Authentication
Users are identified by their email address. SD Elements supports four methods of authentication:
- Username and password
- Lightweight Directory Access Protocol (LDAP)
- Security Assertion Markup Language (SAML) version 2.0
- Trusted Authentication
Only one of LDAP, SAML, or Trusted Authentication can be enabled at a time. Username and password authentication is always enabled.
Trusted Authentication is unavailable when Advanced Single Sign On is enabled.
User account creation
User accounts are created in one of four ways:
- An administrator creates an individual account with the web interface.
- An administrator bulk imports a list of users.
- An administrator configures the LDAP Sync feature to provision accounts.
- The Single Sign-On (SSO) feature is configured to autoprovision accounts.
A welcome email is sent to the user when an account is created. The link in the email expires after 72 hours; by following it, the user sets their password and their security questions and answers. If the link expires, an administrator can send a new one.
No email is sent to users who are automatically provisioned using SSO.
Username and password
SD Elements natively authenticates users with an email address and a password.
Users open the application login page and authenticate with the password they set.
After six failed login attempts, SD Elements locks the account.
Users are created according to the options in the section User account creation.
Passwords must be at least six characters long and contain at least one uppercase letter, one lowercase letter, and one digit.
Lightweight Directory Access Protocol (LDAP)
LDAP is a method that allows users to log in with their LDAP/Active Directory username and password.
Users open the application login page and authenticate using their standard LDAP username and password.
By default, the application creates a user the first time they log in. If access should be restricted, this option can be turned off. Please see the System Administration guide for more information.
Security Assertion Markup Language (SAML)
SAML is a Single Sign-On (SSO) method in which authentication is handled by a different system, the Identity Provider (IdP). The user's identity is securely asserted to SD Elements, which logs the user in automatically. SD Elements supports SAML v2.0.
The user login flow is as follows:
- If a user is already authenticated by the IdP, SD Elements creates a new session for the user and logs them in. The user is not redirected to a different page.
- If a user is not authenticated by the IdP, SD Elements can redirect the user to a different location, such as the IdP, so that the user can log in.
- Users provisioned with a password can log in using the standard login form.
By default, the application creates users the first time they log in. If access should be restricted, this option can be turned off. Please see the System Administration guide for more information.
Trusted Authentication
Disabled when "Advanced Single Sign On" is enabled.
Trusted Authentication is a Single Sign-On (SSO) method where authentication is handled by a different system. A user’s identity is securely passed to SD Elements which allows users to automatically log in.
A user accesses SD Elements through a corporate portal. The login flow is as follows:
- If a user is already authenticated by the other system, SD Elements creates a new session for the user and logs them in. The user is not redirected to a different page.
- If a user is not authenticated by the other system, SD Elements can redirect the user to a different location, such as the corporate portal, so that the user can log in.
- Users provisioned with a password can log in using the standard login form.
By default the application creates users the first time they access it. If access should be restricted, this option can be turned off. Please see the System Administration guide for more information.
Trusted Authentication With HTTP Headers
This method is secure only if all traffic into SD Elements passes through a trusted server (such as a reverse proxy) that authenticates every request and sets the header itself; the application cannot tell who set the header. Otherwise an unauthenticated user can put a valid email address in the header of their own request and be treated as authenticated.
Trusted Authentication with HTTP Headers is a feature that allows users to log in through HTTP headers. A request is authenticated if it contains the user’s email address in a particular HTTP header, specified by the administrator of the SD Elements instance.
Details
- Email Address: the HTTP header containing a user's email address.
- (Optional) First Name: the HTTP header that contains a user's first name.
- (Optional) Last Name: the HTTP header that contains a user's last name.
- (Optional) Login URL: the URL that unauthenticated users are redirected to when they attempt access. The standard login page is used if not provided.
- (Optional) Logout URL: the URL that users are redirected to on logout. The standard logout page is used if not provided.
Prerequisite:
- The user has the system Super User permission.
Steps:
- Log in to SD Elements with super user credentials.
- From the gear icon menu, select Authentication.
- From the Single Sign-on tab, go to SSO Type and select the Trusted Authentication option.
- Enter the details described above and click Save.
If the First Name and Last Name headers are not available, a new user is prompted to enter their name. It is also recommended that you provide both a Login URL and a Logout URL for optimal integration with your Single Sign-On service.
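The warning above, as an added example that is not SD Elements code or configuration: a small Python model of the trust relationship between the application and the proxy in front of it. The header names, the session table and the redirect targets are assumptions for the example. It shows that the application side accepts whichever value arrives in the configured email header, that a proxy which merely forwards traffic leaves the spoof open, and that the safe proxy authenticates first and then strips every client-supplied copy of the trust headers (any case, underscore for hyphen, duplicates) before setting them from its own session.

```python
from typing import List, Optional, Tuple

# Hypothetical header names an administrator might configure in the
# Trusted Authentication settings (assumptions for this example).
EMAIL_HEADER = "X-SDE-Email"
FIRST_NAME_HEADER = "X-SDE-First-Name"
LAST_NAME_HEADER = "X-SDE-Last-Name"

Header = Tuple[str, str]      # (name, value); a list models repeated headers
Response = Tuple[int, str]    # (status code, what the server did)


def canonical(name: str) -> str:
    """Fold the spellings that servers commonly treat as the same header.

    Header names are case-insensitive, and several servers map an underscore
    in a client-sent name to a hyphen, so a strip rule that compares exact
    strings can miss 'x_sde_email' while the application still honours it.
    """
    return name.strip().lower().replace("_", "-")


TRUST_HEADERS = {canonical(h) for h in (EMAIL_HEADER, FIRST_NAME_HEADER, LAST_NAME_HEADER)}


def app(headers: List[Header]) -> Response:
    """Model of the application side of Trusted Authentication with HTTP Headers.

    It has no way to tell who set the header: the first non-empty value found
    in the configured email header becomes the logged-in user.
    """
    for name, value in headers:
        if canonical(name) == canonical(EMAIL_HEADER) and value:
            return 200, f"session for {value}"
    return 302, "redirect to Login URL"


def strip_trust_headers(headers: List[Header]) -> List[Header]:
    """Drop every client-supplied copy of the trust headers, in any spelling."""
    return [(n, v) for n, v in headers if canonical(n) not in TRUST_HEADERS]


# Constructed session table standing in for the corporate portal's own
# authentication: proxy session cookie -> (email, first name, last name).
SESSIONS = {"sid-alice": ("alice@example.com", "Alice", "Liddell")}


def session_identity(headers: List[Header]) -> Optional[Tuple[str, str, str]]:
    """Look up the identity behind the proxy's own session cookie, if any."""
    cookie = next((v for n, v in headers if canonical(n) == "cookie"), None)
    return SESSIONS.get(cookie)


def hardened_proxy(client_headers: List[Header]) -> Response:
    """Trusted reverse proxy: authenticate first, then rewrite the headers.

    Unauthenticated requests are never forwarded. Authenticated ones reach the
    application with the trust headers set only from the proxy's session, so
    whatever the client sent in those headers is discarded.
    """
    identity = session_identity(client_headers)
    if identity is None:
        return 302, "redirect to portal login"
    email, first, last = identity
    forwarded = strip_trust_headers(client_headers)
    forwarded += [(EMAIL_HEADER, email), (FIRST_NAME_HEADER, first), (LAST_NAME_HEADER, last)]
    return app(forwarded)


def passthrough_proxy(client_headers: List[Header]) -> Response:
    """Misconfigured deployment: forwards the client's headers untouched."""
    return app(list(client_headers))


if __name__ == "__main__":
    spoof = [("X_SDE_EMAIL", "admin@example.com")]   # constructed attacker request
    print("direct to app:      ", app(spoof))
    print("passthrough proxy:  ", passthrough_proxy(spoof))
    print("hardened proxy:     ", hardened_proxy(spoof))
    print("hardened, logged in:", hardened_proxy([("Cookie", "sid-alice")] + spoof))
```

The check this models is worth running against a real deployment: send a request carrying the configured email header directly to the SD Elements host and port, then the same request through the proxy without a portal session. A logged-in response in either case means the application is reachable without the proxy's authentication or the proxy is not stripping the header.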
User Reactivation in SDE via SSO
SD Elements can reactivate an inactive SD Elements user when the connected SSO provider reports that user as active. Reactivation works with SAML and LDAP, so your IdP or directory becomes the source of truth for a user's status.
Activating the Feature
To use the User Reactivation feature, you must enable its feature flag.
Prerequisites:
- The user has the system Super User permission.
- The user has set up SSO authentication with SAML or LDAP.
Steps:
- Log in to SD Elements with super user credentials.
- From the gear icon menu, select Features.
- Check the box to the left of Auto-Reactivate Users via SSO Login.
- Click the Save button.