Use this tab to define how Costpoint verifies user login.
Authentication is a process by which Costpoint verifies that the individuals logging into the system are who they claim to be.
Costpoint security supports in-house users, consultants, and remote office users.
- In-house users are members of the corporate active directory and are always logged into the corporate LAN.
- Consultants are also members of the corporate active directory, but may or may not be logged into the corporate LAN.
- Remote office users are not members of the corporate active directory and are not logged into the corporate LAN.
Costpoint has a number of authentication methods available but all methods ultimately require the use of a password.
Use this screen whenever you need to set up or maintain the authentication method you want your users to access.
Use this group box to establish the process by which to authenticate this user.
Use this drop-down list to select the authentication method to use for this user. The following table lists the different authentication methods available.
|Biometric Single Sign-on (FIDO)||
Select this check box to let the user login using a FIDO device, such as a FIDO USB key, or other biometric option (a fingerprint, face recognition, or personal PIN). You can allow the user to register a new FIDO device by executing the Generate Biometric Devices self-registration links action.
Use this field to enter a password for this user. The format of the password must conform to the password requirements set up in the Corporate Settings block on the Configure System Settings screen. Rights to change or update passwords can be assigned on the Information tab.
Use this field to re-enter the password for verification purposes. If the password entered on this line does not exactly match the password entered on the previous line, an error message displays when you attempt to save the page.
|Generate Temporary Password||
Select this check box to enable the application to generate a random and temporary password based on your system password policy (minimum length, require number, mixed case, and so on). The password is then captured and communicated to the end user in an email.
A valid email address must be entered on the Workflow tab of this application. If email cannot be sent by the application, the following message displays: "Password generation requires the system to use an email server and either the email server has not been setup in Configure System Settings or the email server is currently not available. Please verify the email server setup or remove the check box to generate random password."
This option is available only if the Costpoint Database option is selected from the Authentication Method drop-down list. When this check box is selected, the Costpoint Password field is disabled (no password is required).
The email message sent to the user(s) is:
To: <Email address for this user>
Subject: Costpoint web account password
A temporary password has been assigned to your Costpoint web account. Please use this password and other information below for Costpoint web login. You will need to change your password on your initial login since this is only a temporary password.
URL: <http URL from System Settings>
User ID: <Costpoint Web User ID>
Password: <Random password assigned>
System: <System ID>
|Active Directory or Certificate ID||
Use this field to enter the user's active directory ID or certificate ID. The active directory ID is required for any of the authentication methods that require the Active Directory authentication method. The certificate ID is required when you select the Certificate SSO option from the Authentication Method drop-down list.
|Manage User Groups in Active Directory||
Select this check box to manage user groups in the Active Directory. This check box is enabled only when you select any of the following options from the Authentication Method drop-down list:
When you select this check box for this user, this user is automatically assigned to user groups mapped to the Active Directory entered in the Active Directory or Certificate ID field. Upon login, the user groups linked to the Active Directory where this user belongs display on the Assigned User Groups subtask. User groups linked to a user but are not mapped to the Active Directory still display on the Assigned User Groups subtask. A user can be a member of Costpoint-only user groups and can also dynamically become a member of other user groups linked to the Active Directory.
Note: If you clear this check box or change the authentication method after the user is assigned to user groups linked to the Active Directory, the user will remain assigned to those user groups.
When you remove the user from the Active Directory, the user will also be removed from the Costpoint user group linked to the Active Directory.
|SAML Identity Provider||Select a SAML identity provider (IdP) for the user if the selected authentication method is SAML or Kerberos Single Sign-on or SAML Single Sign-on.|
Note: The current system and global SAML IdPs available in Lookup are based on the Authentication Providers set up in the Product Configuration Utility.
Use this group box to establish two-factor authentication (2FA) settings for this user. If 2FA is enabled, Costpoint will ask this user to enter a one-time passcode after entering his/her user name and password on the Costpoint login screen.
This group box is disabled if the selected authentication method is Single Sign-on or Certificate SSO.
Select this option if you do not want to enforce 2FA for this user.
Select this option if you want to enforce 2FA for this user and allow this user to generate a one-time passcode through a mobile device.
Additional steps are required for the user to fully enable this authentication method. After installing a 2FA application on a mobile device, the user must go to the Configure User Preferences screen to display the 2FA activation barcode, scan it, and complete 2FA enrollment.
Select this option if you want to enforce 2FA for the user. Costpoint will generate and send a one-time passcode to this user using the notification method configured for the user. The user can also receive the passcode by calling the Help Desk.
Select this option if you want to use a biometric device as a 2FA for this user.
Enter the date the selected 2FA method becomes effective.
If you select Notification, the current system date displays by default, but you can change it to a later date. If you select Mobile Application, the date that displays by default is seven days later than the system date to allow the user to complete the 2FA enrollment. You can still modify this date. If you select None, this field is disabled.
Enter a four-digit personal identification number (PIN) that this user will use together with the one-time passcode when logging in to Costpoint. You must enter a value in this field if the User Pin Required check box is selected on the Configure System Settings screen.
|Allow Access to Integration Console||
Select this check box to grant this user access to the Integration Console using his/her Costpoint user name and password.
|Allow Access to Extensibility Console||
Select this check box to grant this user access to the Extensibility Console using his/her Costpoint user name and password.