.. _user-login-auth-method-srv-auth-scope:

User login options by auth method and server auth scope 
-------------------------------------------------------------

.. _20.1.1|VOSS-551:


Overview 
............

This topic provides two views of user login authentication:

* A flowchart (:ref:`login-auth-process-flow`) that outlines Automate's authentication checks 
  when the authentication method is set to *Automatic*.
* Two matrices showing successful user login based on specific server and user configurations, and 
  whether the user uses an SSO login URL:  

  * :ref:`idp-sso-login-url-used`
  * :ref:`no-idp-ldap-configured`


.. _login-auth-process-flow:

Login authentication process 
.............................

The flowchart below shows the authentication process in VOSS Automate when a user logs in and 
the authentication method on VOSS Automate is set to *Automatic*. 

Settings and conditions to check include:

* User login and settings (user and authentication)
* Servers (SSO, LDAP) set up and their settings (scope and authentication)
* System settings (global authentication method)

.. include:: authentication-flowchart.uml


Authentication matrix
......................

Users can log in to VOSS Automate (Yes or No) based on their authentication method, the user 
sync type, and the server authentication scope: 


===================================== ==================================================================
User authentication method            The *Auth* method, either *Local*, *LDAP*, *SSO*, or 
                                      *Automatic*. See also:

                                      * :ref:`user-authentication`
                                      * :ref:`user-settings`

User sync type                        Who can authenticate, either *all users* or *LDAP-synced*. See also 
                                      LDAP Server in the documentation. 

Server authentication scope           The hierarchy, either of the following: 

                                      * Current hierarchy and below
                                      * Current hierarchy only

                                      See also: LDAP Server and 
                                      :ref:`configure-sso-idp`  
===================================== ==================================================================


.. note::

   If an IdP server is in scope and the authentication method is set to *LDAP*, authentication is 
   attempted against LDAP on login.

   If the authentication method is set to *Automatic*, *IdP (SSO)* authentication takes precedence.


.. rubric:: Related topics

* 
  .. raw:: latex

     LDAP Server in the Core Feature Guide

  .. raw:: html
  
     <a href="add-ldap-server.html">LDAP Server</a>


.. _idp-sso-login-url-used:

IdP (SSO): User on IdP server, and SSO login URL used
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''

The table is a matrix indicating Yes (Y) or No (N) for whether users can log in to 
VOSS Automate based on the user authentication method, their sync type, and the server authentication scope, for 
users on an IdP (SSO) server, using an SSO login URL: 

.. .. .. tabularcolumns:: |p{3cm}|p{3cm}|p{3cm}|p{3cm}|p{3cm}|

.. tabularcolumns:: |\Yc{0.2}|\Yc{0.2}|\Yc{0.2}|\Yc{0.2}|\Yc{0.2}|



+-------------+---------------------------+----------------------------+-----------------------+---------------------------+
|             | Server authentication scope (hierarchy):                                                                   |
|             |                                                                                                            |
+             +---------------------------+----------------------------+-----------------------+---------------------------+
|             |                    Current hierarchy and below         |                    Current hierarchy only         |
|             |                                                        |                                                   |
+             +---------------------------+----------------------------+-----------------------+---------------------------+
| User        |                                                                                                            |
| auth        |   User sync type - who can authenticate:                                                                   |
+ method      +---------------------------+----------------------------+-----------------------+---------------------------+
|             |                           |                            |                       |                           |
|             |     All users             |        Synced users        |       All users       |         Synced users      |
+=============+===========================+============================+=======================+===========================+
|             |                           |                            | Y (If user            |                           |
| Local       | N                         | Y                          | not at                | Y                         |
|             |                           |                            | server                |                           |
|             |                           |                            | node)                 |                           |
+-------------+---------------------------+----------------------------+-----------------------+---------------------------+
|             |                           |                            | Y (If user            | Y (If user                |
| LDAP        | N                         | Y                          | at server             | at server                 |
|             |                           |                            | node)                 | node)                     |
+-------------+---------------------------+----------------------------+-----------------------+---------------------------+
|             |                           |                            | Y                     | Y (If user                |
| SSO         | Y                         | Y (If LDAP                 |                       | LDAP synced               |
|             |                           | synced user)               |                       | at server                 |
|             |                           |                            |                       | node)                     |
+-------------+---------------------------+----------------------------+-----------------------+---------------------------+
|             |                           |                            | Y (If user            | Y (If user                |
| Automatic   | Y                         | Y (If LDAP                 | at server             | LDAP synced               |
|             |                           | synced user)               | node)                 | at server                 |
|             |                           |                            |                       | node)                     |
+-------------+---------------------------+----------------------------+-----------------------+---------------------------+



.. _no-idp-ldap-configured:

No IdP (SSO): LDAP configured and enabled for authentication
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

The table is a matrix indicating Yes (Y) or No (N) for whether users can log in to 
VOSS Automate based on the user authentication method, their sync type, and the server authentication scope, for 
users not on an IdP (SSO) server, where LDAP is configured and enabled for authentication:  

.. .. .. tabularcolumns:: |p{3cm}|p{3cm}|p{3cm}|p{3cm}|p{3cm}|

.. tabularcolumns:: |\Yc{0.2}|\Yc{0.2}|\Yc{0.2}|\Yc{0.2}|\Yc{0.2}|



+-------------+---------------------------+----------------------------+-----------------------+---------------------------+
|             | Server authentication scope (hierarchy):                                                                   |
|             |                                                                                                            |
+             +---------------------------+----------------------------+-----------------------+---------------------------+
|             |                    Current hierarchy and below         |                    Current hierarchy only         |
|             |                                                        |                                                   |
+             +---------------------------+----------------------------+-----------------------+---------------------------+
| User        |                                                                                                            |
| auth        |   User sync type - who can authenticate:                                                                   |
+ method      +---------------------------+----------------------------+-----------------------+---------------------------+
|             |                           |                            |                       |                           |
|             |     All users             |        Synced users        |       All users       |         Synced users      |
+=============+===========================+============================+=======================+===========================+
|             |                           |                            | Y (If user            |                           |
| Local       | N                         | Y                          | not at                | Y                         |
|             |                           |                            | server                |                           |
|             |                           |                            | node)                 |                           |
+-------------+---------------------------+----------------------------+-----------------------+---------------------------+
|             |                           |                            | Y (If user            | Y (If user                |
| LDAP        | Y                         | Y                          | at server             | at server                 |
|             |                           |                            | node)                 | node)                     |
+-------------+---------------------------+----------------------------+-----------------------+---------------------------+
| SSO         | N                         | N                          | N                     | N                         |
+-------------+---------------------------+----------------------------+-----------------------+---------------------------+
|             |                           |                            | Y (If user            | Y (If user                |
| Automatic   | Y (if synced user)        | Y (if synced               | synced at             | synced at                 |
|             |                           | user)                      | server                | server                    |
|             |                           |                            | node)                 | node)                     |
+-------------+---------------------------+----------------------------+-----------------------+---------------------------+




