Authentication management
censhare offers an internal standard authentication as well as common external identity management methods to authenticate users. Multiple authentication methods can be in place in parallel.
As of censhare 2021.2.x, censhare requires Keycloak as the default authentication solution. Keycloak is an open-source identity and access management solution. Keycloak provides external authentication methods such as two-factor authentication, LDAP and SAML, and integrates with the identity solutions you already run. For more information, see Keycloak authentication.
Introduction
In censhare, users log in with a unique username and password. You can use multiple authentication methods in parallel and integrate censhare with the authentication methods that are already in place in your organization.
The following is required for censhare authentication to successfully log on a user:
- username and password
- at least one default domain
- at least one default role
If you use an external identity provider, the default domain and default role must be mapped from existing user attributes, or you must extend the user profiles with the respective attributes. A user for whom no domain or no role can be resolved cannot be logged on.
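The mapping requirement above, as an added example that is not censhare code and uses no censhare API: the claim names (preferred_username, sub, groups, censhare_domain, censhare_role), the group DNs and the domain strings are assumptions chosen for the illustration. The function resolves an identity delivered by an external provider to the username, default domain and default role censhare needs, accepting either an extended user profile or a group-to-domain/role table, and refuses the login when the domain or the role cannot be resolved instead of falling back to a guessed default.

```python
"""Added illustration: resolving the domain and role censhare needs from the
attributes an external identity provider sends. NOT censhare code; claim
names, group DNs and domain strings are assumptions made for the example."""

from dataclasses import dataclass, field


class UnmappedUserError(Exception):
    """The IdP identity cannot be resolved to a default domain and role."""


@dataclass
class CensharePrincipal:
    username: str
    default_domain: str
    default_role: str
    domains: set = field(default_factory=set)
    roles: set = field(default_factory=set)


# Assumed mapping table: IdP group DN -> (domain, role). Table order is the
# precedence used to pick the defaults when a user matches several groups;
# listing the least privileged mapping first keeps the default role minimal.
GROUP_MAP = {
    "cn=editors,ou=groups,dc=example,dc=com": ("root.marketing.", "editor"),
    "cn=admins,ou=groups,dc=example,dc=com": ("root.", "administrator"),
}


def map_external_user(claims: dict, group_map: dict = GROUP_MAP) -> CensharePrincipal:
    """Build the principal (username, default domain, default role).

    Two sources are accepted, matching the two options in the text:
    1. the user profile was extended with explicit attributes
       (assumed claim names 'censhare_domain' / 'censhare_role'), or
    2. domain and role are derived from group membership via group_map.
    If neither yields a domain AND a role, the login is refused; there is
    deliberately no silent fallback to a guessed default.
    """
    username = claims.get("preferred_username") or claims.get("sub")
    if not username:
        raise UnmappedUserError("identity provider sent no username")

    explicit_domain = claims.get("censhare_domain")
    explicit_role = claims.get("censhare_role")
    if explicit_domain and explicit_role:
        return CensharePrincipal(username, explicit_domain, explicit_role,
                                 {explicit_domain}, {explicit_role})
    if explicit_domain or explicit_role:
        # Half-mapped profiles are the common misconfiguration: reject, do not guess.
        raise UnmappedUserError(f"{username}: profile has domain or role but not both")

    user_groups = set(claims.get("groups", []))
    matched = [pair for group, pair in group_map.items() if group in user_groups]
    if not matched:
        raise UnmappedUserError(f"{username}: no group maps to a censhare domain and role")

    default_domain, default_role = matched[0]
    return CensharePrincipal(
        username, default_domain, default_role,
        domains={d for d, _ in matched}, roles={r for _, r in matched},
    )


def login_allowed(claims: dict) -> bool:
    """True when the mapping yields everything censhare needs to log the user on."""
    try:
        map_external_user(claims)
        return True
    except UnmappedUserError:
        return False


if __name__ == "__main__":
    # Constructed sample claims, shaped like what a Keycloak or SAML mapper delivers.
    editor = {"preferred_username": "jdoe",
              "groups": ["cn=editors,ou=groups,dc=example,dc=com"]}
    guest = {"preferred_username": "guest",
             "groups": ["cn=guests,ou=groups,dc=example,dc=com"]}
    print(map_external_user(editor))
    print("guest login allowed:", login_allowed(guest))
```

The branch worth keeping from this is the fail-closed one: a half-mapped profile (domain but no role, or the reverse) is the typical misconfiguration when an identity provider is added, and it should surface as a refused login rather than as a user created in the master data with an unintended default role.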
The configuration is carried out in the censhare Admin Client. To configure LDAP, Kerberos, or SAML SSO authentication, you need access to the respective services.
Authentication for censhare Client and censhare Web can be configured separately.
Prerequisites
None.
Authentication methods
- Keycloak (default authentication method as of censhare 2021.2.x)
- censhare internal standard authentication
- LDAP/AD
- Kerberos - SSO
- SAML - SSO
Keycloak
This functionality is available in combination with censhare WP as of censhare 2021.2.x.
Keycloak is used with censhare WP as the external authentication solution.
Keycloak is an open-source identity and access management solution that integrates external authentication methods such as LDAP or SAML. With censhare, Keycloak is used in connection with censhare WP for censhare Web (the web-based client), the censhare Client, and the censhare Admin Client. Existing authentication methods can be used as before.
See Configure login via Keycloak and LDAP
See Configure Keycloak with SAML
See Configure censhare standard login via Keycloak
censhare internal standard authentication
censhare provides an internal standard authentication that is available by default. The internal authentication is always available and can be used as a fallback if you use external authentication methods. At least one system administrator account must always be configured for the standard authentication. As a best practice, system administrators, system users, and external users should use this authentication method.
With the standard authentication, user accounts are managed and stored in the censhare master data. To manage user data, access to the censhare Admin Client is required. No setup is required for this authentication method.
Tip: We recommend configuring at least one administrator account that uses the internal standard authentication. This lets you sign in to censhare if the external authentication fails. Because such an account bypasses the external identity provider, protect it with a strong, unique password and reserve it for emergency access.
See Configure censhare standard login via Keycloak
LDAP/AD
The custom (LDAP/AD) authentication uses a Microsoft Active Directory or LDAP service to manage user accounts. The authentication sequence between the censhare Client/censhare Web, the censhare Server, and the directory service is handled with tickets and certificates. The authentication requires a mapping of directory user profiles to censhare permissions and settings. When a user logs in to censhare for the first time, censhare creates the user in the master data. At every subsequent login, the user data is synchronized.
With the custom (LDAP/AD) authentication, user profiles are managed and stored on the Active Directory/LDAP server. To manage user data, access to the Active Directory/LDAP server is required.
See Configure login via Keycloak and LDAP
See Configure custom LDAP authentication
Kerberos - SSO
The Kerberos protocol can be used to authenticate users within a shared domain network. In Kerberos environments, the censhare Server, censhare Client, and censhare Web are configured as nodes that mutually authenticate their identity to one another.
The single sign-on authentication with Kerberos requires an LDAP configuration. User profiles are managed and stored on the Active Directory/LDAP server. To manage user data, access to the Active Directory/LDAP server is required.
See Configure Single-Sign-on with Kerberos
SAML - SSO
The SAML protocol is a standard method for authenticating users across security domains. In SAML environments, the censhare Server and the Online channel are registered as service providers and authenticate users through an identity provider.
See Configure Keycloak with SAML