User Authentication Methods

VOSS-4-UC supports the following authentication modes for accessing the system (for administrators and end users):

  • Local authentication
  • LDAP authentication
  • Single Sign-on (SSO)

The user’s setup determines the type of authentication required to access the system.

The table describes the Auth Method settings that determine the authentication method:

Auth Method Description
Automatic

The system setup determines the authentication method, for example, the presence and viability of LDAP servers, SSO IdPs, and so on. The scope, user type, and Auth Enabled settings on the server determine viability:

  • If a viable IdP server is detected, authentication defaults to SSO. Since this requires using the special SSO Login URL, login from the VOSS-4-UC login page will fail.
  • If viable LDAP servers are found, authentication is attempted against each server until one is successful or all fail.
  • If neither of these external servers is found (IdP or LDAP), local authentication occurs.

Authentication is performed in the following order of preference, using servers in the user’s hierarchy or above:

  1. Local user, only if there is no LDAP server or SSO IdP in this hierarchy or above
  2. LDAP server
  3. SSO identity provider (IdP)

Local

User authentication is based on the password defined and stored locally in VOSS-4-UC. The VOSS-4-UC credential policy is fully utilized in this method and defines the rules for the password (complexity, aging, etc.), as well as further limits on session length, and so on. Local authentication can be done using username or email address.

Local authentication is blocked if there are external authentication servers higher in the path. Currently these are SSO IdP and LDAP servers. If these are found and are viable authentication servers, in terms of the server’s scope, user type and Authentication Enabled settings, then local authentication is bypassed.

LDAP

The authentication method is LDAP authentication. Additional details can be provided to tie the user to a specific LDAP server, or an alternate username can be matched to the one in LDAP (the default is the VOSS-4-UC username).

When using LDAP authentication, the password rules that are part of the credential policy in VOSS-4-UC do not apply, since the password is managed in the LDAP directory. Other credential policy rules, such as session length, are still applied, since these are managed by VOSS-4-UC.

SSO

The authentication method is Single Sign-on (SSO). Additional details can be provided to tie the user to a specific SSO IdP server, or an alternate username can be matched to the one in the IdP (the default is the VOSS-4-UC username). The VOSS-4-UC credential policy is irrelevant, since password rules, session length, and so on are all managed by the IdP outside of VOSS-4-UC.

Single Sign-on support is for authentication only. It does not use authorization capabilities that are possible via SAML to control the user’s permissions within the application.

No logout (single sign-out) is supported when using SSO; that is, VOSS-4-UC will not initiate the termination of a session with the IdP (the VOSS session remains active as long as there is an active IdP session).

For SSO, see also Single Sign On (SSO) Overview.
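
The Automatic resolution described in the table above, modelled as an added example (this is not VOSS-4-UC code). The server fields, their values (`full_tree`/`local`, `all`/`admin`/`end_user`) and the dotted hierarchy paths are assumptions made for illustration, and the sample servers and users are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthServer:
    kind: str           # "IDP" or "LDAP"
    hierarchy: str      # node where the server is defined (assumed dotted path)
    auth_enabled: bool  # the Authentication Enabled setting
    user_type: str      # assumed values: "all", "admin", "end_user"
    scope: str          # assumed values: "full_tree" (node and below), "local" (node only)

@dataclass(frozen=True)
class User:
    name: str
    hierarchy: str
    user_type: str      # "admin" or "end_user"

def is_viable(server: AuthServer, user: User) -> bool:
    """Viable = Auth Enabled, user type matches, and scope covers the user's node."""
    if not server.auth_enabled or server.user_type not in ("all", user.user_type):
        return False
    if server.hierarchy == user.hierarchy:
        return True
    above = user.hierarchy.startswith(server.hierarchy + ".")
    return above and server.scope == "full_tree"

def resolve_automatic(user: User, servers: list[AuthServer]) -> tuple[str, list[AuthServer]]:
    """Return the effective method and the external servers that would be used."""
    viable = [s for s in servers if is_viable(s, user)]
    idps = [s for s in viable if s.kind == "IDP"]
    if idps:                      # SSO wins; the standard login page will fail
        return "SSO", idps
    ldaps = [s for s in viable if s.kind == "LDAP"]
    if ldaps:                     # each server is tried until one succeeds or all fail
        return "LDAP", ldaps
    return "LOCAL", []            # no viable external server at or above the user

# Constructed sample data (not taken from any real deployment).
SERVERS = [
    AuthServer("IDP", "sys.prov.custA", True, "end_user", "full_tree"),
    AuthServer("LDAP", "sys.prov", True, "all", "full_tree"),
    AuthServer("LDAP", "sys.prov.custB", False, "all", "full_tree"),
]
USERS = [
    User("alice", "sys.prov.custA.site1", "end_user"),
    User("bob", "sys.prov.custA", "admin"),
    User("carol", "sys", "admin"),
]

def audit(users=USERS, servers=SERVERS) -> dict[str, str]:
    """Map each user to the method Automatic would select for them."""
    return {u.name: resolve_automatic(u, servers)[0] for u in users}
```

Users that resolve to `LOCAL` are the ones whose passwords remain governed by the VOSS-4-UC credential policy; users that resolve to `SSO` cannot log in from the standard login page.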

Authentication Method Setting Rules

When adding or modifying users, the user’s Authentication Method is based on the User Default Auth Method setting in the system Global Settings, as well as on the rules outlined in the table below:

Action                             Auth Method Setting Rule
Add user from GUI                  GUI defaults to the Global Setting, but can be changed.
Modify user from GUI               GUI defaults to the current user Auth Method, but can be changed.
LDAP add user sync                 Automatic
LDAP modify user sync              Leave setting as is.
Unified CM add user                Apply setting from Global Settings.
Unified CM modify user             Leave setting as is.
Quick Add Subscriber add user      Apply setting from Global Settings.
Quick Add Subscriber modify user   Leave setting as is.