Authentication

Authentication is the mechanism that governs how users access the application. The authentication engine is driven by two key settings: the provider and the method. The two settings are largely independent of each other.

  • Authentication Provider - the data store or repository of user IDs and passwords that is used to check the credentials of users logging in.
  • Authentication Method - the technique by which credentials are captured from the user during the log-in process.
  • Click here for more details on configuring the authentication method.

Authentication Provider

There are several providers operational in the product: the internal database, Active Directory (and Azure Active Directory), Open LDAP, SAML, and OpenID.

By default, the application is installed with internal database authentication, which requires little configuration. An initial user is created in the internal database during installation using the given user ID and password from the installer. This user is initially set as the master user account with enterprise admin rights.

Use the drop-down list to change to an external authentication provider.

Open LDAP and Azure Active Directory authentication are not available in the Community Edition.

Changing Master Users

When changing the provider, you must supply the settings used by the authentication engine together with an initial master user account from that provider; this account becomes the first enterprise user in the new setup. If you switch back to the internal database as the provider, you will also need to recreate the initial master user account.

When a new master account is created, the old account is disabled or deleted. It is therefore good practice to switch to the intended authentication provider right after system setup.

Internal "Database"

Pyramid comes with its own internal authentication mechanism out-of-the-box. It involves storing user credentials in the internal database repository. All details are appropriately stored and encrypted in the database. However, it is up to each customer to secure the database itself and manage access to these tables. If more robust security infrastructure is needed, Pyramid recommends using specialized authentication providers like Active Directory, SAML, or OpenID.

Settings

The internal authentication provider has few settings; admins can set:

  • Provider: Database.
  • Initial User: If you are changing to the "Database" provider, you will need to create an initial user account by supplying details in this page. For more information, see Changing Master Users.
  • Authentication Security:
    • Database Authentication:
      • Reset Password: How often users are forced to change their passwords (every 1 to 12 months).
    • Password Strength: The password strength tests to apply:
      • None - No requirements.
      • Medium - 6-character minimum. At least 1 alphabetic character and at least 1 numeric character. Cannot reuse the last 3 passwords.
      • High - 8-character minimum. At least 1 uppercase, 1 lowercase, 1 numeric, and 1 unusual character. Cannot reuse the last 12 passwords.

Note: Automated password reset and password strength options are not available in the Community Edition.
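The strength tiers and reset interval above are easy to misread as a single "minimum length" rule, so here is an added example (not Pyramid's code) that implements all three tiers as a policy check, keeps the reuse history as salted PBKDF2 hashes rather than plaintext, and evaluates the 1-to-12-month forced-reset interval with calendar-aware month arithmetic. It assumes "unusual" means a non-alphanumeric character and that history is ordered oldest first; both are assumptions, not page facts.

```python
"""Password policy checker modelled on the Database provider settings above (added example)."""
import calendar
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    require_alpha: bool = False
    require_digit: bool = False
    require_upper: bool = False
    require_lower: bool = False
    require_unusual: bool = False  # assumption: "unusual" = any non-alphanumeric character
    history_depth: int = 0         # how many previous passwords may not be reused


# The three tiers described on the page (None / Medium / High).
POLICIES = {
    "None": PasswordPolicy("None", min_length=0),
    "Medium": PasswordPolicy("Medium", min_length=6, require_alpha=True,
                             require_digit=True, history_depth=3),
    "High": PasswordPolicy("High", min_length=8, require_upper=True, require_lower=True,
                           require_digit=True, require_unusual=True, history_depth=12),
}

HistoryEntry = Tuple[bytes, bytes]  # (salt, PBKDF2 digest): history never stores plaintext


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256 digest of a password, for storage in the reuse history."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def _matches(password: str, entry: HistoryEntry) -> bool:
    """Constant-time comparison of a candidate against one stored history entry."""
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_password(candidate: str, policy: PasswordPolicy,
                   history: List[HistoryEntry]) -> List[str]:
    """Return the violated requirements; an empty list means the password is accepted.

    `history` is assumed to be ordered oldest first; only the newest
    `policy.history_depth` entries are checked for reuse.
    """
    failures: List[str] = []
    if len(candidate) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if policy.require_alpha and not any(c.isalpha() for c in candidate):
        failures.append("no alphabetic character")
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        failures.append("no numeric character")
    if policy.require_upper and not any(c.isupper() for c in candidate):
        failures.append("no uppercase character")
    if policy.require_lower and not any(c.islower() for c in candidate):
        failures.append("no lowercase character")
    if policy.require_unusual and not any(not c.isalnum() for c in candidate):
        failures.append("no unusual (non-alphanumeric) character")
    recent = history[-policy.history_depth:] if policy.history_depth else []
    if any(_matches(candidate, entry) for entry in recent):
        failures.append(f"reuses one of the last {policy.history_depth} passwords")
    return failures


def add_months(d: date, months: int) -> date:
    """Calendar-aware month arithmetic; clamps the day for shorter target months."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def reset_due(last_changed: date, reset_months: int, today: date) -> bool:
    """True once the forced-reset interval (1 to 12 months) has elapsed."""
    if not 1 <= reset_months <= 12:
        raise ValueError("reset interval must be between 1 and 12 months")
    return today >= add_months(last_changed, reset_months)


if __name__ == "__main__":
    # Constructed sample history: four earlier passwords, oldest first.
    history = [hash_password(p) for p in ("first1", "second2", "third3", "fourth4")]
    print(check_password("Passw0rd!", POLICIES["High"], history))   # []
    print(check_password("first1", POLICIES["Medium"], history))    # [] (older than last 3)
    print(check_password("fourth4", POLICIES["Medium"], history))   # reuse failure
    print(reset_due(date(2024, 1, 31), 1, date(2024, 2, 29)))        # True
```

Note that the reuse check only ever compares hashes, so an attacker who reads the history table learns nothing about earlier passwords beyond what the hash reveals; the trade-off is one PBKDF2 computation per history entry on every password change, which is acceptable for a depth of 12.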

Active Directory

To set up Active Directory, details for the directory are required, as well as the credentials for a domain user that will be used to traverse the directory database. Adding multiple domains is also possible.

  • Click here for details on using and deploying Active Directory

Azure Active Directory with LDAPS

The process for using Azure AD is identical to that of a normal Active Directory, as explained above. However, there are more steps needed for setting up LDAPS on Azure. These are explained here.

Open LDAP

To set up a generic LDAP provider, details for the directory are required, as well as the credentials for a user that will be used to traverse the directory database.

  • Click here for details on using and deploying LDAP

SAML

SAML provides a federated solution for authentication and will work with all standard SAML providers.

  • For guidance on connecting to standard / generic SAML, click here.
  • For guidance on connecting to Azure SAML, click here.
  • For guidance on connecting to Active Directory Federated Services (AD SAML), click here.

OpenID

To set up an OpenID provider, details for the provider are required, as well as the principal name of the first user (the enterprise admin).

  • Click here for details on using and deploying OpenID

Multi-Factor Authentication

Multi-Factor Authentication (MFA) is one of the ways to greatly improve security on any application. Pyramid offers MFA as an out-of-the-box feature where relevant and appropriate. Its applicability is influenced by both the chosen authentication provider and method.