Configuring system authentication
Types of authentication methods
The following types of authentication methods are available:
- FootPrints Internal: This is the default method in the system. You can use this if you want to maintain the user account passwords in FootPrints and you don't have an external system to authenticate FootPrints.
- LDAP: You can use this method if you want to authenticate your users against a third-party LDAP source such as Active Directory. When users log in, they enter the credentials held by that third-party directory. If the directory grants access, they are logged in as the FootPrints user with the matching User ID. Multiple LDAP authentication types can be configured to connect to different sources.
- Web server authentication: You can use this method if you want to enable single sign-on using a third-party authentication tool. FootPrints hands the authentication off to the third-party tool that the web server is configured to use. It runs through IIS or Apache.
By default, the FootPrints Internal and Web Server methods are generated, but only the FootPrints Internal method is enabled.
One authentication method is configured for each user account, and the system tries to authenticate only against that method. For example, BMC users might be authenticated against Active Directory, while the Web server method is used for single sign-on. If the user cannot be authenticated against the assigned method, a "bad credentials" error is generated.
If you attempt to disable a method that has users assigned to it, a warning appears. If you have two methods enabled and disable one, a warning message appears advising you that only one method is currently enabled. If you disable all external methods, the system automatically enables the FootPrints internal method. At least one method must be enabled at all times.
To configure an authentication method
- Click the Administration tab.
- In the System Management section, click System Settings > Authentication.
 The Authentication Methods page appears.
- Perform any of the following actions on the Authentication Methods page:
 - To modify an existing method, select the method and click the pencil icon in the first column. You can also click Actions > Edit Configuration. The Configure Authentication dialog box appears for the selected method. Modify the settings as needed, following the instructions for each method.
 - To change the default method, select the new method and click Set as Default.
 - To add another LDAP configuration, click Add LDAP Configuration. The Configure Authentication dialog box appears.
 - To delete an LDAP configuration, select it and click Delete LDAP Configuration.
To configure the FootPrints Internal method
By default, this method is named FootPrints but you can change the name.
- Click the Administration tab.
- In the System Management section, click System Settings > Authentication.
 The Authentication Methods page appears.
- Select the FootPrints Internal Authentication method and click the pencil icon in the first column.
 The Configure Authentication dialog box appears.
- Select Enable FootPrints Internal Authentication.
- In the Configuration Name field, enter the name for this configuration.
- In the Password Policy section, configure the required options based on the following conditions:
 - If you are installing FootPrints for the first time, the default minimum password length is set to eight characters. By default, the other check boxes are selected. Based on your requirements, you can customize the password policy.
 - If you upgrade to the current version of FootPrints, the default minimum password length is set to one character. By default, the other check boxes are cleared. Based on your requirements, you can customize the password policy.
- Click Save.
To configure the Web server method
- Click the Administration tab.
- In the System Management section, click System Settings > Authentication.
 The Authentication Methods page appears.
- Select the Web Server Authentication method and click the pencil icon in the first column.
 The Configure Authentication dialog box appears.
- Select Enable Web Server Authentication.
- In the Configuration Name field, enter the name for this service.
- Click Save.
To configure an LDAP method
- Click the Administration tab.
- In the System Management section, click System Settings > Authentication.
 The Authentication Methods page appears.
- Click Add LDAP Configuration.
 The Configure Authentication dialog box appears.
- Select Enable LDAP Authentication.
- In the Configuration Name field, enter the name for this configuration.
- In the LDAP Authentication Attribute field, enter the attribute against which the user is authenticated, such as uid, samaccountname, or mail.
- In the LDAP Server Address field, enter the IP address or fully qualified domain name of the LDAP server.
- In the LDAP Server Port field, enter the port number.
 The standard port number is 389.
- In the LDAP Base DN field, enter the distinguished name(s) for this server.
 Use the most basic level and ensure that you enter a name that has rights to access this server. For example, you might enter CN=Users,DC=<server name>,DC=local.
- (Optional) In the Authentication Login Information fields, enter the credentials for accessing this server.
 Ensure that you enter the account name in the Distinguished Name field. Once you save this configuration, this field becomes read-only. To change existing credentials, select Change Credentials.
- In the LDAP Security Type field, select the appropriate option.
- Click Save.
To configure password history
The Password History feature prevents users from reusing their recent passwords. When a user updates the password, the system stores a limited number of previous passwords in a secure, encrypted format. This historical record is checked during each password change to make sure that the new password is not the same as any of the recently used ones.
For example, if the password history limit is set to 5, the system retains the last five passwords. When a user attempts to set a new password, it is compared against these stored passwords. If there is a match, the system prompts the user to choose a different password.
This feature enhances account security by enforcing better password management and reducing the risk of compromised credentials being reused.
To enable the feature, select Keep password history, enter the password history limit in the Password Reuse limit field, and save the settings.
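The following is an added example, not FootPrints code, that models the password-history check described above with a limit of 5. It assumes the stored entries are salted password hashes rather than reversible encryption; how the product actually stores them is not stated here.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY_LIMIT = 5  # the "Password Reuse limit" used in the example above


def _hash(password: str, salt: bytes) -> bytes:
    # Assumption for this example: salted PBKDF2, so stored history cannot
    # be reversed to recover the old passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class PasswordHistory:
    """Keeps the last `limit` password hashes for one account, oldest first."""

    def __init__(self, limit: int = HISTORY_LIMIT):
        self.limit = limit
        self.entries: deque = deque(maxlen=limit)  # (salt, hash); oldest drops off

    def was_used_recently(self, password: str) -> bool:
        # Constant-time comparison against every retained hash.
        return any(hmac.compare_digest(_hash(password, salt), h)
                   for salt, h in self.entries)

    def set_password(self, password: str) -> bool:
        """Record the password and return True, or False if it matches history."""
        if self.was_used_recently(password):
            return False  # the system would prompt for a different password
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt)))
        return True


def demo() -> list:
    # Constructed sample: six distinct changes, then two reuse attempts.
    history = PasswordHistory()
    changes = ["Winter2024!", "Spring2024!", "Summer2024!",
               "Autumn2024!", "Winter2025!", "Spring2025!"]
    results = [history.set_password(p) for p in changes]      # six True
    results.append(history.set_password("Spring2024!"))       # still in last 5 -> False
    results.append(history.set_password("Winter2024!"))       # aged out of the 5 -> True
    return results
```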
To configure the login lockout
The Login Lockout feature temporarily blocks user access after a defined number of failed login attempts. This helps protect accounts from unauthorized access.
For example, if the system is configured to allow 5 consecutive failed attempts, the account will be locked after the fifth incorrect login. During the lockout period, which might last for a preset time (for example, 15 minutes) or until manually reset by an administrator, further login attempts are blocked even if the correct credentials are entered.
You can configure the login lockout using the following fields:
- Lockout Threshold: The maximum number of failed login attempts allowed before the account is locked.
- Lockout Duration: The length of time the account remains locked before it is automatically unlocked.
- Monitoring Period: The time window during which the system counts failed login attempts.
If a user fails to log in more than the defined Lockout Threshold within the Monitoring Period, their account is locked for the specified Lockout Duration. After the lockout period ends, the user can attempt to log in again.
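The following is an added example, not FootPrints code, that models how the three settings above interact: five failures within the Monitoring Period lock the account for the Lockout Duration (15 minutes, as in the example), and failures older than the window are not counted. The Monitoring Period value and the exact point at which the fifth failure locks the account are assumptions of this example.

```python
from collections import defaultdict, deque

LOCKOUT_THRESHOLD = 5          # failed attempts before the account is locked
LOCKOUT_DURATION = 15 * 60     # seconds the account stays locked (15 minutes)
MONITORING_PERIOD = 10 * 60    # seconds in which failures are counted (assumed value)


class LoginLockout:
    def __init__(self, threshold=LOCKOUT_THRESHOLD,
                 duration=LOCKOUT_DURATION, period=MONITORING_PERIOD):
        self.threshold, self.duration, self.period = threshold, duration, period
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> time at which the lock expires

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def attempt(self, user, credentials_ok, now):
        """Return 'locked', 'ok' or 'bad credentials' for one login attempt."""
        if self.is_locked(user, now):
            return "locked"  # blocked even when the credentials are correct
        if credentials_ok:
            self.failures[user].clear()
            return "ok"
        window = self.failures[user]
        window.append(now)
        while window and window[0] <= now - self.period:
            window.popleft()  # failures outside the Monitoring Period no longer count
        if len(window) >= self.threshold:
            self.locked_until[user] = now + self.duration  # lock on the fifth failure
            window.clear()
        return "bad credentials"

    def admin_unlock(self, user):
        # Manual reset by an administrator, as described above.
        self.locked_until.pop(user, None)


def demo():
    # Constructed sample: five failures in 40 seconds, then correct logins.
    lk = LoginLockout()
    t0 = 1_000_000
    out = [lk.attempt("alice", False, t0 + i * 10) for i in range(5)]
    out.append(lk.attempt("alice", True, t0 + 60))                     # locked
    out.append(lk.attempt("alice", True, t0 + 60 + LOCKOUT_DURATION))  # expired
    return out
```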