Authentication and Authorization
When a user tries to log in, the Solution Manager does two things:
Authenticates the user. That is, it validates the credentials provided by the user. This can be a login and a password; if Kerberos authentication is enabled, a Kerberos ticket provided by the browser of the user; or a credential provided by the identity provider of your organization.
Authorizes the user. That is, it determines the tasks this user is allowed to do. To achieve this, the Solution Manager has a set of privileges that the administrators can grant to users.
To authenticate users, the Solution Manager provides several options:
Local authentication. The user accounts are managed by the Solution Manager. You create each user account manually.
With this authentication method, the users log in with user and password, and the Solution Manager validates that the user account and password are correct.
LDAP authentication. The user accounts are managed by the Active Directory of your organization (or another LDAP server); you do not have to create them in the Solution Manager.
With this authentication method, the users also log in with user and password, but the Solution Manager does not store the user accounts. Instead, it validates with Active Directory (or the LDAP server) that the user account and password are correct.
Single sign-on with an Identity Provider (IdP). The Solution Manager delegates the authentication to an external identity provider. The authentication protocols supported are:
SAML
OAuth
OpenID Connect
Single sign-on with Kerberos.
Note
You can log in selecting the authentication mode at https://solution-manager.acme.com:19443/solution-manager-web-tool/Login.
Note
Single sign-on is configured automatically when Solution Manager is accessed from Agora. As a result, the authentication configuration is disabled, and so is local authentication.
Consider the following:
You cannot enable single sign-on with an Identity Provider and single sign-on with Kerberos at the same time.
When single sign-on is enabled, users can still log in with local or LDAP authentication: in the login screen, they just enter their user and password. To use single sign-on instead, they click Single Sign on.
With LDAP authentication and with either single sign-on option, you do not manage the user accounts in the Solution Manager. However, you still have to register in the Solution Manager the roles that it may receive from Active Directory or the Identity Provider, because privileges are granted through those roles.
Only global administrators can manage the authentication settings.
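The following is an added illustration of the role model just described, not Solution Manager code: a user's privileges are derived only from roles an administrator has registered, whether the role names arrive from a local assignment, LDAP group membership, a SAML attribute or an OIDC claim. The role names, privilege names, the "roles" claim name and the rule that an unregistered role grants nothing are assumptions made for this example.

```python
# Added example: mapping roles asserted for a user to effective privileges.
# Role names, privilege names and the "roles" claim layout are assumptions for
# this illustration; none of this is Solution Manager code.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    name: str
    privileges: frozenset[str]


@dataclass
class RoleRegistry:
    """Roles registered in the manager by a global administrator."""
    roles: dict[str, Role] = field(default_factory=dict)

    def register(self, name: str, *privileges: str) -> None:
        self.roles[name] = Role(name, frozenset(privileges))

    def authorize(self, asserted_roles: list[str]) -> tuple[frozenset[str], list[str]]:
        """Map roles asserted for a user (LDAP groups, a SAML attribute or an
        OIDC claim) to effective privileges.

        Returns (effective privileges, asserted roles that are not registered).
        An unregistered role contributes nothing, so a user whose only roles are
        unknown ends up with an empty privilege set: the decision fails closed.
        """
        effective: set[str] = set()
        unknown: list[str] = []
        for name in asserted_roles:
            role = self.roles.get(name)
            if role is None:
                unknown.append(name)
                continue
            effective |= role.privileges
        return frozenset(effective), unknown


def privileges_from_oidc_claims(registry: RoleRegistry, claims: dict) -> tuple[frozenset[str], list[str]]:
    """Authorize from the claims of an ID token that has already been verified.

    Signature, issuer and audience checks are assumed to have happened earlier
    in the login flow; this function performs only the role-mapping step. The
    claim may be a single string or a list, so both shapes are normalized.
    """
    asserted = claims.get("roles", [])
    if not isinstance(asserted, list):
        asserted = [asserted]
    return registry.authorize([str(r) for r in asserted])


def build_example_registry() -> RoleRegistry:
    """Registry with two assumed roles, standing in for what an administrator registers."""
    registry = RoleRegistry()
    registry.register("global_admin", "manage_auth_settings", "manage_users", "manage_roles", "deploy")
    registry.register("deployer", "deploy")
    return registry


if __name__ == "__main__":
    reg = build_example_registry()
    # Constructed sample claims, as they might arrive from an IdP after token verification.
    claims = {"sub": "alice", "roles": ["deployer", "finance_app_users"]}
    privs, unknown = privileges_from_oidc_claims(reg, claims)
    print(sorted(privs))   # ['deploy']
    print(unknown)         # ['finance_app_users'], asserted by the IdP but never registered
```

Reporting the unknown roles separately is the practical point: when users lose access after a group rename on the directory or IdP side, the list tells the administrator which role still needs to be registered, while the authorization decision itself stays fail-closed.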
The following sections explain how to
Create users managed by the Solution Manager.
Enable LDAP authentication.
Enable single sign-on authentication with an Identity Provider or with Kerberos.
Grant privileges to the users using roles.
Create roles.
Note
User management and role management configuration are disabled when accessing Solution Manager from Agora. User and role management is done through Agora.