Overview
The Authentication section allows administrators to configure how users authenticate with the AnswerRocket platform. Multiple authentication methods can be enabled simultaneously, including our native authentication system, Google authentication, SSO (Single Sign-On) via SAML, and LDAP. This document provides a detailed guide on setting up and managing these authentication methods.
Navigation
The authentication feature can be accessed by navigating to the Administration area and choosing the "Authentication" option from the left menu.
AnswerRocket Authentication
Overview
AnswerRocket authentication uses an email and password system managed by AnswerRocket.
Configuration Options
- Number of Failed Login Attempts Before Account Lock: Set the number of unsuccessful login attempts allowed before the account is locked.
- Lockout Time After Max Login Attempts (in hours): Specify how long the account remains locked after the maximum number of failed attempts is reached.
- Password Expiration Time (in days): Define how long passwords are valid before a reset is required.
- Session Expiration Time (in hours): Set how long a user session remains active.
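The following is an added example (not AnswerRocket code) showing how the four settings above interact on a single login attempt: the failed-attempt counter, the lockout window, password age and session age. The policy numbers are constructed placeholders, not product defaults.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class AuthPolicy:
    # Hypothetical values mirroring the four native-auth settings.
    max_failed_attempts: int = 5        # Number of Failed Login Attempts Before Account Lock
    lockout_hours: int = 1              # Lockout Time After Max Login Attempts (in hours)
    password_expiration_days: int = 90  # Password Expiration Time (in days)
    session_expiration_hours: int = 8   # Session Expiration Time (in hours)


@dataclass
class Account:
    password_set_at: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def evaluate_login(account, password_ok, policy, now):
    """Apply lockout and expiration rules to one attempt.
    Returns "locked", "denied", "password_expired" or "ok"."""
    if account.locked_until is not None:
        if now < account.locked_until:
            return "locked"            # even a correct password is rejected while locked
        account.locked_until = None    # lockout window elapsed: reset the counter
        account.failed_attempts = 0
    if not password_ok:
        account.failed_attempts += 1
        if account.failed_attempts >= policy.max_failed_attempts:
            account.locked_until = now + timedelta(hours=policy.lockout_hours)
            return "locked"
        return "denied"
    account.failed_attempts = 0        # a successful login clears the counter
    if now - account.password_set_at > timedelta(days=policy.password_expiration_days):
        return "password_expired"      # authenticated, but a reset is required
    return "ok"


def session_is_active(session_started, policy, now):
    """True while the session is younger than the configured expiration."""
    return now - session_started < timedelta(hours=policy.session_expiration_hours)
```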
Google Authentication
Overview
Google authentication allows users to sign in using their Google accounts. Administrators can specify domains for which users can be automatically authenticated and created within AnswerRocket. If no domain is specified, the user must exist as a user in AnswerRocket before they can sign in.
Configuration Options
- Insert Domains That Can Auto-Create Users: Add domains (e.g., http://answerrocket.com) to automatically create and authenticate users from these domains.
SSO Authentication
Overview
There are three levels to Single Sign-On (SSO) integration in AnswerRocket:
- Authentication
- Account Creation
- Permissions
Each level builds upon the previous one to provide a comprehensive SSO experience.
Level 1: Authentication
Description
At this level, SSO is used solely for authentication. If a user has an existing account in AnswerRocket and their SSO email matches their AnswerRocket email, they are authenticated and granted access to the product.
Process
- User attempts to log in via SSO.
- The system checks if the user's SSO email matches an existing AnswerRocket account email.
- If a match is found, the user is authenticated and allowed to access the product.
Setup
Service Provider Information
The Service Provider information is about AnswerRocket and will need to be entered into the Identity Provider. The copy buttons can be used to easily grab the required information.
- Entity ID: The unique identifier for the SAML entity.
- Consumer URL: The URL where SAML responses are sent.
- Sign On URL: The URL for initiating the SSO process.
Identity Provider Information
- Name: The display name for the identity provider. This appears on the AnswerRocket sign-in page.
- POST Binding URL: The URL provided by the identity provider for SAML assertions.
- Entity ID: The unique identifier from the identity provider.
- Certificate: The token signing certificate from the identity provider.
Level 2: Account Creation
Description
In addition to authentication, this level allows for automatic account creation. If a user does not already exist in AnswerRocket but successfully authenticates via SSO, an account is created for them. Initially, they have minimal permissions.
Process
- User attempts to log in via SSO.
- If no existing AnswerRocket account matches the SSO email, a new account is created.
- The new user is granted access but is restricted to basic permissions (e.g., access to Chat) and is placed in the "Everyone" group.
Setup
To automatically create users, the Claims Configuration information needs to be entered. This is where AnswerRocket gathers primary information about the user signing in.
- Auto-Create Authenticated Users: Enable automatic creation of users authenticated through SSO.
- Email, Given Name, Family Name, Name, Groups: Map these fields from the identity provider to AnswerRocket.
Level 3: Permissions
Description
This level enhances the integration by mapping Identity Provider (IdP) group assignments to AnswerRocket permissions and groups. User permissions and group assignments are dynamically adjusted based on their IdP group memberships.
Process
- User logs in via SSO.
- The system retrieves the user's IdP group assignments.
- IdP groups are mapped to AnswerRocket permissions and groups according to predefined mappings.
- The user is assigned the cumulative rights and group memberships based on all their IdP groups.
- Any manual changes made through the AnswerRocket UI are overwritten upon each SSO sign-in.
Summary
- Authentication: Ensures users with matching emails in SSO and AnswerRocket are authenticated.
- Account Creation: Allows for automatic account creation for users passing SSO, with basic permissions.
- Permissions: Dynamically assigns permissions and groups based on IdP group memberships, ensuring comprehensive and consistent user management.
This structured approach ensures seamless and secure access management within AnswerRocket, leveraging the full capabilities of SSO.
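The three SSO levels described above, as an added example that is not AnswerRocket's own code: a sign-in is denied for an unknown email at Level 1, auto-creates a basic user in the "Everyone" group at Level 2, and at Level 3 replaces whatever was set by hand with the union of the rights mapped from every IdP group. The IdP group names, permission names and mapping table are constructed placeholders.

```python
from dataclasses import dataclass, field

# Level 2 baseline (assumed to persist for every user at Level 3 as well).
BASIC_PERMISSIONS = {"chat"}
DEFAULT_GROUP = "Everyone"

# Level 3: predefined IdP group -> (AnswerRocket permissions, AnswerRocket groups).
GROUP_MAPPINGS = {
    "idp-analysts": ({"chat", "view_reports"}, {"Analysts"}),
    "idp-admins": ({"chat", "view_reports", "administer"}, {"Admins"}),
}


@dataclass
class User:
    email: str
    permissions: set = field(default_factory=set)
    groups: set = field(default_factory=set)


def sso_sign_in(directory, claims, auto_create, map_groups):
    """Process one SSO sign-in. `directory` maps email -> User; `claims` holds the
    attributes mapped from the assertion ("Email", "Groups").
    Returns the User granted access, or None when access is denied."""
    email = claims["Email"].lower()
    user = directory.get(email)
    if user is None:
        if not auto_create:
            return None  # Level 1 only: no matching account, access denied
        # Level 2: create the account with minimal rights in the default group.
        user = User(email=email, permissions=set(BASIC_PERMISSIONS), groups={DEFAULT_GROUP})
        directory[email] = user
    if map_groups:
        # Level 3: cumulative rights over all IdP groups; unmapped groups are
        # ignored, and manual UI changes are overwritten on every sign-in.
        perms, groups = set(BASIC_PERMISSIONS), {DEFAULT_GROUP}
        for idp_group in claims.get("Groups", []):
            if idp_group in GROUP_MAPPINGS:
                mapped_perms, mapped_groups = GROUP_MAPPINGS[idp_group]
                perms |= mapped_perms
                groups |= mapped_groups
        user.permissions, user.groups = perms, groups
    return user
```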
To see an example of configuring an Identity Provider in Azure see this article.
LDAP Authentication
Overview
LDAP (Lightweight Directory Access Protocol) authentication allows users to authenticate using credentials stored in an LDAP directory.
Configuration Options
- Name: The name for the LDAP configuration.
- Domain: The domain for the LDAP server.
- Host: The hostname of the LDAP server.
- Base DN: The base distinguished name for LDAP queries.
- System User Group (Optional): Specify groups within the LDAP directory.
- Auto-Create Users in AnswerRocket: Enable automatic creation of users from LDAP.
Conclusion
Configuring authentication methods in AnswerRocket is critical for ensuring secure and efficient access management. By offering various authentication options such as native email/password, Google, SSO, and LDAP, administrators can choose the best method that fits their organizational needs. The detailed configuration options and structured processes outlined in this guide will assist in setting up a robust authentication system, providing a seamless and secure user experience.