security.manager

By connecting to security.manager, the following possibilities exist:

  • Assignment of roles for the use of the map.apps Manager

  • Protection of apps

  • Protection of tools

  • Use of secured services without logging on again (Single Sign-On)

Configuration of the connection

Operation of map.apps and security.manager on the same host

The following parameters must be added or changed in map.apps Configuration.

security.mode=ONLY_AUTHN

# security.manager adminstration service location
security.administration.url=https://<yourserver>/administration

# Key Store Location.
# This is the path to the keystore (`.keystore` file) shared by security.manager and map.apps
security.keystore.location=C:/data/conterra/.keystore

If further settings for the keystore are changed in security.manager (for example password), these must also be added in the map.apps configuration.

Operation of map.apps and security.manager on different hosts

If security.manager is installed on a different server than map.apps, the keystore file must be copied to the map.apps server.

In addition to the settings described in the previous section, the following parameter must be added or changed in security.manager configuration (whereas example.com is the name of the host where map.apps is installed).

security.allowed.hostnames=example.com

For map.apps, it may be required to set the proxy.cors.trustedServers property as well.

# comma separated list of servers like:
proxy.cors.trustedServers=https://securitymanager.example.com:8443

Using self-registration and password recovery

In order to use the self-registration and/or password recovery options of security.manager, map.apps can be pointed to the security.manager login page (instead of using the integrated login dialog).

Change the following property:

security.login.service.url=https://yourserver/administration/account/login

Use of the map.apps Manager

To be able to use the map.apps Manager in a SSO scenario with security.manager, it is mandatory to assign the role of a map.apps administrator to the user that should be able to use the map.apps Manager application. To achieve this, it is necessary to create the role maAdmin in security.manager and assign it to the dedicated user.

Use of protected services

Services protected by security.manager are configured similar to unprotected services in an app. Instead of the original URL of the service, the SSO endpoint provided by security.manager must be used.

When the user logs in, the domain cookie is added to each request sent by the browser. The SSO endpoint of security.manager applies all rights defined in the rights management for the respective user (for example displaying certain layers of a service).

After the user has logged out, the domain cookie is destroyed and access to the protected services is no longer possible.

Service definition of a protected service
 ...
 {
   "id":"secured_countries",
   "type":"AGS_DYNAMIC",
   "url":"https://myserver:443/wss/service/myAGS/sso/MyData/MapServer",
   "layers":[{
     "id":"3",
     "title":"Countries"
   }]
 }
 ...