Authentication and Authorization

When a user tries to log in, the Solution Manager does two things:

  1. Authenticates the user. That is, it validates the credentials the user presents: a login and password; a Kerberos ticket supplied by the user's browser, if Kerberos authentication is enabled; or a credential issued by the identity provider of your organization.

  2. Authorizes the user. That is, it determines which tasks this user is allowed to perform. For this, the Solution Manager has a set of privileges that administrators grant to users.

To authenticate users, the Solution Manager provides several options:

  1. Local authentication. With this method, you create each user account manually in the Solution Manager and grant roles to the users. A role is a set of privileges; the subsection Role Management of the section Authorization explains roles in detail.

    With this authentication method, the users log in with a user name and password.

    To manage local users, click the menu Configuration > User management. In this tab, you can create, modify and delete users and grant them roles.

  2. LDAP authentication. The user accounts are managed by the Active Directory of your organization (or another LDAP server); you do not create them in the Solution Manager.

    With this authentication method, the users also log in with a user name and password, but the Solution Manager does not store the user accounts. Instead, it checks with Active Directory (or the LDAP server) that the account exists and the password is correct.

  3. Single sign-on with an Identity Provider (IdP). The Solution Manager delegates authentication to an external identity provider. The supported authentication protocols are:

    • SAML

    • OAuth

    • OpenID Connect

  4. Single sign-on with Kerberos.

Consider the following:

  • You cannot enable #3 and #4 at the same time.

  • When single sign-on is enabled, users can still log in with options #1 or #2: in the login screen, they enter their user name and password. To use single sign-on instead, they click Single Sign on.

  • For #2, #3 and #4, you do not manage the user accounts in the Solution Manager. However, you still have to register in the Solution Manager the roles that are retrieved from Active Directory or the Identity Provider, so that they can be matched to privileges.

  • Only global administrators can manage the authentication settings.
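The following is an illustrative model, added to this page, of the two-step login described above and of the rule that externally sourced roles must still be registered locally. It is not the Solution Manager's code: the class and function names, the PBKDF2 password storage for local accounts, and the shape of the "assertion" returned by an LDAP bind, SAML/OIDC login or Kerberos ticket are all assumptions made for the example. Authentication produces a principal with asserted role names; authorization resolves those names against the role registry, and a name that was never registered grants nothing, whichever authentication option produced it.

```python
"""Illustrative authenticate-then-authorize model (example code for this
page, not the Solution Manager's implementation; all names are assumed)."""

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

# A role is a named set of privileges. Only roles registered here can ever
# grant anything, whether the user is local or comes from AD / an IdP.
ROLE_REGISTRY: Dict[str, FrozenSet[str]] = {}


def register_role(name: str, privileges: Set[str]) -> None:
    """Register a role (administrator action: 'Role Management')."""
    ROLE_REGISTRY[name] = frozenset(privileges)


@dataclass
class Principal:
    """Result of a successful authentication: who logged in, which role
    names were asserted for them, and by which option (1-4)."""
    username: str
    asserted_roles: List[str]
    source: str  # "local", "ldap", "sso" or "kerberos"


# --- Option 1: local accounts stored by the Solution Manager -------------

@dataclass
class LocalUser:
    username: str
    salt: bytes
    pw_hash: bytes
    roles: List[str] = field(default_factory=list)


LOCAL_USERS: Dict[str, LocalUser] = {}


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is an assumption for the example; the page does
    # not say how the product stores local passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_local_user(username: str, password: str, roles: List[str]) -> None:
    salt = os.urandom(16)
    LOCAL_USERS[username] = LocalUser(username, salt, _derive(password, salt), roles)


def authenticate_local(username: str, password: str) -> Optional[Principal]:
    user = LOCAL_USERS.get(username)
    if user is None:
        _derive(password, b"\x00" * 16)  # keep timing similar for unknown users
        return None
    if not hmac.compare_digest(_derive(password, user.salt), user.pw_hash):
        return None
    return Principal(username, list(user.roles), "local")


# --- Options 2-4: accounts managed outside the Solution Manager ---------

def authenticate_external(assertion: dict, source: str) -> Optional[Principal]:
    """Stand-in for the outcome of an LDAP bind, a SAML/OIDC assertion or a
    Kerberos ticket. The credential itself is checked by the external
    system; this only models what comes back: a verified user name and the
    group / role names the directory or IdP asserts for it."""
    if not assertion.get("verified"):
        return None
    return Principal(assertion["username"], list(assertion.get("groups", [])), source)


# --- Authorization, shared by every authentication option ----------------

def effective_privileges(principal: Principal) -> FrozenSet[str]:
    """Resolve asserted role names against the registry. Names that were
    never registered contribute nothing, which is why roles coming from
    Active Directory or the IdP still have to be registered locally."""
    privs: Set[str] = set()
    for role in principal.asserted_roles:
        privs |= ROLE_REGISTRY.get(role, frozenset())
    return frozenset(privs)


def is_authorized(principal: Principal, privilege: str) -> bool:
    return privilege in effective_privileges(principal)


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    register_role("operator", {"view_dashboards", "ack_alerts"})
    create_local_user("alice", "correct horse", ["operator"])
    alice = authenticate_local("alice", "correct horse")
    print("alice local login:", alice is not None, sorted(effective_privileges(alice)))
    bob = authenticate_external(
        {"verified": True, "username": "bob", "groups": ["operator", "UnregisteredGroup"]}, "sso")
    print("bob sso login:", sorted(effective_privileges(bob)))  # UnregisteredGroup adds nothing
```

The point to take from the external path is that a successful login is not enough: a user whose only asserted groups are unknown to the registry authenticates fine and ends up with no privileges at all, which is the symptom you see when a directory group or IdP claim was never registered as a role.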

The following sections explain how to