User Login Options by Authentication Method and Server Authentication Scope#

The sections below provide two views of user login authentication:

  • A flowchart that highlights authentication checks carried out by VOSS Automate for the authentication method set as Automatic.

  • Two matrices showing successful user login in accordance with specific server and user configurations. The matrices are divided according to whether the user uses an SSO login URL.

Authentication Flow#

The flowchart below shows the authentication process in VOSS Automate when a user logs in. Specifically, the chart shows the system process where the authentication method on VOSS Automate is set to be Automatic.

Settings and conditions to check include:

  • User login and settings (user and authentication)

  • Servers (SSO, LDAP) set up and their settings (scope and authentication)

  • System settings (global authentication method)

@startuml
'Authentication
!include style.iuml
:User login
* username
* password;
note left
    [[../src/user/tasks-admin-gui-access.html Use login URL]]
end note
  :Find data/User
  by username;
  :Look for
  SSO server
  in scope with ALL/empty
  user type;
  note left
   * [[../src/user/sso-idp.html Authentication Scope]]
     * Down (default)
     * Local
   * [[../src/user/sso-idp.html User sync type]]
     * All users (default)
     * LDAP Users only
  end note
  if (Found\nSSO\nserver?) then (yes)
    end
    note right
     [[../src/user/tasks-admin-gui-access.html Use SSO\nlogin URL]]
    end note
  else (no)
      if (LDAP or\nUCM LDAP\nsync source?) then (yes)
      :Look for
      SSO server
      in scope
      with LDAP
      user type;
      note left
       Check if the LDAP user
       is in scope of SSO server
      end note
      if (Found\nSSO\nserver?) then (no)
        :Look for
        LDAP server
        in scope
        + auth_enabled
        + sync_type ==
        LDAP synced
        users;
        note left
         * [[../src/user/enable-ldap-integration.html Authentication Scope]]
           * Down (default)
           * Local
         * [[../src/user/enable-ldap-integration.html User sync type]]
           * LDAP synced
            users only
           * All users (default)
        end note
        if (Found synced\nLDAP server) then (no)
          :Look for
          LDAP server
          in scope
          + auth_enabled
          + sync_type ==
          ALL users
          or empty;
        else (yes)
          :Authenticate
          against LDAP;
          if (Authenticated?) then (yes)
            :pass: LDAP;
            stop
            note left
              User logged in
            end note
          else (no)
            :fail: Rejected by
            synced
            LDAP server;
            end
            note right
             User not
             logged in
            end note
          endif
        endif
      else (yes)
        end
        note left
         [[../src/user/tasks-admin-gui-access.html Use SSO\nlogin URL]]
        end note
      endif
    else (no)
      :Look for
      LDAP server
      in scope
      + auth_enabled
      + sync_type ==
      ALL users
      or empty;
    endif
    if (Found 1 or\nmore LDAP\nservers?) then (yes)
    while (More servers?)
      note left
        Loop through
        LDAP servers
        and attempt
        authentication
      end note
      :Authenticate
      against LDAP;
    endwhile
    if (Authenticated?) then (yes)
      :pass: LDAP;
      stop
      note left
        User
        logged in
      end note
    else (no)
      :fail: Rejected
      by ALL
      LDAP servers;
      end
      note right
       User not
       logged in
      end note
    endif
else (no)
        :Authenticate
        locally;
        if (Authenticated?) then (yes)
            :pass: LOCAL;
            stop
            note left
              User
              logged in
            end note
        else (no)
            :fail: rejected
            by LOCAL;
            end
            note left
             User not
             logged in
            end note
        endif
    endif
  endif
@enduml

Authentication Matrix#

This section provides details on whether users can log in on VOSS Automate (Y or N), based on:

  1. User authentication method (Auth Method): either Local, LDAP, SSO, or Automatic

    See:

  2. User sync type: either all users, or LDAP synced

    See:

  3. Server authentication scope: one of the following:

    • Current and below

    • Current only

    See:

Note

If an IDP server is in scope and authentication method is set to LDAP, authentication is attempted against LDAP on login.

If the authentication method is set to Automatic, IDP(SSO) authentication takes precedence.

IDP(SSO) - User on IDP Server, and SSO Login URL Used#

User auth method

Server authentication scope (hierarchy):

Current hierarchy and below

Current hierarchy only

User sync type - who can authenticate:

all users

synced users

all users

synced users

Local

N

Y

Y (If user not at server node)

Y

LDAP

N

Y

Y (If user at server node)

Y (If user at server node)

SSO

Y

Y (If LDAP synced user)

Y (If user at server node)

Y (If user LDAP synced at server node)

Automatic

Y

Y (If LDAP synced user)

Y (If user at server node)

Y (If user LDAP synced at server node)

No IDP(SSO) - LDAP Configured and Enabled for Authentication#

User auth method

Server authentication scope (hierarchy):

Current hierarchy and below

Current hierarchy only

User sync type - who can authenticate:

all users

synced users

all users

synced users

Local

N

Y

Y (If user not at server node)

Y

LDAP

Y

Y

Y (If user at server node)

Y (If user at server node)

SSO

N

N

N

N

Automatic

Y (if synced user)

Y (if synced user)

Y (If user synced at server node)

Y (If user synced at server node)