Authentication
Introduction to authentication in ConSol CM
ConSol CM provides three authentication methods to confirm the identity of its users. You can use the ConSol CM database, an LDAP server or an SSO service for authentication. Authorization is done via roles.
Concepts, terms and definitions
Concept | Other terms | Definition
---|---|---
authentication | | Process to confirm the identity of the users
authorization | | Process to determine the access permissions of the authenticated users; it is done via roles
database authentication | | Authentication using the ConSol CM database
LDAP authentication | | Authentication using an LDAP server
SSO authentication | | Authentication using a single sign-on technology, e.g. Microsoft Active Directory Federation Services or Azure AD
Available authentication methods
Database authentication
Availability:
- Web Client
- CM/Track
The user name and password are saved in the ConSol CM database.
If database authentication is used, you can set a password policy.
LDAP authentication
Availability:
- Web Client
- CM/Track
The user name is saved in the ConSol CM database. The password is saved on the LDAP server. Thus, the users or contacts cannot change it in ConSol CM.
See Configuring LDAP authentication.
SSO authentication
Availability:
- Web Client
- CM/Track
The user name is saved in the ConSol CM database. The password is saved in Active Directory. Thus, the users cannot change it in ConSol CM. The credentials are retrieved from a valid Windows session.
See Configuring SSO authentication.
Basic tasks
Determining the authentication method
The authentication method is determined using system properties.
Determining the authentication method for the Web Client
The authentication method for the Web Client is determined using the system property cmas-core-security, engineer.authentication.method.
Depending on the configured authentication method, you need to fill different fields on the Users page:
- Database authentication: Fields Login and Password
- LDAP authentication: Field LDAP ID
- SSO authentication: Field Login
Determining the authentication method for CM/Track
The authentication method for CM/Track is determined using the system property cmas-core-security, contact.authentication.method.
Depending on the configured authentication method, you need to create fields for the credentials in the contact data on the Contact fields page:
- Database authentication: User name (field with the setting User name for CM/Track) and password (field with the setting Password for CM/Track).
- LDAP authentication: LDAP ID (field with the setting User name for CM/Track and LDAP ID for CM/Track).
- SSO authentication: User name (field with the setting User name for CM/Track).
If database authentication is used, you need to define whether CM/Track user names should be case-sensitive in the system property cmas-core-security, policy.track.username.case.sensitive. Only set it to true if the database collation supports case-sensitive strings.
After creating the fields, they need to be filled out for each contact on the contact page of the Web Client.
Mixed authentication method
A mixed authentication method with both LDAP and database authentication is available for both the Web Client and CM/Track. This mode is configured by setting the engineer.authentication.method or contact.authentication.method property to one of the following values:
- LDAP,DATABASE: If an LDAP ID is saved in the user / contact data, the first login attempt is made using the available LDAP servers. If the login fails, an attempt to log in using the database is made, provided that a user name and password are saved in the user / contact data.
- DATABASE,LDAP: If a user name and a password are saved in the user / contact data, the first login attempt is made using the database. If the login fails, an attempt to log in using the available LDAP servers is made, provided that an LDAP ID is saved in the user / contact data.
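The fallback order described above, and the case-sensitivity setting for user names, as an added example written for this page (it is not ConSol CM code). The LDAP server and the CM database are replaced by constructed in-memory dictionaries, the password hashing is a stand-in, and a backend is skipped, rather than failed, when the record lacks the credentials that backend needs:

```python
"""Added example, not ConSol CM code: how the mixed authentication order
(LDAP,DATABASE or DATABASE,LDAP) behaves for different user records.

Assumptions: the LDAP server and the CM database are constructed in-memory
dictionaries, PBKDF2 stands in for the product's own password storage, and a
backend is skipped when the record lacks the credentials it needs."""
import hashlib
import hmac
import os

# Constructed stand-in for an LDAP server: LDAP ID -> password it would accept.
LDAP_DIRECTORY = {"uid=alice,ou=users,dc=example,dc=com": "ldap-secret"}


def _hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in for however the product stores database passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_record(login=None, password=None, ldap_id=None):
    """Build a user/contact record with optional Login/Password/LDAP ID fields."""
    record = {"login": login, "ldap_id": ldap_id, "salt": None, "hash": None}
    if login and password:
        record["salt"] = os.urandom(16)
        record["hash"] = _hash_password(password, record["salt"])
    return record


def ldap_login(record, password):
    """'skipped' if the record has no LDAP ID, otherwise 'ok' or 'failed'."""
    ldap_id = record.get("ldap_id")
    if not ldap_id:
        return "skipped"
    expected = LDAP_DIRECTORY.get(ldap_id)
    if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
        return "ok"
    return "failed"


def database_login(record, password):
    """'skipped' if the record has no user name/password, otherwise 'ok' or 'failed'."""
    if not record.get("login") or record.get("hash") is None:
        return "skipped"
    candidate = _hash_password(password, record["salt"])
    return "ok" if hmac.compare_digest(candidate, record["hash"]) else "failed"


BACKENDS = {"LDAP": ldap_login, "DATABASE": database_login}


def authenticate(record, password, method="LDAP,DATABASE"):
    """Try the backends in the order given by the *.authentication.method value.

    Returns (backend_that_accepted_or_None, [(backend, outcome), ...]) so the
    caller can log which backends were skipped, failed or succeeded."""
    attempts = []
    for name in (n.strip() for n in method.split(",")):
        outcome = BACKENDS[name](record, password)
        attempts.append((name, outcome))
        if outcome == "ok":
            return name, attempts
    return None, attempts


def find_user(users, login, case_sensitive=False):
    """Look up a record by login, honouring policy.track.username.case.sensitive.

    In case-insensitive mode an ambiguous match (two stored logins differing
    only in case) returns None rather than guessing."""
    if case_sensitive:
        return users.get(login)
    matches = [r for stored, r in users.items() if stored.lower() == login.lower()]
    return matches[0] if len(matches) == 1 else None


# Constructed sample records: alice has both credential sets, bob only
# database credentials, carol only an LDAP ID (unknown to the directory).
USERS = {
    "alice": make_record("alice", "db-secret", "uid=alice,ou=users,dc=example,dc=com"),
    "bob": make_record("bob", "bob-secret"),
    "carol": make_record(ldap_id="uid=carol,ou=users,dc=example,dc=com"),
}

if __name__ == "__main__":
    for login, pw, method in [("alice", "ldap-secret", "LDAP,DATABASE"),
                              ("alice", "db-secret", "LDAP,DATABASE"),
                              ("bob", "bob-secret", "LDAP,DATABASE"),
                              ("carol", "wrong", "DATABASE,LDAP")]:
        print(login, method, authenticate(USERS[login], pw, method))
```

Logging the full attempt list is the useful part for operations: a record whose LDAP attempt is "failed" while the database attempt is "ok" indicates a stale or wrong LDAP ID rather than a bad password.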
Advanced tasks
Advanced tasks only exist for database authentication. If LDAP or SSO authentication is used, the advanced settings need to be configured in LDAP or the SSO technology.
Setting a password policy
Setting a password policy is optional. A password policy can only be configured if database authentication is used.
The following settings can be used for the password policy:
- cmas-core-security, policy.password.pattern (String): RegEx pattern for the password, default value: ^(?=.*[0-9])(?=.*[A-Z])(?=.*[a-z]).{7,}$ (at least 7 characters, at least one upper case letter, one lower case letter and one number)
- cmas-core-security, policy.password.age (Integer): Maximum validity period, in number of days, example 183 (6 months), default value: 5500 (= 15 years, i.e., no password change enforced).
- cmas-core-security, policy.rotation.ratio (Integer): Number of previous passwords which the new password may not be identical to, example and default value: 5.
- cmas-core-security, policy.username.case.sensitive (Boolean): Defines whether the password is case-sensitive. Example and default value: true. Note that this setting is affected by the MySQL collation setting and needs the correct collation to work properly with MySQL.
For LDAP and SSO, the password policy needs to be configured in LDAP or the SSO technology.
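The three policy settings as a checker, added here as an example and not ConSol CM's own code. The default pattern, age and rotation values are the documented ones; how the product stores its password history is not described on this page, so a salted SHA-256 history is an assumption used as a stand-in:

```python
"""Added example, not ConSol CM code: applying policy.password.pattern,
policy.password.age and policy.rotation.ratio to a password change.

Assumption: the password history is kept as salted SHA-256 digests; the
product's own storage format is not documented here."""
import hashlib
import os
import re
from datetime import date, timedelta

# Defaults as documented for cmas-core-security, policy.*
DEFAULT_PATTERN = r"^(?=.*[0-9])(?=.*[A-Z])(?=.*[a-z]).{7,}$"
DEFAULT_MAX_AGE_DAYS = 5500
DEFAULT_ROTATION_RATIO = 5


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


def remember(history, password):
    """Append the password to the history as (salt, digest), newest last."""
    salt = os.urandom(16)
    history.append((salt, _digest(password, salt)))


class PasswordPolicy:
    def __init__(self, pattern=DEFAULT_PATTERN, max_age_days=DEFAULT_MAX_AGE_DAYS,
                 rotation_ratio=DEFAULT_ROTATION_RATIO):
        self.pattern = re.compile(pattern)
        self.max_age = timedelta(days=max_age_days)
        self.rotation_ratio = rotation_ratio

    def matches_pattern(self, password: str) -> bool:
        """policy.password.pattern: the whole password must match the RegEx."""
        return self.pattern.fullmatch(password) is not None

    def is_expired(self, last_change: date, today: date) -> bool:
        """policy.password.age: a current password older than max_age days
        must be changed (with the 5500-day default this never triggers)."""
        return today - last_change > self.max_age

    def reuses_recent(self, password: str, history) -> bool:
        """policy.rotation.ratio: the new password may not equal any of the
        last N passwords; anything older than that is allowed again."""
        recent = history[-self.rotation_ratio:] if self.rotation_ratio > 0 else []
        return any(_digest(password, salt) == digest for salt, digest in recent)

    def violations(self, password: str, history) -> list:
        """Every rule the proposed new password breaks; [] means accepted."""
        problems = []
        if not self.matches_pattern(password):
            problems.append("pattern")
        if self.reuses_recent(password, history):
            problems.append("rotation")
        return problems


if __name__ == "__main__":
    policy = PasswordPolicy(max_age_days=183)   # the documented 6-month example
    history = []
    for old in ["Old1pass", "Old2pass", "Old3pass", "Old4pass", "Old5pass", "Old6pass"]:
        remember(history, old)
    print(policy.violations("password", history))   # ['pattern']
    print(policy.violations("Old6pass", history))   # ['rotation']
    print(policy.violations("Old1pass", history))   # [] (older than the last 5)
    print(policy.is_expired(date(2024, 1, 1), date(2024, 8, 1)))  # True
```

The rotation check deliberately compares against only the last rotation_ratio entries, which is what "previous passwords which may not be identical" amounts to: with the default of 5, the sixth-most-recent password becomes usable again.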
Configuring templates for resetting the password
If database authentication is used, the users can reset the passwords by themselves, provided that they have a valid email address. The password reset functionality is available for both users in the Web Client and contacts in CM/Track.
The From address of the email which is sent to the user is defined in the system property cmas-core-security, password.reset.mail.from.
Resetting the password in the Web Client
The users’ email addresses must be provided in the user data (see Fields) for the users to be able to reset their passwords in the Web Client.
If a user has forgotten his password, he can request a new password using the Forgot your password? link on the login page of the Web Client. The user receives an email with a link to a URL where he can set a new password.
The email which is sent to the user is based on the password-reset-template template, which is saved on the Templates page of the Web Admin Suite, see Password reset.
Subject: Password reset procedure
From: no-reply@consol.de
Dear ${engineer.firstname} ${engineer.lastname},
Please click the following link to reset your password:
${urlWebclient}/passwordChange?resetCode=${resetCode}
This link expires at ${expirationDate?string("yyyy.MM.dd HH:mm:ss")}.
Code example 1: Template to reset the password for the Web Client
The following variable is configured using system properties:
- urlWebclient: Value of the system property cmas-core-server, url.webclient.
Resetting the password in CM/Track
The contacts’ email addresses must be provided in the contact data (see Contact models) for the contacts to be able to reset their passwords in the Web Client. In addition, they need write permissions to their own customer group.
If a contact has forgotten his password, he can request a new password using the Forgot your password? link on the login page of CM/Track. The contact receives an email with a link to a URL where he can set a new password.
The email which is sent to the contact is based on the track-password-reset-template template, which needs to be created on the Templates page of the Web Admin Suite, see Password reset.
Subject: Your Password Reset Link
From: no-reply@consol.de
Dear ${unit.firstname} ${unit.lastname},
Please click the following link to reset your password:
${urlTrack}/#/password-reset/resetCode-${resetCode}
This link expires at ${expirationDate?string("yyyy.MM.dd HH:mm:ss")}.
Figure 3: Template to reset the password for CM/Track
The following variables are configured using system properties:
- expirationDate: By default, the link expires 24 after the password reset request was made. To change this value, create the system property cmas-core-security, resetCode.expirationPeriod with the desired expiration date.
- urlTrack: Value of the system property cmas-core-server, url.track.
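The reset flow behind both templates (Web Client and CM/Track), as an added example that is not ConSol CM code: a reset code is issued with an expiration time, sent in an email rendered from the template text shown above, and accepted once at most. Assumptions: the default expiration period is taken to be 24 hours (the page gives the number 24 without a unit); FreeMarker is replaced by Python's string.Template, so the ${expirationDate?string(...)} expression is pre-formatted into a plain ${expirationDate} placeholder; and codes are stored as SHA-256 digests so that a read of the store does not yield usable codes.

```python
"""Added example, not ConSol CM code: issuing and redeeming a time-limited,
single-use password reset code and rendering the reset email.

Assumptions: 24 is read as hours for resetCode.expirationPeriod; FreeMarker
is replaced by string.Template with the date pre-formatted; codes are stored
hashed. The template texts follow the documented examples above."""
import hashlib
import secrets
from datetime import datetime, timedelta
from string import Template

DEFAULT_EXPIRATION_HOURS = 24   # assumed unit for the documented default of 24

# Documented templates with ${expirationDate?string(...)} reduced to ${expirationDate}.
WEBCLIENT_TEMPLATE = Template(
    "Subject: Password reset procedure\n"
    "From: ${mail_from}\n"
    "Dear ${firstname} ${lastname},\n"
    "Please click the following link to reset your password:\n"
    "${baseUrl}/passwordChange?resetCode=${resetCode}\n"
    "This link expires at ${expirationDate}.\n"
)
TRACK_TEMPLATE = Template(
    "Subject: Your Password Reset Link\n"
    "From: ${mail_from}\n"
    "Dear ${firstname} ${lastname},\n"
    "Please click the following link to reset your password:\n"
    "${baseUrl}/#/password-reset/resetCode-${resetCode}\n"
    "This link expires at ${expirationDate}.\n"
)


class ResetCodeStore:
    """Keeps issued codes hashed, with owner and expiry; codes are single-use."""

    def __init__(self, expiration_hours=DEFAULT_EXPIRATION_HOURS):
        self.expiration = timedelta(hours=expiration_hours)
        self._codes = {}   # sha256(code) -> (login, expires_at)

    @staticmethod
    def _key(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, login: str, now: datetime):
        code = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        expires_at = now + self.expiration
        self._codes[self._key(code)] = (login, expires_at)
        return code, expires_at

    def redeem(self, code: str, now: datetime):
        """Return the owning login, or None if the code is unknown, already
        used, or past its expiration time. pop() makes it single-use."""
        entry = self._codes.pop(self._key(code), None)
        if entry is None:
            return None
        login, expires_at = entry
        if now > expires_at:
            return None
        return login


def render_reset_mail(template, mail_from, firstname, lastname, base_url, code, expires_at):
    """mail_from corresponds to password.reset.mail.from, base_url to
    url.webclient or url.track; the date uses the yyyy.MM.dd HH:mm:ss layout."""
    return template.substitute(
        mail_from=mail_from, firstname=firstname, lastname=lastname,
        baseUrl=base_url, resetCode=code,
        expirationDate=expires_at.strftime("%Y.%m.%d %H:%M:%S"),
    )


if __name__ == "__main__":
    store = ResetCodeStore()
    now = datetime(2024, 5, 1, 12, 0, 0)          # constructed clock value
    code, expires_at = store.issue("alice", now)
    print(render_reset_mail(WEBCLIENT_TEMPLATE, "no-reply@consol.de", "Ada",
                            "Lovelace", "https://cm.example.com/cm-client", code, expires_at))
    print(store.redeem(code, now + timedelta(hours=1)))    # alice
    print(store.redeem(code, now + timedelta(hours=1)))    # None: already used
```

Passing the clock in explicitly keeps the expiry logic testable; in production the caller supplies datetime.now(). Storing the digest rather than the code is a defensive choice for the stand-in store and is not a statement about how the product persists reset codes.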