Authentication is a process by which you verify that system users are who they claim to be. Costpoint security supports in-house users, consultants and remote office users. In-house users are members of the corporate active directory and are always logged into the corporate LAN. Consultants are also members of the corporate active directory, but may or may not be logged into the corporate LAN. Remote office users are not members of the corporate active directory and are not logged into the corporate LAN.
Costpoint has a number of authentication methods available but all methods ultimately require the use of a password.
Use this screen whenever you need to set up or maintain the authentication method you want your users to access.
Authentication Method * There are seven different authentication methods available:
The user ID and password are stored in a Costpoint database.
Oracle or SqlServer database user accounts are NOT used.
The password is stored in a hashed form: SHA-1(Secure Hash Algorithm-1, a popular one-way hash algorithm used to create digital signatures) with the user ID used as a "salt" which is a random number that is added to the encryption key or the password to protect them from disclosure.
A challenge-response algorithm is used for authentication with a server-side generated nonce ("number once" - an arbitrary number that is generated for security purposes).
The user-credentials combined with a nonce pass from the client in an encrypted form (Advanced Encryption Standard).
Users MUST enter their user ID and Password on the Login screen.
This method can be used for all three security use-cases: in-house, consultants, and remote.
This is the only method that can be used for remote office users.
Single Sign-on - Enables users to log on to a network and access all authorized resources within the enterprise or at different Web sites on the Internet. A single sign-on program accepts the user's name and password and automatically logs on to all appropriate servers.
The user ID is stored in both the Active Directory and a Costpoint database.
The Costpoint user ID can be mapped to a different Active Directory user ID.
The password is stored ONLY in the Active Directory.
Users should NOT enter their user ID and password on the Login screen.
This method can be used only for in-house users.
Active Directory - An advanced, hierarchical directory service that comes with Windows 2000 servers.
The user ID is stored in both the Active Directory and a Costpoint database.
The Costpoint user id can be mapped to a different Active Directory user ID.
The password is stored ONLY in the Active Directory.
Users MUST enter their user ID and password on the Login screen.
Either Costpoint or Active Directory User ID can be used to login in Costpoint
This method can be used for either in-house users or consultants.
Single Sign-on or Active Directory
The user ID is stored in both the Active Directory and a Costpoint database.
The Costpoint user ID can be mapped to a different Active Directory user ID.
The password is stored ONLY in the Active Directory.
Users are allowed to login using EITHER the “Active Directory” or “Single Sign-On” methods.
The “Single Sign-On” method requires a user to be logged in to the LAN.
This method can be used either for in-house users or consultants but is intended for consultants. Users can take advantage of “Single Sign-On” while logged in to the LAN but will still be able to login using the “Active Directory” method while traveling or at a customer site.
Windows Domain and Active Directory
The user ID is stored in both the Active Directory and a Costpoint database.
The Costpoint user ID can be mapped to a different Active directory user ID.
The password is stored ONLY in the Active Directory.
The following two conditions should be met for successful login:
Users MUST enter their user ID and password on the login screen.
Users MUST be logged in to the LAN.
This method can be used only for in-house users.
This method provides “extra security.” The “Active directory” method is used as a starting point but users must also be logged in to the LAN. Nobody can login from outside of the corporate network.
Windows Domain and Costpoint Database
The user ID and password are stored in a Costpoint database.
The same rules for password storage and transmission apply as for the "Costpoint Database” authentication method.
The following two conditions should be met for successful login:
Users MUST enter their user ID and password on the Login screen.
Users MUST be logged in to the LAN.
This method can be used only for “in-house users.”
This method provides “extra security.” The “Costpoint database” method is used as a starting point but users must also be logged in to the LAN. Nobody can login from outside of the corporate network.
Select this method if your server is SSL enabled and you have an SSL client certificate installed on the work station.
With this authentication method, you do not need to enter a user ID and password to log in to Costpoint. The system matches the ID in the certificate to the Costpoint user with this authentication ID.
You must also enter the ID in the Active Directory or Certificate ID field. If the ID field is not populated when you insert or update a user record, an error displays:
"With the authentication method you’ve selected, you must also enter an Active Directory or Certificate ID."
Enter a password for the user. The format of the password must conform to the password requirements set up in the Corproate Settings screen found at Administration\Configure\System\System Settings. Rights to change or update passwords are assigned on the Information tab of this screen (Administration\Maintain\Users).
Select this check box to enable the application to generate a random and temporary password based on your system password policy (minimum length, require number, mixed case, and so on). The password is then captured and communicated to the end user in an email. By default, this option is clear.
|
|
A valid email address must be entered in the Workflow tab of this application. If email cannot be sent by the application, the following message displays: “Password generation requires the system to use an email server and either the email server has not been setup in System Settings or the email server is currently not available. Please verify the email server setup or remove the check box to generate random password.” |
This option is available only if the "Costpoint Database" Authentication Method is selected. When selected, the Costpoint Password field is cleared and disabled (no password is required).
The email message sent to the user(s) is:
To: <Email address for this user>
Subject: Costpoint web account password
Content:
A temporary password has been assigned to your Costpoint web account. Please use this password and other information below for Costpoint web login. You will need to change your password on your initial login since this is only a temporary password.
URL: <http URL from System Settings>
User ID: <Costpoint Web User ID>
Password: <Random password assigned>
System: <System ID>
Re-enter the password for verification purposes. If the password entered on this line does not exactly match the password entered on the previous line, an error message displays when you attempt to save the page.
Active Directory or Certificate ID
Enter the user's Active Directory ID or Certificate ID.
The Active Directory ID is required for any of the authentication methods that require "Active Directory."
The Certificate ID is required when you select the "Certificate SSO" authentication method.
Allow Application Access via Integration Services
Use this option to control whether a given account can be used to run applications through an integration API (application programming interface) such as Web services or Enterprise Java Beans (EJBs).
Select this checkbox to expose applications as Web services or EJBs.
This checkbox is unchecked by default.
Select this subtask link to open the Company Access screen.
Select this subtask link to open the Assigned User Groups screen.
Select this subtask link to open the Module Rights screen.
Select this subtask link to open the Application Rights screen.
* A red asterisk denotes a required field.
Changes to this screen update the following table:
W_USER_UGRP_LIST (User Group List - Web)
