Authentication providers are the identity providers that host basic user information, such as user ID and password. EASYProcess supports the following authentication providers:
EASYProcess - EASYProcess itself has identity storage to keep user ID and other information. Under this scheme, users will be created and kept in EASYProcess. There are several built-in Web Parts and processes to support native user tables. These can be further customized by application need.
External Providers - If you already have a user identity provider, such as LDAP servers or through an ERP system, EASYProcess can use these providers, too. There are several built-in processes for LDAP, JD Edwards, or iSeries authentication. Under such a scenario, EASYProcess will authenticate the user on these servers with the provided user ID and password. Once authenticated, other information, such as user role and user organizational hierarchy, can also be downloaded from the provider (if such information exists and is needed).
Windows - Windows authentication can also be enabled for IIS websites. Under this scenario, a Windows login popup will open when the user requests any URL. Once authenticated, EASYProcess can further query Active Directory to retrieve other information about the users, such as email and roles; this information can be used to set up user roles in the context of any EASYProcess application.
A Combination of the Above - You can also select any combination of the above providers, for example a scenario where the user is first authenticated by LDAP. If LDAP fails, authentication is attempted again using EASYProcess. This switch is seamless to the user.
Below is a screenshot of the Authentication Home menu. This is the first step a developer takes to set up the users. This menu can also be used to access the other elements of the authentication setup.
Add New Users - Used to add new users who can access the application. These users are stored in the EP_Users tables in the database. The EASYProcess authentication process uses this data to verify the different user accounts. While setting up the users, a developer can also decide the level of access each user will be granted to work on the application. This is defined in the 'SecurityLevel' property, a numeric value that determines how the website behaves for the different user types.
EASYProcess implements authentication using its own processes. This means that none of the authentication rules are hardcoded; they can be configured exactly to your needs, just like anything else in EASYProcess.
There are built-in authentication processes for EASYProcess, JD Edwards, LDAP, Windows Authentication (Active Directory), and iSeries that can be easily customized to your needs. These processes can then be applied in sequence to support multiple authentication sources.
Below is an example of how custom IP blocking can be added to the existing Authentication process.
Below is a screenshot of the Authentication Processes menu. Here you can create a list of Authentication scenarios the application will run through for any user that wants to sign in.
This is how the backend process works to call all the individual checks in order.
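As an added illustration (not EASYProcess code), the sequence described above can be modelled as a chain: an IP block pre-check runs first, then LDAP, then the native EASYProcess user table, and the first provider that succeeds wins. The provider functions, sample users, passwords and blocked range are constructed placeholders.

```python
import hmac
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample data standing in for the EP_Users table and an LDAP directory.
# Credentials and the blocked range (a documentation-only network) are placeholders.
LOCAL_USERS = {"alice": ("alice-pw", 500)}          # user id -> (password, SecurityLevel)
LDAP_USERS = {"bob": "bob-pw"}                       # user id -> password
BLOCKED_NETWORKS = [ip_network("203.0.113.0/24")]


@dataclass
class AuthResult:
    user_id: str
    provider: str
    security_level: int


def ldap_check(user_id: str, password: str) -> Optional[AuthResult]:
    """Hypothetical LDAP provider: 'bind' succeeds only with the matching password."""
    stored = LDAP_USERS.get(user_id)
    if stored is not None and hmac.compare_digest(stored, password):
        # Role/level would be downloaded from the directory after the bind; fixed here.
        return AuthResult(user_id, "LDAP", 100)
    return None


def easyprocess_check(user_id: str, password: str) -> Optional[AuthResult]:
    """Hypothetical native provider backed by the EP_Users rows above."""
    rec = LOCAL_USERS.get(user_id)
    if rec is not None and hmac.compare_digest(rec[0], password):
        return AuthResult(user_id, "EASYProcess", rec[1])
    return None


def is_blocked(client_ip: str) -> bool:
    """Custom IP blocking step: deny any request from a blocked network."""
    return any(ip_address(client_ip) in net for net in BLOCKED_NETWORKS)


def authenticate(user_id: str, password: str, client_ip: str,
                 providers=(ldap_check, easyprocess_check)) -> Optional[AuthResult]:
    """Run the IP pre-check, then each provider in order; first success wins."""
    if is_blocked(client_ip):
        return None
    for check in providers:
        result = check(user_id, password)
        if result is not None:
            return result
    return None
```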
EASYProcess provides a set of authentication services to manage user sessions in an application.
These services can be utilized in authentication processes or in any other processes in the application.
User Session Services
Add a User to a Session - Add a user to a browser session. This service is used by an authentication process to add a user to a session after the user has been authenticated. This allows use of any page that is authorized without login as long as the session is maintained. Once the browser is closed, the user session will expire and the user will have to log in again for this session.
Remove a User from a Session - This is used by the logout process to remove a user from a browser session. After this service is executed, the user can no longer access any authorized function without logging in again for this session.
Modify a User Session - A user session has a property collection object that can be modified to add additional information to the user session. For example, if a user has an address book number, this number can be added to the user session object using this service. Added properties can be accessed later in other processes in the context of the same user session.
Use this service to authenticate a user ID/password combination through an external LDAP server.
This service is used by LDAP authentication processes, and accepts the following parameters:
- LDAP Server Path: path to the LDAP server (e.g. LDAP://ldap.yourcompany.com)
- User ID: ou=people, o=yourcompany, otherparameters=othervalues
Please note that, within the syntax of the server path, the user ID will vary based on your LDAP settings.
Once a user is authenticated to use an EASYProcess application, further authorization/security is applied using user roles.
Roles are stored within EPUserAuthorizations tables and can be managed from the EASYProcess authorization menu. Each role is assigned a numerical security level from 001 to 999; the higher the level, the higher the access level associated with a role. Generally, "System Administrators" are assigned 999, granting these users full access to the application.
Roles and Users
A user is assigned a role within the EPUsers/UserAuthorizationType column. Once a user is assigned a role, his/her security level will default to the security level associated with that role; this defaulted security level will only occur if the SecurityLevel column within EPUsers is set to -1 for this user.
If you set the user's security level to any number within 1-999, this value overrides the role's default security level (the one implied by UserAuthorizationType).
Access to Application Pages
Access to application pages is controlled by security level and by the override and restricted settings. All of these are available within the EASYProcess authorization menu.
Every page in EASYProcess has a security level from 0-999. 0 means that a page is available to all users (including guest users); the login page and the FAQ page, for example, would typically be set to 0.
Parameters associated with EASYProcess pages and security levels include the following:
1. A user will have access to a page if the user's security level, as calculated, is greater than or equal to the page's security level.
2. If a user or user role is provided exclusive access to a page using the override feature, this exclusive access will override #1.
3. If a user or user role is restricted from a page using the restricted feature, this limitation will override both #1 and #2.
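The three rules, together with the role default from the Roles and Users section, as an added example that is not EASYProcess code. Table and column names (EPUsers.SecurityLevel, UserAuthorizationType, EPUserAuthorizations) follow the page; the role levels, users and pages are constructed sample rows.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed stand-in for EPUserAuthorizations: role name -> security level (001-999, guest 0).
ROLE_LEVELS: Dict[str, int] = {"SystemAdministrator": 999, "Clerk": 100, "Guest": 0}


@dataclass
class User:
    """One EPUsers row: UserAuthorizationType is the role; -1 means inherit its level."""
    user_id: str
    user_authorization_type: str
    security_level: int = -1


@dataclass
class Page:
    """A page with its security level plus override/restricted sets of users or roles."""
    name: str
    security_level: int = 0                              # 0 = public, including guests
    override: Set[str] = field(default_factory=set)      # exclusive access granted
    restricted: Set[str] = field(default_factory=set)    # access denied regardless


def effective_level(user: User) -> int:
    """An explicit 1-999 value in EPUsers.SecurityLevel wins; -1 falls back to the role."""
    if 1 <= user.security_level <= 999:
        return user.security_level
    return ROLE_LEVELS[user.user_authorization_type]


def can_access(user: User, page: Page) -> bool:
    """Apply the page's rules in precedence order: restricted (3) > override (2) > level (1)."""
    principals = {user.user_id, user.user_authorization_type}
    if principals & page.restricted:        # rule 3 beats everything
        return False
    if principals & page.override:          # rule 2 beats the level comparison
        return True
    return effective_level(user) >= page.security_level   # rule 1
```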
Delegate Authentication allows one application to use another EASYProcess application as an authentication source. EASYProcess uses this mechanism to support single sign-on (SSO) across multiple applications.
A master application holds the authentication information for every user who needs access to the system. All other applications delegate their authentication to the master application. User roles can come from the master application or can be specified at the level of the individual application.
Setting up Delegate Authentication
Delegate Authentication can be set up from the EASYProcess Enterprise Manager:
- From the Enterprise Manager, navigate to the top menu and select Delegate Authentication Management.
- Select the application that requires Delegate Authentication within the left panel.
- Select the master application within the rightmost panel.
- Drag the master application from the right panel and drop this application within the middle panel.