Authentication section¶
Assemblyline comes with a built-in user management database, so no external identity sources are required. However, to facilitate user management in larger organizations you can integrate Assemblyline with external identity providers.
The authentication section (auth:) of the configuration files contains all the different parameters that you can change to turn on/off the different authentication features that Assemblyline supports.
Default values for the authentication section
...
auth:
allow_2fa: true
allow_apikeys: true
allow_extended_apikeys: true
allow_security_tokens: true
internal:
enabled: true
failure_ttl: 60
max_failures: 5
password_requirements:
lower: false
min_length: 12
number: false
special: false
upper: false
signup:
enabled: false
notify:
activated_template: null
api_key: null
authorization_template: null
base_url: null
password_reset_template: null
registration_template: null
smtp:
from_adr: null
host: null
password: null
port: 587
tls: true
user: null
valid_email_patterns:
- .*
- .*@localhost
ldap:
admin_dn: null
auto_create: true
auto_sync: true
base: ou=people,dc=assemblyline,dc=local
bind_pass: null
bind_user: null
classification_mappings: {}
email_field: mail
enabled: false
group_lookup_query: (&(objectClass=Group)(member=%s))
image_field: jpegPhoto
image_format: jpeg
name_field: cn
signature_importer_dn: null
signature_manager_dn: null
uid_field: uid
uri: ldap://localhost:389
oauth:
enabled: false
gravatar_enabled: true
providers:
auth0:
access_token_url: https://{TENANT}.auth0.com/oauth/token
api_base_url: https://{TENANT}.auth0.com/
authorize_url: https://{TENANT}.auth0.com/authorize
client_id: null
client_kwargs:
scope: openid email profile
client_secret: null
jwks_uri: https://{TENANT}.auth0.com/.well-known/jwks.json
user_get: userinfo
azure_ad:
access_token_url: https://login.microsoftonline.com/common/oauth2/token
api_base_url: https://login.microsoft.com/common/
authorize_url: https://login.microsoftonline.com/common/oauth2/authorize
client_id: null
client_kwargs:
scope: openid email profile
client_secret: null
jwks_uri: https://login.microsoftonline.com/common/discovery/v2.0/keys
user_get: openid/userinfo
google:
access_token_url: https://oauth2.googleapis.com/token
api_base_url: https://openidconnect.googleapis.com/
authorize_url: https://accounts.google.com/o/oauth2/v2/auth
client_id: null
client_kwargs:
scope: openid email profile
client_secret: null
jwks_uri: https://www.googleapis.com/oauth2/v3/certs
user_get: v1/userinfo
...
Tip
Refer to the changing the configuration file documentation for more detail on where and how to change the configuration of the system.
Parameter definitions¶
The auth configuration block has a few parameters at the top level that help you turn on or off a few security features supported in the system.
Here is an example of a configuration block with those top-level parameters and an explanation of what they do:
Top-level parameters
auth:
# Turns on/off two-factor authentication in the system
allow_2fa: true
# Turn on/off usage of API Keys in the system
# NOTE: if you turn this off, this will severely limit API access
allow_apikeys: true
# Turn on/off usage of extended API via the API keys
allow_extended_apikeys: true
# Turn on/off usage of security token as two-factor authentication (ex: yubikeys)
allow_security_tokens: true
Internal authenticator¶
The configuration block at auth.internal allows you to configure the Assemblyline internal authenticator.
Here is an example of a configuration block with inline comments about the purpose of every single parameter:
Internal auth configuration example
auth:
internal:
# Enable or disable the internal authenticator
enabled: true
# Time in seconds the user will have to wait after
# too many authentication failures
failure_ttl: 60
# Number of authentication failures before temporarily
# locking down the user
max_failures: 5
# Password complexity requirements for the system
password_requirements:
# Are lowercase characters mandatory?
lower: false
# What is the minimal password length
min_length: 12
# Are numbers mandatory?
number: false
# Are special characters mandatory?
special: false
# Are uppercase characters mandatory?
upper: false
signup:
# Can a user automatically signup for the system
enabled: false
# Configuration block for GC Notify signup and password reset
# see: https://notification.canada.ca/
notify:
activated_template: null
api_key: null
authorization_template: null
base_url: null
password_reset_template: null
registration_template: null
# Configuration block for SMTP signup and password reset
smtp:
# Email address used for sender
from_adr: null
# Host of the SMTP server
host: null
# Password for the SMTP server
password: null
# Port of the SMTP server
port: 587
# Should we communicate with SMTP server via TLS?
tls: true
# User to authenticate to the SMTP server
user: null
# Email patterns that will be allowed to
# automatically signup for an account
valid_email_patterns:
- .*
- .*@localhost
LDAP Authentication¶
The configuration block at auth.ldap allows you to easily add authentication via your LDAP server. The LDAP authentication module will be able to automatically assign roles, classification, avatar, name, and email address based on the properties of the LDAP user and the groups it is a member of.
Here is an example configuration block to add to your configuration file that will allow you to connect to the docker-test-openldap server from: https://github.com/rroemhild/docker-test-openldap
LDAP configuration example
auth:
internal:
# Disable internal login, you could also leave it on if you want
enabled: false
ldap:
# Should LDAP be enabled or not?
enabled: true
# DN of the group or the user who will get admin privileges
admin_dn: cn=admin_staff,ou=people,dc=planetexpress,dc=com
# Auto-create users if they are missing, this means
# that if a user exists in LDAP, Assemblyline will create an
# account for it upon the first login
auto_create: true
# Should we automatically sync roles, classification, avatar
# email, name... with the LDAP server upon each login?
auto_sync: true
# Base DN for the users
base: ou=people,dc=planetexpress,dc=com
# Password used to query the LDAP server
bind_pass: null
# User use to query the LDAP server
bind_user: null
classification_mappings: {}
# Name of the field containing the email address
email_field: mail
# How the group lookup is queried
group_lookup_query: (&(objectClass=Group)(member=%s))
# Name of the field containing the user's avatar
image_field: jpegPhoto
# Type of image used to store the avatar
image_format: jpeg
# Name of the field containing the user's name
name_field: cn
# DN of the group or the user who will get signature_importer role
signature_importer_dn: null
# DN of the group or the user who will get signature_manager role
signature_manager_dn: null
# Field name for the UID
uid_field: uid
# URI to the LDAP server
uri: ldaps://<ldap_ip_or_domain>:636
OAuth Authentication¶
The configuration block at auth.oauth allows you to add OAuth authentication to your system. Assemblyline OAuth module is configurable enough to allow you to use almost any OAuth provider.
It has been thoroughly tested with:
Here is an exhaustive configuration block that explains every single parameter from the OAuth configuration block:
Exhaustive OAuth configuration example
auth:
internal:
# Disable internal login, you could also leave it on if you want
enabled: false
oauth:
# Should OAuth authentication be enabled or not
enabled: true
# Should we try to pull the user's avatar using gravatar
gravatar_enabled: false
# OAuth providers configuration block, you can have as many OAuth
# providers as you want
providers:
# Name of the provider displayed in the UI
local_provider:
# Auto-create users if they are missing, this means
# that if a user exists in the OAuth provider, Assemblyline
# will create an account for it upon the first login
# WARNING: If you set it to true for let's say Google's
# OAuth provider, anyone with a google account
# essentially has access to your system
auto_create: true
# Should we automatically sync roles, classification, avatar
# email, name... with the OAuth provider upon each login?
auto_sync: true
# Automatic role and classification assignments
auto_properties:
# any user with a @localhost.local email will be given
# TLP:Amber classification
- field: email
pattern: .*@localhost\.local$
type: classification
value: "TLP:A"
# any user within the admins-sg will be made
# administrator in the system
- field: groups
pattern: ^admins-sg$
type: role
value: admin
# URL used to get the access token
access_token_url: https://oauth2.localhost/token
# Base URL for downloading the user's and groups info
api_base_url: https://openidconnect.localhost/
# URL used to authorize access to a resource
authorize_url: https://localhost/oauth2/auth
# ID of your application to authenticate to the OAuth
# provider
client_id: null
# Password to your application to authenticate to the
# OAuth provider
client_secret: null
# Keyword arguments passed to the different URLs
# (to set the scope for example)
client_kwargs:
scope: openid email profile
# URL used to verify if a returned JWKS token is valid
jwks_uri: https://localhost/oauth2/certs
# Name of the field that will contain the user ID
uid_field: uid
# Should we generate a random username for the
# authenticated user?
uid_randomize: false
# How many digits should we add at the end of the username?
uid_randomize_digits: 0
# What is the delimiter used by the random name generator?
uid_randomize_delimiter: "-"
# Reged used to parse and email address and capture parts
# to create a user ID out of it
uid_regex: ^(.*)@(\w*).*$
# Format of the user ID based on the captured parts from the regex
uid_format: '{}-{}'
# Should we use the new callback method?
use_new_callback_format: true
# Path from the base_url to fetch the user info
user_get: user/info
# Path from the base to fetch the group info
user_groups: group/info
# Field return by the group info API call that contains the
# list of groups
user_groups_data_field: null
# Name of the field in the list of groups that contains the
# name of the group
user_groups_name_field: null
Here is an example configuration block that would let you use Auth0 if you would change your client_id and client_secret and that you would change the tenant_name to yours:
Auth0 configuration example
auth:
internal:
# Disable internal login, you could also leave it on if you want
enabled: false
oauth:
# Enable oAuth
enabled: true
# Setup the auto0 provider
providers:
auth0:
# It is safe to auto-create users here
# because it is your OAuth tenant
auto_create: true
auto_sync: true
# Put your client ID and secret here
client_id: <YOUR_CLIENT_ID>
client_secret: <YOUR_CLIENT_SECRET>
client_kwargs:
scope: openid email profile
# Set your tenant's name in the following URLs
access_token_url: https://<TENANT_NAME>.auth0.com/oauth/token
api_base_url: https://<TENANT_NAME>.auth0.com/
authorize_url: https://<TENANT_NAME>.auth0.com/authorize
jwks_uri: https://<TENANT_NAME>.auth0.com/.well-known/jwks.json
user_get: userinfo