Authentication
General authentication settings
Administration > Configuration > Authentication
Session, cookies and passwords
- Duration of login session
  How long an authenticated user session will remain active on the appliance, set in minutes, hours or days. Minimum: 1 minute; maximum: 90 days. The default is 7 days.
- Session expire at browser close
  When selected, the session for every logged-in user will expire when the user closes their browser, requiring the user to log in every time they start their browser. This setting may be overridden by local web browser settings.
- Session Inactivity Timeout
  When selected, the session for every logged-in user will expire after the configured period of inactivity in minutes, hours or days.
- Use session-based CSRF cookies
  When selected, the CSRF (Cross-site request forgery) cookies will expire when the user closes their browser. By default, persistent CSRF cookies are used, and cookie age is approximately 1 year. This setting may be overridden by local web browser settings.
- Password requirements
  Criteria configured here apply to passwords for all accounts on the appliance. Federated (single sign-on) accounts are not affected by the criteria configured here. All settings are optional and can be used in combination with other password requirements.
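The session settings above interact: the absolute login duration, the inactivity timeout and browser-close expiry are all enforced independently, and a cookie with no Max-Age is exactly what "expire at browser close" and "session-based CSRF cookies" mean on the wire. The following is an added illustration, not the appliance's own code; `SessionPolicy`, `Session`, `session_state`, `set_cookie_header` and the Secure/HttpOnly/SameSite attributes are assumptions made for the example, and the 1-year CSRF age and the 1 minute to 90 day duration range are the values stated on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Limits stated on the page for "Duration of login session".
MIN_DURATION = timedelta(minutes=1)
MAX_DURATION = timedelta(days=90)
# Persistent CSRF cookie lifetime (page: "approximately 1 year").
PERSISTENT_CSRF_MAX_AGE = timedelta(days=365)


@dataclass
class SessionPolicy:
    """Hypothetical model of the 'Session, cookies and passwords' settings."""
    duration: timedelta = timedelta(days=7)          # page default
    expire_at_browser_close: bool = False
    inactivity_timeout: Optional[timedelta] = None   # None = setting not selected
    session_based_csrf: bool = False


def validate_policy(policy: SessionPolicy) -> None:
    """Reject a duration outside the documented 1 minute .. 90 day range."""
    if not MIN_DURATION <= policy.duration <= MAX_DURATION:
        raise ValueError(f"duration {policy.duration} outside {MIN_DURATION}..{MAX_DURATION}")


@dataclass
class Session:
    created_at: datetime
    last_seen: datetime


def session_state(session: Session, policy: SessionPolicy, now: datetime) -> str:
    """Return 'active', 'expired:duration' or 'expired:inactivity'.

    The absolute duration is checked first, then the inactivity window; a
    session must satisfy both to stay active. Browser-close expiry is not a
    server-side check: it is realised by the cookie (see set_cookie_header).
    """
    if now - session.created_at > policy.duration:
        return "expired:duration"
    if policy.inactivity_timeout is not None and now - session.last_seen > policy.inactivity_timeout:
        return "expired:inactivity"
    return "active"


def touch(session: Session, now: datetime) -> None:
    """Record activity so the inactivity window restarts."""
    session.last_seen = now


def set_cookie_header(name: str, value: str, policy: SessionPolicy, *, csrf: bool = False) -> str:
    """Build a Set-Cookie value for the session cookie or the CSRF cookie.

    A cookie without Max-Age is discarded when the browser closes; that is how
    'expire at browser close' and 'session-based CSRF cookies' take effect.
    The CSRF cookie is left readable by scripts (no HttpOnly) so a page can
    echo the token back in a header; the session cookie is HttpOnly.
    """
    parts = [f"{name}={value}", "Path=/", "Secure", "SameSite=Lax"]
    if csrf:
        persistent = not policy.session_based_csrf
        max_age = PERSISTENT_CSRF_MAX_AGE
    else:
        parts.append("HttpOnly")
        persistent = not policy.expire_at_browser_close
        max_age = policy.duration
    if persistent:
        parts.append(f"Max-Age={int(max_age.total_seconds())}")
    return "; ".join(parts)


def demo() -> List[str]:
    """Constructed scenario: 7 day duration (default) with a 30 minute inactivity timeout."""
    policy = SessionPolicy(inactivity_timeout=timedelta(minutes=30))
    validate_policy(policy)
    now = datetime(2024, 1, 1, 12, 0)
    out = []
    old = Session(created_at=now - timedelta(days=8), last_seen=now)
    out.append(session_state(old, policy, now))                       # past 7 days
    idle = Session(created_at=now - timedelta(hours=1), last_seen=now - timedelta(minutes=31))
    out.append(session_state(idle, policy, now))                      # idle too long
    touch(idle, now)
    out.append(session_state(idle, policy, now))                      # activity revives it
    out.append(set_cookie_header("sessionid", "abc", policy))
    out.append(set_cookie_header("sessionid", "abc", SessionPolicy(expire_at_browser_close=True)))
    out.append(set_cookie_header("csrftoken", "t0k", policy, csrf=True))
    out.append(set_cookie_header("csrftoken", "t0k", SessionPolicy(session_based_csrf=True), csrf=True))
    return out
```

Note the order in `session_state`: an inactivity timeout never extends a session past the absolute duration, so the shorter of the two always wins.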
Login security
Criteria configured here apply to all accounts on the appliance instance. Requests to the authentication API are also affected by the criteria configured here.
- Temporarily block user login after certain number of failed login attempts
  Select the checkbox to enable temporary account locking for every account that consecutively fails to log into the appliance. If this checkbox is not selected, the other login security options cannot be configured and will not apply.
- Number of failed login attempts
  Specify the maximum allowed number of consecutive failed login attempts. If a user’s login attempts exceed the number configured here, their account will be temporarily locked and prevented from logging in. When an account is locked, appliance administrators cannot unlock it. The user whose account is locked will have to wait until the login delay expires. The login delay is configured in the Block timeout field.
- Block timeout
  Specify how long a user’s account should remain locked after the maximum allowed number of failed login attempts is exceeded. The time interval can be defined in seconds, minutes, or hours. When an account is locked, appliance administrators cannot unlock it. The account will be automatically unlocked after the login delay configured here expires.
- Block login for specific IP address
  The appliance tracks the IP addresses from which users attempt to log in. If this checkbox is selected, users who consecutively fail to log in will be blocked by their current IP address: they will be unable to log in from the IP address detected in the failed login attempts, but will still be able to log in from any other IP address. If this checkbox is not selected, users will be blocked based on their account username regardless of IP address, and they will not be able to log in from any IP address. The login delay interval (Block timeout) and the allowed number of failed login attempts apply to accounts blocked in this way. If the appliance is behind a reverse proxy, make sure that the reverse proxy settings in Administration ‣ Configuration ‣ General are properly configured so that users’ IP addresses can be identified; otherwise every login appears to originate from the proxy itself. When an account is blocked in this way, appliance administrators cannot unblock it. The account will be automatically unblocked after the configured login delay expires.
- Send notification email to administrator when login block occurs
  Select the checkbox to automatically send email notifications when an account is locked based on the configured login security criteria. Email Alerting and SMTP must be enabled and configured on the appliance in order to send notification emails. The emails will be sent to the address configured in Administration ‣ Configuration ‣ System Alerting.
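The login security options above form one mechanism: a consecutive-failure counter, a threshold, a block that lifts only when the timeout expires, a choice of blocking key (account, or account plus IP), and a notification when a block occurs. The example below is added here to show how those pieces fit together; it is not the appliance's implementation. `LockoutPolicy`, `LoginGuard`, `attempt_login` and `client_ip` are names invented for the example, the reading that a "block by IP" is scoped to the account and IP pair, and that N allowed failures means the (N+1)th attempt blocks, are assumptions, and the addresses and times are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Set


@dataclass
class LockoutPolicy:
    """Hypothetical model of the 'Login security' settings."""
    enabled: bool = True                                  # "Temporarily block user login after ..."
    max_failed_attempts: int = 5                          # "Number of failed login attempts"
    block_timeout: timedelta = timedelta(minutes=15)      # "Block timeout"
    block_by_ip: bool = False                             # "Block login for specific IP address"
    notify: Optional[Callable[[str, datetime], None]] = None   # admin email hook


class LoginGuard:
    """Tracks consecutive failures and temporary blocks per account (or per account+IP)."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._failures: Dict[str, int] = defaultdict(int)
        self._blocked_until: Dict[str, datetime] = {}

    def _key(self, username: str, ip: str) -> str:
        # Assumption: with "block by IP" the block is scoped to the (account, IP) pair,
        # so the same user can still log in from another address.
        return f"{username}@{ip}" if self.policy.block_by_ip else username

    def blocked_until(self, username: str, ip: str, now: datetime) -> Optional[datetime]:
        """Return the block expiry if this login is currently blocked, else None.

        There is deliberately no administrative unblock: the page states the
        block lifts only when the timeout expires.
        """
        key = self._key(username, ip)
        until = self._blocked_until.get(key)
        if until is None:
            return None
        if now >= until:
            # Timeout elapsed: lift the block and start a fresh failure count.
            del self._blocked_until[key]
            self._failures.pop(key, None)
            return None
        return until

    def record_failure(self, username: str, ip: str, now: datetime) -> Optional[datetime]:
        """Count a failed attempt; returns the block expiry if the threshold is exceeded."""
        if not self.policy.enabled:
            return None
        key = self._key(username, ip)
        self._failures[key] += 1
        # "maximum allowed number" is read as: N failures tolerated, the (N+1)th blocks.
        if self._failures[key] > self.policy.max_failed_attempts:
            until = now + self.policy.block_timeout
            self._blocked_until[key] = until
            if self.policy.notify:
                self.policy.notify(key, until)
            return until
        return None

    def record_success(self, username: str, ip: str) -> None:
        """A successful login ends the consecutive-failure streak."""
        self._failures.pop(self._key(username, ip), None)


def attempt_login(guard: LoginGuard, username: str, ip: str, password_ok: bool, now: datetime) -> str:
    """One attempt: 'blocked', 'failed', 'locked' (this attempt triggered the block) or 'ok'."""
    if guard.blocked_until(username, ip, now) is not None:
        return "blocked"          # credentials are not even checked while blocked
    if not password_ok:
        return "locked" if guard.record_failure(username, ip, now) else "failed"
    guard.record_success(username, ip)
    return "ok"


def client_ip(remote_addr: str, x_forwarded_for: Optional[str], trusted_proxies: Set[str]) -> str:
    """Resolve the client address behind a reverse proxy.

    X-Forwarded-For is honoured only when the direct peer is a configured proxy,
    and the rightmost address that is not a trusted proxy is used, so a client
    cannot change which address gets blocked by forging the header.
    """
    if not x_forwarded_for or remote_addr not in trusted_proxies:
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",")] + [remote_addr]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return hops[0]


def demo() -> List[str]:
    """Constructed scenario: 3 allowed failures, 10 minute block, scoped by IP."""
    now = datetime(2024, 1, 1, 12, 0)
    notices: List[str] = []
    guard = LoginGuard(LockoutPolicy(
        max_failed_attempts=3, block_timeout=timedelta(minutes=10), block_by_ip=True,
        notify=lambda key, until: notices.append(f"blocked {key} until {until:%H:%M}")))
    ip = client_ip("10.0.0.1", "203.0.113.5, 10.0.0.2", {"10.0.0.1", "10.0.0.2"})
    results = [attempt_login(guard, "alice", ip, False, now) for _ in range(4)]
    results.append(attempt_login(guard, "alice", ip, True, now))                          # still blocked
    results.append(attempt_login(guard, "alice", "198.51.100.7", True, now))               # other IP is fine
    results.append(attempt_login(guard, "alice", ip, True, now + timedelta(minutes=10)))  # block lifted
    return results + notices
```

With `block_by_ip=False` the key collapses to the username, which is the second behaviour the page describes: the account is blocked from every address until the timeout passes.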
The remainder of this section describes federated (single sign-on) login options.
LDAP
Administration > Configuration > Authentication > User Directory: LDAP
Connection
- LDAP server host
  Host name or IP address of the server providing LDAP authentication. Example: ldap.example.com. Click the Test button to verify the connection to the server.
- LDAP server port
  LDAP server host port. Defaults: 389 (LDAP) or 636 (LDAPS).
- TLS
  Select to use a TLS (secure) connection when communicating with the LDAP server.
- TLS require certificate
  Select to require TLS certificate verification when communicating with the LDAP server.
- Bind DN or user
  User to use when logging in to the LDAP server for searches. DN stands for Distinguished Name. Examples: user@example.com or cn=user,dc=example,dc=com
- Password
  Password for the Bind user account.
User Schema
- Base DN
  Root node in LDAP from which to search for users. Example: cn=users,dc=example,dc=com
- Scope
  Scope of the user directory searches (base, one level, subordinate, subtree).
- User Object Class
  The objectClass value used when searching for users. Example: user
- User Name Attribute
  The user name field. Examples: sAMAccountName or cn
Group Schema
The majority of fields in this section are the same as in the User Schema section, except the settings relate to groups.
- Group Type
  LDAP group membership attribute (Member, Unique Member).
User attribute mapping
- First name
  Field to map to a user’s first name. Example: givenName
- Last name
  Field to map to a user’s last name. Example: sn
- E-mail
  Field to map to email. Example: mail
User access
- Active flag group
  Group DN. Users will be marked as active only if they belong to this group. Example: cn=active,ou=users,dc=example,dc=com
- Superuser flag group
  Group DN. Users will be marked as superusers only if they belong to this group. Example: cn=admins,ou=groups,dc=example,dc=com
- Require group
  Group DN. Authentication will fail for any user that does not belong to this group. Example: cn=enabled,ou=groups,dc=example,dc=com
- Deny group
  Group DN. Authentication will fail for any user that belongs to this group. Example: cn=disabled,ou=groups,dc=example,dc=com
Select TLS CA Certificate file
- Select a file to upload
  The dialog that opens when clicking Choose File allows the user to upload their own TLS certificate for verifying the LDAP host identity. The certificate must be in PEM file format. To apply the certificate, the options TLS and TLS require certificate must be enabled. It is also possible to upload certificates through the Central Configuration Management section on Spectra Detect Manager, if the appliance is connected and authorized on the Manager.
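Taken together, the LDAP sections above define three things: how the connection is secured (TLS on its own encrypts but does not authenticate the server; only TLS require certificate, with the uploaded CA, verifies it), how a login name is turned into a directory search (Base DN, Scope, User Object Class, User Name Attribute), and how the Group Type and the four User access groups decide the outcome. The example below is added to make those mappings concrete; it is not the appliance's code. `LdapSettings`, `tls_context`, `user_search`, `evaluate_access` and the in-memory `SAMPLE_DIRECTORY` standing in for a real directory are assumptions made for the example; the DNs are the page's own examples.

```python
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LdapSettings:
    """Hypothetical model of the fields on the LDAP settings page."""
    host: str = "ldap.example.com"
    port: int = 636
    tls: bool = True
    tls_require_certificate: bool = True
    ca_file: Optional[str] = None            # uploaded PEM CA certificate, if any
    bind_dn: str = "cn=user,dc=example,dc=com"
    base_dn: str = "cn=users,dc=example,dc=com"
    scope: str = "subtree"                   # base | one level | subordinate | subtree
    user_object_class: str = "user"
    user_name_attribute: str = "sAMAccountName"
    group_type: str = "member"               # "member" or "uniqueMember"
    active_flag_group: Optional[str] = None
    superuser_flag_group: Optional[str] = None
    require_group: Optional[str] = None
    deny_group: Optional[str] = None


def tls_context(s: LdapSettings) -> Optional[ssl.SSLContext]:
    """Map the TLS checkboxes to an ssl.SSLContext (None when TLS is off).

    Without 'TLS require certificate' the server certificate is neither chain-
    nor hostname-checked, so the connection is encrypted but unauthenticated.
    """
    if not s.tls:
        return None
    ctx = ssl.create_default_context()       # CERT_REQUIRED + hostname check
    if s.tls_require_certificate:
        if s.ca_file:
            ctx.load_verify_locations(cafile=s.ca_file)   # the uploaded PEM CA
    else:
        ctx.check_hostname = False           # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verify_mode_name(s: LdapSettings) -> str:
    ctx = tls_context(s)
    return "no TLS" if ctx is None else ctx.verify_mode.name


def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515) so a login name
    cannot add or alter filter clauses."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def user_search(s: LdapSettings, login: str) -> Dict[str, str]:
    """The search an appliance would run to locate the entry for a login name."""
    return {
        "base": s.base_dn,
        "scope": s.scope,
        "filter": f"(&(objectClass={s.user_object_class})"
                  f"({s.user_name_attribute}={escape_filter_value(login)}))",
    }


Directory = Dict[str, Dict[str, List[str]]]   # group DN -> attributes (stand-in for LDAP)


def _is_member(directory: Directory, group_dn: Optional[str], user_dn: str, group_type: str) -> bool:
    if group_dn is None:
        return False
    members = directory.get(group_dn, {}).get(group_type, [])
    return user_dn.lower() in (m.lower() for m in members)   # DNs compare case-insensitively


def evaluate_access(s: LdapSettings, directory: Directory, user_dn: str) -> Dict[str, object]:
    """Apply the User access groups: require, then deny, then the active/superuser flags.

    Assumption: with no active-flag group configured every user counts as active.
    """
    if s.require_group and not _is_member(directory, s.require_group, user_dn, s.group_type):
        return {"allowed": False, "reason": "not in require group"}
    if s.deny_group and _is_member(directory, s.deny_group, user_dn, s.group_type):
        return {"allowed": False, "reason": "in deny group"}
    active = True if s.active_flag_group is None else _is_member(directory, s.active_flag_group, user_dn, s.group_type)
    superuser = _is_member(directory, s.superuser_flag_group, user_dn, s.group_type)
    return {"allowed": True, "active": active, "superuser": superuser}


# Constructed directory contents using the page's example group DNs.
ALICE = "cn=alice,cn=users,dc=example,dc=com"
BOB = "cn=bob,cn=users,dc=example,dc=com"
SAMPLE_DIRECTORY: Directory = {
    "cn=enabled,ou=groups,dc=example,dc=com": {"member": [ALICE, BOB]},
    "cn=disabled,ou=groups,dc=example,dc=com": {"member": [BOB]},
    "cn=admins,ou=groups,dc=example,dc=com": {"member": [ALICE]},
}
SAMPLE_SETTINGS = LdapSettings(require_group="cn=enabled,ou=groups,dc=example,dc=com",
                               deny_group="cn=disabled,ou=groups,dc=example,dc=com",
                               superuser_flag_group="cn=admins,ou=groups,dc=example,dc=com")
```

The filter escaping matters because the User Name Attribute value comes straight from the login form; the second test below shows metacharacters being neutralised rather than becoming part of the query.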
OAuth 2.0 / OpenID Connect
👉 Described in the OpenID guide.
SAML
👉 Described in the SAML guide.