User Authentication#

Overview#

When logging in to a user interface, a user’s credentials can be authenticated based on their credentials in:

The internal system database
An LDAP-based external authentication server
A SAML-based identity management server

User type	Description
Administrators	A user who can log in to the administrator interface. The presence of an administrator interface means that a system user instance exists.
Subscribers	System users that have, or are linked to, user accounts in one or more UC applications. Subscriber management supports the management of UC application user accounts, which may in turn also be configured for local, LDAP, or SAML authentication.
API users	System users that connect directly to VOSS Automate, using the API. The system controls access to its service through HTTP basic authentication.

User Authentication Methods#

VOSS Automate supports the following authentication methods for accessing the system (for administrators and end users):

Local authentication
LDAP Authentication
Single-Sign-on (SSO)

The user’s setup determines the type of authentication required to access the system.

The table describes the Auth Method settings that determine the authentication method:

Auth Method	Description
Automatic	The system setup determines the authentication method, for example, the presence and viability of LDAP servers, SSO IdPs, and so on. The scope, user type, and Auth Enabled settings on the server determines viability: If a viable IdP server is detected, authentication defaults to SSO. Since this requires using the special SSO Login URL, login from the VOSS Automate login page will fail. If viable LDAP servers are found, authentication is attempted against each server until one is successful or all fail. LDAP servers that have errors are skipped. If neither of these external servers are found (IdP or LDAP), local authentication occurs. Authentication is performed in order of preference, in the user’s hierarchy, or above: Local user only if no LDAP, SSO IdP, in this hierarchy or above LDAP server SSO identity provider (IdP)
Local	User authentication is based on the password defined and stored locally in VOSS Automate, and the VOSS Automate credential policy defines the rules for the password (complexity, aging, etc), as well as further limits on session length, and so on. Local authentication can be done using username or email address. Local authentication is allowed if the authentication method is Local, and there are viable SSO and/or LDAP servers in scope (viable servers in the hierarchy). Users authenticated in this way are allowed to change their password once logged in. Password change is also available for Local users where such sync type CUCM-LDAP; where sync source is CUCM and user is LDAP synced.

Auth Method

Description

Automatic

The system setup determines the authentication method, for example, the presence and viability of LDAP servers, SSO IdPs, and so on. The scope, user type, and Auth Enabled settings on the server determines viability:

If a viable IdP server is detected, authentication defaults to SSO. Since this requires using the special SSO Login URL, login from the VOSS Automate login page will fail.
If viable LDAP servers are found, authentication is attempted against each server until one is successful or all fail. LDAP servers that have errors are skipped.
If neither of these external servers are found (IdP or LDAP), local authentication occurs.

Authentication is performed in order of preference, in the user’s hierarchy, or above:

Local user only if no LDAP, SSO IdP, in this hierarchy or above
LDAP server
SSO identity provider (IdP)

Local

User authentication is based on the password defined and stored locally in VOSS Automate, and the VOSS Automate credential policy defines the rules for the password (complexity, aging, etc), as well as further limits on session length, and so on. Local authentication can be done using username or email address. Local authentication is allowed if the authentication method is Local, and there are viable SSO and/or LDAP servers in scope (viable servers in the hierarchy). Users authenticated in this way are allowed to change their password once logged in. Password change is also available for Local users where such sync type CUCM-LDAP; where sync source is CUCM and user is LDAP synced.

Auth Method	Description
LDAP	The authentication method is LDAP authentication. Additional details can be provided to tie the user to a specific LDAP server or an alternate username can match to the one in LDAP (default is the VOSS Automate username). When using LDAP Authentication, the password rules that are a part of the credential policy in VOSS Automate do not apply, since the password is managed in the LDAP directory. Other credential policy rules, such as session length, are however applied, since these are managed by VOSS Automate.
SSO	The authentication method is Single Sign-on (SSO). Additional details can be provided to tie the user to a specific SSO IdP server or alternate username can match to the one in the IdP (default is the VOSS Automate username). The VOSS Automate credential policy is irrelevant, since password rules, session length, and so on are all managed by the IdP outside of VOSS-4UC. Single Sign-on support is for authentication only. It does not use authorization capabilities that are possible via SAML to control the user’s permissions within the application. No logout is supported when using SSO (single sign-out); that is, VOSS Automate will not initiate the termination of a session with the IdP (the VOSS session remains active as long as there is an active IdP session.

Auth Method

Description

LDAP

The authentication method is LDAP authentication. Additional details can be provided to tie the user to a specific LDAP server or an alternate username can match to the one in LDAP (default is the VOSS Automate username). When using LDAP Authentication, the password rules that are a part of the credential policy in VOSS Automate do not apply, since the password is managed in the LDAP directory. Other credential policy rules, such as session length, are however applied, since these are managed by VOSS Automate.

SSO

The authentication method is Single Sign-on (SSO). Additional details can be provided to tie the user to a specific SSO IdP server or alternate username can match to the one in the IdP (default is the VOSS Automate username). The VOSS Automate credential policy is irrelevant, since password rules, session length, and so on are all managed by the IdP outside of VOSS-4UC. Single Sign-on support is for authentication only. It does not use authorization capabilities that are possible via SAML to control the user’s permissions within the application. No logout is supported when using SSO (single sign-out); that is, VOSS Automate will not initiate the termination of a session with the IdP (the VOSS session remains active as long as there is an active IdP session.

For SSO, see also Single Sign On (SSO) Overview.

Authentication Method Setting Rules#

When adding or modifying users, the user’s Authentication Method is based on the User Default Auth Method setting in the system Global Settings, as well as on the rules outlined in the table below:

See: Global Settings.

Action	Auth Method Setting Rule
Add user from GUI	GUI default to Global Setting, but can be changed.
Modify user from GUI	GUI default to current user Auth Method, but can be changed.
LDAP Add user sync	Automatic
LDAP modify user sync	Leave setting as is.
Unified CM add user	Apply setting from Global Settings.
Unified CM modify user	Leave setting as is.
Quick Add Subscriber add user	Apply setting from Global Settings.
Quick Add Subscriber modify user	Leave setting as is.

User Authentication

On this page

User Authentication#

Overview#

User Authentication Methods#

Authentication Method Setting Rules#