Teneo Developers

Teneo Manager

Introduction

Various Teneo Platform application settings and users, groups and permissions are managed in a centralized manner with Teneo Manager, which also handles user authentication and authorization following the OAuth2 protocol.
The managed data is stored in a local database and exposed to applications via an HTTP REST API. Group and user data may optionally be synchronized with an Active Directory server as well as crated using the said HTTP REST API.

Basic concepts

Users and user access rights are organized in Teneo Manager by the following entities:

  • A User: represents a particular user that logs on to a Teneo Platform application; it stores the user's Id, password and name. A user item may be backed by an Active Directory user entry.

  • Group: a Group item usually represents a company. User items are organized in groups; a user can be member of one or more groups. A group item may be backed by an Active Directory group entry.
    Active Directory supports "nested groups" (a group which is assigned to another group which holds a certain permission). In Teneo Manager, nested group memberships are not directly reflected, but Teneo Manager keeps track of direct and indirect membership (from a nested group) of a user in a company group.

  • Account: an Account is assigned to one application instance, e.g., Teneo Studio, and contains a certain amount of per-user access permissions to the resources provided by said application. Typically, an account is associated with a specific customer.
    Though an account stores access permissions per user, access to an account is granted on a group level. That is, in order to grant access to an account for a certain user, a group where said user is a member needs to be connected to the account. Consequently, all members (users) of that group get access to the account.
    In the Studio backend, one or more solutions are assigned to an account. Thus, a user who is assigned to a Studio backend account gets access to all solutions assigned to that account.

  • A Log Archive: represents a data warehouse entity stored in the Teneo Inquire component. Its main configuration is stored in Teneo Manager and assigned to one and only one Teneo Inquire instance. It's aim is to be an archive for log data and the source for a number of Log Data Sources.

  • Log Data Source: a Log Data Source (LDS) represents a data source entity stored in the Teneo Inquire application which other components can use to obtain log data. Its main configuration is stored in Teneo Manager and assigned to one and only one Teneo Inquire instance.
    Several users or groups may be assigned access to the LDS; if a user is assigned both as an individual and as part of a group, the effective user's role is the aggregation of both.

  • A Client: represents a Teneo Platform application instance. It stores the application's Id, secret and redirect URL.

Teneo Manager GUI

System requirements

In order to access Teneo Manager, one of the following browsers is required:

  • Chrome version 81 onwards
  • Firefox 76 onwards (on Windows or Ubuntu)
  • Edge 44 onwards
  • Safari 12 onwards

Cookies must be enabled in the browser

Login

Login to Teneo Manager requires a user account with an Administrator role. A built-in user account with the administrator role is provided, with a username and password that is specified by the Teneo Manager installation (more information available in the Installation Guide). The administrator role may be granted to standard user accounts (see User management for details).

The login starts a web session with a 30 minutes' timeout. If the session timeout occurs, the user will be sent back to the login page.

Teneo Manager window

Teneo Manager is divided in a top ribbon, a left-side navigation panel and the central space for the management pages. The top ribbon displays the name of the currently logged in user (upper right corner) and the Logout button.
The navigation panel is divided into groups of related management functions: Commons, OAuth2, Teneo Studio and Admin; all of these are described further in sections following further below.

Teneo Manager

General management

The management pages related to client settings require a client context. Thus, on the first navigation after login to a client settings page, a client selection dialogue is displayed. After selecting a client, the target client settings management page is displayed. The select client name is displayed at the top of the page, besides a button to re-open the client selection dialogue. The client selection is saved in the session context and applies to all settings management pages of the client type.

Tables displayed in Teneo Manager are editable by clicking the icon available in the Edit column of the row. Some tables allow for inline editing in the table, and while a row is in edit mode, a check mark and a cross icon are displayed to save or discard changes, respectively. Most tables, when Edit is clicked, opens a separate window allowing for editing; in this case the window presents an Update and a Cancel button in order to either save or discard changes.

Some tables allow for the null value for displayed settings, which is shown as null. In edit mode, an additionally displayed Null button allows to toggle the value between null and not-null. If a setting is null, the setting's edit field is disabled.

The tables may be sortable by one or more columns, visualized by an arrow besides the column header. Clicking on the column header selects the sorting column and changes the sorting order. A table may also be filterable by a certain column, visualized by a text field (for the filter expression) or a combo-box displayed under the column header. The filtering is not case sensitive.

Common

The Common section in the left-side navigation panel contains the Main (or Start) page and management pages for the data shared between the clients:

  • Main
  • Users (User Management)
  • Groups (Group Management)
  • Log Archives (Log Archive Management)
  • Log Data Sources (LDS Management)

Each of these are described further in the following sub-sections.

Main

After logging into Teneo Manager, the Main page is displayed. It shows a Statistics panel in the right-hand side of the view and an individual panel for the following tasks:

  • DbChecker: this task checks the health of the DB connection; it is executed every minute. The Start button allows to manually run the task. Time and result of the latest task execution are displayed next to the button.
  • LdapChecker: this task checks the health of the LDAP (Active Directory) connection; it is executed every minute. The Start button allows to manually run the task. Time and result of the latest task execution are displayed next to the button. This task is hidden if Teneo Manager is not running in LDAP mode.
  • Sync: this task synchronizes the Teneo Manager users and groups' data with the LDAP; it is executed every minute. The Start button allows to manually run the task. Time and result of the latest task execution are displayed next to the button. This task is hidden if Teneo Manager is not running in LDAP mode.
  • Unblock: this task unlocks locked users (see User Management for details on locked users), and is executed every 15 minutes. The Start button allows to manually run the task. Time and result of the latest task execution are displayed next to the button.

User Management

The User Management page lists the existing users and allows to create new users, as well as edit and delete existing users.

If Teneo Manager runs in LDAP mode, the user data is synchronized from the LDAP every minute. In order to avoid interference with manual updates in the table, the table is not updated automatically and the page must be reloaded manually to see any changes.

Create a User allows to create a new user with the following properties:

  • Id a unique internal user ID; this is a UUID value in the hexadecimal format and the value is fixed and generated by Teneo Manager.
  • LDAP Base DN: this is the LDAP location of the new user; this property is hidden if Teneo Manager is not running in LDAP mode.
  • Name: free-text name of the user; user name must be unique and match the regular expression defined by the "user name regex" setting (see Manager Settings Management). If Teneo Manager runs in LDAP mode, the user name restrictions of the LDAP also applies.
  • Logon: the logon name of the user; the logon name must be unique and match the regular expression defined by the "user logon regex" setting (see Manager Settings Management). If Teneo Manager runs in LDAP mode, the logon name restrictions of the LDAP also applies.
  • Enabled: toggle to enable/disable login of the user; if Teneo Manager runs in LDAP mode, this flag also enables/disables the user in LDAP.
  • Email: value used only by client applications.
  • Password: the user password must match the regular expression defined by the "user password regex" setting (see Manager Settings Management). If Teneo Manager runs in LDAP mode, the password restrictions of the LDAP also applies.
  • Assigned roles: roles to assign to the user; in order to enabled the user for Teneo Manager administration login, the user must have the Administrator role assigned.
  • Assigned groups: groups to which the user should be assigned; user access to clients is granted only via groups.

Mandatory properties are marked with asterisk in the New user dialogue in Teneo Manager.
Creating a new user adds the user to the local database. If Teneo Manager runs in LDAP mode, the user is also created in the LDAP. If the new user is assigned to a group which is assigned to a client, then the new user immediately gets access to that client.

Existing users are displayed in the User List; the action links in the Roles, Groups, LDS access roles, Password reset and Edit columns open dialogues for editing the related data.
The action link in the Accessible Accounts column opens a dialogue which visualizes the relation between the selected user and the client accounts to which the user is assigned (via groups).

The action link in the Delete column opens a confirmation dialogue for deletion of the selected user.
When a user is deleted, the user will be removed immediately from the local database and all REST interface tokens currently issued for hte user will be revoked. If Teneo Manager runs in LDAP mode, the user is also deleted from the LDAP.

Group Management

The Group Management page lists the existing groups and allows to add, modify and delete groups.

If Teneo Manager runs in LDAP mode, the group data is synchronized from the LDAP every minute. In order to avoid interference with manual updates, the Group List table is not updated automatically.

Create a Group allows to create a new group with the following properties:

  • Id: the unique, internal Id of the group; this is a UUID value in hexadecimal format. The value is fixed and generated by Teneo Manager.
  • LDAP Base DN: this is the LDAP location of the new group; this field is hidden when Teneo Manager is not running in LDAP mode.
  • Name: free-text, name of the group. The name must be unique and match the regular expression defined by the "group name regex" setting (see Manager Settings Management). If Teneo Manager runs in LDAP mode, the group name restrictions of the LDAP also applies.
  • Assigned users: the users assigned to the group; access to clients is granted to all users in the group.

Mandatory properties are marked with asterisk in the New group dialogue in Teneo Manager.
Creating a group adds it to the local database and if Teneo Manager runs in LDAP mode, the group is also created in LDAP.

The Group List table displays the existing groups. The following actions are available:

  • Users: edit users assigned to the selected group
  • LDS access roles: allows to modify the LDS access roles for the selected group
  • Accessible Accounts: opens a dialogue which displays an image of the relation between the selected group and the client accounts to which the group is assigned.
  • Edit: allows to edit the selected group
  • Delete: opens a confirmation dialogue for deletion of the selected group. Upon deletion the group is removed immediately from the local database; if Teneo Manager runs in LDAP mode, the group is also deleted from the LDAP.

Log Archive Management

The Log Archive Management page lists the Log Archives that may be assigned to the managed clients. Here Log Archives can be created, modified and deleted.

Before a new Log Archive can be added to a client, the target client needs to exist

Create a Log Archive allows to create a new Log Archive with the following properties:

  • Id: unique identifier of the Log Archive using an UUID format; the field is set when creating the Log Archive and cannot be modified afterwards.
  • Client: the Inquire client for which the Log Archive is being created; this is a mandatory field as no Log Archive can be created without being assigned to a client; the client cannot be reassigned.
  • Name: free text field for the name of the Log Archive. The value must be unique within the selected Inquire client.
    The name must be 2-60 characters long with characters from any of the following categories: letters (upper or lower case), numbers (0-9), dot (.) and special characters (for example, #@&!%).
  • Description: optional field to add a brief description of the Log Archive
  • Keyspace: this field is generated automatically after the Log Archive's Id and cannot be modified.
  • Replicas: the amount of replicas (r), that is, the amount of copies of the Log Archive that will be generated; r must be lower than the number of nodes - in such event, it will be automatically adjusted.
    This field is set when creating the Log Archive and cannot be modified afterwards.

Mandatory properties are marked with asterisk in the New Log Archive dialogue in Teneo Manager.
Deleting a Log Archive from the management page also deletes all access roles assigned to it.

The Log Archive list displays the existing Log Archives. The following actions are available:

  • Overview: provides an overview of the selected Log Archive
  • Import: allows to import log files in the Teneo Log Engine format (.tle or .tle.gz).
  • Edit: update the description or the name of the selected Log Archive.
  • Delete: opens a confirmation dialogue for deletion of the selected Log Archive.

Import

To import log files to a Log Archive, follow the below steps:

Log files must be in the Teneo Log Engine format (.tle or .tle.gz)

  • Open the Log Archive Management page
  • In the Import column, click the icon for the Log Archive where the logs should be imported
  • The Import Log files dialogue opens, in the upper right corner click Import
  • Specify the Server path from the the files should be read
  • Click Import to confirm
Import errors

Sessions which, for any reason, fail to import to a Log Archive will be listed on the Import Log Files dialogue.

Example of import errors

LDS Management

The LDS Management page lists the Log Data Sources (LDSs) that may be assigned to the managed clients. Here LDSs can be created, modified or deleted.

Before a new Log Data Source can be added to a client, the target client needs to exist

Create a LDS allows to create a new Log Data Source with the following properties:

  • Id: only displayed when updating the LDS The unique internal Id of the LDS; this is a UUID value in hexadecimal format. The value is fixed and generated by Teneo Manager. Client applications may use this value to identify an LDS.
  • Client: the Inquire client for which the LDS is being created. This is a mandatory field as no LDS can be created without being assigned to a client.
  • Name: free-text name of the LDS. The value must be unique within the selected Inquire client.
    Note: the field cannot contain the following characters: \, /, *, ?, ", #, <, >, |, %, :, space nor upper case letters, neither may it start with a dot nor an underscore. Elasticsearch index name is derived from it and limits the format.
  • Description: optional field to add a brief description of the LDS
  • Log Archive: the Log Archive the LDS will be reading the logs from
  • Weeks: the week span of the data to be imported to Elasticsearch, ending at the selected week at the Until date (see the next point). By default, the amount of weeks is pre-set to 12, but it can be modified at any time, even after the LDS has been created.
    Week numbers use the ISO8601 format (i.e., week starts on a Monday)
    Weeks are imported as "calendar weeks" in full, even if the week has not yet ended.
  • Until: date until data is imported, in Year-Week format.
    Default is "Now", which means the LDS window frame will be dynamic, i.e., that the log data weeks included in the LDS will shift to always include the most recent log data; this update is executed automatically.
    Deselecting "Now" allows to set the LDS to always contain the same weeks.
  • Shards: the amount of Elasticsearch shards.
  • Replicas: the amount of Elasticsearch replicas.
  • Locale: the locale of the LDS language (and country), usually the published solution's language.

Mandatory properties are marked with asterisk in the New LDS dialogue in Teneo Manager.

The LDS list displays the existing Log Data Sources. The following actions are available:

  • User access roles: edit the user access permissions; see Access Roles
  • Group access roles: edit the group access permissions; see Access Roles
  • Edit: allows to update the settings of the LDS
  • Delete: opens a confirmation dialogue for deletion of the selected LDS; deleting an LDS from the LDS management page also deletes all access roles assigned to it.

Access Roles

Users and groups may have different access roles for accessing the data available in a Log Data Source. The follow access roles are available:

  • Augmenter: the user can manage augmenters
  • Data: the user may manipulate data
  • Export: the user may export datasets
  • Importer: the user may import log data
  • Sysadmin: the user may administrate the system
  • TQL: the user may run queries

The User and Group access roles dialogues allows to add, update and delete access roles for users and groups. Both can be searched using the text box with autocomplete functionality. Once a user or group is selected, the different roles can be enabled/disabled by using the checkboxes. Multiple uses and groups may be added in a single operations. Once a user or group is added to the table, the edit and delete actions can be used to edit or delete these.

Elasticsearch cluster: shards and replicas

Each week of data is divided into shards which are distributed across the cluster. Replicas are duplicated shards distributed across the cluster. Each TQL query will run on 1 CPU core per shard in the Elasticsearch cluster.
Therefore, adding shards lets each TQL query run across more shards in the cluster which in turn increases the performance per query.
Adding replicas means that more than 1 machine can run queries against that shard. In turn, this increases the performance of concurrent queries. Replicas also increase the resilience of the cluster as data is replicated.
Adding more machines or more cores does not automatically increase performance until there are more shards where queries can run on.

Recommended configuration is therefore 2 shards per node in the Elasticsearch cluster with the number of replicas set to number_of_nodes - 1. If Elasticsearch has not been setup as a cluster then leave the pre-configured defaults.

The following table can be used as a reference:

NodesShardsReplicas
120
3 (recommended)62
5104

OAuth2

The OAuth2 section in the left-side navigation panel contains the Client Management and Token Management pages; both are described further in the following sub-sections.

Client Management

The Client Management page lists the existing client instances managed by Teneo Manager and allows to create, edit and delete Client instances.

A Client has the following properties:

  • Client Id: the unique identifier of the Client. This is a UUID value in hexadecimal format. The value is fixed and generated by Teneo Manager. The Client Id is used to identify a client for authentication with the REST interface.
  • Client Secret: a text string ("password") used for authentication with the REST interface. The value is fixed and generated by Teneo Manager.
  • Name: free-text name of the Client instance. The value must be unique.
  • Client Type: eligible values at creation: Inquire or Studio; the value is fixed as it is selected before the New Client dialogue opens.
  • Description: optional, free-text description of the Client instance.
  • Redirect URI: the Client application's URI to be opened after successful login; the value is needed only if the OAuth2 authentication flow "Implicit" is enabled.
  • OAuth2 flows: OAuth2 authentication flow types which should be enabled for the client:
    • Resource owner password credentials
    • Client credentials.

Additionally, if the client type is Inquire, the follow two properties are also available:

  • Inquire Query URL: the query URL Inquire Clients must use for querying the data.
  • Inquire DM URL: the Data Management URL Inquire Clients must use for managing the data.

The Client List table on the Client Management page lists existing Clients; the following options are available:

  • OAuth2 flows: allows to modify the authentication flows enabled in the selected Client
  • Edit: allows to edit the selected Client
  • Delete: opens a confirmation dialogue for deletion of the selected Client instance.

At the top of the Client List, the New Client button allows to create a new client by selecting the type (Inquire or Studio). After the selection of client type, the dialogue for the creation of a new Client instance is opened and the Common attributes should be provided. Mandatory fields are marked with an asterisk.

When the New Client dialogue has been completed, Teneo Manager generates a unique Client Id and the Client Secret (password) for the new Client instance and it is added to the table.

When a Client is deleted, the Client instance and all its settings are removed immediately from the local database and all the currently issued REST interface tokens for the Client instance are revoked.

Token Management

The Token Management page is divided in three tabs: Access tokens listing the currently issued access tokens for users and Clients, the API tokens tab and the Refresh tokens for user access tokens.

API tokens are basically persistent Access tokens for a particular Client additionally linked to a user as well. The API tokens survive restarts of Teneo Manager since they are stored in the local database; their usage is basically for running scripts where tokens can be provided in script code.

The Create an API token button opens a dialogue with the following properties: Name, Client, User and Description. The mandatory fields are marked with asterisk.

Only API tokens can be created through Teneo Manager, Access tokens are create via the API

The Access tokens and Refresh tokens panels work in a similar way; the displayed data is refreshed automatically every 30 seconds or immediately by clicking the Refresh button.

The Revoke filtered access tokens and Revoke filtered refresh tokens buttons revoke (delete) all tokens that match the current table filtering. IF no filter is set, then all currently existing tokens are revoked.
With the action link in the Revoke column of the tables, a single token may be revoked (deleted).

Usage example

Across the Teneo Platform, the way authorization is passed between components is aligned with the OAuth2 Standard (i.e., OAuth2: Bearer Token); below please find an example of the format of the request when calling the Inquire API REST endpoints directly in JavaScript.

The Authorization header value must be Bearer authentication_token_value and, for example, starting a query (assuming the authentication variable contains the result of a successful login call) can be done with the following JavaScript:

javascript

1fetch(`${server}/teneo-inquire-query/rest/tql/submit?index=${encodeURI(lds)}&timeout=1200`, {
2    method: 'post',
3    headers: {
4        "Authorization": `Bearer ${authentication}`,
5        "Content-type": "application/x-www-form-urlencoded"
6    },
7    body: `query=${encodeURIComponent(query)}&index=${encodeURI(lds)}`
8})
9

Teneo Studio

This section contains the management pages for the Teneo Studio application instance. The pages require a client selection, as described in the Teneo Manager GUI section.

Account Management

The Account Management page allows to mange Teneo Studio accounts (former customer ).

A Teneo Studio account has the following properties:

  • Id: unique identifier of the account to be used by Teneo Studio; the value is a UUID in hexadecimal format. In the New Account dialogue (also see below), this field is preset with a randomly generated value. In case the account is created for an already existing Teneo Studio customer, its Id must be entered.
  • Name: name of the account; the value must be unique within the Teneo Studio client instance.
  • Enabled: allows to temporarily disable an account (if unchecked) in order to hide it from Teneo Studio users. A disabled account is not removed form the managed Teneo Studio instance.
  • Log Archives: the Log Archives assigned to the account. The user can select one of those when publishing a solution in order to store and archive the logs.
  • LDSs: the Log Data Source(s) assigned to the account which users can later link to a solution or query.
  • User permissions: a set of permissions that enable/disable certain actions for the Teneo Studio user in the related account. User permissions can also be inherited from all groups the user is member of.
  • Group permissions: a set of permissions passed on to groups' members which enable/disable/ certain actions for the Teneo Studio users related to the account.

The Account List table lists the existing accounts. The action links in the Log Archives, LDSs, User permissions and Group permissions each open a dialogue for editing the related properties of the selected account.
The action link in the Edit column starts the editing of the selected account while the action link in the Delete column opens a confirmation dialogue for deletion of the selected account.

The Create an Account button opens a dialogue to create a new account; mandatory properties are marked with an asterisk. User and Group permissions are not assignable in the dialogue and must be assigned from the Accounts List after creation of the new account. As soon as the account is created, the related customer in the managed Teneo Studio client instance is available to users.

Removing an account firstly removes it from Teneo Manager only; the related customer is removed from the managed Teneo Studio instance after a grace period of 24 hours, but only if it does not contain any solutions.

Admin

The Teneo Manager administration sections (in the left-side menu of Teneo Manager) includes the management pages for settings that apply to Teneo Manager itself or all clients in general.

This section is only displayed for admin users and users granted the Administrator role.

Manager Setting Management

The Manager Setting Management page displays the settings that control the Teneo Manager instance itself. This does not include the settings provided as Java system properties (see the Installation Guide for details on these properties).

This view provides the following options and properties:

  • Save and restart: this button persists the changes done in any tab of the view. Execution will restart some internal services and also revoke all OAuth2 tokens, thus all currently existing user logons will be invalidated.
  • General tab: this tab is always visible and contains the General settings:
    • Authentication: dropdown menu, choose authentication type between: DB, Delegated and LDAP.
    • Users and Groups source: dropdown menu, choose the source of users and groups between: DB and LDAP.
    • Table with the following list of settings:
      • groupNameRegex: a Java regular expression which defines the validness of a group. If Teneo Manager runs in LDAP mode, the group name must also match the LDAP restrictions.
      • groupNameRegexInfo: error message shown to the user if the groupNameRegex does not match the chose Group name.
      • maxLoginAttempts: maximum allowed counts of failed login attempts for a user within the unblock period (15 minutes). If the failed logon count of a user exceeds the limit, the user is prevented from logon to the GUI and REST interface until the next execution of the user unblock task.
      • oauth2.accessTokenTimeout: lifespan of OAuth2 access tokens, provided in minutes. The value must be a positive integer.
      • oauth2.refreshTokenTimeout: minimum lifespan of OAuth2 refresh tokens, provided in days. The lifespan restarts each time the refresh token is used. The value must be a positive integer.
      • oauth2.stateTimeout: timeout for the OAuth2 implicit flow state parameter, provided in seconds. This value must be a positive integer.
      • public.url: defines a public URL in order to expose the access of the API through this external URL instead of using the internal one.
      • userLogonRegex: a Java regular expression that defines the validness of a user logon name. If Teneo Manager runs in LDAP mode, the logon name must also match the LDAP restrictions.
      • userLogonRegexInfo: error message shown to the user if the userLogonRegex doesn't match the chosen Login name.
      • userNameRegex: a Java regular expression that defines the validness of a user name. If Teneo Manager runs in LDAP mode, the user name must also match the LDAP restrictions.
      • userNameRegexInfo: error message shown to the user if the userNameRegex doesn't match the chose Username.
      • userPasswordRegex: a Java regular expression that defines the validness of a user password.
      • userPasswordRegexInfo: error message shown to the user if the userPasswordRegex doesn't match the chose Password.
  • Ldap tab: this tab is only shown if either Authentication or Source is LDAP; its settings and configurations are explained in the LDAP section further below.
  • Delegated tab: this tab is only shown if Authentication is delegated; its settings and configurations are explained in the Delegated section further below.

Client Setting Management

The Client Setting Management page is organized in multiple tabs that each display the settings defined for a particular client (sub-module) type. It offers to create, edit or delete setting definitions.

On each tab, the settings table displays the setting's name, initial value and description, furthermore it contains action links to open the edit dialogue and to delete a setting definition.

The Create setting button opens a dialogue for the creation of a new setting definition. The following properties must be entered:

  • Name: free-text name of the setting. The name must be unique within a Client (sub-module) type. This name is also used in the REST interface to identify the setting.
  • Initial Value: the initial value of the setting. The initial value may be set to null with the Null button toggle.
  • Description: free-text description of the setting.

The creation of a new setting definition adds the setting to each instance of the related Client (sub-module) type and sets it to the initial value. After that, changing the initial value will not affect the values of the settings of already existing Client instances, but it will affect the setting value of a newly created client instance.

After the creation of the setting definition its name is fixed, thus renaming an existing setting definition requires to first delete it and then re-add it with the new name.

Deleting a setting definition also removes the setting from all instances of the related client (sub-module) type.

LDAP

LDAP (Lightweight Directory Access Protocol) is supported in Teneo Manager is a user and group source as well as an authentication method. Selection of the LDAP for one or the other is done in the Manager Settings Management page and its configuration parameters and test are done in the LDAP tab.

Once on the LDAP tab, the following settings are available:

  • Implementation: a dropdown to choose the implementation type, currently only Active Directory option is available
  • Test button: opens the LDAP Tester dialogue; description of this dialogue is provided in the next section
  • Table with the following settings:
    • ldap.bindDN: name of the user account Teneo Manager will use for the connection to the LDAP; this is usually given in the format domain\logon.
    • ldap.bindPassword: password of the user account Teneo Manager will use when connecting to the LDAP.
    • ldap.connectTimeout: timeout for the LDAP connection, provided in seconds. The value must be a positive integer.
    • ldap.fullManagement: switch to allow (value = true) or disable (value = false) creation of users and groups within Teneo Manager.
    • ldap.groupBaseDNs: one or more DNs of LDAP OUs where groups will be retrieved from/created in. The DNs must be separated by semi-colon. Teneo Manager internally adds any sub-OUs of these and displays them on the Group Management page.
    • ldap.groupType: group type to be used when creating a group in the LDAP. The value defines the groupType attribute of the LDAP group item; it must be an integer.
    • ldap.host: host name of the LDAP server, to be given in the format: ldap://hostname or ldaps://hostname.
    • ldap.maxConnections: maximum size of the LDAP connection pool maintained by Teneo Manager. The value must be a positive integer.
    • ldap.minConnections: minimum size of the LDAP connection pool maintained by Teneo Manager. The value must be a positive integer.
    • ldap.port: socket port number of the LDAP server; usually 389 for LDAP and 636 for LDAPs. The value must be a positive integer.
    • ldap.responseTimeout: timeout for a response to an LDAP request, provided in seconds. The value must be a positive integer.
    • ldap.teneoGroupDN: DN of the LDAP group that all Teneo Manager manged users and groups must be member of, it may be empty.
    • ldap.userAccountControl: user access control value to be used when creating a user in the LDAP. The value defines the userAccountControl attribute of the LDAP user item; it must be a positive integer.
    • ldap.userBaseDNs: one or more DNs of LDAP OUs where users will be retrieved from/created in. The DNs must be separated by semicolon. Teneo Manager internally adds any sub-OUs of these and displays them on the User Management page.
    • ldap.userLogonSuffix: suffix to append to the user logon when creating a user in the LDAP. Usually given in the form @domain-name.

LDAP tester

The LDAP Tester dialogue is basically a dialogue which allow users to test and verify the correct settings for the LDAP connection.
The first step is to list all the LDAP connection settings where admin can adjust values depending on the desired configuration. Once the values have been set, admin can click on Fetch users & groups and the connection to the LDAP is verified if the correct list of users and groups is returned.
If an error occurs during connecting or no entities are returned, the button Ldap Settings can be used to go back to re-set them. If the settings are correct, the Apply settings button allows to propagate the settings' values to the main window. Click Save and restart at the top of the view in order to save and apply the new configuration.

Delegated

Delegated authentication is supported in Teneo Manager as a user authentication method. Currently the only supported delegated authentication type is SAML2 (Security Assertion Markup Language 2).

When opening the Delegated tab, the following options appear:

  • Implementation: dropdown to choose implementation type, currently only SAML2 option is available
  • Check button: allows to check if the entered values for Delegated (SAML2) are correct.
  • IdP Metadata: dropdown to choose the source of the IdP metadata, options included are Settings and URL
    • If Settings is selected, settings are read from the settings table which follows. Import IdP metadata settings (XML file) defined in SAML2 standard using the Import IdP Metadata button.
    • If URL is selected, a new text box appears where the URL to read the IdP metadata must be provided. IdP metadata is then read on every user authentication.
  • SP Metadata / Export SP Metadata: button to export SP metadata as an XML file defined in the SAML2 standard. Before export creation, the settings are checked for errors.
  • Table with the following list of settings:
    • contacts.support.email_address: email address to support
    • contacts.support.given_name: Name of support contact
    • contacts.technical.email_address: email address to technical team
    • contacts.technical.given_name: Name of technical contact
    • debug: enable debug mode
    • idp.certfingerprint: an unformatted fingerprint. If provided, then certFingerprintAlgorithm is required.
    • idp.certfingerprint_algorithm: possible values: sha1, sha256, sha384 and sha512
    • idp.entityid: identifier of the IdP entity (must be URI)
    • idp.single_logout_service.binding: SAML2 protocol binding to be used when returning the <Response> message. Logout functionality not supported.
    • idp.single_logout_service.response.url: optional SLO Response endpoint info of the IdP. Logout functionality not supported.
    • idp.single_logout_service.url: SLO endpoint info of the IdP.
    • idp.single_sign_on_service.binding: SAML2 protocol binding to be used when returning the <Response> message.
    • idp.single_sign_on_service.url: SSO endpoint info of the IdP.
    • idp.x509cert: public x509 certificate of the IdP.
    • login_timeout: timeout for delegated login in seconds.
    • logon_prefix: prefix automatically removed from user logon during the delegated login.
    • logon_suffix: suffix automatically removed from user logon during the delegated login.
    • security.authnrequest_signed: 'true or 'false' value indicating whether or not the <samlp:AuthnRequest> messages sent by this SP will be signed.
    • security.logoutrequest_signed: 'true' or 'false' value indicating whether or not the <samlp:logoutRequest> messages sent by this SP will be signed.
    • security.logoutresponse_signed:'true' or 'false' value indicating whether or not the <samlp:logoutResponse> messages sent by this SP will be signed.
    • security.nameid_encrypted: 'true' or 'false' value indicating whether or not the nameID of the <samlp:logoutRequest> sent by this SP will be encrypted.
    • security.requested_authncontext: if empty no AuthContext will be sent in the AuthNRequest.
    • security.requested_authncontextcomparison: allows the authn comparison parameter to be set.
    • security.sign_metadata: 'true' or empty value indicating whether or not the Metadata of this SP requires to be signed.
    • security.signature_algorithm: algorithm which the toolkit uses on the signing process; options are:
    • security.want_assertions_encrypted: 'true' or 'false' value indicating whether or not the Assertions received by this SP requires to be encrypted.
    • security.want_assertions_signed: 'true' or 'false' value indicating whether or not the <saml:Assertion> elements received by this SP requires to be signed.
    • security.want_messages_signed: 'true' or 'false' value indicating whether or not the <samlp:Response>, <samlp:LogoutRequest> and <samlp:LogoutResponse> elements received by this SP require to be signed.
    • security.want_nameid_encrypted: 'true' or 'false' value indicating whether or not the NameID received by this SP requires to be encrypted.
    • security.want_xml_validation: 'true' or 'false' value indicating whether or not the SP will validate all received XMLs (In order to validate the XML, 'strict' and 'wantXMLValidation' must be true).
    • sp.assertion_consumer_service.binding: SAML2 protocol binding to be used when returning the <Response> message.
    • sp.assertion_consumer_service.url: specifies info about where and how the <AuthnResponse> message must be returned to the requester. It must contain the full endpoint specification: hostname, port and '/teneo-manager/rest/oauth2/delegated/saml2'.
    • sp.entityid: identifier of the SP entity (must be a URI).
    • sp.nameidformat: specifies constraints on the name identifier to be used to represent the requested subject.
    • sp.privatekey: privateKey of the SP (Required format PKCS#8).
    • sp.single_logout_service.binding: SAML2 protocol binding to be used when returning the <LogoutResponse> or sending the <LogoutRequest> message.
    • sp.single_logout_service.url: specifies info about where and how the <Logout Response> message must be returned to the requester.
      • sp.x509cert: x509cert of the SP.
      • strict: 'true' or 'false' value indicating whether or not the Java Toolkit will reject messages if these do not strictly follow the SAML2, are unsigned or unencrypted messages (when singed or encrypted is expected).

Delegated SAML2

Teneo Manager and therefore the Teneo Platform supports SAML2 SP-Initiated login authentication. Logout is not supported yet, but is is planned to be in future releases.

The easiest way to configure SAML2 is to exchange the SAML2 metadata files between SP (Teneo Manager) and the IdP. They come with all the information needed to setup the connection.
Once the IdP metadata file is acquired, it is just as simple as uploading it using the Import SAML2 IdP metadata button in the Delegated tab. The Metadata settings are then verified and set to the settings table.
Then, once the SP settings have been entered in the settings table, they must be exported using the SP metadata export button and delivered to the IdP admins to setup the connection on their side.
In case the IdP metadata is dynamic, that is, changes on a regular basis, another way of providing it is supported via URL. If the URL option is selected in the IdP metadata dropdown, it will be read on every user login, making this use case fully supported.
Finally, to apply the settings, the administrator must click on Save and restart.

As the delegated login flow requires interacting with backend components from the users browser, some additional configurations should be made at a Platform deployment level for it to properly work (please see the Installation Guide for further instructions). Then, all should be configured and working. To test it, the admin user just need to go to any Platform component and check that the login method is actually delegated and working.

REST API

The Teneo Manager REST API allows for creation of entities through the API; API endpoints and specifications are described in the Manager Server REST API Endpoints - Swagger page. In order to call any endpoint, admin would need to obtain a valid admin access token. Admin access tokens can be obtained using the client credentials OAuth2 flow, applying the admin user as client_id and admin password as client_secret. They share the same expiration time as normal access tokens.

Also see Logins, Sessions, and Authentication in Studio