Authentication options for ScriptRunner

How to configure and use authentication options in ScriptRunner

The cmdlets referenced on this page (Get-ADUser, Get-ADGroup, Get-ADRootDSE) require the Active Directory PowerShell module!

Active Directory (Windows integrated authentication)

  • Suitable for trusted domains in the same forest and for trusted forests
  • Possible via NTLM or Kerberos
    • NTLM is used by default
    • Kerberos is negotiated between the browser and the SR host; no setting needs to be configured in SR. To activate Kerberos, follow the Microsoft documentation and make sure that:
      • app.json and uri.js contain the identical baseuri (the browser derives the Kerberos service name from the host name in that URL)
      • a Service Principal Name (SPN) for the SR host is registered in Active Directory on the computer account of the SR host. More information can be found in Microsoft Docs.

For non-trusted domains, see Claim-based identity below.
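The two Kerberos prerequisites above can be checked from the SR host with the AD module. The following script is an added example and not part of the ScriptRunner documentation; the computer account name SRHOST01 and the service URL host name scriptrunner.corp.example (the host part of the baseuri in app.json / uri.js) are assumptions.

```powershell
# Added example, not part of the ScriptRunner documentation: check (and if needed
# register) the HTTP SPNs that Kerberos needs for the SR host.
# Assumed names: computer account "SRHOST01", baseuri host "scriptrunner.corp.example".
Import-Module ActiveDirectory

$srComputer  = 'SRHOST01'                    # assumed: computer account of the SR host
$serviceFqdn = 'scriptrunner.corp.example'   # assumed: host name from the baseuri

# Browsers request a ticket for HTTP/<host name as typed in the URL>, so both the
# FQDN and the short name should be registered.
$wantedSpns = @(
    "HTTP/$serviceFqdn",
    "HTTP/$($serviceFqdn.Split('.')[0])"
)

$account = Get-ADComputer -Identity $srComputer -Properties servicePrincipalName
$missing = $wantedSpns | Where-Object { $account.servicePrincipalName -notcontains $_ }

if ($missing) {
    Write-Warning "SPNs missing on $($account.DistinguishedName): $($missing -join ', ')"
    foreach ($spn in $missing) {
        # setspn -S refuses to add an SPN that already exists elsewhere; a duplicate
        # SPN breaks Kerberos silently (the browser falls back to NTLM).
        # If the SR service runs under a domain service account instead of the
        # computer account, register the SPN on that account instead.
        setspn -S $spn $srComputer
    }
} else {
    Write-Host "All HTTP SPNs present on $srComputer"
}

# Forest-wide duplicate check; any hit here must be resolved before Kerberos works.
setspn -X -F

# On a client, after opening the SR URL in the browser, the service ticket should
# be visible in the ticket cache:
#   klist | findstr /i "HTTP/$serviceFqdn"
```

Registering SPNs needs write permission on the servicePrincipalName attribute of the account, which by default is Domain Admins or an account granted that right explicitly.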

Cmdlets to get the SID
  • User: Get-ADUser
    • Claim type: http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid
  • Group: Get-ADGroup
    • Claim type: http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
  • The claim value is the SID of the user or group (not the name; the SID stays stable when an object is renamed)
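The following added example (not from the ScriptRunner documentation) turns a user or group into the claim type / claim value pair listed above, including the case of a group in a trusted domain. The identities jdoe, SR-Admins and the domain name partner.example are assumptions.

```powershell
# Added example, not part of the ScriptRunner documentation: resolve users and
# groups to the claim type / claim value (SID) pairs SR evaluates.
# Assumed identities: user "jdoe", group "SR-Admins", trusted domain "partner.example".
Import-Module ActiveDirectory

$PrimarySidClaim = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid'
$GroupSidClaim   = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'

function Get-SRClaim {
    param(
        [Parameter(Mandatory)][ValidateSet('User', 'Group')][string]$Kind,
        [Parameter(Mandatory)][string]$Identity,
        [string]$Server   # optional: DC or domain name, e.g. for a trusted domain
    )
    $params = @{ Identity = $Identity; ErrorAction = 'Stop' }
    if ($Server) { $params.Server = $Server }

    $obj = if ($Kind -eq 'User') { Get-ADUser @params } else { Get-ADGroup @params }

    # Use the SID, never the name: names can be changed or reused, the SID cannot.
    [pscustomobject]@{
        Identity   = $obj.SamAccountName
        Domain     = ($obj.DistinguishedName -replace '^.*?DC=', 'DC=')
        ClaimType  = if ($Kind -eq 'User') { $PrimarySidClaim } else { $GroupSidClaim }
        ClaimValue = $obj.SID.Value   # e.g. S-1-5-21-<domain>-<rid>
    }
}

Get-SRClaim -Kind User  -Identity 'jdoe'
Get-SRClaim -Kind Group -Identity 'SR-Admins'

# Group in a trusted domain: query that domain directly (assumed domain name).
Get-SRClaim -Kind Group -Identity 'SR-Users' -Server 'partner.example'

# Sanity check before pasting a value into SR: a domain SID always starts with S-1-5-21-.
# Well-known SIDs such as S-1-5-32-544 (BUILTIN\Administrators) are machine-local and
# do not identify a domain group.
(Get-SRClaim -Kind Group -Identity 'SR-Admins').ClaimValue -match '^S-1-5-21-'
```

The Domain column makes it obvious which directory the SID came from, which matters when the same group name exists in both the home and the user domain.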

Trust Check

Get-ADRootDSE returns the root of the directory information tree (the root DSE) of a directory server, i.e. its naming contexts and supported functionality. Querying it against a trusted domain verifies that the SR host can reach and bind to a domain controller of that domain. Use the following cmdlet:

Get-ADRootDSE

More information can be found in Microsoft Docs.
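An added example (not from the ScriptRunner documentation) of a trust check as run from the SR host: it lists the trusts of SR's own domain, checks that the trust direction allows users of the other domain to authenticate against SR, and then binds to the trusted domain with Get-ADRootDSE. The domain name partner.example is an assumption.

```powershell
# Added example, not part of the ScriptRunner documentation: verify that a trust
# to the user domain exists and that its directory is reachable from the SR host.
# Assumed trusted domain name: "partner.example".
Import-Module ActiveDirectory

$trustedDomain = 'partner.example'

function Test-SRTrust {
    param([Parameter(Mandatory)][string]$Domain)

    # 1. Does SR's domain trust the other domain? For users of $Domain to log on
    #    to SR, the local (resource) domain must trust it: Direction Outbound or
    #    BiDirectional as seen from the local domain.
    $trust = Get-ADTrust -Filter "Name -eq '$Domain'" -ErrorAction SilentlyContinue
    if (-not $trust) {
        Write-Warning "No trust object for $Domain in the local domain"
    } elseif ($trust.Direction -notin 'Outbound', 'BiDirectional') {
        Write-Warning "Trust to $Domain is $($trust.Direction); users of $Domain cannot authenticate here"
    } else {
        Write-Host ("Trust: {0} {1} ForestTransitive={2} SelectiveAuthentication={3}" -f
            $trust.Name, $trust.Direction, $trust.ForestTransitive, $trust.SelectiveAuthentication)
    }

    # 2. Bind to a DC of the trusted domain. Get-ADRootDSE fails when no DC is
    #    reachable (DNS, firewall) or the trust secure channel is broken.
    try {
        $rootDse = Get-ADRootDSE -Server $Domain -ErrorAction Stop
        [pscustomobject]@{
            Domain              = $Domain
            DnsHostName         = $rootDse.dnsHostName
            DefaultNC           = $rootDse.defaultNamingContext
            RootDomainNC        = $rootDse.rootDomainNamingContext
            ForestFunctionality = $rootDse.forestFunctionality
            Reachable           = $true
        }
    } catch {
        Write-Warning "Cannot bind to $Domain : $($_.Exception.Message)"
        [pscustomobject]@{ Domain = $Domain; Reachable = $false }
    }
}

Test-SRTrust -Domain $trustedDomain
```

If the trust uses selective authentication, the SR host computer account additionally needs the "Allowed to authenticate" permission in the user domain; a successful Get-ADRootDSE alone does not prove that users can log on.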

Azure AD

Change the SR accounts to Azure AD accounts and use Azure AD as the identity provider for the SR login.

The SR ISE Add-on cannot be used with Azure AD!

Claim-based identity

• When to use: in non-trusted domain environments and in resource domain environments, for example:
  • users of non-trusted customer domains need group claims to access SR in the "home" domain
  • SR runs in a resource domain while the users (and their groups) live in a separate "user domain"
• GroupSID claims are evaluated by SR by default for claim-based authentication
• ADFS handles access management
  • The authentication option must be set in SR (cmdlet Set-AsrSTSOptions, select Authmode ADFS)
  • Default claims: see the Microsoft documentation
  • Custom claim types are possible
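On the AD FS side the relying party trust for SR has to issue the claim types SR evaluates. The following is an added example, not code from the ScriptRunner documentation or product: it passes through the primary SID and group SID claims from the Windows token, adds a custom claim type read from an AD attribute, and restricts token issuance to users that carry at least one group SID. The relying party name ScriptRunner and the custom claim URI http://example.com/claims/department are assumptions; the SR side (Set-AsrSTSOptions with Authmode ADFS) is configured separately as described above.

```powershell
# Added example, not part of the ScriptRunner documentation: AD FS issuance rules
# for the claim types SR evaluates. Run on the AD FS server.
# Assumed: relying party display name "ScriptRunner", custom claim type
# "http://example.com/claims/department".
Import-Module ADFS

$rpName = 'ScriptRunner'   # assumed display name of the relying party trust for SR

# Issuance transform rules in AD FS claim rule language.
$transformRules = @'
@RuleName = "Pass through primary SID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
 => issue(claim = c);

@RuleName = "Pass through group SIDs"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"]
 => issue(claim = c);

@RuleName = "Custom claim type: department from AD attribute"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://example.com/claims/department"), query = ";department;{0}", param = c.Value);
'@

# Issuance authorization rules: only users with at least one group SID get a token
# for SR at all. The actual role mapping still happens in SR; this is defence in depth.
$authorizationRules = @'
@RuleName = "Require a group SID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules

# Verify what AD FS actually stored for the relying party.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp.IssuanceTransformRules
$rp.IssuanceAuthorizationRules
```

The group SID claims carry the SIDs of the user's token groups, so the values configured in SR for this scenario are the same SIDs that Get-ADGroup returns in the user domain.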

Local Identity (Windows integrated authentication)

• Local users (accounts on the SR machine itself)

Suitable for testing only; not recommended for production use.