Authentication
Introduction to authentication in ConSol CM
ConSol CM provides three authentication methods to confirm the identity of its users. You can use the ConSol CM database, an LDAP server or a SSO service for authentication. Authorization is done via roles.
Concepts, terms and definitions
|
Concept |
Other terms |
Definition |
|---|---|---|
|
authentication |
|
Process to confirm the identity of the users |
|
authorization |
|
Process to determine the access permissions of the authenticated users, is done via |
|
database authentication |
|
Authentication using the ConSol CM database |
|
LDAP authentication |
|
Authentication using an LDAP server |
|
SSO authentication |
|
Authentication using a single sign-on technology, e.g. Microsoft Active Directory Federation Services or Azure AD |
Available authentication methods
Database authentication
Availability:
- Web Client
- CM/Track
The user name and password are saved in the ConSol CM database.
If database authentication is used, you can set a password policy and configure the password reset functionality.
LDAP authentication
Availability:
- Web Client
- CM/Track
The user name is saved in the ConSol CM database. The password is saved on the LDAP server. Thus, the users or contacts cannot change it in ConSol CM.
See Configuring LDAP authentication.
SSO authentication
Availability:
- Web Client
- CM/Track
The user name is saved in the ConSol CM database. The password is saved in the active directory. Thus, the users cannot change it in ConSol CM. The credentials are retrieved from a valid Windows session.
See Configuring SSO authentication.
Basic tasks
Determining the authentication method
The authentication method is determined using system properties.
Determining the authentication method for the Web Client
The authentication method for the Web Client is determined using the system property cmas-core-security, engineer.authentication.method
Depending on the configured authentication method, you need to fill different fields on the Users page:
- Database authentication: Fields Login and Password
- LDAP authentication: Field LDAP ID
- SSO authentication: Field Login
Determining the authentication method for CM/Track
The authentication method for CM/Track is determined using the system property cmas-core-security, contact.authentication.method.
Depending on the configured authentication method, you need to create fields for the credentials in the contact data on the Contact fields page:
- Database authentication: User name (field with the setting User name for CM/Track) and password (field with the setting Password for CM/Track).
- LDAP authentication: LDAP ID (field with the setting User name for CM/Track and LDAP ID for CM/Track).
- SSO authentication: User name (field with the setting User name for CM/Track).
If database authentication is used, you need define whether CM/Track user names should be case-sensitive in the system property cmas-core-security, policy.track.username.case.sensitive. Only set it to true if the database collation supports case-sensitive strings.
After creating the fields, they need to be filled out for each contact on the contact page of the Web Client.
Mixed authentication method
A mixed authentication method with both LDAP and database authentication is available for both the Web Client and CM/Track. This mode is configured by setting the engineer.authentication.method or contact.authentication.method properties to one of the following values:
-
LDAP,DATABASE
If an LDAP ID is saved in the user / contact data, the first login attempt is made using the available LDAP servers. If the login fails, an attempt to log in using the database is made, provided that a user name and password are saved in the user / contact data. -
DATABASE,LDAP
If a user name and a password are saved in the user / contact data, the first login attempt is made using the database. If the login fails, an attempt to log in using the available LDAP servers is made, provided that an LDAP ID is saved in the user/ contact data.
Advanced tasks
Advanced task only exist for database authentication. If LDAP or SSO authentication is used, the advanced settings need to be configured in LDAP or the SSO technology.
Setting a password policy
Setting a password policy is optional. A password policy can only be configured if database authentication is used.
The following settings can be used for the password policy:
- cmas-core-security, policy.password.pattern (String)
RegEx pattern for the password, default value: ^(?=.*[0-9])(?=.*[A-Z])(?=.*[a-z]).{7,}$ (at least 7 characters, at least one upper case letter, one lower case letter and one number) - cmas-core-security, policy.password.age (Integer)
Maximum validity period, in number of days, example 183 (6 months), default value: 5500 (= 15 years, i.e., no password change enforced). - cmas-core-security, policy.rotation.ratio (Integer)
Number which defines the number of previous passwords which may not be identical, example and default value: 5. - cmas-core-security, policy.username.case.sensitive (Boolean)
Defines whether the password is case-sensitive. Example and default value: true.
Note that this setting is affected by the MySQL collation setting and needs the correct collation to work properly with MySQL.
For LDAP and SSO, the password policy needs to be configured in LDAP or the SSO technology.