User Authentication

Overview

When logging in to a user interface, a user can be authenticated against credentials held in:

  • The internal system database

  • An LDAP-based external authentication server

  • A SAML-based identity management server

The system distinguishes the following user types:

Administrators
    A user who can log in to the administrator interface. An administrator always has a corresponding system user instance.

Subscribers
    System users that have, or are linked to, user accounts in one or more UC applications. Subscriber management covers the management of those UC application user accounts, which may in turn also be configured for local, LDAP, or SAML authentication.

API users
    System users that connect directly to VOSS Automate through the API. Access to the API is controlled by HTTP basic authentication.

User Authentication Methods

VOSS Automate supports the following authentication methods for accessing the system (for administrators and end users):

  • Local authentication

  • LDAP Authentication

  • Single Sign-on (SSO)

The user’s setup determines the type of authentication required to access the system.

The Auth Method setting on the user determines the authentication method, as follows:

Automatic
    The system setup determines the authentication method, for example the presence and viability of LDAP servers, SSO IdPs, and so on. The scope, user type, and Auth Enabled settings on each server determine whether it is viable:

      • If a viable IdP server is detected, authentication defaults to SSO. Since SSO requires the special SSO Login URL, login from the standard VOSS Automate login page will fail for such a user.

      • If viable LDAP servers are found, authentication is attempted against each server in turn until one succeeds or all fail.

      • If neither kind of external server (IdP or LDAP) is found, local authentication is used.

    Candidate servers are those configured at the user's hierarchy node or above:

      1. Local authentication, used only if no LDAP server or SSO IdP is in scope (at this hierarchy or above)

      2. LDAP server

      3. SSO identity provider (IdP)

Local
    User authentication is based on the password defined and stored locally in VOSS Automate. The VOSS Automate credential policy defines the rules for the password (complexity, aging, and so on) as well as further limits such as session length. Local authentication can be done using the username or the email address. Local authentication is allowed when the user's authentication method is Local, even if viable SSO and/or LDAP servers are in scope (viable servers in the hierarchy). Users authenticated in this way are allowed to change their password once logged in.

LDAP
    The authentication method is LDAP authentication. Additional details can be provided to tie the user to a specific LDAP server, or to supply an alternate username that matches the one in LDAP (by default the VOSS Automate username is used). When using LDAP authentication, the password rules that are part of the VOSS Automate credential policy do not apply, since the password is managed in the LDAP directory. Other credential policy rules, such as session length, are still applied, since these are managed by VOSS Automate.

SSO
    The authentication method is Single Sign-on (SSO). Additional details can be provided to tie the user to a specific SSO IdP server, or to supply an alternate username that matches the one in the IdP (by default the VOSS Automate username is used). The VOSS Automate credential policy is irrelevant, since password rules, session length, and so on are all managed by the IdP outside of VOSS Automate. Single Sign-on support is for authentication only: it does not use the authorization capabilities available via SAML to control the user's permissions within the application. Single sign-out is not supported; that is, VOSS Automate will not initiate termination of the session with the IdP (the VOSS Automate session remains active as long as there is an active IdP session).

For SSO, see also Single Sign On (SSO) Overview.
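The resolution rules above, modelled as an added Python example so that the precedence and its consequences can be checked against concrete data. This is not VOSS Automate code: the data model (AuthServer, User, dotted hierarchy paths such as sys.hcs.prov1.cust1), the function names, and the sample servers are assumptions constructed for illustration; only the precedence rules (SSO over LDAP over local, servers at the user's hierarchy or above, scope, user type, Auth Enabled) and the credential policy behaviour come from the text.

```python
"""Model of VOSS Automate Auth Method resolution (illustrative, not product code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed data model: a server is configured at one hierarchy node and is visible
# to users at that node or below it. Dotted paths are an assumption for the example.
@dataclass(frozen=True)
class AuthServer:
    kind: str                        # "sso" (IdP) or "ldap"
    name: str
    hierarchy: str                   # node where the server is configured
    auth_enabled: bool = True        # the "Auth Enabled" setting
    user_types: FrozenSet[str] = frozenset({"administrator", "subscriber"})  # scope

@dataclass(frozen=True)
class User:
    username: str
    hierarchy: str
    user_type: str                   # "administrator" or "subscriber"
    auth_method: str = "Automatic"   # Automatic | Local | LDAP | SSO
    auth_server: Optional[str] = None  # optional pin to a named LDAP/SSO server

def at_or_above(server_node: str, user_node: str) -> bool:
    """True if the server's node is the user's node or one of its ancestors."""
    return user_node == server_node or user_node.startswith(server_node + ".")

def is_viable(server: AuthServer, user: User) -> bool:
    """Scope, user type and Auth Enabled together decide viability."""
    return (server.auth_enabled
            and user.user_type in server.user_types
            and at_or_above(server.hierarchy, user.hierarchy))

def resolve_auth_method(user: User, servers: List[AuthServer]) -> Tuple[str, List[str]]:
    """Return (method, servers to try). An explicit LDAP/SSO method with an empty
    server list means the configured method has no viable server in scope."""
    viable = [s for s in servers if is_viable(s, user)]
    if user.auth_method == "Local":
        return "Local", []                       # allowed even with servers in scope
    if user.auth_method in ("LDAP", "SSO"):
        wanted = user.auth_method.lower()
        names = [s.name for s in viable
                 if s.kind == wanted and user.auth_server in (None, s.name)]
        return user.auth_method, names
    # Automatic: a viable IdP wins; otherwise LDAP servers are tried in turn; else local.
    idps = [s.name for s in viable if s.kind == "sso"]
    if idps:
        return "SSO", idps[:1]
    ldaps = [s.name for s in viable if s.kind == "ldap"]
    if ldaps:
        return "LDAP", ldaps
    return "Local", []

def login_page_works(user: User, servers: List[AuthServer]) -> bool:
    """SSO users must use the SSO Login URL; the standard login page fails for them."""
    return resolve_auth_method(user, servers)[0] != "SSO"

def credential_policy_applies(user: User, servers: List[AuthServer]) -> Dict[str, bool]:
    """Which VOSS Automate credential policy rules still apply for the resolved method."""
    method = resolve_auth_method(user, servers)[0]
    return {"password_rules": method == "Local",
            "session_rules": method in ("Local", "LDAP")}

# Constructed sample configuration (assumed names and hierarchy).
SAMPLE_SERVERS = [
    AuthServer("ldap", "corp-ldap", "sys.hcs.prov1"),
    AuthServer("sso", "cust1-idp", "sys.hcs.prov1.cust1",
               user_types=frozenset({"subscriber"})),
    AuthServer("ldap", "old-ldap", "sys.hcs.prov1.cust2", auth_enabled=False),
]

if __name__ == "__main__":
    for u in (User("alice", "sys.hcs.prov1.cust1", "subscriber"),
              User("bob", "sys.hcs.prov1.cust1", "administrator"),
              User("dave", "sys.hcs.prov2", "subscriber")):
        print(u.username, resolve_auth_method(u, SAMPLE_SERVERS),
              "login page ok:", login_page_works(u, SAMPLE_SERVERS))
```

The two cases worth checking in practice are the ones the model makes visible: a subscriber at a node with an in-scope IdP silently becomes an SSO user and can no longer log in from the standard page, while an administrator at the same node falls through to LDAP because the IdP's scope excludes administrators.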

Authentication Method Setting Rules

When adding or modifying users, the user's Auth Method is derived from the User Default Auth Method setting in the system Global Settings, together with the rules in the table below:

Action                            Auth Method Setting Rule
--------------------------------  ---------------------------------------------------------------------
Add user from GUI                 GUI defaults to the Global Setting, but it can be changed.
Modify user from GUI              GUI defaults to the user's current Auth Method, but it can be changed.
LDAP add user sync                Automatic
LDAP modify user sync             Leave the setting as is.
Unified CM add user               Apply the setting from Global Settings.
Unified CM modify user            Leave the setting as is.
Quick Add Subscriber add user     Apply the setting from Global Settings.
Quick Add Subscriber modify user  Leave the setting as is.