.. _user-authentication-methods:

User Authentication Methods
---------------------------

.. _20.1.1|VOSS-551|EKB-7380:

VOSS-4-UC supports the following authentication modes for accessing the system (for administrators and 
end users):

* Local authentication
* LDAP Authentication
* Single Sign-on (SSO)

The user's setup determines the type of authentication required to access the system. 

The table describes the **Auth Method** settings that determine the authentication method:

.. tabularcolumns:: |p{5cm}|p{10cm}|

+---------------+-----------------------------------------------------------------------------------+
| Auth Method   | Description                                                                       |
+===============+===================================================================================+
| Automatic     | The system setup determines the authentication method, for example, the presence  |
|               | and viability of LDAP servers, SSO IdPs, and so on.                               |
|               | The scope, user type, and Auth Enabled settings on the server determine           |
|               | viability:                                                                        |
|               |                                                                                   |
|               |  * If a viable IdP server is detected, authentication defaults to SSO. Since this | 
|               |    requires using the special SSO Login URL, login from the VOSS-4-UC login page  |
|               |    will fail.                                                                     |
|               |  * If viable LDAP servers are found, authentication is attempted against each     |
|               |    server until one is successful or all fail.                                    |
|               |  * If neither of these external servers is found (IdP or LDAP), local             |
|               |    authentication occurs.                                                         |
|               |                                                                                   |
|               | Authentication is performed in order of preference, in the user's hierarchy or    |
|               | above:                                                                            |
|               |                                                                                   |
|               | #. Local user *only if* no LDAP server or SSO IdP is in this hierarchy or above   |
|               | #. LDAP server                                                                    |
|               | #. SSO identity provider (IdP)                                                    |
+---------------+-----------------------------------------------------------------------------------+
| Local         | User authentication is based on the password defined and stored locally in        |
|               | VOSS-4-UC. The VOSS-4-UC credential policy is fully utilized in this method and   |
|               | defines the rules for the password (complexity, aging, etc), as well as further   |
|               | limits on session length, and so on.                                              |
|               | Local authentication can be done using username or email address.                 |
|               | Local authentication is blocked if there are external authentication servers      | 
|               | higher in the path. Currently these are SSO IdP and LDAP servers.                 |
|               | If these are found and are viable authentication servers, in terms of the         |
|               | server's scope, user type and Authentication Enabled settings, then local         |
|               | authentication is bypassed.                                                       |
+---------------+-----------------------------------------------------------------------------------+
| LDAP          | The authentication method is LDAP authentication.                                 |
|               | Additional details can be provided to tie the user to a specific LDAP server or   |
|               | an alternate username can match to the one in LDAP (default is the VOSS-4-UC      |
|               | username).                                                                        |
|               | When using LDAP Authentication, the password rules that are a part of the         |
|               | credential policy in VOSS-4-UC do not apply, since the password is managed in     |
|               | the LDAP directory.                                                               |
|               | Other credential policy rules, such as session length, are however applied,       |
|               | since these are managed by VOSS-4-UC.                                             |
+---------------+-----------------------------------------------------------------------------------+
| SSO           | The authentication method is Single Sign-on (SSO).                                |
|               | Additional details can be provided to tie the user to a specific SSO IdP server   |
|               | or alternate username can match to the one in the IdP (default is the VOSS-4-UC   |
|               | username).                                                                        |
|               | The VOSS-4-UC credential policy is irrelevant, since password rules, session      |
|               | length, and so on are all managed by the IdP outside of VOSS-4-UC.                |
|               | Single Sign-on support is for authentication only. It does not use authorization  |
|               | capabilities that are possible via SAML to control the user's permissions         |
|               | *within* the application.                                                         |
|               | Single sign-out is not supported when using SSO; that is, VOSS-4-UC will not      |
|               | initiate the termination of a session with the IdP (the VOSS session              |
|               | remains active as long as there is an active IdP session).                        |
|               |                                                                                   |
+---------------+-----------------------------------------------------------------------------------+

For SSO, see also :ref:`sso-overview`.
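The Automatic rules and the Local bypass rule from the table above, as an added illustrative model written for this page (not VOSS-4-UC code): the ``AuthServer`` and ``User`` fields, the dotted hierarchy encoding, and the "at or above the user's hierarchy" viability test are assumptions made to keep the example self-contained.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthServer:
    kind: str                  # "SSO" (an IdP) or "LDAP"
    hierarchy: str             # node the server is configured at, e.g. "sys.hcs.cust1"
    auth_enabled: bool = True  # the server's Auth Enabled setting
    user_types: tuple = ("admin", "end_user")  # user types in the server's scope

@dataclass(frozen=True)
class User:
    hierarchy: str                  # node the user lives at, e.g. "sys.hcs.cust1.site1"
    user_type: str                  # "admin" or "end_user"
    auth_method: str = "Automatic"  # Automatic | Local | LDAP | SSO

def path_to_root(hierarchy):
    """'sys.hcs.cust1' -> ['sys.hcs.cust1', 'sys.hcs', 'sys'] (nearest node first)."""
    parts = hierarchy.split(".")
    return [".".join(parts[:i]) for i in range(len(parts), 0, -1)]

def viable(server, user):
    """Assumed viability test: Auth Enabled, user type in scope, server at or above the user."""
    return (server.auth_enabled
            and user.user_type in server.user_types
            and server.hierarchy in path_to_root(user.hierarchy))

def resolve_auth(user, servers):
    """Return (effective method, candidate servers nearest-first, normal login page usable)."""
    path = path_to_root(user.hierarchy)
    candidates = sorted((s for s in servers if viable(s, user)),
                        key=lambda s: path.index(s.hierarchy))
    idps = [s for s in candidates if s.kind == "SSO"]
    ldaps = [s for s in candidates if s.kind == "LDAP"]
    if user.auth_method in ("SSO", "LDAP"):
        # explicit method: only viable servers of that kind are considered
        chosen = idps if user.auth_method == "SSO" else ldaps
        return user.auth_method, chosen, user.auth_method == "LDAP"
    # Automatic, and Local when viable external servers sit above the user (local is bypassed)
    if idps:    # SSO wins; the normal login page fails, the SSO Login URL must be used
        return "SSO", idps, False
    if ldaps:   # each server is tried in turn until one succeeds or all fail
        return "LDAP", ldaps, True
    return "Local", [], True
```

Running a user's hierarchy through ``resolve_auth`` shows why a "Local" user can still be unable to log in locally when an enabled LDAP server or IdP exists at a higher node.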


.. _authentication-method-setting-rules:

Authentication Method Setting Rules
...................................

When adding or modifying users, the user's Authentication Method is based on the 
**User Default Auth Method** setting in the system Global Settings, as well as on the rules 
outlined in the table below:  

.. raw:: latex

   For details on these Global Settings, refer to the "Global Settings" topic in the Advanced Configuration Guide.

.. raw:: html

   <p>See: <a href="concepts-global-settings.html">Global Settings</a>.</p>


.. tabularcolumns:: |p{5cm}|p{10cm}|

+----------------------------------+---------------------------------------------------------------+
| Action                           | Auth Method Setting Rule                                      |
+==================================+===============================================================+
| Add user from GUI                |  Defaults to the Global Setting; can be changed.              |
+----------------------------------+---------------------------------------------------------------+
| Modify user from GUI             |  Defaults to the user's current Auth Method; can be changed.  |
+----------------------------------+---------------------------------------------------------------+
| LDAP Add user sync               |  Automatic                                                    |
+----------------------------------+---------------------------------------------------------------+
| LDAP modify user sync            |  Leave setting as is.                                         |
+----------------------------------+---------------------------------------------------------------+
| Unified CM add user              |  Apply setting from Global Settings.                          |
+----------------------------------+---------------------------------------------------------------+
| Unified CM modify user           |  Leave setting as is.                                         |
+----------------------------------+---------------------------------------------------------------+
| Quick Add Subscriber add user    |  Apply setting from Global Settings.                          |
+----------------------------------+---------------------------------------------------------------+
| Quick Add Subscriber modify user |  Leave setting as is.                                         |
+----------------------------------+---------------------------------------------------------------+