package proto.security.authn
Get desktop application:
View/edit binary Protocol Buffers messages
message
authn.proto:9Configuration of how users authenticate against Spinnaker.
Used in:
optional enabled = 1
Whether to enabled authentication.
optional oauth2 = 2
OAuth 2.0 configuration.
optional saml = 3
SAML configuration.
optional ldap = 4
LDAP configuration.
optional x509 = 5
X509 configuration.
optional iap = 6
Google Cloud Identity-Aware Proxy configuration.
optional basic = 7
Basic username/password authentication.
message
authn.proto:308Configuration for basic username/password authentication
Used in: ,
optional enabled = 1
Whether the authentication method is enabled.
optional user = 2
The username and password used to log in via basic authentication.
message
authn.proto:289Configuration for authentication via Google Cloud Identity-Aware Proxy. Google Cloud Identity-Aware Proxy (IAP) is an authentication model that utilizes Google OAuth 2.0 and an authorization service to provide access control for users of GCP. After a user has been authenticated and authorized by IAP's service, a JWT token is passed along which Spinnaker uses to check for authenticity and to get the user email from the payload and sign the user in. To configure IAP, set the audience field retrieved from the IAP console.
Used in: ,
optional enabled = 1
Whether the authentication method is enabled.
string jwtHeader = 2
The HTTP request header that contains the JWT token.
string issuerId = 3
The Issuer from the ID token payload.
string audience = 4
The Audience from the ID token payload. You can retrieve this field from the IAP console: https://cloud.google.com/iap/docs/signed-headers-howto#verify_the_id_token_header.
string iapVerifyKeyUrl = 5
The URL containing the Cloud IAP public keys in JWK format.
message
authn.proto:225Configuration for authentication via LDAP. Lightweight Directory Access Protocol (LDAP) is a standard way many organizations maintain user credentials and group memberships. Spinnaker uses the standard 'bind' approach for user authentication. This is a fancy way of saying that Gate uses your username and password to login to the LDAP server, and if the connection is successful, you're considered authenticated.
Used in: ,
optional enabled = 1
Whether the authentication method is enabled.
string url = 2
ldap:// or ldaps:// url of the LDAP server.
string userDnPattern = 3
The pattern for finding a user's DN using simple pattern matching. For example, if your LDAP server has the URL ldap://mysite.com/dc=spinnaker,dc=org, and you have the pattern 'uid={0},ou=members', 'me' will map to a DN uid=me,ou=members,dc=spinnaker,dc=org. If no match is found, will try to find the user using user-search-filter, if set.
string userSearchBase = 4
The part of the directory tree under which user searches should be performed. If user-search-base isn't supplied, the search will be performed from the root.
string userSearchFilter = 5
The filter to use when searching for a user's DN. Will search either from user-search-base (if specified) or root for entires matching the filter, then attempt to bind as that user with the login password. For example, the filter 'uid={0}' would apply to any user where uid matched the user's login name. If -user-dn-pattern is also specified, will attempt to find a match using the specified pattern first, before searching with the specified search filter if no match is found from the pattern.
string managerDn = 6
An LDAP manager user is required for binding to the LDAP server for the user authentication process. This property refers to the DN of that entry. I.e. this is not the user which will be authenticated when logging into DHIS2, rather the user which binds to the LDAP server in order to do the authentication.
string managerPassword = 7
The password for the LDAP manager user.
string groupSearchBase = 8
The part of the directory tree under which group searches should be performed.
message
authn.proto:33Configuration for authentication via OAuth 2.0.
Used in: ,
optional enabled = 1
Whether the authentication method is enabled.
optional client = 2
Configuration for your OAuth 2.0 client.
map<string, string> userInfoRequirements = 3
The map of requirements the userInfo request must have. This is used to restrict user login to specific domains or having a specific attribute.
optional resource = 4
Configuration for OAuth 2.0 resources.
optional userInfoMapping = 5
Mapping of user attributes to fields returned by your OAuth 2.0 provider. This field controls how the fields returned from the OAuth 2.0 provider's user info endpoint are translated into a Spinnaker user.
message
authn.proto:54Configuration for an OAuth 2.0 client.
Used in:
string clientId = 1
The OAuth client ID you have configured with your OAuth 2.0 provider.
string clientSecret = 2
The OAuth client secret you have configured with your OAuth provider.
string accessTokenUri = 3
The access token uri for your OAuth provider.
string userAuthorizationUri = 4
The user authorization uri for your OAuth 2.0 provider.
OAuth2Client.AuthenticationScheme clientAuthenticationScheme = 5
The method used to transmit authentication credentials to your OAuth 2.0 provider.
string scope = 6
The scope to request when obtaining an access token from your OAuth 2.0 provider.
string preEstablishedRedirectUri = 7
The externally accessible URL for Gate. For use with load balancers that do any kind of address manipulation for Gate traffic, such as an SSL terminating load balancer.
optional useCurrentUri = 8
Whether the current URI in the request should be preferred over the pre-established redirect URI.
Methods to transmit authentication tokens to an OAuth 2.0 provider.
Used in:
unspecified = 0
Unspecified. Do not directly use, instead omit the field.
header = 1
Token is sent in the request header.
query = 2
Token is sent as a query parameter.
form = 3
Token is sent in the form body.
none = 4
Token is not sent at all.
message
authn.proto:103Configuration for OAuth 2.0 resources.
Used in:
string userInfoUri = 1
The user info URI for your OAuth 2.0 provider.
message
authn.proto:111Mapping of user attributes to fields returned by an OAuth 2.0 provider. This field controls how the fields returned from the OAuth 2.0 provider's user info endpoint are translated into a Spinnaker user.
Used in:
string email = 1
Email.
string firstName = 2
First name.
string lastName = 3
Last name.
string username = 4
Username.
message
authn.proto:132Configuration for authentication via SAML. SAML authenticates users by passing cryptographically signed XML documents between the Gate server and an identity provider. Gate's key is stored and accessed via the -keystore parameters, while the identity provider's keys are included in the metadata.xml. Finally, the identity provider must redirect the control flow (through the user's browser) back to Gate by way of the -serviceAddressUrl. This is likely the address of Gate's load balancer.
Used in: ,
optional enabled = 1
Whether the authentication method is enabled.
string metadataUrl = 2
The path to a local file containing identity provider's metadata XML file; can be either a local file or a URI.
string issuerId = 3
The identity of the Spinnaker application registered with the SAML provider.
string keyStore = 4
Path to the keystore that contains this server's private key. This key is used to cryptographically sign SAML AuthNRequest objects.
string keyStorePassword = 5
The password used to access the file specified in -keystore.
string keyStoreAliasName = 6
The name of the alias under which this server's private key is stored in the -keystore file.
string redirectHostname = 7
The host name of the gate server as accessible by the SAML identity provider. If deployed behind a load balancer, this would be the load balancer's address. (Ex: gate.org.com:8084)
string redirectBasePath = 8
The base path on the gate server to which redirects will be sent. Defaults to '/' if absent.
string redirectProtocol = 9
The protocol to use to when redirecting back to the Gate server. Defaults to 'https' if absent.
optional userAttributeMapping = 10
Configuration for fields returned from your SAML provider.
Saml.SignatureDigest signatureDigest = 11
Digest algorithm to sign SAML messages (optional).
Digest algorithms to sign SAML messages.
Used in:
UNSPECIFIED = 0
Unspecified. Do not directly use, instead omit the field.
SHA1 = 1
Digest algorithm SHA1 (default).
SHA256 = 2
Digest algorithm SHA256.
SHA384 = 3
Digest algorithm SHA384.
SHA512 = 4
Digest algorithm SHA512.
RIPEMD160 = 5
Digest algorithm RIPEMD160.
MD5 = 6
Digest algorithm MD5 (not recommended).
message
authn.proto:174Configuration for fields returned from your SAML provider.
Used in:
string firstName = 1
First name.
string lastName = 2
Last name.
string roles = 3
Roles.
string rolesDelimiter = 4
Roles delimiter.
string username = 5
Username.
string email = 6
Email.
message
authn.proto:317Configuration for a username/password combination.
Used in:
string username = 1
Username.
string password = 2
Password.
message
authn.proto:269Configuration for authentication via X509 certificates. X509 authenticates users via client certificate and a corresponding private key. These certificates optionally provide authorization information via custom OIDs with corresponding group information for the user. This can be configured via -roleOid.
Used in: ,
optional enabled = 1
Whether the authentication method is enabled.
string roleOid = 2
The OID that encodes roles that the user specified in the x509 certificate belongs to.
string subjectPrincipalRegex = 3
The regex used to parse the subject principal name embedded in the x509 certificate if necessary.