
Securing MarkLogic Server

Terms Used in This Section

GENERAL TO EXTERNAL SECURITY:

  • Authentication: The process of verifying user credentials (such as a username-and-password combination, a certificate, a ticket, or a token) with an external agent and then associating the current session with the authenticated user. Authentication by itself grants no access or authority to perform any action on the system. It can be done either internally, against internal users, or externally, through an external agent.

  • Authorization: The process of assigning a pre-configured role to the authenticated user. Roles define what an authenticated user is allowed to do on MarkLogic Server. Once a user is externally authenticated, MarkLogic Server matches the user information that the external agent provides to either an internal user (internal authorization) or a role (external authorization).

  • External agent: A third-party user information provider. External agents can authenticate user credentials across multiple servers and applications.

  • External authorization: The process by which MarkLogic Server searches the Security database for a role whose external name matches certain information extracted from the external agent’s authentication response. This occurs when the authorization field within the external security object is set to an option other than internal.

  • External name: A string value that MarkLogic Server uses during authorization to match information from the external agent’s authentication response to the proper user (internal authorization) or role (external authorization).

  • External security object: A named configuration that you create to assign to an app server. This object specifies which authentication protocol and authorization scheme that app server should use, along with any other parameters necessary for integration with the external agent. Multiple app servers can use the same object.

  • External security name: The name that you give to the external security object when you configure it. You use this name when you assign a particular external security object to an app server.

  • External user: A user that exists in an external agent’s system rather than in the MarkLogic Server Security Database.

  • Internal authorization: The process by which MarkLogic Server searches the Security database for a user whose external name matches certain information extracted from the external agent’s authentication response. This occurs when the authorization field within the external security object is set to internal.

  • Internal user: A user that exists in the MarkLogic Server Security Database.

  • Temporary user: An in-memory user that MarkLogic Server temporarily creates for external authorization. Its username and roles depend upon how the external security object and external name are configured.

SPECIFIC TO AUTHENTICATION METHODS:

  • Lightweight Directory Access Protocol (LDAP): An authentication protocol for accessing server resources over the internet or an intranet. An LDAP server provides a centralized user database where one password can be used to authenticate a user for access to multiple servers in the network. LDAP is supported on Active Directory on Windows Server 2008 and OpenLDAP 2.4 on Linux and other Unix platforms.

    Note

    If running MarkLogic Server on Windows and using LDAP authentication to authenticate users, the username must include the domain name in this form: userName@domainName.

  • Kerberos: A ticket-based authentication protocol for trusted hosts on untrusted networks. Kerberos provides users with encrypted tickets that can be used to request access to particular servers. Because Kerberos uses tickets, the user and the server can verify each other's identity, and user passwords never have to cross the network.

    Note

    When application-level authentication is enabled with Kerberos authentication, an application can use xdmp:gss-server-negotiate() to obtain a username that can be passed to xdmp:login() to log into MarkLogic Server.

  • Distinguished Name (DN): A sequence of Relative Distinguished Names (RDNs), which are attributes with associated values expressed in the form attribute=value. Within a DN, RDNs are separated by commas. For example, to identify the user, joe, as having access to the server MARKLOGIC1.COM, the DN for joe would look like this: UID=joe,CN=Users,DC=MARKLOGIC1,DC=COM.

    Note

    The attributes after UID make up what is known as the Base DN.

    For details on LDAP DNs, see http://www.rfc-editor.org/rfc/rfc4514.txt.

  • Principal: A unique identity to which Kerberos can assign tickets. For example, in Kerberos, a user is a principal consisting of a username and a realm, which names the server resource. Each user or service that participates in a Kerberos authentication realm must have a principal defined in the Kerberos database.

    A user principal is defined by the format: username@REALM.NAME. For example, to identify the user, joe, as having access to the server MARKLOGIC1.COM, the principal might look like this: joe@MARKLOGIC1.COM.

    For details on Kerberos principals, see http://www.kerberos.org/software/tutorial.html#1.3.2.

  • Certificate Authentication: An authentication method that enables HTTPS clients to authenticate themselves to MarkLogic Server via a client certificate, either in addition to, or instead of, a password.

  • SAML (Security Assertion Markup Language): An authentication method that defines a Principal (such as a user), an Identity Provider (IDP), and a Service Provider (SP). In this scheme, the Principal requests a service from the Service Provider, which accesses the Identity Provider to authorize the Principal. MarkLogic Server supports SAML, version 2.0.

    Note

    MarkLogic Server currently only supports SOAP binding over HTTPS.

  • SAML Entity: An XML document located in the MarkLogic Server Security database that serves as the SAML Identity Provider.
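The DN format described under Distinguished Name (DN) above, worked through as an added example that is not part of the MarkLogic documentation: a small RFC 4514 parser in Python that splits a DN into its RDNs while honouring backslash escaping, plus a helper that returns the Base DN (everything after the first RDN). It goes slightly beyond the glossary entry by also handling multi-valued RDNs joined with `+` and `\XX` hex escapes. Apart from the documentation's own UID=joe,CN=Users,DC=MARKLOGIC1,DC=COM, the sample DNs are constructed for this example.

```python
"""RFC 4514 Distinguished Name parsing (added example, not MarkLogic code).
Splits a DN into RDNs while honouring backslash escaping, so an escaped
comma inside a value ("Smith\\, John") is not mistaken for an RDN separator."""
from typing import List, Tuple

# One RDN may hold several attribute=value pairs joined by '+' (multi-valued RDN).
RDN = List[Tuple[str, str]]

_SPECIALS = ',+"\\<>;'   # characters that must be backslash-escaped inside a value


def _escaped_at(s: str, idx: int) -> bool:
    """True when s[idx] is preceded by an odd number of backslashes (i.e. escaped)."""
    n, j = 0, idx - 1
    while j >= 0 and s[j] == "\\":
        n, j = n + 1, j - 1
    return n % 2 == 1


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split s on sep, skipping separators that are escaped."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])        # keep the escape pair intact for _unescape
            i += 2
        elif s[i] == sep:
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(s[i])
            i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value: str) -> str:
    """Resolve '\\X' (escaped special char) and '\\XX' (hex-encoded UTF-8 byte) sequences."""
    out, raw, i = [], bytearray(), 0

    def flush() -> None:                  # decode any pending hex bytes as one UTF-8 run
        if raw:
            out.append(raw.decode("utf-8", errors="replace"))
            raw.clear()

    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                raw.append(int(pair, 16))
                i += 3
                continue
            flush()
            out.append(value[i + 1])
            i += 2
            continue
        flush()
        out.append(value[i])
        i += 1
    flush()
    return "".join(out)


def _trim(val: str) -> str:
    """Drop insignificant surrounding spaces; an escaped trailing space stays."""
    val = val.lstrip(" ")
    while val.endswith(" ") and not _escaped_at(val, len(val) - 1):
        val = val[:-1]
    return val


def parse_dn(dn: str) -> List[RDN]:
    """Parse a DN string into a list of RDNs, each a list of (attribute, value) pairs."""
    rdns: List[RDN] = []
    for rdn_text in _split_unescaped(dn, ","):
        pairs: RDN = []
        for ava in _split_unescaped(rdn_text, "+"):
            attr, eq, val = ava.partition("=")
            if not eq or not attr.strip():
                raise ValueError(f"malformed RDN component: {ava!r}")
            pairs.append((attr.strip(), _unescape(_trim(val))))
        rdns.append(pairs)
    return rdns


def escape_value(value: str) -> str:
    """Escape a raw attribute value for inclusion in a DN string (inverse of _unescape)."""
    out = "".join("\\" + c if c in _SPECIALS else c for c in value)
    if value.endswith(" "):
        out = out[:-1] + "\\ "
    if value.startswith("#") or (value.startswith(" ") and len(value) > 1):
        out = "\\" + out
    return out


def format_dn(rdns: List[RDN]) -> str:
    """Serialise parsed RDNs back into a DN string."""
    return ",".join("+".join(f"{a}={escape_value(v)}" for a, v in rdn) for rdn in rdns)


def base_dn(dn: str) -> str:
    """Return the Base DN: everything after the first (most specific) RDN."""
    return format_dn(parse_dn(dn)[1:])


if __name__ == "__main__":
    # The DN from the documentation, plus a constructed one with an escaped comma.
    for sample in ("UID=joe,CN=Users,DC=MARKLOGIC1,DC=COM",
                   "CN=Smith\\, John,OU=Users,DC=example,DC=com"):
        print(sample, "->", parse_dn(sample), "| base:", base_dn(sample))
```

The point for external security configuration is that external names are matched against strings taken from the agent's response. Anything that splits a DN naively on commas counts five components in CN=Smith\, John,OU=Users,DC=example,DC=com instead of four and computes the wrong Base DN, so when building or comparing external names, parse with the escaping rules rather than with a plain split.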