
Authentication Settings

The settings in the authentication category are used for configuring the following:

  • External authentication methods, such as AD authentication to Key Manager.

  • Password policies for Key Manager accounts.

When a new password is set for a Key Manager administrator account (for example, when creating a new account or changing an existing password), the password is evaluated against the current password-policy settings. Attempting to create an administrative account with a password that does not conform to these settings produces an error, which prevents weak passwords from being set on accounts.

Note

Password policies only ensure that subsequently-set passwords conform to them. Password policies do not automatically force existing passwords to be changed.

Password policies only apply to accounts that have been created in the Key Manager system. In other words, these password policies do not apply to users who access Key Manager using AD accounts.

Note

In addition to enforcing the password policies specified in user-configurable authentication settings, Key Manager also enforces the following:

  • Passwords must contain a combination of upper and lower-case letters.

  • Passwords must contain at least two non-alphabetic characters.

  • Passwords cannot contain the account name.

Active Directory User Authentication

Active directory domain name

If AD accounts are used to authenticate to Key Manager, specify the AD domain name here. After you have specified the AD domain name, configure the additional AD settings on the Settings→Active directory page to finalize the AD setup.

For more information about setting up AD access to Key Manager, see the Installation Manual.

Validate Active Directory server certificates

When set to Yes, AD server certificates will be validated.

Single Sign-On (SSO) via SAML 2.0

SAML Allow creation of new users

When set to Yes, a new account is created on demand if no existing account is found when a user logs in.

SAML attribute mapping

This JSON field is used to map incoming assertions to local PKM accounts. Every attribute listed in the mapping must be present in the received SAML assertion and match the value of the corresponding account attribute. For example, {"email": "email"} or {"username": "sAMAccountName"} could be suitable mappings. At least one of username or email must be used.

SAML name id format

Sets the Format attribute of the NameIDPolicy element in the authentication (authn) request.

SAML role mapping

This JSON field is used to map the incoming list of groups to roles in PKM. To give a user a role, map a group that the user belongs to onto one or more PKM roles. For example, a user in a group called "ukmadmins" would get PKM's default roles "Administrators" and "API Users" via this mapping: {"CN=ukmadmins,DC=example,DC=com": ["Administrators", "API Users"]}.

Password Policies

Attempt to crack passwords

When set to True, the system will test whether the password is easy to crack, and the password must pass the test to be accepted. The password strength is evaluated against a dictionary attack.

Enable tracking of failed log-on attempts

If set to Yes, Key Manager administrator accounts with consecutive failed log-on attempts are locked out. If set to No, consecutive failed log-on attempts do not trigger account lockout.

See also the associated authentication settings Number of consecutive failed log-on attempts that trigger account lockout, and Lockout duration in minutes.

Lockout duration in minutes

The duration in minutes for which an account is locked out (Minimum 1).

See also the associated authentication settings Number of consecutive failed log-on attempts that trigger account lockout, and Enable tracking of failed log-on attempts.

Number of consecutive failed log-on attempts that trigger account lockout

The number of consecutive failed log-on attempts that causes the account to lock out (minimum 1).

See also the associated authentication settings Enable tracking of failed log-on attempts, and Lockout duration in minutes.

Number of days after which passwords must be changed

The number of days after which Key Manager account passwords must be changed (minimum 1, 0 to disable).

If the specified time has elapsed without a password change, the user of the account is prompted to provide a new password on subsequent logins. All other actions are disabled until the password has been changed.

Password history length

A numerical value indicating the number of most-recent passwords that a new password must not match (minimum 4).

This setting ensures that new passwords cannot match passwords that were previously used for the account. When attempting to set a new password, that password is compared against this number of most-recent passwords. The new password is allowed only if it is unique compared to the previous passwords.

Password minimum length

A numerical value indicating the minimum accepted length for account passwords (minimum 7).
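The built-in rules listed in the note above (mixed case, at least two non-alphabetic characters, no account name) together with the configurable Password minimum length and Password history length settings can be expressed as one validation routine. The following is an added example written for this page, not Key Manager's own code; the rule names, the SHA-256 fingerprint used to store password history, and the case-insensitive account-name comparison are assumptions of the example.

```python
import hashlib

# Rules Key Manager always enforces (from this page) plus the two configurable
# settings 'Password minimum length' (>= 7) and 'Password history length' (>= 4).
# Rule names, history storage and case handling are assumptions of this example.


def password_fingerprint(password: str) -> str:
    """Fingerprint used to keep password history without storing plaintext.

    Assumption: a plain SHA-256 hex digest stands in for whatever the real
    product stores; it is only here so the history check has something to compare.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_policy_violations(password: str, account_name: str,
                               min_length: int = 7,
                               history: tuple = (),
                               history_length: int = 4) -> list:
    """Return the names of the policy rules the candidate password violates.

    ``history`` holds fingerprints of earlier passwords, most recent first; only
    the first ``history_length`` entries are compared, matching the
    'number of most-recent passwords' wording of the setting.
    """
    if min_length < 7:
        raise ValueError("Password minimum length setting must be at least 7")
    if history_length < 4:
        raise ValueError("Password history length setting must be at least 4")

    violations = []
    if len(password) < min_length:
        violations.append("min_length")
    # Must contain both upper- and lower-case letters.
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        violations.append("mixed_case")
    # Must contain at least two characters that are not letters.
    if sum(1 for c in password if not c.isalpha()) < 2:
        violations.append("two_non_alphabetic")
    # Must not contain the account name (case-insensitive here by assumption).
    if account_name and account_name.lower() in password.lower():
        violations.append("contains_account_name")
    # Must differ from the most recent ``history_length`` passwords.
    if password_fingerprint(password) in tuple(history)[:history_length]:
        violations.append("password_history")
    return violations
```

An empty list means the password would be accepted under these rules; a non-empty list names every rule it fails, which is more useful for an operator than the single error the UI reports.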