ADD or ALTER AUTHENTICATION allows an admin to add external authentication providers to Cirro.

Syntax

[ADD | ALTER] AUTHENTICATION PROVIDER 'name' OF TYPE provider_type OPTIONS ( options... );

Arguments

  • provider_type - can be LDAP, Azure, Duo, Saaspass, Unloq or Okta. See specific

  • Options - General and provider-specific options follow.

All Providers

Argument Description
AUTHENTICATION_TIMEOUT For MFA providers, the time in seconds between logging in and acknowledging the MFA request
CACHE_AUTHENTICATION_TIMEOUT For MFA providers, the time in seconds that subsequent logins on the same device must occur within before another MFA request is made
USERNAME_PATTERN A regular expression applied to usernames. Usernames that match this expression will be authenticated by this provider. This can be used for providers in an Authentication Chain to prevent unnecessary authentication checks.
SYNCHRONIZE_USERS For Directory providers, synchronize all users in the remote directory and make them ‘virtual’ Cirro users. These users will still be authenticated remotely, but can have roles and privileges applied directly within Cirro. Currently, only the LDAP provider supports synchronization.
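The following is an added illustration, not Cirro code, of how the USERNAME_PATTERN and CACHE_AUTHENTICATION_TIMEOUT options interact in an authentication chain. The provider names, the rule that every provider whose pattern matches is consulted in chain order, the anchored (full-string) regular expression match, and the per-device cache keyed on a device identifier are all assumptions made for the example.

```python
import re
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Provider:
    """A constructed model of one entry in an authentication chain."""
    name: str
    # USERNAME_PATTERN: only usernames matching this regex are sent to the
    # provider; None means the provider accepts every username.
    username_pattern: Optional[str] = None
    # Whether the provider performs MFA (Duo, Saaspass, Unloq, Okta ...).
    mfa: bool = False
    # CACHE_AUTHENTICATION_TIMEOUT in seconds; 0 means every login prompts.
    cache_authentication_timeout: int = 0
    # device id -> time the last MFA request was acknowledged (assumed key).
    _last_mfa: Dict[str, float] = field(default_factory=dict)

    def handles(self, username: str) -> bool:
        """USERNAME_PATTERN check. Anchored match is an assumption."""
        if self.username_pattern is None:
            return True
        return re.fullmatch(self.username_pattern, username) is not None

    def needs_mfa_prompt(self, device_id: str, now: float) -> bool:
        """True if a fresh MFA request must be sent for this device now."""
        if not self.mfa:
            return False
        last = self._last_mfa.get(device_id)
        if last is None or self.cache_authentication_timeout <= 0:
            return True
        # Inside the cache window the earlier acknowledgement is reused.
        return now - last > self.cache_authentication_timeout

    def record_mfa(self, device_id: str, now: float) -> None:
        """Record that the user acknowledged the MFA request on this device."""
        self._last_mfa[device_id] = now


def route(chain: List[Provider], username: str) -> List[str]:
    """Names of the providers in the chain that would check `username`.

    Assumption: each provider whose pattern matches is consulted, in order,
    so a restrictive USERNAME_PATTERN skips providers that cannot know the user.
    """
    return [p.name for p in chain if p.handles(username)]


if __name__ == "__main__":
    # Constructed chain: directory users go to LDAP, everyone also gets Duo MFA.
    ad = Provider("ad_provider", username_pattern=r"[^@]+@corp\.example")
    duo = Provider("duo-provider", mfa=True, cache_authentication_timeout=900)
    chain = [ad, duo]
    print(route(chain, "alice@corp.example"))   # both providers
    print(route(chain, "svc_backup"))           # LDAP skipped by pattern
    t = time.time()
    print(duo.needs_mfa_prompt("laptop-1", t))  # True: nothing cached yet
    duo.record_mfa("laptop-1", t)
    print(duo.needs_mfa_prompt("laptop-1", t + 600))   # False: within 900 s
    print(duo.needs_mfa_prompt("laptop-1", t + 1000))  # True: cache expired
```

The point worth checking in a real deployment is the cache key: the page ties the cache to "the same device", so whatever Cirro uses to identify a device determines how far a single MFA acknowledgement is reused.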

LDAP

Argument Description
LDAP_SERVER The domain name of the LDAP server
SEARCH_BASE The LDAP base under which users matching SEARCH_FILTER will be searched for
SEARCH_FILTER An LDAP expression which matches users. The default expression is:
(&(|(objectClass=user)(objectClass=inetOrgPerson))(|(sAMAccountName=%USERNAME%)(uid=%USERNAME%)))
%USERNAME% will be replaced with the name of the user being searched for.
AUTH_DN The Distinguished Name (DN) of an LDAP user that has permissions to browse the LDAP directory.
AUTH_PASSWORD The password for AUTH_DN
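Added example (not Cirro's own code) showing how the SEARCH_FILTER template is rendered: %USERNAME% is substituted with the supplied name after escaping the characters that RFC 4515 reserves inside a filter value, so the number of attribute assertions in the filter stays fixed no matter what the username contains. The page does not describe how Cirro performs the substitution; the escaping, the `count_assertions` helper and the sample usernames are assumptions of this example.

```python
import re

# The default SEARCH_FILTER from the page (parenthesised as an AND of an
# objectClass alternative and a username alternative).
DEFAULT_SEARCH_FILTER = (
    "(&(|(objectClass=user)(objectClass=inetOrgPerson))"
    "(|(sAMAccountName=%USERNAME%)(uid=%USERNAME%)))"
)

# RFC 4515 section 3: characters that must be escaped in an assertion value.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def render_search_filter(template: str, username: str) -> str:
    """Replace every %USERNAME% in the template with the escaped username."""
    return template.replace("%USERNAME%", escape_filter_value(username))


def count_assertions(filter_str: str) -> int:
    """Number of `(attr=value)` assertions in a filter string.

    Constructed sanity check: a rendered filter should contain exactly as
    many assertions as the template, whatever the username looked like.
    """
    return len(re.findall(r"\(\s*[A-Za-z][\w-]*\s*[~<>]?=", filter_str))


if __name__ == "__main__":
    print(render_search_filter(DEFAULT_SEARCH_FILTER, "alice"))
    # A constructed name containing filter metacharacters: naive substitution
    # changes the filter's shape, escaped substitution does not.
    odd_name = "*)(uid=*"
    print(count_assertions(DEFAULT_SEARCH_FILTER.replace("%USERNAME%", odd_name)))
    print(count_assertions(render_search_filter(DEFAULT_SEARCH_FILTER, odd_name)))
```

If you supply a custom SEARCH_FILTER, keep %USERNAME% inside a single assertion value, as the default does, so that escaping applied at substitution time is sufficient to keep the filter well-formed.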

Azure

Argument Description
AZURE_AD_AUTHORITY The URL used to authenticate the Azure tenant. This defaults to https://login.microsoftonline.com/common/oauth2/authorize but for multi-tenant sites the word ‘common’ must be replaced with the site’s tenant id.
AZURE_AD_CLIENT_ID The id of the Azure Application associated with Azure Cirro users.
AZURE_AD_RESOURCE The Microsoft Graph resource id used to specify users. This defaults to 00000003-0000-0000-c000-000000000000 and usually does not need to be changed.
AZURE_AD_USERNAME The name of a user that has permissions to browse the Azure tenant’s Microsoft Graph (currently unused).
AZURE_AD_PASSWORD The password for AZURE_AD_USERNAME
AZURE_AD_EMAIL_DOMAIN When sending MFA emails, optionally override the user’s email domain with this domain.
AZURE_AD_MODE “mfa” or “password”
AZURE_AD_REDIRECT_SERVICE An optional redirect service that converts HTTP GETs into HTTP POSTs. The default value is for a Cirro customer service at https://cirro.com/

Duo

Argument Description
API_HOSTNAME Your DUO API hostname
INTEGRATION_KEY The integration key for your DUO host
SECRET_KEY The secret key for your DUO host

Saaspass

Argument Description
DOMAIN Your Saaspass domain name
API_KEY Your Saaspass API key
API_PASSWORD Your Saaspass API password

Unloq

Argument Description
EMAIL_DOMAIN Your unloq email domain
SECRET_KEY Your unloq secret key value

Okta

Argument Description
URL The URL of your okta site for example: mycompany.okta.com
APP_ID An optional Okta application ID. If set, then the Okta authentication rules for that application will be followed. If not set, then the default site rules will be followed.
API_KEY The API key for your Okta site.

Yubikey

See Alter User

Examples

These commands set up an LDAP/Active Directory authentication source named ‘ad_provider’.

ADD AUTHENTICATION PROVIDER 'ad_provider' OF TYPE ldap OPTIONS (
  ldap_server 'ldap://192.168.1.124:389/',
  search_base 'CN=Users,DC=home,DC=network',
  search_filter '(&(objectClass=user)(sAMAccountName=%USERNAME%))',
  auth_dn 'CN=Bindey McBindFace,CN=Users,DC=home,DC=network',
  auth_password '0FpJX!!^5@485#v'
);

These commands set up a Duo provider named ‘duo-provider’.

ADD AUTHENTICATION PROVIDER duo-provider of TYPE duo OPTIONS (
INTEGRATION_KEY 'DI4ETYDF1ZW998M1Y5E4',
SECRET_KEY 'juwdUyBOCrVIYjIOqHLFv1C6YzsWQACOXGWvFkDK',
API_HOSTNAME 'api-a34762f0.duosecurity.com',
CACHE_AUTHENTICATION_TIMEOUT '900'
);

These commands set up a Saaspass push provider named ‘saaspass-push’.

ADD AUTHENTICATION PROVIDER saaspass-push of TYPE saaspass_push OPTIONS (
API_PASSWORD 'KSOEFKSU8EMJC9EWJKF09KSJUKMODUPWQ',
DOMAIN '@mycompany.com',
API_KEY 'DAMS8DX3WG5H8L1M',
CACHE_AUTHENTICATION_TIMEOUT '900'
);

These commands set up a Saaspass OTP provider named ‘saaspass-otp’.

ADD AUTHENTICATION PROVIDER saaspass-otp of TYPE saaspass_otp OPTIONS (
API_KEY '5EM2X2I3DH3TK9KX',
API_PASSWORD '5S3V1YC19NS8MNAFOS9LHTEAAY3AXYH0',
DOMAIN '@mycompany.com'
);