Authentication
Introduction to authentication in ConSol CM
ConSol CM provides three authentication methods to confirm the identity of its users. You can use the ConSol CM database, an LDAP server or a Kerberos service for authentication. Authorization is done via roles.
Concepts, terms and definitions
Concept | Other terms | Definition
---|---|---
authentication | | Process to confirm the identity of the users
authorization | | Process to determine the access permissions of the authenticated users; done via roles
database authentication | | Authentication using the ConSol CM database
LDAP authentication | | Authentication using an LDAP server
Kerberos authentication | | Authentication using Kerberos
Available authentication methods
Database authentication
Availability:
- Web Client
- CM/Track
The user name and password are saved in the ConSol CM database.
If database authentication is used, you can set a password policy (see Resetting the password in the Web Client) and configure the password reset functionality (see Configuring templates for resetting the password).
LDAP authentication
Availability:
- Web Client
- CM/Track
The user name is saved in the ConSol CM database. The password is saved on the LDAP server. Thus, the users or contacts cannot change it in ConSol CM.
See Configuring LDAP authentication.
Kerberos authentication
Availability:
- Web Client
The user name is saved in the ConSol CM database. The password is saved in Windows Active Directory. Thus, the users cannot change it in ConSol CM. The credentials are retrieved from a valid Windows session.
See Single Sign-On with ConSol CM Using Kerberos (in a Windows Domain).
Basic tasks
Determining the authentication method
The authentication method is determined using system properties.
Determining the authentication method for the Web Client
Relevant system properties:
- LDAP and database authentication: cmas-core-security, authentication.method
- Kerberos authentication: cmas-core-security, kerberos.v5.enabled
Depending on the configured authentication method, you need to fill different fields on the Users screen:
- Database authentication: Field Password
- LDAP authentication: Field LDAP ID
- Kerberos authentication: Field Kerberos Principal Name
Determining the authentication method for CM/Track
The authentication method for CM/Track is determined using the system property cmas-core-security, contact.authentication.method.
The possible values for this property are:
- DATABASE
  If a user name and a password are saved in the contact data, a login attempt using the database is made.
- LDAP
  If an LDAP ID is saved in the contact data, a login attempt using the available LDAP servers is made.
- LDAP,DATABASE
  If an LDAP ID is saved in the contact data, the first login attempt is made using the available LDAP servers. If the login fails, an attempt to log in using the database is made, provided that a user name and password are saved in the contact data.
- DATABASE,LDAP
  If a user name and a password are saved in the contact data, the first login attempt is made using the database. If the login fails, an attempt to log in using the available LDAP servers is made, provided that an LDAP ID is saved in the contact data.
Depending on the configured authentication method, you need to create fields for the credentials in the contact data (see Customer Field Management and GUI Design for Customer Data):
- Database authentication: User name (field with the annotation username) and password (field with the annotation password). See Database Authentication for Customers.
- LDAP authentication: LDAP ID (field with the annotations username and ldapid). See Configuring LDAP authentication.
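The order-of-attempt rules for contact.authentication.method above are easy to get wrong when a contact record carries only one kind of credential. The following Python example (added here for illustration; it is not ConSol CM code) models the four documented values with two stand-in backends: a constructed in-memory LDAP directory and a contact record whose field names mirror the username, password and ldapid annotations. The backend functions, the Contact class and the sample data are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class Contact:
    """Constructed contact record; field names mirror the annotations
    the page describes for the contact data (username, password, ldapid)."""
    username: Optional[str] = None
    password_hash: Optional[str] = None  # stored instead of the clear-text password
    ldapid: Optional[str] = None


def _hash(password: str) -> str:
    # Illustrative digest only; a real credential store uses a salted password hash.
    return hashlib.sha256(password.encode()).hexdigest()


def database_login(contact: Contact, password: str) -> bool:
    """Assumed database backend: compares against the stored hash."""
    return contact.password_hash == _hash(password)


def ldap_login(contact: Contact, password: str, ldap_directory: dict) -> bool:
    """Assumed LDAP backend: ldap_directory is a constructed {ldapid: password}
    map standing in for a bind against the real server."""
    return ldap_directory.get(contact.ldapid) == password


def authenticate(contact: Contact, password: str, method: str, ldap_directory: dict):
    """Apply contact.authentication.method in the documented order.

    A backend is only attempted when the contact data carries the credential
    it needs (user name and password for DATABASE, LDAP ID for LDAP), and the
    next backend in the list is tried only after the previous one failed.
    Returns the name of the backend that accepted the login, or None."""
    for backend in (m.strip().upper() for m in method.split(",")):
        if backend == "DATABASE":
            if contact.username is None or contact.password_hash is None:
                continue  # no database credentials in the contact data: skip
            if database_login(contact, password):
                return "DATABASE"
        elif backend == "LDAP":
            if contact.ldapid is None:
                continue  # no LDAP ID in the contact data: skip
            if ldap_login(contact, password, ldap_directory):
                return "LDAP"
        else:
            raise ValueError(f"unsupported authentication method: {backend}")
    return None


# Constructed sample data: one LDAP account and two contacts.
LDAP_DIRECTORY = {"jdoe": "ldap-secret"}
FULL_CONTACT = Contact(username="jdoe", password_hash=_hash("db-secret"), ldapid="jdoe")
DB_ONLY_CONTACT = Contact(username="asmith", password_hash=_hash("db-secret"))

if __name__ == "__main__":
    for method in ("DATABASE", "LDAP", "LDAP,DATABASE", "DATABASE,LDAP"):
        print(method, "->", authenticate(FULL_CONTACT, "db-secret", method, LDAP_DIRECTORY))
```

Running the block shows that with LDAP,DATABASE the database password is only accepted after the LDAP bind has failed, and that a contact without an LDAP ID never reaches the LDAP backend at all, whichever value is configured.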
Advanced tasks
Advanced tasks only exist for database authentication. If LDAP or Kerberos authentication is used, the advanced settings need to be configured in LDAP or Kerberos.
Setting a password policy
Setting a password policy is optional. A password policy can only be configured if database authentication is used.
The following settings can be used for the password policy:
- cmas-core-security, policy.password.pattern (String)
  RegEx pattern for the password, default value: ^.{3,}$ (at least 3 characters)
  Example: ^(?=.*[A-Z])(?=.*[0-9])(?=.*[a-z]).{5,}$ (at least 5 characters, at least one upper case letter, one lower case letter and one number)
- cmas-core-security, policy.password.age (Integer)
  Maximum validity period, in number of days, example 183 (6 months), default value: 5500 (= 15 years, i.e., no password change enforced).
- cmas-core-security, policy.rotation.ratio (Integer)
  Number of previous passwords which the new password may not be identical to, example and default value: 1.
- cmas-core-security, policy.username.case.sensitive (Boolean)
  Defines whether the password is case-sensitive. Example and default value: true.
  Note that this setting is affected by the MySQL collation setting and needs the correct collation to work properly with MySQL.
For LDAP and Kerberos, the password policy needs to be configured in LDAP / Kerberos.
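To see how the three database-authentication policy settings above interact on a password change, here is an added Python example (not ConSol CM code) that evaluates a candidate password against the page's example pattern, the documented default pattern, a rotation ratio applied to a constructed password history, and the password age in days. The POLICY dictionary, the helper names and the interpretation of policy.password.age as "older than the period must be changed" are assumptions of the example.

```python
import hashlib
import re
from datetime import date

# Constructed policy values; the keys are the cmas-core-security property names
# from the page and the pattern is the page's example pattern.
POLICY = {
    "policy.password.pattern": r"^(?=.*[A-Z])(?=.*[0-9])(?=.*[a-z]).{5,}$",
    "policy.password.age": 183,      # days
    "policy.rotation.ratio": 1,      # previous passwords that may not be reused
}
DEFAULT_PATTERN = r"^.{3,}$"          # documented default: at least 3 characters


def _hash(password: str) -> str:
    # Illustrative digest for the history list; a real store keeps salted hashes.
    return hashlib.sha256(password.encode()).hexdigest()


def matches_pattern(password: str, pattern: str) -> bool:
    """The pattern carries its own ^...$ anchors, so search() is sufficient."""
    return re.search(pattern, password) is not None


def password_expired(last_change: date, today: date, max_age_days: int) -> bool:
    """Assumed reading of policy.password.age: a password older than the
    period (in whole days) must be changed."""
    return (today - last_change).days > max_age_days


def violates_rotation(new_password: str, history: list, rotation_ratio: int) -> bool:
    """history holds hashes of previous passwords, newest first; the newest
    rotation_ratio entries may not be reused."""
    return _hash(new_password) in history[:rotation_ratio]


def check_new_password(new_password: str, history: list, policy: dict = POLICY) -> list:
    """Return the list of policy violations; an empty list means the change is allowed."""
    problems = []
    if not matches_pattern(new_password, policy["policy.password.pattern"]):
        problems.append("pattern")
    if violates_rotation(new_password, history, policy["policy.rotation.ratio"]):
        problems.append("rotation")
    return problems


if __name__ == "__main__":
    history = [_hash("Abcd1"), _hash("Xyz99a")]  # constructed: newest first
    for candidate in ("Abcd1", "Xyz99a", "abc"):
        print(candidate, "->", check_new_password(candidate, history) or "ok")
    print("expired:", password_expired(date(2024, 1, 1), date(2024, 7, 3), POLICY["policy.password.age"]))
```

With the default rotation ratio of 1 only the most recent password is blocked, so "Xyz99a" (two changes back) passes the rotation check; raising the ratio to 2 blocks it as well.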
Configuring templates for resetting the password
If database authentication is used, the users can reset the passwords by themselves, provided that they have a valid email address. The password reset functionality is available for both users in the Web Client and contacts in CM/Track.
The From address of the email which is sent to the user is defined in the system property cmas-core-security, password.reset.mail.from.
Resetting the password in the Web Client
The users’ email addresses must be provided in the user data (see Fields) for the users to be able to reset their passwords in the Web Client.
If a user has forgotten his password, he can request a new password using the Forgot your password? link on the login page of the Web Client. The user receives an email with a link to a URL where he can set a new password.
The email which is sent to the user is based on the password-reset-template template, which is saved in the Templates section of the Web Admin Suite, see Password reset.
The following example shows a template to reset the password:
Subject: Password reset procedure
<#setting number_format="0.######"/>
To reset your password please click the following link:
https://myserver:myport/cm-client/passwordChange?resetCode=${resetCode}
This link expires at ${expirationDate?string("yyyy.MM.dd HH:mm:ss")}.
Replace myserver and myport with the values of your system in the line https://myserver:myport/cm-client/passwordChange?resetCode=${resetCode}.
You can find a detailed description of templates in general in Technical templates.
Resetting the password in CM/Track
The contacts’ email addresses must be provided in the contact data (see Customer Field Management and GUI Design for Customer Data) for the contacts to be able to reset their passwords in the Web Client.
If a contact has forgotten his password, he can request a new password using the Forgot your password? link on the login page of CM/Track. The contact receives an email with a link to a URL where he can set a new password.
The email which is sent to the contact is based on the track-password-reset-template template, which needs to be created in the Templates section of the Web Admin Suite, see Password reset.
The following example shows a template to reset the password.
Subject: Your password reset link
Your password reset link:
<#setting number_format="0.######"/>
To reset your password, please click the following link:
https://myserver:myport/track/#/password-reset/resetCode-${resetCode}
This link expires at ${expirationDate?string("yyyy.MM.dd HH:mm:ss")}.
Replace myserver and myport with the values of your system in the line https://myserver:myport/track/#/password-reset/resetCode-${resetCode}.
You can find a detailed description of templates in general in Technical templates.
Please note that the variable expirationDate is a system variable which, by default, is set to a date 24 hours after the time of the password reset request. You can change this period using the system property cmas-core-security, resetCode.expirationPeriod (Integer, milliseconds). The system property is not present by default and has to be created if it is required.
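The two template variables, resetCode and expirationDate, are easier to reason about with a small model of the reset-code lifecycle behind them. The following Python example is added for illustration and is not ConSol CM code: it derives expirationDate from the request time plus resetCode.expirationPeriod in milliseconds (24 hours by default), formats it the way the template's ?string("yyyy.MM.dd HH:mm:ss") does, and keeps issued codes in a store that only holds a digest of each code, rejects expired codes and lets every code be redeemed once. The ResetCodeStore class, its method names and the sample login names are assumptions of the example.

```python
import hashlib
import secrets
from datetime import datetime, timedelta

DEFAULT_EXPIRATION_MS = 24 * 60 * 60 * 1000  # documented default: 24 hours


def expiration_date(requested_at: datetime, expiration_period_ms: int = DEFAULT_EXPIRATION_MS) -> datetime:
    """expirationDate as the template sees it: request time plus resetCode.expirationPeriod."""
    return requested_at + timedelta(milliseconds=expiration_period_ms)


def format_expiration(expires: datetime) -> str:
    """Same layout as ${expirationDate?string("yyyy.MM.dd HH:mm:ss")} in the template."""
    return expires.strftime("%Y.%m.%d %H:%M:%S")


class ResetCodeStore:
    """Assumed reset-code bookkeeping: codes are random, stored only as a
    digest, expire after the configured period and can be redeemed once."""

    def __init__(self, expiration_period_ms: int = DEFAULT_EXPIRATION_MS):
        self.expiration_period_ms = expiration_period_ms
        self._codes = {}  # digest of the code -> (login, expires)

    @staticmethod
    def _digest(code: str) -> str:
        # The clear-text code leaves the system only inside the mail; a leaked
        # store therefore does not yield usable reset links.
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, login: str, now: datetime):
        """Create a code for the given login; returns (code, expirationDate)."""
        code = secrets.token_urlsafe(32)  # unguessable value sent to the user
        expires = expiration_date(now, self.expiration_period_ms)
        self._codes[self._digest(code)] = (login, expires)
        return code, expires

    def redeem(self, code: str, now: datetime):
        """Return the login the code belongs to, or None if the code is
        unknown, already used or past its expirationDate."""
        entry = self._codes.pop(self._digest(code), None)  # pop: single use
        if entry is None:
            return None
        login, expires = entry
        if now > expires:
            return None
        return login

    def mail_body(self, login: str, now: datetime, base_url: str = "https://myserver:myport") -> str:
        """Fill the CM/Track template text from the page with a fresh code."""
        code, expires = self.issue(login, now)
        return (
            "To reset your password, please click the following link:\n"
            f"{base_url}/track/#/password-reset/resetCode-{code}\n"
            f"This link expires at {format_expiration(expires)}."
        )


if __name__ == "__main__":
    store = ResetCodeStore()
    requested = datetime(2024, 1, 1, 12, 0, 0)  # constructed request time
    print(store.mail_body("jdoe", requested))
```

Shortening resetCode.expirationPeriod (for example to 3600000 ms for one hour) narrows the window in which a leaked mail can still be used; the example's store takes the period in the same unit as the system property.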