'gateway-ng' Service

enaio® 11.10

The 'gateway-ng' service integrates identity providers for OAuth2/OIDC authentication for enaio® webclient and enaio® webclient as a desktop application.

The following restrictions currently apply to the integration of identity providers:

  • enaio® mobile is not yet supported.

  • User administration is not available in enaio® webclient. The featureSwitches.userManagement parameter must be disabled.

  • The 'Change password' function is not available. The featureSwitches.changePassword parameter must be disabled.

  • Offline mode is not available for enaio® webclient as a desktop application.

  • Users cannot enter their password to confirm subscriptions, follow-ups, or the forwarding of work items, not even via a script.

  • Web client URL links that are copied and shared by a user who is logged in to enaio® webclient via an identity provider can only be opened by users who are also logged in via the identity provider.

  • Access tokens such as the session GUID from the osrest/api/session endpoint or via the parameters from the different integration options cannot be used.

  • enaio® Outlook Add-In NG uses an access token (session GUID) to communicate with enaio® webclient as a desktop application and can therefore not be used.

  • OAuth2/OIDC authentication cannot be used for enaio® search NG. Only Basic Auth, NTLM, and Kerberos are supported.

The 'gateway-ng' service is not activated during installation. It must be fully configured for authentication before it is activated by setting instances: 1 in the servicewatcher-sw.yml file; otherwise the service cannot start correctly.

Configuration

The configuration is carried out in the gateway-ng-prod.yml configuration file located in the \services\service-manager\config\ directory.

The following must be specified for the configuration:

  • the connections to enaio® appconnector, enaio® documentviewer, and enaio® rendition;

  • the connections to identity providers;

  • integration via enaio® appconnector;

  • a profile for enaio® webclient as a desktop application also needs to be created.

Port 80 is the preset port for the 'gateway-ng' service. You can change the port via the servicewatcher-sw.yml file located in the \services\service-manager\config\ directory. If enaio® gateway is installed on the same server and already uses port 80, the port must be changed.

Connections to enaio® appconnector, enaio® documentviewer, and enaio® rendition

The connection data is auto-populated with the default ports for connections on the same server.

If a service runs on another server or port, edit the corresponding uri entry.

spring:
  cloud:
    gateway:
      routes:
        - id: osrest_route
          uri: http://localhost:8060
          predicates:
            - Path=/osrest/**
        - id: osdocumentviewer_route
          uri: http://localhost:8070
          predicates:
            - Path=/osdocumentviewer/**
        - id: osrenditioncache_route
          uri: http://localhost:8070
          predicates:
            - Path=/osrenditioncache/**

Connections to Identity Providers

A connection configuration for Azure/Entra ID with placeholders is auto-populated.

Replace the placeholders with your data: tenant ID, client ID, and client secret.

security:
  oauth2:
    resourceserver:
      jwt:
        user-name-attribute: name
        issuer-uri: https://login.microsoftonline.com/<tenant-id>/v2.0
    client:
      registration:
        azure:
          provider: azure
          client-id: <client-Id>
          client-secret: <client-Secret>
          scope: openid
      provider:
        azure:
          issuer-uri: ${spring.security.oauth2.resourceserver.jwt.issuer-uri}
          user-name-attribute: ${spring.security.oauth2.resourceserver.jwt.user-name-attribute}

Example for Keycloak:

security:
  oauth2:
    resourceserver:
      jwt:
        user-name-attribute: preferred_username
        # Tokens are validated against this issuer; use https:// in production.
        issuer-uri: http://<IP:Port>/realms/<tenant-id>
    client:
      registration:
        keycloak:
          provider: keycloak
          client-id: <client-id>
          authorization-grant-type: authorization_code
          scope: openid
          client-secret: <client-secret>
      provider:
        keycloak:
          issuer-uri: ${spring.security.oauth2.resourceserver.jwt.issuer-uri}
          user-name-attribute: ${spring.security.oauth2.resourceserver.jwt.user-name-attribute}

Gateway Integration

The 'gateway-ng' service is integrated by way of the following parameters in the osrest.properties configuration file.

fileservice.contentviewerurl http(s)://<gateway-ng>/applet/contentviewer/index.html?osid={OBJECTIDENT}
fileservice.documentviewerurl http(s)://<gateway-ng>/applet/pdfview/web/viewer.html?osid={OBJECTIDENT}&q={searchterm}
fileservice.detailsviewerurl http(s)://<gateway-ng>/applet/detailsviewer/index.html?osid={OBJECTIDENT}

Routing Services

If you want services to be routed in the project via the 'gateway-ng' service without authentication, add further entries to the comma-separated list in the gateway-ng-prod.yml configuration file according to the same pattern:

gateway:
  endpoints:
    exposed: '/colab/**,/msteamsactions/**'

All accompanying services must always be specified in the comma-separated list. The colab and msteamsactions entries are always required.
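Because the service refuses to start when the configuration is incomplete, a pre-activation check of gateway-ng-prod.yml is useful. The following checker is an added example, not part of enaio® or this documentation: it works line by line on a constructed sample fragment (a placeholder left in, a plain-http issuer, a required exposed endpoint missing) and reports unreplaced placeholders, non-HTTPS issuer-uri values, missing routes for the three backends listed above, and missing entries in the exposed list.

```python
import re

# Constructed gateway-ng-prod.yml fragment (sample data, not a real deployment).
SAMPLE_CONFIG = """\
spring:
  cloud:
    gateway:
      routes:
        - id: osrest_route
          uri: http://localhost:8060
          predicates:
            - Path=/osrest/**
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: http://10.0.0.5:8080/realms/<tenant-id>
      client:
        registration:
          keycloak:
            client-id: enaio-webclient
            client-secret: example-secret
gateway:
  endpoints:
    exposed: '/colab/**'
"""

REQUIRED_EXPOSED = {"/colab/**", "/msteamsactions/**"}
REQUIRED_ROUTES = {"/osrest/**", "/osdocumentviewer/**", "/osrenditioncache/**"}

def check_gateway_config(text):
    """Return a list of findings; an empty list means the fragment passed."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        # Unreplaced <placeholder> tokens mean the IdP connection is incomplete.
        for ph in re.findall(r"<[^>]+>", line):
            findings.append(f"line {n}: placeholder {ph} not replaced")
        # Tokens are validated against this issuer; plain HTTP exposes them in transit.
        m = re.search(r"issuer-uri:\s*(\S+)", line)
        if m and m.group(1).lower().startswith("http://"):
            findings.append(f"line {n}: issuer-uri uses plain http")
    # Every backend the page lists must have a Path predicate.
    paths = set(re.findall(r"Path=(\S+)", text))
    for p in sorted(REQUIRED_ROUTES - paths):
        findings.append(f"no route for {p}")
    # The exposed list must still contain the accompanying services.
    m = re.search(r"exposed:\s*'([^']*)'", text)
    exposed = {e.strip() for e in m.group(1).split(",")} if m else set()
    for e in sorted(REQUIRED_EXPOSED - exposed):
        findings.append(f"exposed list missing {e}")
    return findings
```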