Authentication
Authentication is the mechanism that governs how users access the application. The authentication engine in the application is driven by two key aspects: provider and method. The two settings are mostly independent of each other.
- Authentication Provider - is the data store or repository of user IDs and passwords that is used to check the credentials of users logging in.
- Authentication Method - is the technique by which credentials are captured from the user during the log-in process.
- Click here for more details on configuring the authentication method.
Authentication Provider
There are several providers operational in the product: the internal database, Active Directory (and Azure Active Directory), Open LDAP, SAML and OpenID.
Use the drop-down to change to an external authentication provider.
Open LDAP and Azure AD authentication are not available in the Community Edition.
Changing Master Users
On changing the provider, you must provide the settings that will be used by the authentication engine, together with an initial master user account from that provider; that account becomes the first enterprise user in the new setup. If you elect to change back to the internal database as the provider, you will also need to recreate the initial master user account.
When a new master account is created, the old account is disabled or deleted. It is therefore good practice to switch to the correct authentication provider immediately after system setup.
Internal "Database"
Pyramid comes with its own internal authentication mechanism out-of-the-box. It stores user credentials in the internal database repository. All details are stored appropriately and encrypted in the database. However, securing the database itself and managing access to these tables remains each customer's responsibility. If a more robust security infrastructure is needed, Pyramid recommends using specialized authentication providers like Active Directory, SAML or OpenID.
Settings
The internal authentication provider has few settings; admins can, however, set:
- Automated Password Resets: elect how often users will be forced to change their passwords (every 1 to 12 months)
- Password Strength: elect the password strength tests to be used.
  - None - no requirements.
  - Medium - 6 character minimum. At least 1 alphabetic character and 1 numeric character. Cannot reuse the last 3 passwords.
  - High - 8 character minimum. At least 1 upper-case, 1 lower-case, 1 numeric and 1 unusual character. Cannot reuse the last 12 passwords.
Note: automated password reset and password strength options are not available in the Community Edition.
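As an added illustration of the Medium and High strength tiers above (example code written for this page, not Pyramid's own implementation), the validator below applies the length, character-class and reuse rules. The policy table, the reading of "unusual" as non-alphanumeric, and the salted PBKDF2 history format are assumptions.

```python
import hashlib
import os

# Constructed policy table mirroring the page's tiers:
# (minimum length, required character classes, number of previous passwords that may not be reused)
POLICIES = {
    "none":   (0, (), 0),
    "medium": (6, ("alpha", "digit"), 3),
    "high":   (8, ("upper", "lower", "digit", "unusual"), 12),
}

# Per-character tests for each class; "unusual" is assumed to mean non-alphanumeric.
CLASSES = {
    "alpha": str.isalpha,
    "upper": str.isupper,
    "lower": str.islower,
    "digit": str.isdigit,
    "unusual": lambda c: not c.isalnum(),
}


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 digest, so the history never holds plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def check_password(password: str, level: str, history: list) -> list:
    """Return the list of policy violations; an empty list means the password is accepted.

    `history` is a list of (salt, digest) tuples, oldest first; only the most recent
    entries covered by the tier's reuse window are compared.
    """
    min_len, required, no_reuse = POLICIES[level]
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    for name in required:
        if not any(CLASSES[name](c) for c in password):
            problems.append(f"missing a(n) {name} character")
    # Re-hash the candidate with each stored salt and compare digests.
    for salt, digest in (history[-no_reuse:] if no_reuse else []):
        if hash_password(password, salt)[1] == digest:
            problems.append(f"reuses one of the last {no_reuse} passwords")
            break
    return problems
```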
Active Directory
To set up an Active Directory provider, details for the directory are required, as well as the credentials for a domain user that will be used to traverse the directory database. Adding multiple domains is also possible.
- Click here for details on using and deploying Active Directory
Azure Active Directory with LDAPS
The process for using Azure AD is identical to that of a normal Active Directory, as explained above. However, there are more steps needed for setting up LDAPS on Azure. These are explained here.
Open LDAP
To set up a generic LDAP provider, details for the directory are required, as well as the credentials for a user that will be used to traverse the directory database.
- Click here for details on using and deploying LDAP
SAML
SAML provides a federated solution for authentication and will work with all standard SAML providers.
- For guidance on connecting to standard / generic SAML, click here.
- For guidance on connecting to Azure SAML, click here.
- For guidance on connecting to Active Directory Federated Services (AD SAML), click here.
OpenID
To set up an OpenID provider, details for the provider are required, as well as the principal name for the first user (enterprise admin).
- Click here for details on using and deploying OpenID
Multi-Factor Authentication
Multi-Factor Authentication (MFA) is one of the ways to greatly improve security on any application. Pyramid offers MFA as an out-of-the-box feature where relevant and appropriate. Its applicability is influenced by both the chosen authentication provider and method.
- Click here for more details on MFA in Pyramid.
- MFA needs to be enabled as part of the authentication method. Click here for more.