Adding Authentication

On the Authentication page, you can configure authentication requirements in the system.

Authentication

By default, the system uses built-in authentication. To add a new authentication method, click + Add and select its type:

  • OpenID
  • SAML
  • Standard Windows
  • Kerberos

The system also supports seamless login. If authorization via Active Directory is configured and built-in authentication is disabled, users are automatically authenticated even if their session was interrupted.

Users from Active Directory whose accounts are synchronized into the system can authenticate using their Active Directory credentials.

Built-in Authentication

The interface displays the following options:

  • Complex password (on/off)
  • Password validity (days)
  • Number of login attempts

When complex password is enabled, you must also specify the minimum password length (from 8 to 15 characters).

Built-in authentication settings

Note
  • If the Built-in authentication type has been deleted from the table, it can be recreated.
  • Only one Built-in authentication type can exist in the system.

OpenID Authentication

Adding OpenID authentication allows users to log in to the system using the OpenID protocol with Keycloak.

OpenID is a protocol for decentralized user identification on the internet that allows users to use a single account to log in to multiple websites, simplifying authentication and improving user convenience. More information is available on the official OpenID website.

Keycloak is an identity and access management system that supports various protocols, including OpenID, enabling centralized user account management and secure authentication. You can learn more about Keycloak on the official website.

When this type is selected, the following fields appear in the interface:

  • Name
  • Issuer URL (the address that uniquely identifies the OpenID provider server)
  • Client Authenticator (client authentication type)
  • SSL
  • Client ID (client identifier)
  • Client secret (client key)
  • Match by field in the system (select the attribute used to synchronize users logging in via OpenID)

OpenID authentication

Login is performed via the Sign in via OpenID button.

Detailed instructions for configuring OpenID authentication are provided on the page Configuring Authentication Using OpenID Connect and Keycloak.

SAML Authentication

Adding SAML authentication allows users to log in to the system using their Active Directory credentials via the SAML protocol. When selected, the following options appear in the interface:

  • Export metadata (download an XML file — service provider metadata)
  • Import metadata (upload an XML file — identity provider metadata)
  • Match by field in the system (select the attribute used to synchronize users logging in via SAML)

SAML authentication

Important

The attribute for matching must be in the same format as the nameId parameter of your IdP.
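An added example (not part of the product or its documentation) of checking this rule before importing metadata: it reads the NameIDFormat values from the IdP metadata and tests whether a sample value of the matching field has the shape that format implies. The sample metadata, the function names and the per-format shape rules are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
FMT = "urn:oasis:names:tc:SAML:{}:nameid-format:{}"

# Value shape implied by each NameID format that has a recognisable syntax.
SHAPES = {
    FMT.format("1.1", "emailAddress"): re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),
    FMT.format("1.1", "WindowsDomainQualifiedName"): re.compile(r"[^\\\s]+\\[^\\\s]+"),
}
# Transient NameIDs are regenerated per session, so no stored field can match them.
TRANSIENT = FMT.format("2.0", "transient")

# Constructed IdP metadata, trimmed to the elements this check reads.
SAMPLE_IDP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_nameid_formats(metadata_xml):
    """Return the NameIDFormat URIs the IdP advertises, in document order."""
    root = ET.fromstring(metadata_xml)
    path = ".//md:IDPSSODescriptor/md:NameIDFormat"
    return [el.text.strip() for el in root.findall(path, NS) if el.text]


def check_match_field(metadata_xml, sample_value):
    """Classify a sample value of the matching field against each format."""
    report = {}
    for fmt in idp_nameid_formats(metadata_xml):
        if fmt == TRANSIENT:
            report[fmt] = "unusable"        # changes on every login
        elif fmt in SHAPES:
            ok = SHAPES[fmt].fullmatch(sample_value)
            report[fmt] = "ok" if ok else "mismatch"
        else:
            report[fmt] = "unverifiable"    # unspecified/persistent: no fixed syntax
    return report
```

For metadata obtained from an untrusted location, parse it with defusedxml instead of the standard library parser.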

Standard Windows Authentication

Adding Standard Windows Authentication allows users to log in to the system using their Active Directory credentials. When adding this authentication type, specify its name and select the matching attribute (the attribute used to synchronize users logging in via standard authentication).

Note
  • Standard authentication is not displayed if the server runs Linux.
  • If an authentication of type Standard is already added, subsequent authentications can only be of type Kerberos.

Kerberos Authentication

Adding Kerberos authentication allows users to log in to the system using their Active Directory credentials via the Kerberos protocol. When this authentication type is added, the following fields appear in the interface:

  • Name
  • Key (.keytab)
  • Domain name or KDC address
  • Match by field in the system (select the attribute used to synchronize users logging in via Kerberos authentication)

When enabling Kerberos authentication, upload a previously created keytab file, specify the domain name or key distribution center address, and select the attribute used to synchronize users logging in. When Kerberos authentication is disabled, the previously uploaded keytab file is deleted.

Kerberos

Signing in is performed via the Login using Active Directory button.

Login using Active Directory

Attribute Matching

Attribute matching logic:

  • Login is selected by default
  • You can select email or any custom field. The field must have a string data type
  • The selected field is matched with the UserPrincipalName attribute in AD. If they match, the employee is allowed to log in to the system
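Because the selected field becomes the key that links an AD identity to a local account, it is worth auditing before it is chosen. The following is an added example, not the product's code: the user records, the UPN list, the function name and the case-insensitive comparison are all assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample data: local user records and UPNs exported from AD.
USERS = [
    {"login": "a.ivanov@corp.example.test", "email": "a.ivanov@corp.example.test"},
    {"login": "B.Petrov@corp.example.test", "email": "shared@corp.example.test"},
    {"login": "c.sidorov", "email": "shared@corp.example.test"},
    {"login": "", "email": None},
]
AD_UPNS = [
    "a.ivanov@corp.example.test",
    "b.petrov@corp.example.test",
    "c.sidorov@corp.example.test",
    "shared@corp.example.test",
]


def audit_match_field(users, field, ad_upns):
    """Return sorted (user_index, finding) pairs for a candidate matching field.

    Findings: not-a-string (the field must hold string data), empty,
    no-upn-in-ad (the user could never log in), duplicate (two local
    accounts would map to the same AD identity).
    """
    upns = {u.casefold() for u in ad_upns}   # assumption: case-insensitive match
    seen = defaultdict(list)
    findings = []
    for i, user in enumerate(users):
        value = user.get(field)
        if not isinstance(value, str):
            findings.append((i, "not-a-string"))
            continue
        key = value.strip().casefold()
        if not key:
            findings.append((i, "empty"))
            continue
        seen[key].append(i)
        if key not in upns:
            findings.append((i, "no-upn-in-ad"))
    for indexes in seen.values():
        if len(indexes) > 1:
            findings.extend((i, "duplicate") for i in indexes)
    return sorted(findings)
```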

Authentication Deletion Considerations

To delete an authentication method, click the context menu icon next to it and select Delete.

Deleting authentication

Confirm deletion in the modal window that appears.

Deletion confirmation

Note
  • The last/only authentication method cannot be deleted.
  • If an authentication method is assigned to employees, it can be deleted, but users will be logged out of the system.
