Skip to main content
Skip table of contents

Authentication management

censhare offers an internal standard authentication as well as common external identity management methods to authenticate users. Multiple authentication methods can be in place in parallel.

As of censhare 2021.2.x, censhare requires Keycloak as default authentication solution. Keycloak is an open-source identity and access management solution. Keycloak allows for external authentication methods such as two-factor authentication, LDAP and SAML as well as integrating your existing identify solutions. For more information, see Keycloak authentication.

Introduction

In censhare, users log in with a unique username and password. You can use multiple authentication methods in parallel and integrate censhare with the authentication methods that are already in place in your organization.

The following is required for censhare authentication to successfully log on a user:

  • user name and password
  • at least one default domain
  • at least one default role

If you use external identity providers, the domain and role must be mapped to the existing user attributes, or you must extend your user profiles with the respective attributes.

The configuration is carried out in the censhare Admin Client. To configure LDAP, Kerberos, or SAML SSO authentication, you need access to the respective services . 

Authentication for censhare Client and censhare Web can be configured separately.

Prerequisites

None.

Authentication methods

  • Keycloak (default authentication method as of censhare 2021.2.x)
  • censhare internal standard authentication
  • LDAP/AD
  • Kerberos - SSO
  • SAML - SSO

Keycloak

This functionality is available in combination with censhare WP as of censhare 2021.2.x.

Keycloak is used with censhare WP as external authentication solution. 

Keycloak is an open-source identity and access management solution. Keycloak is used to integrate external authentication methods such as LDAP or SAML. For censhare, Keycloak is used in connection with censhare WP: for the web-based client, the censhare Client, and the censhare Admin Client. Existing authentication methods can be used as before.

See Keycloak authentication

See Configure login via Keycloak and LDAP

See Configure Keycloak with SAML

See Configure censhare standard login via Keycloak

censhare internal standard authentication

censhare provides an internal authentication that is default. The internal authentication is always available, and can be used as a fallback, if you use external authentication methods. At least one system administrator account must always be configured for the standard authentication. As a best practice, system administrators, system users, and external users should use this authentication method.

With the standard authentication, user accounts are managed and stored in the censhare master data. To manage user data, access to the censhare Admin Client is required. No setup is required for this authentication method.

Tip: We recommend to configure at least one administration account that uses the internal standard authentication. This allows you to sign in to censhare in case the external authentication fails.

See Configure censhare standard login via Keycloak

LDAP/AD

The custom authentication uses a Microsoft Active Directory or LDAP service to manage user accounts. The authentication sequence between the censhare Client/censhare Web, the censhare Server, and the directory service is handled with tickets and certificates. The authentication requires a mapping of user profiles and censhare permissions and settings. When a user logs in to censhare for the first time, censhare creates the user in the master data. At every following login, the user data are synchronized.

With the custom (LDAP/AD) authentication, user profiles are managed and stored on the Active Directory/LDAP server. To manage user data, access to the Active Directory/LDAP server is required.

See Configure login via Keycloak and LDAP

See Configure custom LDAP authentication

Kerberos - SSO

The Kerberos protocol can be used to authenticate users in a joint domain network. In Kerberos environments, the censhare Server, censhare Client, and censhare Web are configured as nodes that authenticate their identity to one another.

The single sign-on authentication with Kerberos requires LDAP configuration. User profiles are managed and stored on the Active Directory/LDAP server. To manage user data, access to the Active Directory/LDAP server is required.

See Configure Single-Sign-on with Kerberos

SAML - SSO

The SAML protocol is a standard authentication method to authenticate users across security domains. In SAML environments, the censhare Server and the Online channel are added as service providers and authenticate users through an identity provider.

See Configure Keycloak with SAML

See Single-Sign-On with SAML


Other authentication methods that were available in earlier versions of censhare are deprecated.
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.