This page (revision-220) was last changed on 05-Dec-2023 05:32 by krivacsz

This page was created on 05-Dec-2023 05:32 by krivacsz

Difference between version and

At line 1 changed 3 lines
!!Enterprise Licenses Only\\
This plugin allows you to delegate access of OAuth providers. On the CrushFTP's login page next to the login button will appear the enabled provider's "__Signed in"__ button".\\
Currently __Google Sign-In__, __Microsoft Sign-In__, __Azure Active Directory B2C Sign in__ and __Amazon Cognito Sign in__ are supported.\\
Constraint: __Enterprise Licenses Only__\\
This plugin allows you to delegate access to OAuth ([https://en.wikipedia.org/wiki/OAuth]) providers. On the CrushFTP's login page next to the login button will appear the enabled provider's "__Signed in"__ button".\\
Currently __Google Sign-In__([Google Sign in Configuration]), __Microsoft Sign-In__([Microsoft Sign in Configuration]), __Azure Active Directory B2C Sign in__([Azure Active Directory B2C Configuration]) and __Amazon Cognito Sign in__([Amazon Cognito Configuration]) are supported.\\
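Review bot: the bold markup `"__Signed in"__ button"` is unbalanced (the quote opens before `__` but closes before the second `__`, leaving a stray quote at the end), and it was carried over unchanged from the old line; every other line on the page calls the button "Sign in", so it should presumably read `"__Sign in__" button`. Also "delegate access to OAuth providers" is not what the plugin does: it delegates authentication to the provider, while access is still defined in CrushFTP (as item 4 of the plugin settings says), so "delegate authentication to OAuth providers" would be accurate.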
At line 5 changed one line
!!1. Google Sign-In\\
It only works through __HTTP__ or __HTTPS__ protocol.\\
First configure an HTTP(S) port item with OAuth Sign In configuration.\\
[attachments|http_port_oauth_item_settings.png]\\
At line 9 added 2 lines
!!Supported types:\\
!1. Google Sign-In\\
At line 12 added 6 lines
!2. Microsoft Sign-In\\
See [Microsoft Sign in Configuration]\\
!3. Azure Active Directory B2C\\
See [Azure Active Directory B2C Configuration]\\
!4. Amazon Cognito\\
See [Amazon Cognito Configuration]\\
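Review bot: item `!1. Google Sign-In` in this list has no `See [...]` line, while items 2 to 4 each link their configuration subpage; since the Google details are removed from this page in the same revision, add `See [Google Sign in Configuration]\\` under it (that link name already appears in the intro line of the page).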
At line 9 changed one line
!!2. Microsoft Sign-In\\
!!Plugin Settings\\
At line 11 changed 2 lines
It requires Microsoft Graph Application registration. Start at the Microsoft azure portal:\\
[https://azure.microsoft.com/en-us/features/azure-portal/]\\
__1.__ __Username matching__ -> It filters the OAuth user name (Google Auth: email address, Microsoft Auth: user principal name). Allow multiple values separated by a comma. Domain filter is allowed (like *mydomain.com).\\
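Review bot: the domain filter example `*mydomain.com` is a prefix wildcard, so if it follows the Simple Match glob rule documented further down (like `*mail.com*`) it also accepts `user@notmydomain.com`; document the anchored form `*@mydomain.com` so the filter really restricts sign-in to one domain. Also "Allow multiple values separated by a comma" should read "Multiple values are allowed, separated by commas".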
At line 14 changed one line
__Application registration__: Go to the App registrations and click on New registration:\\
__2.__ __Allowed authentication types__: Google Sign-In, Microsoft Sign-In, Azure Active Directory B2C Sign in and Amazon Cognito Sign. Configure the sign-in button on HTTP(S) server.\\
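Review bot: "Amazon Cognito Sign." at the end of the new line is truncated; the other providers in the same sentence are written as "Sign in", so this should read "Amazon Cognito Sign in".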
At line 16 changed one line
[attachments|SMTP Microsoft Graph XOAUTH 2 Integration/new_registration.png]\\
__3.__\\
__a.__ __Skip OTP processing__: CrushOAuth plugin is not compatible with [OTP Settings] as IDP (identity provider) can have its own two-factor authentication. Turning the flag to true will skip OAuth users from CrushFTP's OTP process.\\
__b.__ __Remove email suffix from username__: It removes the email suffix of the user name. Like username "my_user@email.com" will be "my_user".\\
__c.__ __Get Cognito user info__: Gets more info about Amazon Cognito users (like custom attributes). It is related only to __Amazon Cognito Sign in__.\\
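Review bot: "Remove email suffix from username" (b.) has an identity-collision consequence that should be stated next to the flag: after stripping, `my_user@email.com` and `my_user@other.com` both become `my_user` and resolve to the same CrushFTP account, so the flag is only safe together with a Username matching filter (item 1) that limits sign-in to a single domain. For "Skip OTP processing" (a.), say explicitly that enabling it removes the second factor for OAuth users entirely unless the IDP enforces its own; the line currently presents IDP two-factor as something the IDP "can have", not as a precondition for turning the flag on.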
At line 18 changed one line
Name it. Select __Single-page Application__ as platform. The redirect url must ends with :__WebInterface/login.html__. Then click on register.\\
__4.__ OAuth only used for Authentication ([User Manager] defines user's access.) -> If users already exist in CrushFTP's User Manager, you can use the CrushOAuth plugin __just for authentication__.\\
At line 20 changed one line
[CrushOAuth/app_reg_config.png]\\
__5.__ __Template Username__ -> The signed-in user inherits not just the settings, but the VFS items too (as Linked [VFS]).
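Review bot: the new line for item 5 is the only one in this list without the trailing `\\` line break; without it the wiki joins the following line into the same paragraph.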
At line 22 changed one line
Make sure that MSAL.js 2.0, Implicit grant (Access Token, ID Token) grant types are permitted.\\
__Import settings from CrushFTP user__ -> The signed-in user inherits just the settings from this user. __It must have a value! __Default value would be : __default__ -> the default user of CrushFTP\\
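Review bot: "Import settings from CrushFTP user" is the only plugin setting without an item number (the surrounding list runs 1 to 7), and the bold markup `__It must have a value! __Default value` closes the first span after the space, so the two bold runs render oddly; give the setting a number (or label it 5b) and write `__It must have a value!__ Default value would be: __default__`.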
At line 24 changed 36 lines
[CrushOAuth/app_reg_auth_config.png]\\
\\
Get Client Id and Tenant Id from App registration -> Overview.\\
\\
[MicrosoftMails/client_id.png]\\
\\
Go to the __Preferences__-> __Ip/Servers__ and select the __HTTP or HTTPS__ port item(__OAuth Sign in__ Tab) where you want to enable the __Microsoft Sing-In__ button. Check the __"Enable Microsoft Sign in"__ flag and provide the __Client ID__ and __Tenant ID__ of your App registration(mentioned above).\\
[CrushOAuth/port_item_settings_ms.png]\\
\\
!!3. Azure Active Directory B2C\\
\\
About Azure Directory B2C : [https://docs.microsoft.com/en-us/azure/active-directory-b2c/overview]\\
CrushFTP requires : __Tenant name__, __User flow name__, __Client ID__ of the App registration.\\
[CrushOAuth/b2c_azure_settings.png]\\
\\
__Application registration__: Go to the App registrations and click on New registration:\\
\\
[attachments|SMTP Microsoft Graph XOAUTH 2 Integration/new_registration.png]\\
\\
Name it. Select __Single-page Application__ as platform. The redirect url must ends with :__WebInterface/login.html__. Then click on register.\\
\\
[CrushOAuth/app_reg_config.png]\\
\\
Check the flag "__ID tokens (used for implicit and hybrid flows)__" at __Platform configurations__.\\
[CrushOAuth/b2c_id_token.png]\\
\\
Get __Application (client) ID__ from App registration -> Overview\\
\\
[CrushOAuth/b2c_client_id.png]\\
\\
Go to the __Preferences-> Ip/Servers__ and select the HTTP or HTTPS port item(__OAuth Sign in__ Tab) where you want to enable the __Azure Active Directory B2C__ button. Check the "__Enable Azure Active Directory B2C Sign in__" flag and provide the __Tenant name__, __User flow name__, __Client ID__ of the App registration (mentioned above).\\
[CrushOAuth/port_item_settings_b2c.png]\\
\\
Configure the CrushOAuth plugin and enable the flag: "__Enable Azure Active Directory B2C Auth__".\\
\\
!!4. Amazon Cognito\\
__6__ __OAuth Roles__ -> You can configure different Template Users (see 5.) based on IDP's (identity provider) attributes.\\
IDP Attribute examples:\\
{{{
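Review bot: `__6__ __OAuth Roles__` lacks the period that every other item in the list uses (`__5.__`, `__7.__`); write `__6.__` so the numbering renders consistently.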
At line 61 changed 18 lines
About __Amazon Cognito__ : [https://aws.amazon.com/cognito/]\\
Create ([https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html]) or use one of your existing __Amazon Cognito user pool__: [https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html]\\
\\
Create or configure __app client__ of the user pool ([https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html]). \\
\\
App type : Select __Confidential client__.\\
Enable __Generate client secret__.\\
Allowed callback URLs: https://your.CrushFTP.domain.com__/WebInterface/login.html__\\
OAuth 2.0 grant types : __Authorization code grant__\\
OpenID Connect scopes : __OpenID__\\
\\
[CrushOAuth/cognito_user_pool_app_client_1.png]\\
[CrushOAuth/cognito_user_pool_app_client_2.png]\\
\\
Go to the __Preferences__-> __Ip/Servers__ and select the __HTTP or HTTPS__ port item(__OAuth Sign in__ Tab) where you want to enable the Amazon Cognito Sing-In button. Check the "Enable Amazon Cognito Sign in" flag.\\
Required info from __App client__ of the __User Pool__ : __Client ID__ and __Client Secret__.\\
Required info from __User Pool__ :\\
Cognito Domain Prefix: It is part of the __Cognito domain__ (Amazon console -> Amazon Cognito -> User Pools -> __User poll__ -> __App integration__ tab). It also contains the region of the User Pool.\\
Google Sign-In:
email_verified, idp_user_info, given_name, family_name, email_verified, group
Microsoft Sign-In:
mail, idp_user_info, displayName, jobTitle, businessPhones, mobilePhone, officeLocation, group
Amazon Cognito Sign-in:
email, username, identities, cognito:username, cognito:groups, custom:<<defined custom attributes>>
}}}
Role examples :
{{{
<<IDP attribute name>>=<<IDP attribute value>>,<<IDP attribute name>>=<<IDP attribute value>> : tmeplate user name
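Review bot: `email_verified` appears twice in the Google Sign-In attribute list (second and fifth position); check whether one of them was meant to be `email`, which is the value item 1 says Username matching filters on for Google Auth. Also "tmeplate user name" in the role syntax line is a typo for "template user name".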
At line 80 changed 2 lines
{{{[domain_name].auth.[amazon region]}}}\\
User pool ID\\
cognito:groups=Azure_SAML,custom:groups:test_group_one
or
cognito:groups=*SAML*,custom:groups:test_group_one
or
cognito:groups=REGEX:.*SAML$,custom:groups:test_group_one
}}}
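Review bot: the three role examples do not follow the syntax line directly above them (`<<IDP attribute name>>=<<IDP attribute value>>,... : template user name`): the second pair is written `custom:groups:test_group_one` with a colon where the syntax shows `=`, and the ` : <<template user name>>` suffix is missing from all three, so a reader cannot tell which template user each rule selects. Unless the colon form is intentional (in which case document it), rewrite them as e.g. `cognito:groups=Azure_SAML,custom:groups=test_group_one : saml_template_user`, with the template user name clearly marked as a placeholder.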
At line 83 changed 3 lines
[CrushOAuth/cognito_client_id_secret.png]\\
[CrushOAuth/cognito_user_pool.png]\\
[CrushOAuth/port_item_settings_cognito.png]\\
IDP attribute value: Exact match, Simple Match (like *mail.com*), Regex match (like REGEX:<<the regular expression>>), if the value is an array you can reference only one of the array element (exact match only). Like (IDP Attribute value -> __groups:[["group1","group2"]__ -> you can match with __group1__)\\
\\
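Review bot: the array example `__groups:[["group1","group2"]__` has two opening brackets and one closing; it should read `groups:["group1","group2"]`. The line also leaves the REGEX semantics undefined: state whether `REGEX:` must match the whole attribute value or any substring, because that decides whether an expression like `.*SAML` (without the `$` anchor used in the example above) also matches groups the administrator did not intend to map, and these rules select the template user whose settings and VFS the signed-in user inherits.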
At line 87 changed one line
Configure the __CrushOAuth__ plugin and enable the flag: __Enable Amazon Cognito Auth__.
__7.__ VFS-related settings -> You can set custom [VFS] for CrushOAuth users.\\
At line 89 changed one line
!!5. Plugin Settings\\
[attachments|plugin_settings.png]\\
At line 91 changed 2 lines
__1.__ Username matching -> It filters the OAuth user name (Google Auth: email address, Microsoft Auth: user principle name). You can put multiple value separated by comma. Domain filter is allowed to (like *mydomain.com).\\
!!DMZ\\
At line 94 changed one line
__2.__ Allowed authentication types\\
__1.__ Configure your OAuth Sign In settings on the DMZ's HTTP(S) port item.\\
__2.__ Configure the same OAuth Sign In settings on the Internal (Main) HTTP(S) port item. This port item must match with the port item configured at the DMZ template user's VFS. (See [DMZ])\\
At line 96 changed one line
__3.__ OAuth only used for Authentication (User manager then defines user's access.) -> If the users already exists with username of the OAuth, you can use the plugin just for authentication.\\
[attachments|dmz_template_user_internal_port.png]\\
At line 98 changed one line
__4.__ Template Username -> The signed in user inherits no just the settings, but the VFS items too (as Linked VFS).\\
__3.__ Configure the OAuth plugin __only on the Internal (Main) instance__. !!!Do not configure the OAuth plugin on the DMZ too. See __Plugin Settings__ on the current page.\\
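Review bot: `!!!Do not configure the OAuth plugin on the DMZ too.` uses `!!!`, which in this wiki's markup is the top-level heading marker (the page uses `!!` and `!` for its headings) and does not render as emphasis in the middle of a line; write `__Do not configure the OAuth plugin on the DMZ too.__` instead. "See __Plugin Settings__ on the current page" could also be a wiki link to that section.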
At line 100 removed 6 lines
Import settings from CrushFTP user -> The signed in user inherits just the settings from this user. __It must have a value! __Default value would be : __default__ -> the default user of CrushFTP\\
\\
__5.__ VFS related settings : You can also assign a VFS item for the signed in user.\\
\\
[attachments|plugin_settings.png]\\
\\