Task: Configure 'Windows Login' Hub Authentication

• Preliminaries
• Permissions
• Configure Authentication
• Links

Preliminaries

Before you configure a Windows Login authentication service for your hub, you should decide on the following.

• The default Windows domain to be used for authentication through the service.
• Whether or not users will be permitted to specify a Windows domain other than your selected default.

In this example, we will configure a Windows Login authentication service such that:

• The default domain is PROJECTX.
• Users will be permitted to specify a Windows domain other than the selected default.
• Hub user accounts will be automatically created for users who are authenticated through the service but do not already have corresponding hub accounts.
  
  • For each of these automatically created accounts, the template user will be alex: the account will be created with the same Default Role, Email Alerts? setting, User Roles set, and Visibility Defaults as alex has at the time the new account is created.
  • Hub user accounts that are automatically created on behalf of third-party authentication services always have the special Enabled role.
• Windows Login authentication takes priority over all other configured third party authentication services (but note that the hub will always check sign-in credentials against hub user account usernames/passwords before applying any third-party authentication).
• Authentication for any satellite hubs will be performed by the primary hub.

Permissions Needed For This Task

• G_MANAGE_USERS (needed to access the Authentication Services page).
• User control over the hub user accounts that you want to use as the template user and authorizing user for your new authentication service.
  • G_ADMINISTER_USERS
    or
  • G_MANAGE_USERS and ROLE_ADMINISTER R for every role R that the user is assigned.

It is sufficient to authenticate as a user with the special Administrator role, which immutably has the necessary permissions. In particular, it is always sufficient to authenticate as special user Administrator.

Configure Authentication

To configure a Windows Login authentication service with the properties described above:

1. Sign in.
   1. Click the Sign In link in the GUI page header:
      The Sign In page will open.
   2. Sign in as Administrator, or another user with sufficient permissions.
2. Click the Settings icon in the page header to view the Settings page.
3. Change to the User Administration tab.
4. Click the Authentication Services link in the tab.
   The Authentication Services page will open.
5. Scroll down to the Add Service form.
6. Select Microsoft Windows Login from the Type menu.
   (If it is not present, it probably means that your hub is not running on a Windows machine.)
   The Configuration section of the Add Service form will update to display form fields for required Windows Login configuration information.
7. Enter a suitable name, such as Local Windows Login, in the Service Name field.
8. Fill in the remaining configuration fields as follows.

   Field	Value	Notes
   Priority	10	If one or more authentication services are already configured, this service will have first priority if and only if the entered Priority value is lower than all those shown in the table of current services.
   Usage	Global	If you are running a primary hub with satellites, authentication for the primary hub and all satellite hubs will be performed by the primary hub. If you do not have satellite hubs, this setting will have no effect.
   Create new user accounts automatically	selected	If the service successfully authenticates a user who does not already have a hub account, one will be automatically created.
   Template User (for new accounts)	alex	Existing user alex will be the template user for any hub user accounts that are automatically created by the service. Hub accounts that were not automatically created by the service are not affected, even if users sign into them using this service. There is no effect on Windows user account information.
   Auth User	see notes	This must be a hub user account that has user control over the designated Template User. The authentication service will only be able to perform hub operations that this account has permission to perform. In general, we recommend setting as follows. CodeSonar SaaS: the hub user account that you are using to configure the authentication service. otherwise: special user Administrator.
   User Selects Domain	Allow	For example, if a user specifies username OTHERDOMAIN\alex when signing in, the service will attempt to perform authentication for OTHERDOMAIN\alex. If successful, the user will be signed into the hub user account with username alex.
   Default Domain	PROJECTX	For example, if a user specifies username alex when signing in, the service will attempt to perform authentication for PROJECTX\alex. If successful, the user will be signed into the hub user account with username alex.

9. Click Add Service.
   The authentication service will be installed. When installation has finished, the table of current services will update to show an entry for the new service.
10. Try out the new service.
    1. Sign out of the Administrator account.
    2. Sign in with your Windows credentials.
       If everything is working correctly, the hub will sign you into a corresponding hub user account.
11. If you need to change the configuration for the service, click the corresponding entry in the table of current services and use the functionality on the Edit Authentication Service page that opens.

Links

• Typical CodeSonar Tasks
• CodeSonar GUI Reference