Post-Deployment Optional Application Configuration

This section provides details on post-deployment configurations of Syndeia Cloud.

Administrator Access

A Syndeia Cloud installation allows offers at least one super-user administrator account.

The initial setting for the administrator account is name: super.user and password: syn45ia

To prevent accidental system lock-outs, the designated super user account cannot be deleted.   

 We strongly recommend changing the super.user password from the default, and adding to a secure password vault so your admin team can retrieve it later.

Advanced Authentication Methods

Syndeia Cloud (SC) currently supports 3 different types of authentication mechanisms:

  • Local Authentication : best for small-size organizations that do not have a central directory service (supported automatically out-of-the-box and required for administrative operations)

  • LDAP Authentication : best for medium-size organizations that (typically) have an internal-only directory service

  • SAML2 Authentication : best for large-size organizations that have multiple web-based applications needing centralized control over more sophisticated authentication methods (typically supporting 2-Factor Authentication (2FA) / Multi-factor Authentication (MFA), Common Access Control (CAC) cards, SMS, etc. ) and authorization control

A SC administrator should select an authentication mechanism based on their organizational requirements and review the relevant configuration pages below for further steps:

Managing Users

A typical Syndeia Cloud deployment will most likely have application users beyond just the super.user. Take this time to go through the provisioning process for those users. Depending on the Authentication Method chosen, the steps differ slightly. For any of the methods below, please see the https://intercax.atlassian.net/wiki/spaces/SYN36/pages/3395322092 page to perform these operations:

  • Local Authentication : Create accounts individually in the Web Dashboard’s User Management page

  • LDAP Authentication : Once SC has had LDAP successfully configured, you can either:

    • A: invite those users to login to SC. Once the user has logged in for the first time, an LDAP profile will be auto-created for them and the user will appear in the Web Dashboard. You can then go and modify their permissions from the default Read-only permissions.

    • B: Pre-create those users using their email addresses in the Web Dashboard.

  • SAML2 Authentication : Once SC has had SAML successfully configured, you can either:

    • A: invite those users to login to SC. Once the user has logged in for the first time, a SAML2 profile will be auto-created for them and the user will appear in the Web Dashboard. You can then go and modify their permissions from the default Read-only permissions.

    • B: Pre-create those users using their email addresses in the Web Dashboard.

Note, there is currently no bulk user creation operation in SC (this is currently being implemented), however it is possible to bulk modify user permissions

Repository Configuration

A deployed Syndeia Cloud application provides the most benefit when linked to the various supported external Repository types, ex: Aras Innovator, Atlassian Bitbucket/Confluence/JIRA, jFrog Artifactory, GitHub, etc. A super.user by default has the REPOSITORY_CREATE permission to add/define external Repositories. However, depending on who is an administrator for that external repository, you may or may not have access to add them.

Syndeia Cloud only acts as a proxy for each individual user when it accesses any external Repository. Each user has to supply their specific credentials for each repository that they interact with either directly or through Syndeia.

Syndeia Cloud does NOT store those credentials into its database.

To manage your access to individual repositories, see https://intercax.atlassian.net/wiki/spaces/SYN36/pages/3330190729

JWT Token Signing Algorithm 3.6 SP1

Starting with Syndeia 3.6 SP1, Syndeia IT admins may select RS256 instead of the default HS256 as the signing algorithm for JWT tokens generated by Syndeia Cloud during authentication. This may be especially required for enabling FIPS mode.

  1. Open the silhouette.conf file located in web-gateway/conf in the Syndeia Cloud deployment.

  2. Change the default value of the setting authenticator.signingAlgorithm from HS256 to RS256.

  3. Add a valid PEM certificate with both the private and public key as the value of authenticator.sharedSecret setting, as shown in lines 28-33 in the screenshot below. Use triple quotes (“““) to enclose the multi-line value.

  4. Comment out the authenticator.sharedSecret setting shown in line 35. There should be only one entry for authenticator.sharedSecret setting.

  5. Save the file and restart the web-gateway service.

image-20240819-204757.png

Â