Authentication Methods
Authentication is the mechanism that governs how users access Pyramid. The authentication engine in the application is driven by two key aspects: the provider and the method. The Authentication Method is the process used to verify the identity of a user, device, or system when they log in, while the Authentication Provider is the technology that houses user IDs and passwords. The two settings can be largely independent of each other.
Method Types
The following methods are available for users to manually log in to the application. There are additional techniques for programmatic login using the security REST API framework.
- Forms Authentication - The user is prompted for username and password through an HTML form in the application. This approach is generally not available for use with external SSO providers.
- Basic Authentication - The user is prompted for username and password through a browser driven pop-up window. This approach is generally not available for use with external SSO providers.
- Windows Authentication - The user is logged into the application automatically (Single sign-on, SSO) using the user's Windows account and credentials. This approach is usually only available with Active Directory as the provider.
- IDP pop-up Authentication - The user is logged into the application automatically by first logging into the external IDP authentication site, where the user supplies their credentials and possibly their multi-factor authentication key. They are then redirected to Pyramid with a token. If the user is already logged into the authentication provider, they may be directly logged into Pyramid (SSO).
The available authentication methods depend on the Authentication provider, since not all methods are compatible with all provider types. The following table summarizes these options:
| Provider | Forms | Basic | Windows | IDP Pop-up |
|---|---|---|---|---|
| Internal Database | ● | ● | | |
| Active Directory | ● | ● | ● | |
| General LDAP | ● | ● | | |
| SAML / OpenID | ◌ | | | ● |
Notes:
- Windows Authentication is usually only available where the Active Directory provider is in use and the user is coming from a Windows enabled device (typically a desktop).
- When using LDAP authentication with multiple domains, the domain should be included with the user's name: domain\user for both forms and basic authentication.
Setting Authentication Methods
The authentication method is set on the web services page in the admin console. It can be set for the entire instance or by web server in the event you want different experiences for different users.
Programmatic Access
Programmatic authentication is possible using the in-built security APIs. This technique allows developers to grant access to Pyramid without user intervention - providing an extensible, single sign-on technique for users to log into the platform.
Other Considerations
Windows Authentication and Browser Settings
Windows Authentication often requires additional settings in the browser to facilitate authentication. Admins should check the documentation of each preferred browser to determine how best to enable Windows Authentication.
Windows Authentication also requires special firewall ports to be opened. This often makes Windows Authentication inconvenient as a solution outside the LAN, or for connections that cannot be made over VPN.
Security Considerations
SSL Certificates
Both Forms and Basic authentication transmit credentials in clear text. As such, an SSL certificate and the HTTPS protocol are STRONGLY recommended for all websites hosting the application.
To deploy SSL certificates and HTTPS, other HTTP server technologies need to be deployed with the stack. This includes Microsoft IIS for Windows or NGINX (or any other reverse proxy technology).
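The following added example (not part of the Pyramid product or its documentation) illustrates why the HTTPS recommendation above matters for Basic authentication: the Authorization header carries the credentials as plain base64 (RFC 7617), which is an encoding and not encryption, so anyone who can observe an HTTP request recovers the password. The header value and the domain\user credentials in it are constructed sample data.

```python
import base64
import binascii
from typing import NamedTuple, Optional


class BasicCredentials(NamedTuple):
    domain: Optional[str]   # LDAP/AD domain from "domain\user", or None
    user: str
    password: str


def decode_basic_authorization(header_value: str) -> Optional[BasicCredentials]:
    """Decode an HTTP 'Authorization: Basic <token>' header value.

    Returns None when the header is not Basic auth or is malformed.
    No secret is needed to recover the credentials: the token is only
    base64 of "user:password", which is why Basic auth must only ever
    travel over HTTPS.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: user-id ":" password; the user-id itself may not contain ':'
    user_part, sep, password = raw.partition(":")
    if not sep:
        return None
    # Multi-domain LDAP logins are written as domain\user (see the Notes above)
    domain, backslash, user = user_part.rpartition("\\")
    if not backslash:
        domain, user = None, user_part
    return BasicCredentials(domain or None, user, password)


# Constructed sample header; the account and password are fictitious.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"corp\\jdoe:S3cret!").decode("ascii")

if __name__ == "__main__":
    # Shows the header value and the credentials it trivially reveals.
    print(SAMPLE_HEADER)
    print(decode_basic_authorization(SAMPLE_HEADER))
```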
Multi-Factor Authentication
If using certain authentication providers and forms-based access as the method, the built-in multi-factor authentication (MFA) capability is recommended to secure user access to the platform. MFA is normally available when using external IDP solutions.
To enable the built-in MFA (if relevant), check the box for all web servers in the cluster or for specific servers (if implementing it separately) in the web services admin page.
- For more information, see Multi-Factor Authentication.