed. Mandatory: false. Secret: false.

pingid options

  • ORG_ALIAS - PingID property org_alias. Mandatory: true. Secret: false.
  • TOKEN - PingID property token. Mandatory: true. Secret: true.
  • USE_BASE64_KEY - PingID property use_base64_key. Mandatory: true. Secret: true.
  • URL - PingID property idp_url. Only needed when the IdP URL is not the default https://idpxnyl3m.pingidentity.com/pingid. Mandatory: false. Secret: false.

saaspass_push and saaspass_otp options

  • DOMAIN - SaasPass Domain. Mandatory: false. Secret: false.
  • API_KEY - SaasPass API key. Mandatory: true. Secret: false.
  • API_PASSWORD - SaasPass API password. Mandatory: true. Secret: true.

unloq options

  • EMAIL_DOMAIN - Your unloq email domain. Mandatory: true. Secret: false.
  • SECRET_KEY - Your unloq secret key value. Mandatory: true. Secret: true.

MFA Options

These options apply to all Multifactor Authentication providers: duo, pingid, saaspass, unloq and yubikey.

  • AUTHENTICATION_TIMEOUT - For MFA providers, the time in seconds allowed between logging in and acknowledging the MFA request.
  • CACHE_AUTHENTICATION_TIMEOUT - For MFA providers, the time in seconds within which subsequent logins from the same device are accepted without another MFA request being made.

Directory Service Options

These options apply only to Directory Service providers: azure, ldap and okta.

  • USERNAME_PATTERN - A regular expression applied to usernames. Only usernames that match this expression are authenticated by this provider. In an Authentication Chain this lets each provider handle just its own users and avoids unnecessary authentication checks against the others.
  • SYNCHRONIZE_USERS - For Directory providers, synchronize all users in the remote directory and make them 'virtual' Cirro users. These users are still authenticated remotely, but can have roles and privileges applied directly within Cirro. Currently, only the LDAP provider supports synchronization.
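
To see how USERNAME_PATTERN selects a provider in an Authentication Chain, here is an added Python example that is not Cirro's code: a chain of (provider, pattern) pairs is tried in order and the first match wins. The provider names and patterns are constructed for illustration. Whether Cirro matches the whole username against the pattern or only searches for it is not stated on the page, so the example also shows why writing the pattern with ^ and $ anchors gives the same routing under either rule.

```python
import re
from typing import Callable, List, Optional, Tuple

# Added example, not Cirro's own code: routing a login to a provider by
# USERNAME_PATTERN. Provider names and patterns are constructed assumptions.

Chain = List[Tuple[str, str]]  # (provider name, USERNAME_PATTERN), tried in order

# Anchored patterns: each provider claims exactly one address domain.
ANCHORED_CHAIN: Chain = [
    ("ad_provider", r"^[A-Za-z0-9._-]+@corp\.example$"),
    ("okta_provider", r"^[A-Za-z0-9._-]+@partner\.example$"),
]

# The same intent written without anchors, to show the difference.
UNANCHORED_CHAIN: Chain = [
    ("ad_provider", r"corp\.example"),
    ("okta_provider", r"partner\.example"),
]


def select_provider(username: str, chain: Chain,
                    matcher: Callable = re.fullmatch) -> Optional[str]:
    """Return the first provider whose USERNAME_PATTERN matches, else None.

    `matcher` stands in for the unknown rule the product applies: re.fullmatch
    (whole username must match) or re.search (pattern found anywhere). None
    means no provider in the chain claims the name, so no remote check is made.
    """
    for provider, pattern in chain:
        if matcher(pattern, username):
            return provider
    return None


def routing_agrees(username: str, chain: Chain) -> bool:
    """True when whole-match and search semantics pick the same provider."""
    return (select_provider(username, chain, re.fullmatch)
            == select_provider(username, chain, re.search))


if __name__ == "__main__":
    # Constructed sample logins; the last one is a look-alike domain.
    for name in ["alice@corp.example", "bob@partner.example", "eve@corp.example.org"]:
        print(f"{name}: anchored -> {select_provider(name, ANCHORED_CHAIN)}, "
              f"unanchored+search -> {select_provider(name, UNANCHORED_CHAIN, re.search)}, "
              f"anchored agrees under both rules: {routing_agrees(name, ANCHORED_CHAIN)}")
```

With the unanchored chain and search semantics, `eve@corp.example.org` is routed to `ad_provider` because `corp.example` occurs inside the name; with anchors it is routed nowhere under both rules, which is the safe outcome for a name no provider is meant to own.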

Examples

Add an LDAP/Active Directory service.

ADD AUTHENTICATION PROVIDER 'ad_provider' OF TYPE ldap OPTIONS (
  ldap_server 'ldap://192.168.1.124:389/',
  search_base 'CN=Users,DC=home,DC=network',
  search_filter '(&(objectClass=user)(sAMAccountName=%USERNAME%))',
  auth_dn 'CN=Bindey McBindFace,CN=Users,DC=home,DC=network',
  auth_password '0FpJX!!^5@485#v'
);

Add a Duo MFA provider.

ADD AUTHENTICATION PROVIDER 'duo-provider' OF TYPE duo OPTIONS (
  INTEGRATION_KEY 'DI4ETYDF1ZW998M1Y5E4',
  SECRET_KEY 'juwdUyBOCrVIYjIOqHLFv1C6YzsWQACOXGWvFkDK',
  API_HOSTNAME 'api-a34762f0.duosecurity.com',
  CACHE_AUTHENTICATION_TIMEOUT '900'
);

Add a SaasPass push MFA provider.

ADD AUTHENTICATION PROVIDER 'saaspass-push' OF TYPE saaspass_push OPTIONS (
  API_PASSWORD 'KSOEFKSU8EMJC9EWJKF09KSJUKMODUPWQ',
  DOMAIN '@mycompany.com',
  API_KEY 'DAMS8DX3WG5H8L1M',
  CACHE_AUTHENTICATION_TIMEOUT '900'
);

Add a SaasPass MFA provider using one-time passwords.

ADD AUTHENTICATION PROVIDER 'saaspass-otp' OF TYPE saaspass_otp OPTIONS (
  API_KEY '5EM2X2I3DH3TK9KX',
  API_PASSWORD '5S3V1YC19NS8MNAFOS9LHTEAAY3AXYH0',
  DOMAIN '@mycompany.com'
);