For the list of all supported Decision Insight downloads and releases, see the Downloads page.

Authentication and authorization

By default, the deployment stores its users and roles in its internal database. Alternatively, you can connect the deployment to an external user directory, such as Microsoft Active Directory or another LDAP server (see Configuring User Directories (LDAP)), or to a Single sign-on provider (see Configure Single sign-on (SSO)).

Users can be created and deleted. When a user is deleted, all associated information is deleted with it: comments, avatar, shares, and so on.

Authentication

Internal user directory only

The internal user directory stores the name, details, and preferences for all users, along with their password.

The deployment does not actually store the users' passwords. It stores a hash of each password instead (PBKDF2 with HMAC, 4096 iterations, and a 24-byte salt).
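To show what that storage scheme looks like in practice, here is an added example (not code from the product or its documentation) that stores and verifies a password with the parameters stated above: PBKDF2, HMAC, 4096 iterations and a 24-byte random salt. The page does not name the HMAC hash function or the derived-key length, so SHA-256 and a 24-byte output are assumptions made for this example. The verification step recomputes the hash with the stored salt and compares it in constant time, so neither the password nor a reversible form of it is ever kept.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Parameters stated on the page.
ITERATIONS = 4096
SALT_BYTES = 24
# Not stated on the page; assumed for this example.
HASH_NAME = "sha256"
DK_LEN = 24


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Return the record a user directory stores instead of the password itself."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per user/password
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be %d bytes" % SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS, dklen=DK_LEN)
    return {
        "alg": "pbkdf2-hmac-" + HASH_NAME,
        "iterations": ITERATIONS,
        "salt": salt.hex(),
        "hash": dk.hex(),
    }


def verify_password(password: str, record: Dict[str, object]) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    salt = bytes.fromhex(str(record["salt"]))
    expected = bytes.fromhex(str(record["hash"]))
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, int(record["iterations"]), dklen=len(expected))
    # hmac.compare_digest avoids leaking how many leading bytes matched through timing.
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    # Constructed sample: the same password hashed twice yields different records because the salt differs.
    rec_a = hash_password("correct horse battery staple")
    rec_b = hash_password("correct horse battery staple")
    print("records differ:", rec_a["hash"] != rec_b["hash"])
    print("correct password accepted:", verify_password("correct horse battery staple", rec_a))
    print("wrong password rejected:", not verify_password("tr0ub4dor&3", rec_a))
```

The salt is stored next to the hash in clear; its job is not secrecy but making each stored hash unique, so a precomputed table for one password does not apply to every user with that password.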

By default, the deployment is not configured to connect to an external user directory.

When a user tries to log in, the following happens:

  • The password entered is checked against the password hash stored in the internal database.
    • If the password is correct, the user is granted the right to log in to the deployment.
    • If the password is incorrect, the user is denied access.

The user authorization depends on the roles the user was given by the administrator.

External user directory

Authentication and authorization can be delegated to an external system. The deployment currently supports the following systems:

  • Active Directory/LDAP
  • Single sign-on (SSO)

If the deployment is configured to use an external system, the internal user directory stores only the name, details, and preferences of users who have logged in to the deployment at least once.

The deployment can simultaneously handle users that are configured in its internal user directory, and are therefore authenticated against it, and users that are authenticated against the external system (e.g., LDAP).

Both kinds of users are stored in the internal user directory. Users authenticated against the internal user directory are called internal users, and users authenticated against the external system are called external users.

When a user tries to connect to the deployment, the following happens:

  • If Single sign-on is disabled or not configured, the standard login screen is displayed to the user.
  • If Single sign-on is enabled, the deployment checks the user information received:
    • If the user info is not present, the standard login screen is displayed to the user.
    • If the user info is present, the deployment checks if the user's roles are known by the deployment:
      • If the user does not have at least one known role, the standard login screen is displayed to the user.
      • If the user has at least one known role, the internal user directory is updated with these roles, and access is granted.

When a user tries to log in (on the standard login screen), the following happens:

  • If the user exists in the internal user directory and is an internal user, the behavior is the same as for an internal user directory only.
  • If the user does not exist or is an external user, the password entered is checked against the external system:
    • If the password is correct, the deployment checks whether the user is a member of each of the groups configured in the external system (e.g. the groupRolesMap tag for LDAP).
      • If the user is not a member of at least one of these groups, the user is denied access.
      • If the user is a member of at least one of these groups, the user is associated with the roles mapped to those groups, and is logged in to the deployment with the credentials of these roles.
    • If the password is incorrect, the user is denied access.
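The two decision trees above (the Single sign-on path and the standard login-screen path) are easier to check against a concrete model. The following is an added example, not code from the product or its documentation, that implements both flows over constructed data: an internal user directory, a stand-in for the LDAP server, and a group-to-role map standing in for the groupRolesMap configuration. All names, passwords, group DNs and roles are constructed sample values; the PBKDF2 parameters for internal users follow the page (4096 iterations, 24-byte salt), with SHA-256 and a 24-byte output assumed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Roles the deployment itself knows about (constructed sample values).
KNOWN_ROLES: Set[str] = {"admin", "analyst", "viewer"}


@dataclass
class UserRecord:
    """One entry of the internal user directory."""
    name: str
    external: bool                       # False = internal user, True = external user
    roles: Set[str] = field(default_factory=set)
    salt: bytes = b""                    # internal users only
    password_hash: bytes = b""           # PBKDF2-HMAC output, internal users only


@dataclass
class Decision:
    outcome: str                         # "granted", "denied" or "login_screen"
    roles: Set[str] = field(default_factory=set)


class ExternalDirectory:
    """Stand-in for an LDAP server: checks passwords and reports group membership (constructed data)."""
    def __init__(self, passwords: Dict[str, str], groups: Dict[str, Set[str]]):
        self._passwords = passwords
        self._groups = groups

    def check_password(self, name: str, password: str) -> bool:
        return self._passwords.get(name) == password

    def groups_of(self, name: str) -> Set[str]:
        return self._groups.get(name, set())


def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Page parameters: 4096 iterations, 24-byte salt; SHA-256 and 24-byte output are assumptions.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 4096, dklen=24)


def sso_login(user_info: Optional[dict], directory: Dict[str, UserRecord]) -> Decision:
    """Single sign-on path: needs user info carrying at least one known role, else fall back to the login screen."""
    if user_info is None:
        return Decision("login_screen")
    roles = set(user_info.get("roles", ())) & KNOWN_ROLES
    if not roles:
        return Decision("login_screen")
    record = directory.setdefault(user_info["name"], UserRecord(user_info["name"], external=True))
    record.roles = roles                 # directory is refreshed with the roles just received
    return Decision("granted", set(roles))


def form_login(name: str, password: str, directory: Dict[str, UserRecord],
               external: ExternalDirectory, group_roles_map: Dict[str, Set[str]]) -> Decision:
    """Standard login-screen path."""
    record = directory.get(name)
    if record is not None and not record.external:
        # Internal user: same behaviour as an internal-only deployment.
        if hmac.compare_digest(_pbkdf2(password, record.salt), record.password_hash):
            return Decision("granted", set(record.roles))
        return Decision("denied")
    # Unknown or external user: the external system checks the password first...
    if not external.check_password(name, password):
        return Decision("denied")
    # ...then membership of the configured groups decides the roles.
    roles: Set[str] = set()
    for group in external.groups_of(name):
        roles |= group_roles_map.get(group, set())
    if not roles:
        return Decision("denied")        # authenticated, but member of none of the mapped groups
    record = directory.setdefault(name, UserRecord(name, external=True))
    record.roles = roles
    return Decision("granted", set(roles))


def sample_deployment():
    """Constructed state: one internal user, one known external user, an LDAP stand-in and its group map."""
    salt = b"\x5a" * 24                  # fixed constructed salt so the sample is reproducible
    directory = {
        "alice": UserRecord("alice", external=False, roles={"admin"}, salt=salt,
                            password_hash=_pbkdf2("a-secret", salt)),
        "bob": UserRecord("bob", external=True, roles={"analyst"}),
    }
    external = ExternalDirectory(
        passwords={"bob": "b-secret", "carol": "c-secret", "dave": "d-secret"},
        groups={"bob": {"cn=analysts"}, "carol": {"cn=guests"}, "dave": {"cn=analysts", "cn=admins"}},
    )
    group_roles_map = {"cn=analysts": {"analyst"}, "cn=admins": {"admin"}}   # groupRolesMap stand-in
    return directory, external, group_roles_map


if __name__ == "__main__":
    d, ext, gmap = sample_deployment()
    print(form_login("alice", "a-secret", d, ext, gmap))   # internal user, granted {'admin'}
    print(form_login("carol", "c-secret", d, ext, gmap))   # valid LDAP password, no mapped group: denied
    print(sso_login({"name": "erin", "roles": ["guest"]}, d))  # no known role: login screen
```

Note the difference in the two failure modes on the external path: a wrong password and a correct password without any mapped group both end in denial, so an external user who can bind to the directory still gets nothing until an administrator maps one of their groups to a role.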


Workflows

Single sign-on Workflow

Login screen Workflow

Authorization

Authorization is based on permissions and roles. This topic is described in Managing rights.
