.. _user_authentication:

User Authentication
-------------------

Overview
..........

When logging in to a user interface, a user's credentials can be authenticated
against:

* The internal system database
* An LDAP-based external authentication server
* A SAML-based identity management server

.. tabularcolumns:: |p{5cm}|p{10cm}|

+----------------+--------------------------------------------------------------+
| User type      | Description                                                  |
+================+==============================================================+
| Administrators | A user who can log in to the administrator interface. The    |
|                | presence of an administrator interface means that a system   |
|                | user instance exists.                                        |
+----------------+--------------------------------------------------------------+
| Subscribers    | System users that have, or are linked to, user accounts in   |
|                | one or more UC applications. Subscriber management supports  |
|                | the management of UC application user accounts, which may    |
|                | in turn also be configured for local, LDAP, or SAML          |
|                | authentication.                                              |
+----------------+--------------------------------------------------------------+
| API users      | System users that connect directly to VOSS Automate, using   |
|                | the API. The system controls access to its service through   |
|                | HTTP basic authentication.                                   |
+----------------+--------------------------------------------------------------+

.. _user-authentication-methods:

User Authentication Methods
.............................

.. _20.1.1|VOSS-551|EKB-7380:

.. _21.2|EKB-11005:

VOSS Automate supports the following authentication methods for accessing the
system (for administrators and end users):

* Local authentication
* LDAP authentication
* Single Sign-on (SSO)

The user's setup determines the type of authentication required to access the
system. The table describes the **Auth Method** settings that determine the
authentication method:

.. tabularcolumns:: |p{5cm}|p{10cm}|

+-------------+----------------------------------------------------------------------------------+
| Auth Method | Description                                                                      |
+=============+==================================================================================+
| Automatic   | The system setup determines the authentication method, for example, the presence |
|             | and viability of LDAP servers, SSO IdPs, and so on.                              |
|             |                                                                                  |
|             | The scope, user type, and Auth Enabled settings on the server determine          |
|             | viability:                                                                       |
|             |                                                                                  |
|             | * If a viable IdP server is detected, authentication defaults to SSO. Since this |
|             |   requires using the special SSO Login URL, login from the VOSS Automate login   |
|             |   page will fail.                                                                |
|             | * If viable LDAP servers are found, authentication is attempted against each     |
|             |   server until one is successful or all fail. LDAP servers that have errors are  |
|             |   skipped.                                                                       |
|             | * If neither of these external servers is found (IdP or LDAP), local             |
|             |   authentication occurs.                                                         |
|             |                                                                                  |
|             | Authentication is performed in order of preference, in the user's hierarchy, or  |
|             | above:                                                                           |
|             |                                                                                  |
|             | #. Local user *only if* no LDAP server or SSO IdP exists in this hierarchy or    |
|             |    above                                                                         |
|             | #. LDAP server                                                                   |
|             | #. SSO identity provider (IdP)                                                   |
+-------------+----------------------------------------------------------------------------------+
| Local       | User authentication is based on the password defined and stored locally in VOSS  |
|             | Automate. The VOSS Automate credential policy defines the rules for the password |
|             | (complexity, aging, and so on), as well as further limits such as session        |
|             | length.                                                                          |
|             |                                                                                  |
|             | Local authentication can be done using either the username or the email address. |
|             |                                                                                  |
|             | Local authentication is allowed when the authentication method is Local, even if |
|             | viable SSO and/or LDAP servers are in scope (viable servers in the hierarchy).   |
|             |                                                                                  |
|             | Users authenticated in this way are allowed to change their password once logged |
|             | in.                                                                              |
+-------------+----------------------------------------------------------------------------------+
| LDAP        | The authentication method is LDAP authentication.                                |
|             |                                                                                  |
|             | Additional details can be provided to tie the user to a specific LDAP server, or |
|             | an alternate username can be matched to the one in LDAP (the default is the VOSS |
|             | Automate username).                                                              |
|             |                                                                                  |
|             | When using LDAP authentication, the password rules that are part of the          |
|             | credential policy in VOSS Automate do not apply, since the password is managed   |
|             | in the LDAP directory. Other credential policy rules, such as session length,    |
|             | are however applied, since these are managed by VOSS Automate.                   |
+-------------+----------------------------------------------------------------------------------+
| SSO         | The authentication method is Single Sign-on (SSO).                               |
|             |                                                                                  |
|             | Additional details can be provided to tie the user to a specific SSO IdP server, |
|             | or an alternate username can be matched to the one in the IdP (the default is    |
|             | the VOSS Automate username).                                                     |
|             |                                                                                  |
|             | The VOSS Automate credential policy is irrelevant, since password rules, session |
|             | length, and so on are all managed by the IdP outside of VOSS-4UC.                |
|             |                                                                                  |
|             | Single Sign-on support is for authentication only. It does not use the           |
|             | authorization capabilities that are possible via SAML to control the user's      |
|             | permissions *within* the application.                                            |
|             |                                                                                  |
|             | No logout is supported when using SSO (single sign-out); that is, VOSS Automate  |
|             | will not initiate the termination of a session with the IdP (the VOSS session    |
|             | remains active as long as there is an active IdP session).                       |
+-------------+----------------------------------------------------------------------------------+

For SSO, see also :ref:`sso-overview`.

.. _authentication-method-setting-rules:

Authentication Method Setting Rules
...................................
When adding or modifying users, the user's Authentication Method is based on the
**User Default Auth Method** setting in the system Global Settings, as well as on
the rules outlined in the table below:

.. raw:: latex

   For details on these Global Settings, refer to the "Global Settings" topic in
   the Advanced Configuration Guide.

.. raw:: html

   See: Global Settings.

.. tabularcolumns:: |p{5cm}|p{10cm}|

+----------------------------------+---------------------------------------------------------------+
| Action                           | Auth Method Setting Rule                                      |
+==================================+===============================================================+
| Add user from GUI                | GUI defaults to the Global Setting, but can be changed.       |
+----------------------------------+---------------------------------------------------------------+
| Modify user from GUI             | GUI defaults to the current Auth Method, but can be changed.  |
+----------------------------------+---------------------------------------------------------------+
| LDAP add user sync               | Automatic                                                     |
+----------------------------------+---------------------------------------------------------------+
| LDAP modify user sync            | Leave setting as is.                                          |
+----------------------------------+---------------------------------------------------------------+
| Unified CM add user              | Apply setting from Global Settings.                           |
+----------------------------------+---------------------------------------------------------------+
| Unified CM modify user           | Leave setting as is.                                          |
+----------------------------------+---------------------------------------------------------------+
| Quick Add Subscriber add user    | Apply setting from Global Settings.                           |
+----------------------------------+---------------------------------------------------------------+
| Quick Add Subscriber modify user | Leave setting as is.                                          |
+----------------------------------+---------------------------------------------------------------+
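The following Python sketch is an added illustrative model, not VOSS Automate code, of the Automatic behaviour described in the Auth Method table above: SSO if a viable IdP is in the user's hierarchy or above, otherwise each viable LDAP server in turn with erroring servers skipped, otherwise local, plus the rule that a user resolved to SSO cannot log in from the normal login page. The server record fields, the dotted hierarchy paths, the nearest-node-first ordering of LDAP servers and the ``bind`` callback are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthServer:                 # field names are assumptions for this model
    kind: str                     # "ldap" or "sso"
    hierarchy: str                # node the server is scoped to, as a dotted path
    enabled: bool                 # the server's Auth Enabled flag
    healthy: bool = True          # False models an LDAP server that errors and is skipped

def in_scope(server_node: str, user_node: str) -> bool:
    """A server is in scope when it sits at the user's hierarchy node or above it."""
    return user_node == server_node or user_node.startswith(server_node + ".")

def viable(servers, user_node, kind):
    """Enabled, in-scope servers of one kind, nearest node first (ordering is assumed)."""
    hits = [s for s in servers
            if s.kind == kind and s.enabled and in_scope(s.hierarchy, user_node)]
    return sorted(hits, key=lambda s: s.hierarchy.count("."), reverse=True)

def resolve_auth_method(auth_method, user_node, servers):
    """Effective method: explicit settings win; Automatic prefers SSO, then LDAP, then Local."""
    if auth_method in ("Local", "LDAP", "SSO"):
        return auth_method
    if auth_method != "Automatic":
        raise ValueError(f"unknown Auth Method: {auth_method}")
    if viable(servers, user_node, "sso"):
        return "SSO"
    if viable(servers, user_node, "ldap"):
        return "LDAP"
    return "Local"

def ldap_login(user_node, servers, bind):
    """Try each viable LDAP server until one bind succeeds; bind(server) stands in for the real bind."""
    for server in viable(servers, user_node, "ldap"):
        if server.healthy and bind(server):       # servers that error are skipped
            return server.hierarchy
    return None

def login_allowed(auth_method, user_node, servers, via_sso_url):
    """With SSO in effect, login must arrive via the SSO Login URL, not the login page."""
    return resolve_auth_method(auth_method, user_node, servers) != "SSO" or via_sso_url

# Constructed sample topology: provider LDAP, broken customer LDAP, one customer IdP, disabled IdP.
SERVERS = [
    AuthServer("ldap", "sys.hcs", True),
    AuthServer("ldap", "sys.hcs.cust1", True, healthy=False),
    AuthServer("sso", "sys.hcs.cust2", True),
    AuthServer("sso", "sys", False),
]
```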