Web Services

This page manages the various web servers in the cluster, allowing admins to determine the user authentication method that will be presented to users when they log in to the system on each web server.

Mixed Authentication

In a multi web server deployment, it is possible to specify a different authentication method for each web server. In this scenario, each web server will be an entry point.

If you want to apply the same authentication method to each web server, select 'Apply to all.' This can be helpful when using different entry points into the system from different networks and URLs.

Authentication Methods

The following 4 methods are available for users to manually log into the application. There are additional techniques for programmatic login via the security REST API framework.

  • Forms Authentication - the user is prompted for user name and password through an HTML form in the application.
  • Basic Authentication - the user is prompted for user name and password through a browser driven pop-up window.
  • Windows Authentication - the user is logged into the application automatically ('single sign-on' SSO) using the user's Windows account and credentials.
  • SAML / OpenID Authentication - the user is logged into the application automatically by logging into the SAML / OpenID authentication site; that account is then used to authenticate them into Pyramid. If the user is already logged into the SAML / OpenID provider, they will be directly logged into Pyramid (SSO).

The authentication methods available will adjust in tandem with the Authentication provider, since not all methods are compatible with all types. The following table summarizes these options.

 

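| Authentication provider | Forms | Basic | Windows Auth SSO | SAML / OpenID SSO |
|---|---|---|---|---|
| Database | | | | |
| Active Directory | | | | |
| General LDAP | | | | |
| SAML / OpenID | | | | |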

Notes:

  • Windows Auth is only available if the AD provider is used and the user is coming from a Windows enabled device (typically a desktop)
  • When using LDAP authentication with multiple domains, the domain should be included with the user's name: domain\user for both forms and basic authentication

Other Authentication Considerations

Windows Authentication and Browser Settings

Windows Authentication often requires other settings to be made in the browser to facilitate authentication. Admins should check each preferred browser to determine how best to enable Windows Authentication.

Windows Authentication also requires special firewall ports to be opened. This often makes Windows Auth inconvenient as a solution outside of the LAN or over connections that cannot be made with a VPN.

Security Considerations

SSL Certificates

Both Forms and Basic authentication use clear text credentials. As such, an SSL certificate and the HTTPS protocol are STRONGLY recommended for all websites hosting the application.

To deploy SSL certificates and HTTPS, other HTTP server technologies need to be deployed with the stack. This includes Microsoft IIS for Windows or NGINX (or any other reverse proxy technology).
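The following added example (not part of the original page, and not Pyramid's own code) illustrates the clear-text point above: it audits constructed request captures and reports which ones would expose Forms or Basic credentials because they travelled over plain HTTP. The host name, paths and form field names are assumptions made for the sample data.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample captures: (scheme, raw HTTP request). Host, paths and
# form field names are assumptions, not the application's real endpoints.
_BASIC = base64.b64encode(b"CORP\\alice:Winter2024!").decode()
_FORM = ("POST /login HTTP/1.1\r\nHost: bi.example.test\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         "username=CORP%5Cbob&password=hunter2")
SAMPLE_REQUESTS = [
    ("http", f"GET /reports HTTP/1.1\r\nHost: bi.example.test\r\nAuthorization: Basic {_BASIC}\r\n\r\n"),
    ("http", _FORM),
    ("https", _FORM),  # same login, but protected by TLS in transit
    ("http", "GET /health HTTP/1.1\r\nHost: bi.example.test\r\n\r\n"),
]

def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 2)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, body

def exposed_credentials(scheme, raw):
    """Return (auth_method, username) if credentials are readable on the wire, else None."""
    if scheme == "https":
        return None
    method, headers, body = parse_request(raw)
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:  # Basic auth is only base64-encoded, not encrypted
            decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, _ = decoded.partition(":")
        return ("basic", user) if sep else None
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body)
        if "password" in fields:  # report the account only, never the secret
            return ("forms", fields.get("username", ["?"])[0])
    return None

def audit(requests):
    """List every exposed login found in the given captures."""
    return [hit for scheme, raw in requests if (hit := exposed_credentials(scheme, raw))]
```

Running `audit(SAMPLE_REQUESTS)` flags the two plain-HTTP logins and leaves the HTTPS login and the unauthenticated request alone.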

Multi-Factor Authentication

If using certain authentication providers and forms-based access as the method, the built-in multi-factor authentication (MFA) capability is recommended to secure user access to the platform.

To enable MFA, check the box for all web servers in the cluster or for specific servers (if implementing it separately).

Programmatic Access

Programmatic authentication is possible using the in-built security APIs. This technique allows developers to grant access to Pyramid without user intervention - providing an extensible, single sign-on technique for users to log into the platform.