User Login Options by Auth Method and Server Auth Scope#

The sections below provide two views of user login authentication:

Login Authentication Process#

The flowchart below shows the authentication process in VOSS Automate when a user logs in and the authentication method on VOSS Automate is set to Automatic.

Settings and conditions to check include:

  • User login and settings (user and authentication)

  • Servers (SSO, LDAP) set up and their settings (scope and authentication)

  • System settings (global authentication method)

@startuml
'Authentication
!include style.iuml
:User login
* username
* password;
note left
    [[../src/user/tasks-admin-gui-access.html Use login URL]]
end note
  :Find data/User
  by username;
  :Look for
  SSO server
  in scope with ALL/empty
  user type;
  note left
   * [[../src/user/sso-idp.html Authentication Scope]]
     * Down (default)
     * Local
   * [[../src/user/sso-idp.html User sync type]]
     * All users (default)
     * LDAP Users only
  end note
  if (Found\nSSO\nserver?) then (yes)
    end
    note right
     [[../src/user/tasks-admin-gui-access.html Use SSO\nlogin URL]]
    end note
  else (no)
      if (LDAP or\nUCM LDAP\nsync source?) then (yes)
      :Look for
      SSO server
      in scope
      with LDAP
      user type;
      note left
       Check if the LDAP user
       is in scope of SSO server
      end note
      if (Found\nSSO\nserver?) then (no)
        :Look for
        LDAP server
        in scope
        + auth_enabled
        + sync_type ==
        LDAP synced
        users;
        note left
         * [[../src/user/add-ldap-server.html Authentication Scope]]
           * Down (default)
           * Local
         * [[../src/user/add-ldap-server.html User sync type]]
           * LDAP synced
            users only
           * All users (default)
        end note
        if (Found synced\nLDAP server) then (no)
          :Look for
          LDAP server
          in scope
          + auth_enabled
          + sync_type ==
          ALL users
          or empty;
        else (yes)
          :Authenticate
          against LDAP;
          if (Authenticated?) then (yes)
            :pass: LDAP;
            stop
            note left
              User logged in
            end note
          else (no)
            :fail: Rejected by
            synced
            LDAP server;
            end
            note right
             User not
             logged in
            end note
          endif
        endif
      else (yes)
        end
        note left
         [[../src/user/tasks-admin-gui-access.html Use SSO\nlogin URL]]
        end note
      endif
    else (no)
      :Look for
      LDAP server
      in scope
      + auth_enabled
      + sync_type ==
      ALL users
      or empty;
    endif
    if (Found 1 or\nmore LDAP\nservers?) then (yes)
    while (More servers?)
      note left
        Loop through
        LDAP servers
        and attempt
        authentication
      end note
      :Authenticate
      against LDAP;
    endwhile
    if (Authenticated?) then (yes)
      :pass: LDAP;
      stop
      note left
        User
        logged in
      end note
    else (no)
      :fail: Rejected
      by ALL
      LDAP servers;
      end
      note right
       User not
       logged in
      end note
    endif
    else (no)
      :Authenticate
      locally;
      if (Authenticated?) then (yes)
        :pass: LOCAL;
        stop
        note left
          User
          logged in
        end note
      else (no)
        :fail: rejected
        by LOCAL;
        end
        note left
         User not
         logged in
        end note
      endif
    endif
  endif
@enduml
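
The decision path of the flowchart, written out as an added worked example (this is illustration code, not VOSS Automate's own implementation or API). The User and Server records, the hierarchy represented as a node path, the scope values "down"/"local" and the sync_type values "all"/"ldap" are assumptions made for the example; resolve() returns which backend the Automatic method reaches and, for LDAP, the servers it would try in order.

```python
# Added illustration of the Automatic-method decision path in the flowchart above.
# The User/Server model, field names and scope/sync_type values are assumed, not VOSS Automate's API.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class User:
    username: str
    hierarchy: Tuple[str, ...]         # node path from the root, e.g. ("sys", "cust1", "site1")
    sync_source: Optional[str] = None  # "LDAP", "UCM LDAP" or None for a local user

@dataclass
class Server:
    name: str
    kind: str                          # "SSO" or "LDAP"
    hierarchy: Tuple[str, ...]         # node where the server is configured
    scope: str = "down"                # "down" = current hierarchy and below, "local" = current only
    sync_type: Optional[str] = None    # None/"all" = all users, "ldap" = LDAP (synced) users only
    auth_enabled: bool = True          # LDAP servers only

def in_scope(server: Server, user: User) -> bool:
    """Authentication scope check: Local needs the same node, Down accepts descendants."""
    if server.scope == "local":
        return user.hierarchy == server.hierarchy
    return user.hierarchy[:len(server.hierarchy)] == server.hierarchy

def resolve(user: User, servers: List[Server]) -> Tuple[str, List[str]]:
    """Return (method, candidate server names); method is "SSO", "LDAP" or "LOCAL"."""
    sso = [s for s in servers if s.kind == "SSO" and in_scope(s, user)]
    ldap = [s for s in servers if s.kind == "LDAP" and s.auth_enabled and in_scope(s, user)]
    # 1. An SSO server in scope with ALL/empty user type wins: use the SSO login URL.
    hit = [s.name for s in sso if s.sync_type in (None, "all")]
    if hit:
        return "SSO", hit[:1]
    if user.sync_source in ("LDAP", "UCM LDAP"):
        # 2. A synced user may still fall under an SSO server for LDAP users only.
        hit = [s.name for s in sso if s.sync_type == "ldap"]
        if hit:
            return "SSO", hit[:1]
        # 3. Then an LDAP server for synced users; a rejection there is final.
        hit = [s.name for s in ldap if s.sync_type == "ldap"]
        if hit:
            return "LDAP", hit
    # 4. Otherwise every in-scope LDAP server for ALL/empty users is tried in turn.
    hit = [s.name for s in ldap if s.sync_type in (None, "all")]
    if hit:
        return "LDAP", hit
    # 5. No LDAP server in scope: authenticate against the local password.
    return "LOCAL", []
```

Running resolve() against the constructed server list for a given user shows why a login ends up at SSO, at a particular LDAP server, or at the local password, which is the question the matrix below answers case by case.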

Authentication Matrix#

Users can log in to VOSS Automate (Yes or No) based on their authentication method, the user sync type, and the server authentication scope:

User authentication method
    The Auth method, either Local, LDAP, SSO, or Automatic.

User sync type
    Who can authenticate, either all users or LDAP-synced users. See also: Add and Configure an LDAP Server.

Server authentication scope
    The hierarchy, either of the following:

      • Current hierarchy and below

      • Current hierarchy only

    See also: Add and Configure an LDAP Server and SSO Identity Provider.

Note

If an IdP server is in scope and authentication method is set to LDAP, authentication is attempted against LDAP on login.

If the authentication method is set to Automatic, IdP (SSO) authentication takes precedence.

IdP (SSO): User on IdP server, and SSO login URL used#

The table is a matrix indicating Yes (Y) or No (N) for whether users can log in to VOSS Automate based on the user authentication method, their sync type, and the server authentication scope, for users on an IdP (SSO) server who use the SSO login URL:

Column headings give the server authentication scope (hierarchy), then the user sync type (who can authenticate).

| User auth method | Current hierarchy and below: All users | Current hierarchy and below: Synced users | Current hierarchy only: All users | Current hierarchy only: Synced users |
|---|---|---|---|---|
| Local | N | Y | Y (if user not at server node) | Y |
| LDAP | N | Y | Y (if user at server node) | Y (if user at server node) |
| SSO | Y | Y (if LDAP synced user) | Y | Y (if user LDAP synced at server node) |
| Automatic | Y | Y (if LDAP synced user) | Y (if user at server node) | Y (if user LDAP synced at server node) |

No IdP (SSO): LDAP configured and enabled for authentication#

The table is a matrix indicating Yes (Y) or No (N) for whether users can log in to VOSS Automate based on the user authentication method, their sync type, and the server authentication scope, for users not on an IdP (SSO) server, where LDAP is configured and enabled for authentication:

Column headings give the server authentication scope (hierarchy), then the user sync type (who can authenticate).

| User auth method | Current hierarchy and below: All users | Current hierarchy and below: Synced users | Current hierarchy only: All users | Current hierarchy only: Synced users |
|---|---|---|---|---|
| Local | N | Y | Y (if user not at server node) | Y |
| LDAP | Y | Y | Y (if user at server node) | Y (if user at server node) |
| SSO | N | N | N | N |
| Automatic | Y (if synced user) | Y (if synced user) | Y (if user synced at server node) | Y (if user synced at server node) |