User Authentication
Overview
When a user logs in to a user interface, their credentials can be authenticated against:
- The internal system database
- An LDAP-based external authentication server
- A SAML-based identity management server
User type | Description |
---|---|
Administrators | A user who can log in to the administrator interface. The presence of an administrator interface means that a system user instance exists. |
Subscribers | System users that have, or are linked to, user accounts in one or more UC applications. Subscriber management supports the management of UC application user accounts, which may in turn also be configured for local, LDAP, or SAML authentication. |
API users | System users that connect directly to VOSS Automate, using the API. The system controls access to its service through HTTP basic authentication. |
User Authentication Methods
VOSS Automate supports the following authentication methods for accessing the system (for administrators and end users):
- Local authentication
- LDAP authentication
- Single Sign-on (SSO)
The user’s setup determines the type of authentication required to access the system.
The table describes the Auth Method settings that determine the authentication method:
Auth Method | Description |
---|---|
Automatic | The system setup determines the authentication method, for example, the presence and viability of LDAP servers, SSO IdPs, and so on. The scope, user type, and Auth Enabled settings on the server determine viability: Authentication is performed in order of preference, in the user’s hierarchy, or above: |
Local | User authentication is based on the password defined and stored locally in VOSS Automate, and the VOSS Automate credential policy defines the rules for the password (complexity, aging, etc.), as well as further limits on session length, and so on. Local authentication can be done using username or email address. Local authentication is allowed if the authentication method is Local, and there are viable SSO and/or LDAP servers in scope (viable servers in the hierarchy). Users authenticated in this way are allowed to change their password once logged in. Password change is also available for Local users whose sync type is CUCM-LDAP, that is, where the sync source is CUCM and the user is LDAP synced. |
LDAP | The authentication method is LDAP authentication. Additional details can be provided to tie the user to a specific LDAP server, or to supply an alternate username that matches the one in LDAP (default is the VOSS Automate username). When using LDAP authentication, the password rules that are part of the credential policy in VOSS Automate do not apply, since the password is managed in the LDAP directory. Other credential policy rules, such as session length, are still applied, since these are managed by VOSS Automate. |
SSO | The authentication method is Single Sign-on (SSO). Additional details can be provided to tie the user to a specific SSO IdP server, or to supply an alternate username that matches the one in the IdP (default is the VOSS Automate username). The VOSS Automate credential policy is irrelevant, since password rules, session length, and so on are all managed by the IdP outside of VOSS-4UC. Single Sign-on support is for authentication only. It does not use authorization capabilities that are possible via SAML to control the user’s permissions within the application. No logout is supported when using SSO (single sign-out); that is, VOSS Automate will not initiate the termination of a session with the IdP (the VOSS session remains active as long as there is an active IdP session). |
For SSO, see also Single Sign On (SSO) Overview.
Authentication Method Setting Rules
When adding or modifying users, the user’s Authentication Method is based on the User Default Auth Method setting in the system Global Settings, as well as on the rules outlined in the table below:
See: Global Settings.
Action | Auth Method Setting Rule |
---|---|
Add user from GUI | GUI defaults to Global Setting, but can be changed. |
Modify user from GUI | GUI defaults to current user Auth Method, but can be changed. |
LDAP add user sync | Automatic |
LDAP modify user sync | Leave setting as is. |
Unified CM add user | Apply setting from Global Settings. |
Unified CM modify user | Leave setting as is. |
Quick Add Subscriber add user | Apply setting from Global Settings. |
Quick Add Subscriber modify user | Leave setting as is. |