Each time a user logs into the system, the user is authenticated. Authentication means that the system establishes who the user is; the permissions the user then receives come from the configuration of that user's account and roles. The system supports multiple methods of user authentication. Each method follows one of two authentication principles:
- Form-based: the user enters a username and password in a form presented by the system each time they access it, and the system (or a directory it queries) verifies the password.
- Federated: the user's credentials are held by a third-party identity provider (IdP), not by the system. The IdP authenticates the user and issues a token that the system validates. This is what provides single sign-on (SSO) for the system.
Authentication Type | Authentication Principle | Description |
---|---|---|
Database Credentials | Form-based | Database Credentials authenticates the user with a username and password maintained in the system database. The database stores password hashes rather than plaintext passwords. When this method is used, the password and account-lockout policies are also enforced by the system. For more information, see Password and user lockout policy. |
Windows Active Directory (LDAP) | Form-based | Windows Active Directory (LDAP) uses a simple bind: the system submits the user's name and password to the directory, and the directory proves the user's identity by accepting the bind. A simple bind sends the password to the directory server in cleartext, so when a more secure method is required, Secure LDAP (SLDAP, LDAP over TLS) can be used to encrypt the bind. To configure this authentication mode, see Identity provider - Active Directory. |
Windows Active Directory Federation Service (ADFS) | Federated | Windows Active Directory Federation Service (ADFS) authentication is an OpenID Connect (OIDC) based method. With OIDC the user's credentials are held by a third-party identity provider (ADFS) and not by the system. The system verifies the user's identity from a signed JSON-based identity token (ID token) that OIDC delivers on top of the OAuth 2.0 protocol. To configure this authentication mode, see Identity provider - Active Directory Federation Services. |
Azure Active Directory (AAD) | Federated | Azure Active Directory (AAD) authentication is an OpenID Connect (OIDC) based method. With OIDC the user's credentials are held by a third-party identity provider (Azure Active Directory) and not by the system. The system verifies the user's identity from a signed JSON-based identity token (ID token) that OIDC delivers on top of the OAuth 2.0 protocol. To configure this authentication mode, see Identity provider - Azure Active Directory. |
Integrated Windows Authentication (IWA) | Federated | Integrated Windows Authentication (IWA) allows users who have already signed in to Windows to log in to the system automatically. The password is verified during the Windows sign-in, after which a Kerberos ticket is issued. When the user accesses the system, the Kerberos ticket presented for it is validated. To configure this authentication mode, see Identity provider - Integrated Windows Authentication. |
JSON Web Token (JWT) | Federated | The system can be integrated with customer applications through JSON Web Token (JWT) based authentication to provide a seamless single sign-on experience. Authentication and password verification take place when the user signs in to the client application, which then issues a JWT. The system verifies the user's identity from the claims presented in the JWT. To configure this authentication mode, see Identity provider - JSON Web Token. |
Reverse Proxy | Federated | Reverse proxy based authentication allows users who have authenticated with an authentication server through the proxy to log in to the system automatically. The system verifies the user's identity from the information the proxy adds to the forwarded request, so the system must accept that information only from the proxy and must not be reachable by clients directly, because a request that bypasses the proxy could carry a forged identity. To configure this authentication mode, see Identity provider - Reverse proxy. |
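The OIDC rows (ADFS, Azure AD) and the JWT row above all come down to the same thing: the system receives a signed JSON token and must verify it before trusting a single claim in it. The following Python is an added example written for this page, not code from the product. It assumes an HS256 token signed with a shared secret (production OIDC ID tokens are normally RS256-signed and checked against the IdP's published keys, which this example does not cover); the secret, issuer, audience and sample tokens are constructed placeholders.

```python
"""Validate a JWT identity token before trusting any of its claims.

Added example, not the product's code. Assumed (not stated on the page):
HS256 with a shared secret; placeholder issuer, audience and secret;
sample tokens are constructed below.
"""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical relying-party configuration.
SHARED_SECRET = b"example-shared-secret-rotate-me"
EXPECTED_ISSUER = "https://idp.example.com"
EXPECTED_AUDIENCE = "media-repository"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT strips base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Mint an HS256 token. Used here only to build test input."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: bytes = SHARED_SECRET, now=None, leeway: int = 60) -> dict:
    """Return the claims only if every check passes; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; never let the token pick it (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg: %r" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    # Claims are only worth reading once the signature has been verified.
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this system")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("token expired or missing exp")
    if now + leeway < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims


def demo(now: int = 1_700_000_100) -> dict:
    """Run verify_token over one valid token and five forged or stale ones.

    Returns a mapping scenario -> outcome so the results can be checked."""
    good = {"iss": EXPECTED_ISSUER, "sub": "alice", "aud": EXPECTED_AUDIENCE,
            "iat": now - 100, "exp": now + 200}

    def outcome(tok, **kw):
        try:
            return "accepted as " + verify_token(tok, now=now, **kw)["sub"]
        except ValueError as err:
            return str(err)

    results = {"valid": outcome(create_token(good))}
    header_b64, _, sig_b64 = create_token(good).split(".")
    # Payload replaced with an admin claim while the original signature is kept.
    forged_payload = _b64url_encode(json.dumps(dict(good, sub="admin")).encode())
    results["tampered"] = outcome(header_b64 + "." + forged_payload + "." + sig_b64)
    # alg=none with an empty signature segment.
    none_header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    results["alg_none"] = outcome(none_header + "." + forged_payload + ".")
    # Correctly signed, but minted for another relying party.
    results["wrong_aud"] = outcome(create_token(dict(good, aud="other-app")))
    # Correctly signed, but expired beyond the clock-skew leeway.
    results["expired"] = outcome(create_token(dict(good, exp=now - 600)))
    # Signed with a key this system does not trust.
    results["wrong_key"] = outcome(create_token(good, secret=b"not-our-secret"))
    return results


if __name__ == "__main__":
    for scenario, result in demo().items():
        print("%-10s %s" % (scenario, result))
```

The order of the checks is the point: the algorithm is pinned by configuration rather than read from the token, the signature is verified before the payload is parsed, and issuer, audience and validity window are checked before the subject is handed to the application. Dropping any one of them turns the IdP's token into something an attacker can mint or replay.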
The authentication process is implemented in the Web Application component installed on the Media Repository / Application Server role.
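For the Reverse Proxy mode in the table above, the web application's only evidence of identity is whatever the proxy put into the forwarded request, so the question is which requests it may believe. The following Python is an added example written for this page, not the product's code, contrasting a naive resolver with one that trusts the identity header only when the request actually came from the proxy. The proxy address, header name and request records are constructed placeholders.

```python
"""Resolve the caller's identity for reverse-proxy based authentication.

Added example, not the product's code. The proxy address, header name and
request records are constructed for this illustration.
"""
import ipaddress
from typing import Optional

# Hypothetical: address of the authenticating proxy and the header it sets.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
IDENTITY_HEADER = "x-authenticated-user"


def naive_resolve(remote_addr: str, headers: dict) -> Optional[str]:
    """Weak: trusts the identity header no matter who sent the request."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(IDENTITY_HEADER) or None


def resolve_identity(remote_addr: str, headers: dict) -> Optional[str]:
    """Hardened: the identity header counts only when the peer is the proxy."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return None
    if peer not in TRUSTED_PROXIES:
        # Anyone who can reach the application directly can write any header.
        return None
    lowered = {k.lower(): v for k, v in headers.items()}
    user = lowered.get(IDENTITY_HEADER, "").strip()
    return user or None


# Constructed requests: (description, source address, headers).
SAMPLE_REQUESTS = [
    ("via proxy, authenticated", "10.0.0.5", {"X-Authenticated-User": "alice"}),
    ("via proxy, no identity", "10.0.0.5", {}),
    ("direct, spoofed header", "203.0.113.9", {"X-Authenticated-User": "admin"}),
]


def compare() -> dict:
    """Return {description: (naive result, hardened result)} for the samples."""
    return {desc: (naive_resolve(addr, hdrs), resolve_identity(addr, hdrs))
            for desc, addr, hdrs in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for desc, (weak, strong) in compare().items():
        print("%-26s naive=%-6s hardened=%s" % (desc, weak, strong))
```

The peer-address check is a defence in depth, not a substitute for the network rule the table states: the application should not be reachable except through the proxy, and the proxy itself should overwrite (never merely pass through) the identity header so that a client cannot pre-set it.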
The system allows multiple identity providers to be configured in a single system (or in a single tenant of a multi-tenant deployment). For a user to be able to log in, at least one identity provider must be enabled for that user. Identity providers are assigned to users through their roles and permissions.
By default, the Database Credentials and Integrated Windows Authentication options are enabled for all roles. System administrators can add identity providers and change the defaults by updating the role configuration.
Login process
Depending on which IdPs are configured for a user, the login screen and login process can differ from user to user.
When multiple IdPs are enabled, the system uses a two-step login. In the first step, the system identifies the user from the identifier they supply. In the second step, the system offers the authentication options configured for that user. If only one IdP is enabled, the first step is skipped.
The following image shows the two-step login when both the Azure AD and Database Credentials IdPs are enabled.
Configuring identity providers
See the following article to configure identity providers and assign them to users: Identity providers.