General Settings

Browser Sessions

To begin configuring SBM authentication, select the method SBM will use to manage user sessions.

Single Sign-On (SSO)
SSO enables users to provide their login credentials once, receive a security token in return, and then use this token again to access other SSO-enabled tools without logging in again. Because SSO offers a single point of access to SBM that enhances the end-user experience, consider selecting this option to manage SBM user sessions. For more information, refer to About Single Sign-On (SSO).
SBM Session Cookies
Optimizes the performance of log in and log out features and is recommended for browsers that support cookies.
- If you select one of the LDAP authentication options and SBM Session Cookies to manage sessions, select the Allow legacy access check box to allow access for the SBM API. Enter your domain name on the Windows Domain tab.
- You must select Allow legacy access if you use integrations, such as SourceBridge, or to allow connections for other programs that use the SBM API.

Browser Authentication

After you determine how SBM will manage user sessions, select which option to use to obtain browser user credentials.

SBM Login Form
Displays a login form in the Web browser to gather user credentials.
Windows Authentication
Credentials of the user logged in to the workstation are used to log in automatically.

Note the following important information about using Single Sign-On with Windows Authentication:
- If you select Single Sign-On with Windows Authentication, you must configure your authentication settings on the Single Sign-On (SSO) server in order for SBM Configurator to successfully update the SSO configuration files.
- Select the Enable Login Form check box to display a login page if user validation fails.
Third Party Authentication System
Browser user credentials are collected and authenticated by a SAML2 identity provider or another identity management system. You will configure additional settings on the External Identity Provider tab that appears.
Smart Card Login
Enables users to log in using Smart Cards. To set up Smart Card authentication, you must configure how authentication is handled and how user identities are managed on the Custom Authentication tab. For details, refer to Custom Authentication Settings.

When you select either Windows Authentication or Third Party Authentication System, browser users are validated externally and logged in automatically without a login form. In the following section, you will determine which authentication source to use for validating Web service and API calls in these scenarios.

Authentication Sources

Finally, select the authentication source that SBM will validate credentials against. If you selected Windows Authentication or Third-Party Authentication System to collect identities, this selection determines how Web service calls and connections from the SBM API are authenticated.

Internal SBM Database
Uses SBM login IDs and internal SBM passwords to authenticate users.
LDAP
Validates users against LDAP using SBM Application Engine.
LDAP then Internal
Validates users against LDAP using SBM Application Engine first, and then against the internal SBM database if the user is not found in LDAP.
SSO LDAP
Validates users against LDAP using SSO.
SSO LDAP then Internal
Validates users against LDAP using SSO first, and then against the internal SBM database if the user is not found in LDAP.
Windows Domain
Uses the Windows security system for authentication. User login IDs and passwords are authenticated against your Windows domain.

The domain that is used for validation differs as follows depending on the session management option that you select:
- If you select Single Sign-On to manage sessions, domain user IDs and passwords are validated against the domain of the SSO machine for browser authentication requests. Domain user IDs and passwords are validated against the domain of the IIS machine for Web service calls that do not have a security token.
- If you select SBM Session Cookies to manage sessions, domain user IDs and passwords are validated against the domain that you specify on the Windows Domain tab. If you do not provide a domain, the domain that the IIS server is installed on is used.

CAUTION:

When users are logged in automatically by using either Windows Authentication or a Third-Party Authentication System for browser authentication, selecting Internal SBM Database for Web services authentication potentially allows users to:

Access the repository from SBM Composer by specifying only the login ID with no password
Log in to SBM Application Repository by specifying only the login ID with no password
Make SBM Web service calls by specifying only the login ID and no password

By default, users in SBM are created without a password, which means any user that has not explicitly changed his or her password can log in by specifying a blank password. Therefore, either consider using SSO instead of session cookies or set passwords in SBM for every user.

User Session Time-Out

Depending on the authentication source and session management options that you select, you can optionally designate a User session time-out period. This setting forces users to re-authenticate if they have not actively used the system for the specified number of minutes. Enter a positive integer to have SBM automatically log out users who are inactive for the specified number of minutes.

If a User session time-out is set, the Web client polls the server once a minute to determine if the configured timeout has been exceeded. If no activity occurs and the user does not renew the session after a timeout warning appears, the client disconnects the session. If the timeout is exceeded and the user attempts to make a change in the browser before the next polling period after the timeout period has lapsed, the session is immediately disconnected and the user is prompted to log in again.

Note the following:

Use the User session time-out setting to enhance the security of your system. This setting prevents data from inadvertently being exposed in end-user interfaces for an indefinite period of time.
If you are using SSO and a session times out due to inactivity (according to the value set in SBM Configurator), named licenses are freed between 1-6 minutes after the last activity occurs and concurrent licenses are freed between 5-10 minutes after the last activity occurs. If you are not using SSO and the session times out, licenses are freed 60-65 minutes after the last activity occurs.
For more details, refer to solution S142506.
User session time-out is not applicable when browser user identities are collected via Windows Authentication.
If the connection to the server is lost or the server cannot be reached, the existing session is automatically disconnected after the first unsuccessful poll between the client and the server.
A timeout warning appears in the browser when five minutes remain before the timeout occurs. If a user clicks OK or performs an activity in the browser, the timeout warning is dismissed and the counter begins again. To change the number of minutes before the popup appears, refer to solution S142343.
Any data that is entered during a transition that is not completed when a timeout occurs is lost and must be re-entered in the transition form again when the user logs back in.

Login Form Options

Use the following options to display a login form and you are not using the SBM Login Form browser authentication option.

Enable login form

If you are not using the SBM Login Form option, select this option to display a login page if user validation fails with Windows Authentication, Third-Party Authentication, or Smart Cards. Clear the check box if you do not want the page to appear.

Display a login form on initial log in

If you selected Smart Card Login, select this option if you want to display a login form that requires users to click the Smart Card Login button on their first attempt to log in.