Admin Authentication

Many of the same Authentication modules which can be used to authenticate KeyAccess client connections may also be used for authentication of Sassafras administrators.

Select Admin Authentication... from the Config Menu in order to set up an external system (e.g. Active Directory) for authenticating administrative passwords and privileges based on group membership.

Note that some authentication modules can use multiple properties to determine group membership when authenticating a KeyAccess user. However, for Admin Authentication, only the user name can be used to determine group membership.

Configuration

Setting up authentication is only one step in the process of defining access and permissions in KeyServer. Here are the setup steps to consider:

  1. Enter the appropriate configuration in the Admin Authentication window.
  2. Define at least one Role whose specified Group is a valid user-based group in your external authentication
    or
    Define an “External Account” with a name that will be recognized by your external authentication, and then associate it with one or more Roles.
    These permissions are set in the Admin Access Window.
  3. Note: Make sure you do NOT create an Admin Account in KeyConfigure using the same name that the external authentication uses. Internal accounts always take precedence over consulting external authentication.
  4. Define access to portions of the KeyServer in the ACL Details Window.

Using a Role with a group allows a single configuration that will apply to multiple admins. As an alternative, explicitly associating External Accounts with Roles requires configuration for each Admin, but does not require a group to exist in your external authentication system. Watch the video below for an example using a group:

User Interface

The Admin Authentication dialog is similar to the Client Authentication dialog but without options that only pertain to clients.

If you have already set up User Authentication and you want to use the same authentication method for controlling Administrative accounts in KeyConfigure, use the "Copy User Auth" button so you won't have to re-enter the configuration details. Note that this is a one-time copy. If you later change the User settings, the Admin settings will NOT automatically be kept in sync.

When a KeyConfigure administrator attempts to connect to KeyServer, the internally defined Accounts are checked first. If there is no matching name, the external Admin Authentication method is then checked. After the login is authenticated, KeyServer checks what Roles are associated with the account, either through group membership or via a direct association.

In order for an admin to succeed in logging in using external authentication, two things must happen. First, they must provide a name and password which are accepted by the external authentication. Second, the account must be associated with a Role. If the account is not explicitly linked to a Role, there must be a Role defined with an associated group which the external authentication method associates with the user name. Note that some authentication modules can use multiple properties to determine group membership when authenticating a KeyAccess user. However, for Admin Authentication, only the user name can be used to determine group membership.
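The lookup order described above can be modelled in a few lines to show its two practical consequences: an internal account shadows an external one of the same name, and an externally authenticated user with no Role is still refused. This is an added illustration, not Sassafras code; the class, its fields, the role and group names, and the sample accounts are all hypothetical and constructed for the example.

```python
# Illustrative model only: class, field and account names are hypothetical,
# not KeyServer's API; all sample data is constructed.
import hmac
from dataclasses import dataclass

def _same(stored, given):
    # Constant-time comparison; a missing account never matches.
    return stored is not None and hmac.compare_digest(stored, given)

@dataclass
class Server:
    internal: dict           # internal account name -> (password, roles)
    external_accounts: dict  # "External Account" name -> roles
    role_groups: dict        # Role name -> group it is tied to
    ext_passwords: dict      # stand-in for the external system's check
    ext_groups: dict         # user name -> groups reported externally

    def login(self, name, password):
        """Return (source, roles); an empty role set means login is refused."""
        # 1. Internal accounts first. A matching name ends the search, so the
        #    external method is never consulted for that name.
        if name in self.internal:
            stored, roles = self.internal[name]
            return "internal", set(roles) if _same(stored, password) else set()
        # 2. No internal match: the external system must accept the credentials.
        if not _same(self.ext_passwords.get(name), password):
            return "external", set()
        # 3. Roles come from a direct association or from group membership,
        #    which is looked up by user name only.
        roles = set(self.external_accounts.get(name, ()))
        groups = self.ext_groups.get(name, set())
        roles |= {r for r, g in self.role_groups.items() if g in groups}
        return "external", roles

    def shadowed_names(self):
        """Internal account names that also exist in the external system."""
        return sorted(set(self.internal) & set(self.ext_passwords))

def sample_server():
    return Server(
        internal={"jsmith": ("old-local-pw", {"Auditor"})},
        external_accounts={"mlee": {"Reports"}},
        role_groups={"Administrator": "KS-Admins"},
        ext_passwords={"jsmith": "ad-pw1", "mlee": "ad-pw2",
                       "kchan": "ad-pw3", "tnguyen": "ad-pw4"},
        ext_groups={"jsmith": {"KS-Admins"}, "kchan": {"KS-Admins"},
                    "tnguyen": {"Staff"}},
    )
```

In the sample data, `jsmith` is in the `KS-Admins` group externally but can only log in with the internal account's password and receives that account's roles, which is the situation setup step 3 warns against; `shadowed_names()` lists such collisions.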

Consult the Authentication Modules documentation for a description of options and configuration steps for each specific module choice. For specific information about using the Active Directory option for Admin Authentication, refer to the Active Directory Integration — Admin Authentication page. For more details on Admins and Roles, see the Admin Access Window documentation.