Authentication

In the Authentication tab, you configure SBM authentication settings. You can configure authentication settings in utility mode after your database has been initialized.

Important: For new installations, the Authentication settings are not saved in the Application Engine database until after you run the Create Database Wizard in SBM System Administrator. After you run the wizard and successfully create the database, use SBM Configurator to configure your Authentication settings.

If your installation uses multiple Web servers with different authentication settings for each server, select the Override authentication settings for this server check box and configure the authentication settings for your local server. Clear the check box if all servers will use the same authentication settings.

Browser Sessions

To begin configuring SBM authentication, select the method SBM will use to manage user sessions.

Single Sign-On (SSO)
SSO enables users to provide their login credentials once, receive a security token in return, and then use this token again to access other SSO-enabled tools without logging in again. Because SSO offers a single point of access to SBM that enhances the end-user experience, consider selecting this option to manage SBM user sessions.
SBM Session Cookies
Optimizes the performance of log in and log out features and is recommended for browsers that support cookies.
- If you select one of the LDAP authentication options and SBM Session Cookies to manage sessions, select the Allow legacy access check box to allow access for the SBM API and remote connections for SBM System Administrator. Enter your domain name on the Windows Domain tab.
- You must select Allow legacy access if administrators will connect to SBM System Administrator remotely, if you use integrations, such as SourceBridge, or to allow connections for other programs that use the SBM API.

Browser Authentication

After you determine how SBM will manage user sessions, select which option to use to obtain browser user credentials.

SBM Login Form
Displays a login form in the Web browser to gather user credentials.
Windows Authentication
Credentials of the user logged in to the workstation are used to log in automatically.

Note the following important information about using Single Sign-On with Windows Authentication:
- If you select Single Sign-On with Windows Authentication, you must configure your authentication settings on the Single Sign-On (SSO) server in order for SBM Configurator to successfully update the SSO configuration files.
- Select the Enable Login Form check box to display a login page if user validation fails.
Third Party Authentication System
Browser user credentials are collected and authenticated by a SAML2 identity provider or another identity management system. You will configure additional settings on the External Identity Provider tab that appears.

When you select either Single Sign-On or Third Party Authentication System, browser users are validated externally and logged in automatically without a login form. In the following section, you will determine which authentication source to use for validating Web service and API calls in this scenario.

Authentication Sources

Finally, select the authentication source that SBM will validate credentials against. If you selected Windows Authentication or Third Party Authentication System to collect identities, use this option to designate how Web service calls and connections from the SBM API are authenticated.

Internal SBM Database
Uses SBM login IDs and internal SBM passwords to authenticate users.
LDAP
Validates users against LDAP using SBM Application Engine.
LDAP then Internal
Validates users against LDAP using SBM Application Engine first, and then against the internal SBM database if the user is not found in LDAP.
SSO LDAP
Validates users against LDAP using SSO.
SSO LDAP then Internal
Validates users against LDAP using SSO first, and then against the internal SBM database if the user is not found in LDAP.
Windows Domain
Uses the Windows security system for authentication. User login IDs and passwords are authenticated against your Windows domain.

The domain that is used for validation differs as follows depending on the session management option that you select:
- If you select Single Sign-On to manage sessions, domain user IDs and passwords are validated against the domain of the SSO machine for browser authentication requests. Domain user IDs and passwords are validated against the domain of the IIS machine for Web service calls that do not have a security token.
- If you select SBM Session Cookies to manage sessions, domain user IDs and passwords are validated against the domain that you specify on the Windows Domain tab. If you do not provide a domain, the domain that the IIS server is installed on is used.

CAUTION:

When users are logged in automatically by using either Windows Authentication or a Third-Party system for browser authentication, selecting Internal SBM Database for Web services authentication potentially allows users to:

Access the repository from SBM Composer by specifying only the login ID with no password
Log in to SBM Application Repository by specifying only the login ID with no password
Make SBM Web service calls by specifying only the login ID and no password

By default, users in SBM are created without a password, which means any user that has not explicitly changed his or her password can log in by specifying a blank password. Therefore, either consider using SSO instead of session cookies or set passwords in SBM for every user.

User Session Time-Out

Depending on the authentication source and session management options that you select, you can optionally designate a User session time-out period.

This setting forces users to re-authenticate if they have not actively used the system for a specified number of minutes. Enter a positive integer to have SBM automatically log out users who are inactive for the specified number of minutes. This feature does not apply when browser user identities are collected via Windows Authentication.

Note: The User session time-out setting is unrelated to licensing. Rather, you use the User session time-out setting to enhance the security of your system. This setting prevents data from inadvertently being exposed in end-user interfaces for an indefinite period of time.

When this setting is enabled, the Web client polls the server once a minute to determine if the configured timeout has been exceeded. If no activity has occurred in the browser and the configured timeout has been exceeded, the client disconnects the session and returns a message that indicates that the session has timed out. If the timeout is exceeded and the user attempts to make a change in the browser before the next polling period after the timeout period has lapsed, then the session is immediately disconnected and the user is prompted to log in again.

If the connection to the server is lost or the server cannot be reached, the existing session is automatically disconnected after the first unsuccessful poll between the client and the server. Note that any data that is entered in a transition form that is not completed when the session timeout occurs is lost and will need to be re-entered in the transition form again when the user logs back in.

Enable Login Form

If you decide to gather user identities using either Windows Authentication or a Third Party Authentication System, select the Enable Login Form check box to display a login page to users when user validation fails. Clear the check box if you do not want the page to appear.