Configuring system authentication

Types of authentication methods

The following types of authentication methods are available:

  • FootPrints Internal: This is the default method in the system. You can use this if you want to maintain the user account passwords in FootPrints and you don't have an external system to authenticate FootPrints users.
  • LDAP: You can use this method if you want to use a third-party LDAP source, such as Active Directory, to authenticate your users. When users log in, they enter their credentials from this third-party application. If the users are granted access, they are logged in as the user in FootPrints with their User ID. Multiple LDAP authentication types can be configured to connect to different sources.
  • Web server authentication: You can use this method if you want to enable single sign-on using a third-party authentication tool. This takes the authentication from FootPrints and passes it to the third-party authentication tool that the web server is configured to use. It runs through IIS or Apache.

By default, the FootPrints Internal and Web Server methods are generated, but only the FootPrints Internal method is enabled. 

One authentication method is configured for each user account and the system tries to authenticate only against that method. For example, BMC users will be authenticated with Active Directory. Web server will be used for single sign-on. If the user cannot be authenticated against a method, a "bad credentials" error is generated.  

If you attempt to disable a method that has users assigned to it, a warning appears. If you have two methods enabled and disable one, a warning message appears advising you that only one method is currently enabled. If you disable all external methods, the system automatically enables the FootPrints internal method. At least one method must be enabled at all times.

Note

You can validate LDAP methods from the Authentication Methods page (once the fields are set up), but you cannot validate a Web server method from that page.

To configure an authentication method

  1. Click the Administration tab.
  2. In the System Management section, click System Settings > Authentication.
    The Authentication Methods page appears.

  3. Perform any of the following actions on the Authentication Methods page:
    • To modify an existing method, select the method and click the pencil icon in the first column.
      You can also click Actions > Edit Configuration. The Configure Authentication dialog box appears for the selected method. Modify the settings as needed, following the instructions for each method.
    • To change the default method, select the new method and click Set as Default.
    • To add another LDAP configuration, click Add LDAP Configuration.
      The Configure Authentication dialog box appears.
    • To delete an LDAP configuration, select it and click Delete LDAP Configuration.

To configure the FootPrints Internal method

By default, this method is named FootPrints but you can change the name.

  1. Click the Administration tab.
  2. In the System Management section, click System Settings > Authentication.
    The Authentication Methods page appears.

  3. Select the FootPrints Internal Authentication method and click the pencil icon in the first column.
    The Configure Authentication dialog box appears. 
  4. Select Enable FootPrints Internal Authentication.
  5. In the Configuration Name field, enter the name for this configuration.
  6. In the Password Policy section, configure the required options based on the following conditions:
    • If you are installing FootPrints for the first time, the default minimum password length is set to eight characters. By default, the other check boxes are selected. Based on your requirements, you can customize the password policy.
    • If you upgrade to the current version of FootPrints, the default minimum password length is set to one character. By default, the other check boxes are cleared. Based on your requirements, you can customize the password policy.
  7. Click Save.

To configure the Web server method

Note

To use web server authentication, you must configure Tomcat with IIS or Apache on the front end and then configure the third-party authentication that you want to use. For more information, see the support article 1 and support article 2.

  1. Click the Administration tab.

  2. In the System Management section, click System Settings > Authentication.
    The Authentication Methods page appears.

  3. Select the Web Server Authentication method and click the pencil icon in the first column.
    The Configure Authentication dialog box appears. 
  4. Select Enable Web Server Authentication.
  5. In the Configuration Name field, enter the name for this service.
  6. Click Save.

To configure an LDAP method

  1. Click the Administration tab.
  2. In the System Management section, click System Settings > Authentication.
    The Authentication Methods page appears.

  3. Click Add LDAP Configuration.
    The Configure Authentication dialog box appears.
  4. Select Enable LDAP Authentication.
  5. In the Configuration Name field, enter the name for this configuration.
  6. In the LDAP Authentication Attribute field, enter the attribute against which the user is authenticated, such as uid, samaccountname, or mail.
  7. In the LDAP Server Address field, enter the IP address or fully qualified domain name of the LDAP server.
  8. In the LDAP Server Port field, enter the port number.
    The standard port number is 389.
  9. In the LDAP Base DN field, enter the distinguished name(s) for this server.
    Use the most basic level and ensure that you enter a name that has rights to access this server. For example, you might enter CN=Users,DC=<server name>,DC=local.
  10. (Optional) In the Authentication Login Information fields, enter the credentials for accessing this server.
    Ensure that you enter the account name in the Distinguished Name field. Once you save this configuration, this field becomes read-only. To change existing credentials, select Change Credentials.
  11. In the LDAP Security Type field, select the appropriate option.
  12. Click Save.
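
A pre-flight check for the values entered in steps 6 to 11, as an added example that is not part of FootPrints or of this documentation. The dictionary keys and the security labels "none", "starttls" and "ldaps" are assumptions (the page does not list the LDAP Security Type options), and the DN check is a simplified shape test.

```python
import ipaddress
import re

# Simplified shape test for one DN component (attr=value); escaped commas are not handled.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=<>]+$")
_FQDN = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")

def looks_like_dn(value):
    """True if every comma-separated component is shaped like attr=value."""
    return bool(value.strip()) and all(_RDN.match(p.strip()) for p in value.split(","))

def is_host(value):
    """True for an IP address or a dotted fully qualified domain name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(_FQDN.match(value))

def lint_ldap_method(cfg):
    """Return findings for one LDAP method; an empty list means nothing was flagged."""
    findings = []
    if not is_host(cfg["server_address"]):
        findings.append("server_address: not an IP address or fully qualified domain name")
    if not looks_like_dn(cfg["base_dn"]):
        findings.append("base_dn: not a complete distinguished name (placeholder left in?)")
    if cfg.get("bind_dn") and not looks_like_dn(cfg["bind_dn"]):
        findings.append("bind_dn: enter a distinguished name, not a bare account name")
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", cfg["auth_attribute"]):
        findings.append("auth_attribute: not a valid LDAP attribute name")
    # Assumed labels; the product's own LDAP Security Type options are not listed on the page.
    if cfg["security"] == "none":
        findings.append("security: without TLS, an LDAP simple bind sends passwords in clear text")
    elif cfg["security"] == "ldaps" and cfg["port"] == 389:
        findings.append("port: 389 is the plain LDAP port; LDAPS conventionally uses 636")
    return findings

# Constructed sample values, not taken from a real deployment.
SAMPLE_WEAK = {"server_address": "dc01", "port": 389, "auth_attribute": "samaccountname",
               "base_dn": "CN=Users,DC=<server name>,DC=local",
               "bind_dn": "svc_footprints", "security": "none"}
SAMPLE_OK = {"server_address": "dc01.corp.example", "port": 636, "auth_attribute": "samaccountname",
             "base_dn": "CN=Users,DC=corp,DC=example",
             "bind_dn": "CN=svc_footprints,CN=Users,DC=corp,DC=example", "security": "ldaps"}

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("ok", SAMPLE_OK)):
        print(name, lint_ldap_method(cfg) or "no findings")
```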

Related topic

Administering
