Configuring User Authentication

Authentication verifies the identity of a user. Everyone who accesses ConnectReport - whether they are a portal viewer, administrator, author, or publisher - must exist in the ConnectReport user store. Authentication may be provided by ConnectReport Server ("local authentication") or by an external identity provider.

Configuring SAML

Requirements

To configure SAML single sign-on for ConnectReport Server, you will need the following: 

  • A PEM-encoded X.509 SAML public key certificate from your SAML identity provider with a .pem extension.
  • A SAML identity provider account that supports SAML 2.0 or later.
  • The SAML identity provider must be configured to return an assertion that includes the username value.
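
A pre-upload check for the certificate requirement above, written as an added example (it is not part of ConnectReport or its documentation). The function name, file names and sample bytes are assumptions constructed for illustration; the check is structural only and returns a SHA-256 fingerprint.

```python
import base64
import hashlib
import re

# One PEM block: BEGIN label, base64 body, matching END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def check_idp_certificate(filename: str, text: str) -> str:
    """Return the SHA-256 fingerprint of the one certificate in `text`.

    Raises ValueError with the reason the file should not be uploaded.
    Structural check only: it does not parse validity dates or the subject.
    """
    if not filename.lower().endswith(".pem"):
        raise ValueError("file must have a .pem extension")
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        raise ValueError("no PEM block found (binary DER file renamed to .pem?)")
    labels = [label for label, _ in blocks]
    if any("PRIVATE KEY" in label for label in labels):
        raise ValueError("file contains a private key; upload only the certificate")
    if labels != ["CERTIFICATE"]:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {labels}")
    try:
        der = base64.b64decode("".join(blocks[0][1].split()), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("certificate body is not valid base64") from exc
    if not der.startswith(b"\x30"):  # X.509 DER begins with a SEQUENCE tag
        raise ValueError("decoded body is not a DER SEQUENCE")
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def make_pem(label: str, der: bytes) -> str:
    """Wrap bytes in PEM armor (used only to build the constructed samples)."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


# Constructed placeholder bytes, not a real certificate or key.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_CERT = make_pem("CERTIFICATE", SAMPLE_DER)
SAMPLE_KEY = make_pem("PRIVATE KEY", SAMPLE_DER)

if __name__ == "__main__":
    print(check_idp_certificate("idp.pem", SAMPLE_CERT))
```

Compare the returned fingerprint with the one your identity provider shows for its signing certificate, where it publishes one, before uploading the file.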

SAML Setup

Navigate to the Management Console and click Configure in the sidebar. Under Authentication Strategies, choose SAML in the select box. 

Enter the Path. We recommend /saml-authenticate/callback

Enter the Entry point. This is the SAML 2.0 Endpoint.

Enter the Single logout URL. 

In the Certificate upload section, upload your X.509 SAML public key certificate.

Once you have completed all of the fields, click Save configuration. 

Restart the ConnectReport services.

Verify that SAML single sign-on is working. Open your browser and clear its cookies. Navigate to the ConnectReport Portal at https://<ipaddress>:<port>/portal. If SAML is configured correctly, you will be redirected to your SAML provider's login page. 

How SAML Identity Management Works

If a user who logs in via SAML already has an identity in the ConnectReport user store, ConnectReport's authentication service maps their credentials to that existing identity using the SAML username attribute. If a user who logs in via SAML does not yet have an identity in the ConnectReport user store, a least-privilege identity is automatically created for them when they first log in. This identity will not include a password.

Local authentication will still be available after you configure SAML unless you explicitly disable it by checking "Disable local authentication" in the SAML configuration in the Management Console. New ConnectReport users authenticated by the SAML identity provider will not be able to log in locally, as they will not have a local authentication password. Users who have been issued local login credentials will still be able to log in using local authentication if it is enabled. 

Using Local Authentication

ConnectReport Server maintains and configures local authentication by default. To log in using local authentication, navigate to https://<ipaddress>:<port>/local-login.