authentication
note
authentication is supported in the standalone matlab® web app server™ product and not the development version included in matlab compiler™. for details, see .
prerequisite
enable ssl on the server. for more information, see .
create webapps_authn.json
file
authentication lets you validate a user's credentials and helps you control which users can access web apps deployed on the server.
matlab web app server supports authentication using lightweight directory access protocol (ldap) and openid connect (oidc).
to enable authentication:
check if ssl is enabled. for more information, see .
create a file named
webapps_authn.json
and place it in thewebapps_private
folder, which is located within theconfig
folder. the format forwebapps_authn.json
depends on whether you are using ldap or oidc for authentication.the
webapps_private
folder can be found in:operating system folder location windows®
%programdata%\mathworks\webapps\r2023a\config\webapps_private
linux®
/local/mathworks/webapps/r2023a/config/webapps_private
macos
/library/application support/mathworks/webapps/r2023a/config/webapps_private
ldap authentication
an ldap directory server stores information about users, groups, and applications. each entry in the directory consists of three components: a distinguished name (dn), a collection of attributes, and a collection of object classes.
to use ldap authentication, create a file named
webapps_authn.json
using the following json schema and
place it in the webapps_private
folder.
{
"version": "1.2.0",
"type": "ldap",
"authnconfig": {
"host": "",
"port": "",
"searcherdn": "",
"searcherpassword": "",
"basedn": "",
"userfilter": ""
},
"appconfig": {
"checksslca": "",
"trustedsslca": "",
"displayname": "",
"tokenexpirationmin": "",
"userattributename": "",
"groupattributename": ""
}
}
version: specify the version of the json schema. default value for r2023a is:
1.2.0
.type: specify the type of authentication to use. set this value to
ldap
.host: specify the ldap directory server host name. for example:
myldap.example.com
.port: (optional) specify the ldap directory server port number. for example:
389
. if a port number is not specified, the default port will be used. the matlab web app server uses ssl/starttls to secure communication with the ldap server. this ensures that usernames and passwords that are transmitted through an encrypted channel between matlab web app server and the ldap server. by default, the server uses the standard port636
for ssl on windows and port389
for starttls on linux and macos. the ldap server must be configured to allow ssl/starttls connection over the specified (or default) ldap port; otherwise, authentication will fail.searcherdn: specify the searcher account's dn in the directory. the default value is
""
. searcher dn refers the account allowed to search the ldap directory server. for example:"cn=admin,dc=example,dc=com"
.searcherpassword: searcher account's password. the default value is
""
.matlab web app server uses the values for
searcherdn
andsearcherpassword
to search for a user's dn using auserfilter
. the discovered dn is subsequently validated against with the entered password through ldap. values forsearcherdn
andsearcherpassword
are not required if the ldap server provides access for anonymous authentication.since the
webapps_authn.json
file lives within thewebapps_private
folder, which is only readable by the server account, the searcher’s credentials are protected from apps or other users who log in to the server.basedn: specify the base dn in the directory. the base dn is the location in the directory where the application starts searching for a user. for example:
dc=myldap,dc=example,dc=com
.userfilter: specify a filter to find a user's dn. matlab web app server uses
userfilter
to find the user’s dn that matches the entered username, represented as {username} in the filter. if no match is found or multiple matches are found, authentication fails. the filter can be specified using standard ldap filter syntax. for example:(&(objectclass=user)(samaccountname={username}))
.checksslca: check whether the ldap server's ssl certificate was signed by a recognized certificate authority (ca). setting this property to
true
checks for a valid ssl certificate and setting it tofalse
with forgo checking. if set totrue
, you need to specify a value for trustedsslca. if set tofalse
, usernames and passwords are still transmitted between matlab web app server and the ldap server through an encrypted channel. however, this check is recommended for additional security.trustedsslca: on linux and macos systems, specify the path to the root certificate issued by the certification authority (ca) that signed the site certificate. on windows systems, you do not need to specify the path. as long as the root certificate is in the trusted root certification authorities certificate store, matlab web app server will automatically find it.
displayname: configure how the user's identity is displayed on the matlab web app server home page by specifying an attribute of a user’s ldap entry. for example, setting this property to
uid
displays the user id. default is the username that is entered during the authentication process.tokenexpirationmin: specify the token expiration duration in minutes. for example:
60
. default value is""
, which means the tokens do not expire.userattributename: specify an attribute name to identify user objects. for example:
uid
. you must set a value for this property if you use policy-based access. otherwise, do not include this property in your json file. for more information, see policy-based access.groupattributename: specify an attribute name to identify group objects. for example:
member
. you must set a value for this property if you use policy-based access. otherwise, do not include this property in your json file. for more information, see policy-based access.
example webapps_authn.json
file for ldap
{
"version": "1.2.0",
"type": "ldap",
"authnconfig": {
"host": "myldap.example.com",
"port": "",
"searcherdn": "",
"searcherpassword": "",
"basedn": "dc=myldap,dc=example,dc=com",
"userfilter": "(&(objectclass=user)(samaccountname={username}))"
},
"appconfig": {
"checksslca": "false",
"trustedsslca": "",
"displayname": "uid",
"tokenexpirationmin": "60"
}
}
example webapps_authn.json
file for ldap when using policy-based access
{
"version": "1.2.0",
"type": "ldap",
"authnconfig": {
"host": "myldap.example.com",
"port": "",
"searcherdn": "",
"searcherpassword": "",
"basedn": "dc=myldap,dc=example,dc=com",
"userfilter": "(&(objectclass=user)(samaccountname={username}))"
},
"appconfig": {
"checksslca": "false",
"trustedsslca": "",
"displayname": "uid",
"tokenexpirationmin": "60",
"userattributename": "uid",
"groupattributename": "memberof"
}
}
oidc authentication
openid connect (oidc) allows matlab web app server to verify the identity of an end user based on the authentication performed by a third-party identity provider (idp). to use oidc authentication on the server, you need to register with an idp such as microsoft® azure® ad, or google® identity platform.
to use oidc authentication, create a file named
webapps_authn.json
using the following json schema and
place it in the webapps_private
folder.
{
"version": "1.3.0",
"type": "oidc",
"authnconfig": {
"issuer": "",
"clientid": "",
"clientsecret": "",
"redirecturl": "",
"scope": [" "]
},
"appconfig": {
"port": "",
"displayname": "",
"tokenexpirationmin": "",
"userattributename": "",
"groupattributename": "",
"prompt":
}
}
version: specify the version of the json schema. the default value for r2023a is:
1.2.0
.type: specify the type of authentication to use. set this value to
oidc
.issuer: specify the oidc idp issuer uri. for example, if using google identity platform:
https://accounts.google.com/.well-known/openid-configuration
.clientid: specify the client id you obtained while registering your credentials with an idp. for example, if using google identity platform:
1234567890-xxxxxxxxxxxx.apps.googleusercontent.com
.clientsecret: specify the client secret you obtained while registering your credentials with an idp. for example, if using google identity platform:
_xxxxxxxxxxxxx_xxxxxx_xx
.since the
webapps_authn.json
file lives within thewebapps_private
folder, which is only readable by the server account, clientid and clientsecret are protected from apps or other users who log in to the server.redirecturl: (optional) specify the redirect url you used while configuring oidc authentication with the idp. if left empty, the host name and port number of the computer running the matlab web app server is used as a callback. the format of the url is:
https://
. for example, if matlab web app server is running on port: /webapps/extauth/callback 9988
, then the redirect url is:https://example.com:9988/webapps/extauth/callback
.prior to r2021a, the format of the redirect url was:
https://
. for example:: /oidc/callback https://example.com:3000/oidc/callback
.scope: specify the identifiers for resources that an administrator wants matlab web app server to access. for example, if using google identity platform:
openid profile email
.port: (optional) specify the port number used by the matlab web app server process internally for oidc authentication. for example:
4000
. this port number must be different from theredirecturl
port number. if a port number is not specified, the matlab web app server process automatically picks a port for oidc authentication.displayname: configure how the user's identity is displayed on the matlab web app server home page, by specifying an attribute name of an authenticated user object. for example, if using google identity platform,
given_name
displays the user's name. the default is thesub
attribute.tokenexpirationmin: specify the token expiration duration in minutes. for example:
60
. the default value is""
, which means the tokens do not expire.userattributename: specify an attribute name to identify user objects. for example:
uid
. you must set a value for this property if you use policy-based access. otherwise, do not include this property in your json file. if you are not using policy-based access but decide to include this property in your json file, set the value to""
. for more information, see policy-based access.groupattributename: specify an attribute name to identify group objects. for example:
member
. you must set a value for this property if you use policy-based access. otherwise, do not include this property in your json file. if you are not using policy-based access but decide to include this property in your json file, set the value to""
. for more information, see policy-based access.prompt: specify whether you want to re-authenticate a user who is already logged-in to an identity provider (idp).
if
"prompt"
is set to"true"
, then a user must re-authenticate even if logged-in to an idp.if
"prompt"
is set to"false"
, and a user is logged-in to an idp, then the idp login screen is avoided. if the user is not logged-in, then a user must re-authenticate by logging-in.if no
"prompt"
field and value is specified, then the"prompt"
field is taken to be"true"
. this is the default.
note
if you use oidc authentication, you need to register matlab web app server as an application with the idp.
during the registration process, you need a redirect url for matlab web app server. the format of the url is:
https://
. for example:: /webapps/extauth/callback https://example.com:9988/webapps/extauth/callback
.
example webapps_authn.json
file for oidc using google identity platform
{
"version": "1.2.0",
"type": "oidc",
"authnconfig": {
"issuer": "https://accounts.google.com/.well-known/openid-configuration",
"clientid": "1234567890-xxxxxxxxxxxx.apps.googleusercontent.com",
"clientsecret": "_xxxxxxxxxxxxx_xxxxxx_xx",
"redirecturl": "https://example.com:9988/webapps/extauth/callback",
"scope": ["openid profile email"]
},
"appconfig": {
"port": "4000",
"displayname": "given_name",
"tokenexpirationmin": "60"
}
}
tip
after setting up authentication, if you are unable to login from your browser, try clearing your browser's cache and cookies, or try a different browser.
caution
the json schema syntax for webapps_authn.json
is
strictly enforced. errors in the schema syntax may result in the server not
starting, or being denied access to the server when you try to login.