    Configuring Trusted Peer Authentication

    Introduction

    Users typically log in directly to the client service when searching. To do this, one of the authentication methods Kerberos, SAML, or CAS is used.

    With trusted peer authentication, the user name used for the authorization check of the search results can be sent along with the query. To prevent a user from searching in the name of another user, the caller must prove that it can be trusted.

    There are two ways to do this:

    1. The request uses a client certificate signed by a CA certificate stored in the configuration.
    2. The request contains an OAuth 2.0 Bearer Token from a configured OAuth server.

    Trusted peer authentication can be used, for instance

    • when the search is integrated into an existing application where authentication already takes place, or
    • when the API is used directly.

    Requirements

    In order for client services to be able to use trusted peer authentication, communication between client service and query service has to be secured using trusted peer authentication with certificates.

    Trusted peer authentication with certificates

    If certificates are used for the trust relationship between requester and service, the following conditions must be met:

    • A CA certificate is installed on the appliance and labeled as Trusted Peer.
    • The requester sends the request with a client certificate signed by this CA certificate.
    • The property Subject of the client certificate matches a configured regular expression (only for client services).

    Requirements for the certificates

    Important: The CA certificate may only be used for this trust relationship. Each requester receives a client certificate signed by this CA certificate, which limits the potential for misuse. It would be negligent, for example, to use the CA certificate that issues the company's SSL server certificates, because every SSL server certificate would then be trusted as a peer.

    The CA certificate must be available as a PEM file. The private key does not have to be included.

    For communication between client service and query service, a client certificate in PKCS #12 format and without password must be installed.

    Only one CA certificate per installation can be used as a trusted peer certificate.

    Installation and selection of certificates

    1. Open the configuration interface
    2. Navigate to the Certificates tab
    3. Under Certificate, select CA from the menu.
    4. Under Certificate, select the CA certificate (.pem) to be installed.
    5. Click Upload
    6. Under Available CAs, enable the Trusted Peer option for the newly installed certificate so that the certificate is automatically used for all query services.
    7. Under Certificate, select SSL.
    8. Under Certificate, select the client certificate (.pem) to be installed.
    9. Click Upload
    10. Navigate to the Client Services tab
    11. Under Trusted Peer Communication To Query Services – Credential Certificate, select the installed client certificate.
    12. Enable the setting Trusted Peer Communication To Query Services – Authentication Generates Trusted Peer Credentials

    Enabling trusted peer authentication with certificates on the client service

    1. Navigate to the Client Services tab
    2. Open the settings of the desired client service
    3. Enable Trusted Peer Access Using Certificates – Enable Trusted Peer Access Using Certificates
    4. Under Trusted Peer Access Using Certificates – Certificate Subjects Trusted for Identity Delegation, enter a regular expression against which the Subject property of the client certificate is checked (Java syntax, case-sensitive). The option must be selected.

    Trusted peer authentication with OAuth 2.0 bearer token

    When authenticating with an OAuth 2.0 bearer token, the OAuth server must be configured. Trusted peer authentication is only allowed for users who have been assigned a configured role. The individual configuration values are best obtained from your OAuth server administrator.

    1. Navigate to the Client Services tab
    2. Open the settings of the desired client service
    3. Enable Trusted Peer Access Using OAuth 2.0 Bearer Token – Enable Trusted Peer Access Using OAuth 2.0 Bearer Token
    4. Store the address of the OAuth server in Auth Server URL
    5. Check the remaining settings under Trusted Peer Access Using OAuth 2.0 Bearer Token and change the following if desired:

    • Realm: the OAuth realm to be used; see your OAuth server for details.
    • Resource: the OAuth resource to be used; details can be found on your OAuth server (some OAuth servers call this the client).
    • SSL Security for Communication with Auth Server: determines how the HTTPS connection to the Auth Server is checked:
      • Validate Certificate and Hostname: the server certificate of the Auth Server must be issued by a trusted CA certificate, and the host name must match the Auth Server URL option.
      • Validate Hostname: the host name in the server certificate of the Auth Server must match the Auth Server URL option.
      • No Validation (do not use in production): the server certificate of the Auth Server is always accepted.
    • Role Trusted for Identity Delegation: only users assigned to this role are allowed to perform trusted peer authentication.

    Sending the user name

    The user name can be sent either as an HTTP header or in the request.

    User name as HTTP header

    The user name is transmitted as HTTP header X-Auth-User.

    Example of sending the user name as HTTP header:

    X-Auth-User: max.mustermann

    User name as part of the request

    For api.v2 queries, the user name can be transmitted in the user_context.username property.

    Example of sending the user name as part of an api.v2.search query:

    {
      "user_context": {
        "user_name": "max.mustermann"
      },
      "properties": [
        {
          "formats": [
            "HTML"
          ],
          "name": "title"
        }
      ],
      "count": 5,
      "query": {
        "unparsed": "mindbreeze"
      }
    }

    Selecting the source of the user name

    The option Trusted Peer Identity Extraction – Identity Extraction Order determines how the user name may be sent. The following options are available:

    • Header, request: the user name from the X-Auth-User HTTP header is used if it is set. If not, the user name from the query is used.
    • Header: the user name from the X-Auth-User HTTP header is used. The request is not considered.
    • Request: the user name from the query is used. The X-Auth-User HTTP header is not considered.
    • Request, header: the user name from the query is used if it is set. If not, the user name from the X-Auth-User HTTP header is used.

    Sending User Groups

    User groups can be transferred in the HTTP header X-Auth-Groups.

    The user groups must be comma-separated and the resulting string then HTML form encoded (percent-encoded, so that the separating commas become %2C and spaces become %20).

    Example of sending user groups as HTTP header:

    X-Auth-Groups: marketing%2Cauthors%2Cquality%20assurance

    This results in the following user groups:

    • marketing
    • authors
    • quality assurance

    Sending User Properties

    HTTP headers can be used to add further attributes to the user identity.

    The headers follow this pattern:

    X-Identity-Property-{{key}}: {{value}}

    For example, the following headers

    X-Identity-Property-mail: user@example.com

    X-Identity-Property-color: light%20blue

    create these properties:

    "mail": "user@example.com"

    "color": "light blue"

    Note: The {{value}} must be HTML form encoded.

    These attributes are attached internally to the user identity (Identity Property) and can then be used in other services.
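    The following is an added example, not Mindbreeze code, covering the three header conventions above (X-Auth-User, X-Auth-Groups, X-Identity-Property-{{key}}) and the Identity Extraction Order: the caller-side encoding, the receiving-side decoding, and the user-name resolution. It assumes HTTP header names are matched case-insensitively and takes the request field name user_context.user_name from the api.v2.search example above.

```python
from urllib.parse import quote, unquote

HEADER_USER = "X-Auth-User"
HEADER_GROUPS = "X-Auth-Groups"
PROPERTY_PREFIX = "X-Identity-Property-"


def build_identity_headers(user, groups, properties):
    """Caller side. Groups are comma-joined first and the whole string is
    form-encoded afterwards, so a space becomes %20 and each separating
    comma becomes %2C. Property values are form-encoded one by one."""
    headers = {HEADER_USER: user,
               HEADER_GROUPS: quote(",".join(groups), safe="")}
    for key, value in properties.items():
        headers[PROPERTY_PREFIX + key] = quote(value, safe="")
    return headers


def decode_identity_headers(headers):
    """Receiving side: decode first, then split the groups on the comma.
    Header names are matched case-insensitively (assumed, as HTTP allows).
    A group name that itself contains a comma cannot be told apart from
    two groups, which is why the encoding order above matters."""
    lowered = {name.lower(): value for name, value in headers.items()}
    raw_groups = unquote(lowered.get(HEADER_GROUPS.lower(), ""))
    groups = [g for g in raw_groups.split(",") if g]
    prefix = PROPERTY_PREFIX.lower()
    properties = {name[len(prefix):]: unquote(value)
                  for name, value in headers.items()
                  if name.lower().startswith(prefix)}
    return lowered.get(HEADER_USER.lower()), groups, properties


def resolve_user_name(order, headers, body):
    """Apply the configured Identity Extraction Order ("Header",
    "Request", "Header, request" or "Request, header"): the first listed
    source that carries a user name wins; None if no source has one."""
    lowered = {name.lower(): value for name, value in headers.items()}
    sources = {
        "header": lowered.get(HEADER_USER.lower()),
        # field name taken from the api.v2.search example on this page
        "request": body.get("user_context", {}).get("user_name"),
    }
    for source in order.lower().split(","):
        if sources[source.strip()]:
            return sources[source.strip()]
    return None
```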
