User Authentication Methods
VOSS-4-UC supports the following authentication modes for administrators or end users when accessing the system:
- Local authentication
- LDAP Authentication
- Single-Sign-on (SSO)
The type of authentication used for a given user to access the system is determined by the user setup. The Auth Method setting determines the authentication method:
Automatic: the authentication method is determined by the system setup, that is, by the presence and viability of LDAP servers, SSO IdPs, and so on.
Viability is determined by the Scope, User Type and Auth Enabled settings on the server:
- If a viable IdP server is detected, authentication will default to SSO. Since this requires using the special SSO Login URL, login from the VOSS-4-UC login page will fail.
- If viable LDAP servers are found, authentication will be attempted against each server until one is successful or all fail.
- If neither of the above external servers is found, local authentication will occur.
Authentication is done in the following order of precedence in the user’s hierarchy or above:
- Local user, only if there is no LDAP server or SSO IdP in this hierarchy or above.
- LDAP server
- SSO identity provider (IdP)
Local: the authentication of the user is based on a password set and stored locally in VOSS-4-UC. The VOSS-4-UC credential policy is fully utilized in this method and defines the rules for the password (complexity, aging, etc.) as well as further limits on session length, and so on.
Local authentication can be done using username or email address. Local authentication will be blocked if there are external authentication servers higher in the path. Currently these are SSO IdP and LDAP servers. If these are found and are viable authentication servers in terms of the server’s Scope, User Type and Authentication Enabled settings, then local authentication will be bypassed.
LDAP: the authentication method is LDAP authentication. Additional details can be provided to tie the user to a specific LDAP server, or to give an alternate username that matches the one in LDAP (default is the VOSS-4-UC username). When using LDAP authentication, the password rules that are part of the credential policy in VOSS-4-UC do not apply, since the password is managed in the LDAP directory. Other credential policy rules, such as session length, are still applied, since these are managed by VOSS-4-UC.
SSO: the authentication method is Single Sign-on (SSO). Additional details can be provided to tie the user to a specific SSO IdP server, or to give an alternate username that matches the one in the IdP (default is the VOSS-4-UC username). The VOSS-4-UC credential policy is not relevant, since password rules, session length, and so on are all managed by the IdP outside of VOSS-4-UC.
Single Sign-on support is for authentication only. It does not make use of authorization capabilities that are possible via SAML to control the user’s permissions within the application.
No logout is supported when using SSO (single sign-out). In other words, VOSS-4-UC will not initiate the termination of a session with the IdP - the VOSS session stays active as long as there is an active IdP session.
See also: Single Sign On (SSO) Overview.
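The Automatic resolution and the local-authentication bypass described above can be modelled to check which users fall back to locally stored passwords. The following is an added example, not VOSS-4-UC code: the AuthServer fields, the dotted hierarchy paths and the way Scope and User Type are encoded are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class AuthServer:
    kind: str                                  # "ldap" or "sso" (IdP)
    hierarchy: str                             # dotted path where the server is configured
    auth_enabled: bool = True                  # Auth Enabled setting
    user_types: tuple = ("admin", "enduser")   # assumed encoding of User Type
    full_tree: bool = True                     # assumed encoding of Scope; False = own level only

def is_viable(server, user_hierarchy, user_type):
    """A server counts only if enabled, matching the user type, and at or above the user."""
    if not server.auth_enabled or user_type not in server.user_types:
        return False
    if server.hierarchy == user_hierarchy:
        return True
    above = user_hierarchy.startswith(server.hierarchy + ".")
    return above and server.full_tree

def resolve_automatic(servers, user_hierarchy, user_type):
    """Return (method, candidate servers) for a user whose Auth Method is Automatic."""
    viable = [s for s in servers if is_viable(s, user_hierarchy, user_type)]
    idps = [s for s in viable if s.kind == "sso"]
    if idps:
        return "sso", idps      # login page fails; the SSO Login URL is required
    ldaps = [s for s in viable if s.kind == "ldap"]
    if ldaps:
        return "ldap", ldaps    # each server is tried until one succeeds or all fail
    return "local", []          # no viable external server: local password applies

def local_login_allowed(servers, user_hierarchy, user_type):
    """Local authentication is bypassed whenever a viable external server exists."""
    return resolve_automatic(servers, user_hierarchy, user_type)[0] == "local"

# Constructed sample configuration (hypothetical hierarchy names).
SERVERS = [
    AuthServer("sso", "sys.prov.custA"),
    AuthServer("ldap", "sys.prov.custA.site1", user_types=("enduser",)),
    AuthServer("ldap", "sys.prov.custB", auth_enabled=False),
    AuthServer("ldap", "sys.prov", full_tree=False),
]
```

In this model, a server that is disabled or scoped away from a user leaves that user on local authentication, so the VOSS-4-UC credential policy is the only password control for them.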
Authentication Method Setting Rules
When adding or modifying users, the user’s Authentication Method is set according to:
- the rules below
- the User Default Auth Method setting in the system Global Settings.
See: Global Settings.
Action | Auth Method Setting Rule |
---|---|
Add user from GUI | GUI default to Global Setting, but can be changed. |
Modify user from GUI | GUI default to current user Auth Method, but can be changed. |
LDAP Add user sync | Automatic |
LDAP modify user sync | Leave setting as is. |
Unified CM add user | Apply setting from Global Settings. |
Unified CM modify user | Leave setting as is. |
Quick Add Subscriber add user | Apply setting from Global Settings. |
Quick Add Subscriber modify user | Leave setting as is. |