How do I set up TLS authentication for FeatureBase Community?
Secure your FeatureBase server with TLS authentication.
Before you begin
- Learn about TLS (Transport Layer Security)
- Generate a secret-key
- Add FeatureBase as an Azure AD application
- Set up FeatureBase Group permissions
FeatureBase configuration file location
Add authentication parameters to the /featurebase/opt/featurebase.conf TOML file.
Earlier versions of FeatureBase saved the /featurebase.conf file in the operating system's /etc folder.
Authentication syntax
```
[auth]
enable = true
{client-id = "<SAML IdP value>"}
{client-secret = "<SAML IdP value>"}
{authorize-url = "<SAML IdP value>"}
{token-url = "<SAML IdP value>"}
{group-endpoint-url = "<SAML IdP value>"}
{redirect-base-url = "<SAML IdP value>"}
{logout-url = "<SAML IdP value>"}
{scopes = <SAML IdP value>}
{secret-key = "<featurebase-auth-key>"}
{permissions = "/featurebase-directory/permissions.yaml"}
[query-log-path = "/log/directory/"]
[configured-ips = []]
```
Keys
| Key | Description | Required | Additional information |
|---|---|---|---|
| enable=true | Activate IdP authentication for FeatureBase | | |
| client-id | SAML 2.0 Identity Provider (IdP) value obtained from Azure AD Applications Overview | Yes | |
| client-secret | As for client-id. | Yes | Obtain from the IdP |
| authorize-url | IdP value obtained from Applications Overview > Endpoints. | Yes | Use the v2 links if two versions are available. |
| token-url | As for authorize-url | Yes | |
| group-endpoint-url | SAML IdP API value | Yes | SAML 2.0 IdP API documentation |
| redirect-base-url | IdP URL that corresponds to your primary FeatureBase node. | Yes | Example: https://featurebase-hostname-or-ip:10101 |
| logout-url | SAML IdP API value | Yes | [Single sign-out SAML protocol documentation](https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-out-saml-protocol) |
| scopes | SAML IdP API value | Yes | SAML 2.0 scopes and permissions |
| secret-key | Secret key used to secure inter-node communication in a FeatureBase cluster. | Yes | Generate a secret key |
| permissions | Path to the group permissions file that maps group IDs to index-level access. | Yes | Add group permissions |
| query-log-path | Path for the query audit log | Optional | |
| configured-ips | Admin permissions are granted to any IP or subnet in this list. If the key is omitted or empty, no IPs are allow-listed. | Optional | Domain names and 0.0.0.0/0 are not allowed. |
Additional information
- When TLS is enabled, the scheme must be explicitly defined as https in featurebase.conf and on the command line.
- /featurebase.conf and /featurebase-install-directory/opt/parameters.yaml must be duplicated on all nodes of a FeatureBase cluster.
Examples
Azure Active Directory configuration
```
[auth]
enable = true
{client-id = "<SAML IdP value>"}
{client-secret = "<SAML IdP value>"}
{authorize-url = "<SAML IdP value>"}
{token-url = "<SAML IdP value>"}
group-endpoint-url = "https://graph.microsoft.com/v1.0/me/transitiveMemberOf/"
{redirect-base-url = "<SAML IdP value>"}
logout-url = "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
scopes = ["https://graph.microsoft.com/.default", "offline_access"]
{secret-key = "<AZURE-AD-SECRET-KEY>"}
{permissions = "/featurebase-directory/permissions.yaml"}
```
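The following Python script is an added example, not FeatureBase's own code: it reads the [auth] table from a featurebase.conf and flags the mistakes the key table above rules out (missing required keys, a non-https redirect-base-url, and configured-ips entries that are host names or 0.0.0.0/0). The flat-section reader handles only the quoted strings, booleans and string arrays used in [auth], and the sample config is a constructed copy of the Azure AD example with three deliberate errors.

```python
import ast
import ipaddress
REQUIRED = ("client-id", "client-secret", "authorize-url", "token-url", "group-endpoint-url",
            "redirect-base-url", "logout-url", "scopes", "secret-key", "permissions")

def parse_auth_section(text):
    # Minimal reader for the flat [auth] table: quoted strings, booleans and string arrays.
    auth, in_auth = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):  # a table header such as [auth]
            in_auth = line == "[auth]"
        elif in_auth:
            key, _, value = (part.strip() for part in line.partition("="))
            auth[key] = value == "true" if value in ("true", "false") else ast.literal_eval(value)
    return auth

def check_auth(auth):
    # Apply the constraints from the key table; an empty list means the section passes.
    problems = [f"missing required key {key}" for key in REQUIRED if key not in auth]
    if auth.get("enable") is not True:
        problems.append("enable must be true to activate IdP authentication")
    if not auth.get("redirect-base-url", "").startswith("https://"):
        problems.append("redirect-base-url must use the https scheme when TLS is enabled")
    for entry in auth.get("configured-ips", []):  # admin allow-list: addresses or subnets only
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"configured-ips entry {entry!r} is not an IP address or subnet")
            continue
        if net.prefixlen == 0:  # 0.0.0.0/0 (or ::/0) would allow-list every address
            problems.append(f"configured-ips entry {entry!r} grants admin to every address")
    return problems

SAMPLE_CONF = """# Constructed sample: the Azure AD example above plus three deliberate mistakes
[auth]
enable = true
client-id = "<SAML IdP value>"
client-secret = "<SAML IdP value>"
authorize-url = "<SAML IdP value>"
token-url = "<SAML IdP value>"
group-endpoint-url = "https://graph.microsoft.com/v1.0/me/transitiveMemberOf/"
redirect-base-url = "http://featurebase-hostname-or-ip:10101"
logout-url = "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
scopes = ["https://graph.microsoft.com/.default", "offline_access"]
secret-key = "<AZURE-AD-SECRET-KEY>"
permissions = "/featurebase-directory/permissions.yaml"
configured-ips = ["10.0.0.0/24", "0.0.0.0/0", "admin.example.com"]
"""
```

Running `check_auth(parse_auth_section(SAMPLE_CONF))` reports the http scheme, the 0.0.0.0/0 entry and the host name; with those three fixed the list is empty.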