3

I am using MarkLogic server 10. The admin interface has authentication setup as "Digest". So, when I open https://localhost:8001, it prompts for user id/password and opens the admin interface.

I need to do this authentication using Azure AD. So, I opted to go for SAML integration instead of "Digest". SAML integration is done and I set the "internal security" to false.

The issue is that when the https://localhost:8001 URL is hit after the azure authentication is completed, I get an error. It says "SEC-NOADMIN: (err:FOER0000) User does not have the admin role.".

My understanding is that it is happening because my Azure AD user is not being recognized in Marklogic. I believe I have to do a mapping between existing MarkLogic user and my AD user. Though the problem is that I am not able to do it. I explored documentation. There are solutions for LDAP and Kerberos but nothing for Azure AD.

Can somebody please confirm if Azure authentication is doable on Marklogic admin or not? If yes, please help me know the solution.

Thanks all in advance.

MarsTelnet
  • 471
  • 7
  • 18

1 Answers1

1

When you use external authentication like Azure AD, that service will authenticate, but it will also tell MarkLogic something about who you are. The SAML information that comes back will come back with the names or IDs (depending on configuration) of groups that you belong to. The part you're probably missing is the connection between these groups and the MarkLogic roles.

In the MarkLogic Admin UI, take a look at a role definition. You'll see there's a section called "external name". You need to add an external name for the admin role that matches up with an AD group that should grant access to this role. Again, that might be a name or ID, depending on how your external security object is configured.

References:

Dave Cassel
  • 8,352
  • 20
  • 38