Authentication

Introduction to authentication in ConSol CM

ConSol CM provides three authentication methods to confirm the identity of its users. You can use the ConSol CM database, an LDAP server or a SSO service for authentication. Authorization is done via roles.

Concepts, terms and definitions

Concept	Other terms	Definition
authentication		Process to confirm the identity of the users
authorization		Process to determine the access permissions of the authenticated users, is done via roles
database authentication		Authentication using the ConSol CM database
LDAP authentication		Authentication using an LDAP server
SSO authentication		Authentication using a single sign-on technology, e.g. Kerberos, Microsoft Active Directory Federation Services or Azure AD

Available authentication methods

Database authentication

Availability:

• Web Client
• CM/Track

The user name and password are saved in the ConSol CM database.

If database authentication is used, you can set a password policy (see Setting a password policy) and configure the password reset functionality (see Configuring templates for resetting the password).

LDAP authentication

Availability:

• Web Client
• CM/Track

The user name is saved in the ConSol CM database. The password is saved on the LDAP server. Thus, the users or contacts cannot change it in ConSol CM.

See Configuring LDAP authentication.

SSO authentication

Availability:

• Web Client (Kerberos, see Single Sign-On with ConSol CM Using Kerberos (in a Windows Domain))
• CM/Track (Microsoft Active Directory Federation Services or Azure AD, see Configuring SSO authentication)

The user name is saved in the ConSol CM database. The password is saved in the active directory. Thus, the users cannot change it in ConSol CM. The credentials are retrieved from a valid Windows session.

Basic tasks

Determining the authentication method

The authentication method is determined using system properties.

Determining the authentication method for the Web Client

Relevant system properties:

• LDAP and database authentication: cmas-core-security, engineer.authentication.method
• Kerberos authentication: cmas-core-security, kerberos.v5.enabled

Depending on the configured authentication method, you need to fill different fields on the Users page:

• Database authentication: Field Password
• LDAP authentication: Field LDAP ID
• Kerberos authentication: Field Kerberos Principal Name

Determining the authentication method for CM/Track

The authentication method for CM/Track is determined using the system property cmas-core-security, contact.authentication.method.

Depending on the configured authentication method, you need to create fields for the credentials in the contact data on the Contact fields page, see Defining the credentials for CM/Track:

• Database authentication: User name (field with the setting User name for CM/Track) and password (field with the setting Password for CM/Track).
• LDAP authentication: LDAP ID (field with the setting User name for CM/Track and LDAP ID for CM/Track).
• SSO authentication: User name (field with the setting User name for CM/Track).

If database authentication is used, you need define whether CM/Track user names should be case-sensitive in the system property cmas-core-security, policy.track.username.case.sensitive. Only set it to true if the database collation supports case-sensitive strings.

After creating the fields, they need to be filled out for each contact on the contact page of the Web Client.

Mixed authentication method

A mixed authentication method with both LDAP and database authentication is available for both the Web Client and CM/Track. This mode is configured by setting the engineer.authentication.method or contact.authentication.method properties to one of the following values:

• LDAP,DATABASE
  If an LDAP ID is saved in the user / contact data, the first login attempt is made using the available LDAP servers. If the login fails, an attempt to log in using the database is made, provided that a user name and password are saved in the user / contact data.

• DATABASE,LDAP
  If a user name and a password are saved in the user / contact data, the first login attempt is made using the database. If the login fails, an attempt to log in using the available LDAP servers is made, provided that an LDAP ID is saved in the user/ contact data.

Advanced tasks

Advanced task only exist for database authentication. If LDAP or SSO authentication is used, the advanced settings need to be configured in LDAP or the SSO technology.

Setting a password policy

Setting a password policy is optional. A password policy can only be configured if database authentication is used.

The following settings can be used for the password policy:

• cmas-core-security, policy.password.pattern (String)
  RegEx pattern for the password, default value: ^(?=.*[0-9])(?=.*[A-Z])(?=.*[a-z]).{7,}$ (at least 7 characters, at least one upper case letter, one lower case letter and one number)
  
• cmas-core-security, policy.password.age (Integer)
  Maximum validity period, in number of days, example 183 (6 months), default value: 5500 (= 15 years, i.e., no password change enforced).
  
• cmas-core-security, policy.rotation.ratio (Integer)
  Number which defines the number of previous passwords which may not be identical, example and default value: 5.
  
• cmas-core-security, policy.username.case.sensitive (Boolean)
  Defines whether the password is case-sensitive. Example and default value: true.
  Note that this setting is affected by the MySQL collation setting and needs the correct collation to work properly with MySQL.

For LDAP and Kerberos, the password policy needs to be configured in LDAP / Kerberos.

Configuring templates for resetting the password

If database authentication is used, the users can reset the passwords by themselves, provided that they have a valid email address. The password reset functionality is available for both users in the Web Client and contacts in CM/Track.

The From address of the email which is sent to the user is defined in the system property cmas-core-security, password.reset.mail.from.

Resetting the password in the Web Client

The users’ email addresses must be provided in the user data (see Fields) for the users to be able to reset their passwords in the Web Client.

If a user has forgotten his password, he can request a new password using the Forgot your password? link on the login page of the Web Client. The user receives an email with a link to a URL where he can set a new password.

The email which is sent to the user is based on the password-reset-template template, which is saved on the Templates page of the Web Admin Suite, see Password reset.

Code example 1: Template to reset the password for the Web Client

The following variable is configured using system properties:

• urlWebclient
  Value of the system property cmas-core-server, url.webclient.

Resetting the password in CM/Track

The contacts’ email addresses must be provided in the contact data (see Contact models) for the contacts to be able to reset their passwords in the Web Client. In addition, they need write permissions to their own customer group.

If a contact has forgotten his password, he can request a new password using the Forgot your password? link on the login page of CM/Track. The contact receives an email with a link to a URL where he can set a new password.

The email which is sent to the contact is based on the track-password-reset-template template, which needs to be created on the Templates page of the Web Admin Suite, see Password reset.

Figure 3: Template to reset the password for CM/Track

The following variables are configured using system properties:

• expirationDate
  By default, the link expires 24 after the password reset request was made. To change this value, create the system property cmas-core-security, resetCode.expirationPeriod with the desired expiration date.
• urlTrack
  Value of the system property cmas-core-server, url.track.