Many of the same Authentication modules which can be used to authenticate KeyAccess client connections may also be used for authentication of Sassafras administrators.
Select Admin Authentication... from the Config Menu in order to set up an external system (e.g. Active Directory) for authenticating administrative passwords and privileges based on group membership.
Note that some authentication modules can use multiple properties to determine group membership when authenticating a KeyAccess user. However, for Admin Authentication, only the user name can be used to determine group membership.
Setting up authentication is only one step in the process of defining access and permissions in KeyServer. Here are the setup steps to consider:
The Admin Authentication dialog is similar to the Client Authentication dialog but without options that only pertain to clients.
If you have already set up User Authentication and you want to use the same authentication method for controlling Administrative accounts in KeyConfigure, use the "Copy User Auth" button so you won't have to re-enter the configuration details. Note that this is a one-time copy. If you later change the User settings, the Admin settings will NOT automatically be kept in sync.
When a KeyConfigure administrator attempts to connect to KeyServer, the internally defined Accounts are checked first, and then, if there is no matching name, the external Admin Authentication method is checked. After the login is authenticated, KeyServer checks what Roles are associated with the account, either through group membership or via a direct association.
In order for an admin to succeed in logging in using external authentication, two things must happen. First, they must provide a name and password which are accepted by the external authentication. Second, the account must be associated with a Role. If the account is not explicitly linked to a Role, there must be a Role defined with an associated group which the external authentication method associates with the user name. Note that some authentication modules can use multiple properties to determine group membership when authenticating a KeyAccess user. However, for Admin Authentication, only the user name can be used to determine group membership.
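The login decision described in the two paragraphs above, as an added Python model that is not KeyServer code. All account names, groups, Role names and passwords are constructed, and the rule that a matching internal name never falls through to the external method is a literal reading of "if there is no matching name".

```python
# Model of the admin login order described above. Illustration only, not
# KeyServer code; every name, group, Role and password here is constructed.
import hmac

# Internally defined Accounts: name -> password and Roles.
INTERNAL = {"Administrator": {"password": "local-pw", "roles": {"Full Admin"}}}
# Stand-in for the external method (e.g. a directory): name -> (password, groups).
EXTERNAL = {
    "alice": ("pw-a", {"KS-Admins"}),
    "bob": ("pw-b", {"Staff"}),
    "carol": ("pw-c", {"Staff"}),
    "Administrator": ("dir-pw", {"KS-Admins"}),  # same name as an internal Account
}
ROLE_GROUPS = {"Report Viewer": {"KS-Admins"}}  # Role -> associated external groups
ROLE_DIRECT = {"Auditor": {"carol"}}            # Role -> explicitly linked accounts


def _password_ok(supplied, stored):
    # Constant-time comparison; a real system would not hold plaintext passwords.
    return hmac.compare_digest(supplied.encode(), stored.encode())


def admin_login(name, password):
    """Return (allowed, roles, reason) for one login attempt."""
    account = INTERNAL.get(name)
    if account is not None:
        # Assumption from the text: the external method is consulted only when
        # no internal name matches, so a bad password stops here.
        if _password_ok(password, account["password"]):
            return True, set(account["roles"]), "internal account"
        return False, set(), "internal password rejected"
    entry = EXTERNAL.get(name)
    if entry is None or not _password_ok(password, entry[0]):
        return False, set(), "external authentication rejected"
    # Group membership is looked up by user name only.
    groups = entry[1]
    roles = {role for role, names in ROLE_DIRECT.items() if name in names}
    roles |= {role for role, wanted in ROLE_GROUPS.items() if wanted & groups}
    if not roles:
        return False, set(), "authenticated but no Role"
    return True, roles, "external authentication"


if __name__ == "__main__":
    for user, pw in [("alice", "pw-a"), ("bob", "pw-b"), ("carol", "pw-c"),
                     ("Administrator", "dir-pw"), ("Administrator", "local-pw")]:
        print(user, admin_login(user, pw))
```

The two denials worth noting when reviewing a configuration are `bob`, whose password is valid but who maps to no Role, and the directory `Administrator`, whose name is shadowed by the internal Account.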
Consult the Authentication Modules documentation for a description of options and configuration steps for each specific module choice. For specific information about using the Active Directory option for Admin Authentication, refer to the Active Directory Integration — Admin Authentication page. For more details on Admins and Roles, see the Admin Access Window documentation.