Authentication

Authentication Sources

To begin configuring SBM authentication, select the authentication source that SBM will validate credentials against.

• Internal SBM Database

  Uses SBM login IDs and internal SBM passwords to authenticate users.

• LDAP

  Validates users against LDAP using SBM Application Engine.

• LDAP then Internal

  Validates users against LDAP using SBM Application Engine first, and then against the internal SBM database if the user is not found in LDAP.

• SSO LDAP

  Validates users against LDAP using SSO.

• SSO LDAP then Internal

  Validates users against LDAP using SSO first, and then against the internal SBM database if the user is not found in LDAP.

• Windows Domain (NTCR)

  Uses the Windows security system for authentication. User login IDs and passwords are authenticated against your Windows domain.

• External Identity Provider

  Uses an external identity provider to validate user credentials and control access to SBM.

Depending on the option that you select, refer to the following for more information:

• About Windows Domain Authentication
• About LDAP Authentication
• About External Identity Provider Authentication

Session Management

After you select an authentication source, select the method SBM will use to manage user sessions. The options differ depending on the authentication source that you select.

• Single Sign-On (SSO)

  SSO enables users to provide their login credentials once, receive a security token in return, and then use this token again to access other SSO-enabled tools without logging in again. Because SSO offers a single point of access to SBM, which enhances the end-user experience, consider selecting this option to manage SBM user sessions.

• SBM Session Cookies

  Optimizes the performance of log in and log out features and is recommended for browsers that support cookies. If you select this check box, a Web page with a logon form is presented to users when they access the system.

  • If user names and passwords contain non-ASCII characters, you must select the SBM Session Cookies option.
  • If you select one of the LDAP authentication options and SBM Session Cookies to manage sessions, select the Allow legacy access check box to allow access for the SBM API and remote connections for SBM System Administrator.
  • You must select Allow legacy access if administrators will connect to SBM System Administrator remotely, if you use integrations, such as SourceBridge, or to allow connections for other programs that use the SBM API. In addition, you must enable Basic authentication on the tmtrack application in IIS in order to connect.
• HTTP Basic Authentication

  Gathers the user's login ID and password in a pop-up dialog box and uses the browser's built-in authentication rather than cookies. This is the least secure option that is offered by SBM.

• Windows Authentication (IIS)

  Manages user authentication using IIS against a Windows domain. This option only applies to Windows Domain (NTCR) authentication.

• Windows Authentication (SSO)

  Manages user authentication using SSO against a Windows domain. This option only applies to Windows Domain (NTCR) authentication.

  • If you select Windows Domain (NTCR) with Windows Authentication (SSO), you must configure your authentication settings on the Single Sign-On (SSO) server in order for SBM Configurator to successfully update the SSO configuration files.
  • Select the Enable Login Form check box to display a login page if user validation fails.
  • The Windows Domain tab is not displayed if you select Windows Authentication (SSO). Domain user IDs and passwords are validated against the domain of the IIS machine for Web service calls that do not have a security token. Domain user IDs and passwords are validated against the domain of the SSO machine for browser authentication requests.
• Other

  Select this option if users will be validate against an external identity provider.

User Session Time-Out

Depending on the authentication source and session management options that you select, you can optionally designate a User session time-out period.

This setting forces users to re-authenticate if they have not actively used the system for a specified number of minutes. Enter a positive integer to have SBM automatically log out users who are inactive for the specified number of minutes. This feature is only available when user sessions are managed using Single Sign-On (SSO) or SBM session cookies. This setting is not available with Windows Domain (NTCR) authentication.

When this setting is enabled, the Web client polls the server once a minute to determine if the configured timeout has been exceeded. If no activity has occurred in the browser and the configured timeout has been exceeded, the client disconnects the session and returns a message that indicates that the session has timed out. If the timeout is exceeded and the user attempts to make a change in the browser before the next polling period after the timeout period has lapsed, then the session is immediately disconnected and the user is prompted to log in again.

If the connection to the server is lost or the server cannot be reached, the existing session is automatically disconnected after the first unsuccessful poll between the client and the server. Note that any data that is entered in a transition form that is not completed when the session timeout occurs is lost and will need to be re-entered in the transition form again when the user logs back in.

Related Topics

About Windows Domain Authentication

About LDAP Authentication

About External Identity Provider Authentication

Password Restrictions

Other Settings