User authentication can be implemented through LabKey Server's core authentication system or through external authentication systems such as LDAP, the CAS single sign-on protocol, or Duo two-factor authentication.
Multiple authentication providers can be enabled simultaneously, which provides flexibility, failsafe protections, and a convenient way for different groups to utilize their own authentication systems.
Multiple providers can be configured and selectively enabled. For example, the following server has 5 available providers, 3 of which are enabled.
When multiple providers are enabled, LabKey follows these authentication rules:
- If one provider accepts the user credentials, the login is successful.
- If all providers reject the user's credentials, the login fails.
This means that a user can successfully authenticate via multiple methods using different credentials. For example, if a user has both an account on a configured LDAP server and a database password, then LabKey will accept either. This behavior allows non-disruptive transitions from database to LDAP authentication and gives users an alternate means in case the LDAP server stops responding or its configuration changes.
When migrating users from LDAP to the database provider, you can monitor progress using the "Has Password" field on the Site Users
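The rule above, modeled as an added Python example (not LabKey Server code): login succeeds as soon as any enabled provider accepts, and an unreachable provider does not block the others. The `Provider` class, the account data and the treatment of an outage as a rejection by that one provider are assumptions made for illustration.

```python
import hashlib
import hmac

SALT = b"constructed-demo-salt"  # constructed; real stores use per-user random salts

class ProviderUnavailable(Exception):
    """The provider (for example an LDAP server) could not be reached."""

def kdf(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

class Provider:
    """Hypothetical stand-in for one configured authentication provider."""
    def __init__(self, name, accounts, enabled=True, reachable=True):
        self.name, self.enabled, self.reachable = name, enabled, reachable
        self.accounts = {email: kdf(pw) for email, pw in accounts.items()}

    def accepts(self, email, password):
        if not self.reachable:
            raise ProviderUnavailable(self.name)
        stored = self.accounts.get(email)
        return stored is not None and hmac.compare_digest(stored, kdf(password))

def login(providers, email, password):
    """Return the name of the first enabled provider that accepts, else None."""
    for p in providers:
        if not p.enabled:
            continue  # configured but disabled providers are never consulted
        try:
            if p.accepts(email, password):
                return p.name
        except ProviderUnavailable:
            continue  # assumption: an outage only removes that one provider
    return None  # every enabled provider rejected the credentials

def login_paths(providers, email):
    """Audit helper: enabled providers holding a credential for this user."""
    return [p.name for p in providers if p.enabled and email in p.accounts]

# Constructed sample data: one user with two credentials, one with a database password only.
ldap = Provider("LDAP", {"ana@example.org": "ldap-secret"})
database = Provider("Database", {"ana@example.org": "db-secret", "raj@example.org": "raj-db"})
cas = Provider("CAS", {}, enabled=False)
PROVIDERS = [ldap, database, cas]
```

`login_paths` shows that the constructed user `ana@example.org` has two working credentials, so revoking one of them leaves the other usable until it is removed as well.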
Authentication vs. Authorization. Authentication by any of the supported methods merely identifies the user to the server; authorization is handled separately, by an administrator assigning roles to users and groups of users.
To open the main authentication dashboard:
- Select (Admin) > Site > Admin Console.
- Click the Settings tab.
- Under Configuration, click Authentication. The options available will vary depending on your server edition and which authentication providers have been configured. The screenshot below shows the default configuration for a Community Edition server.
- Administrators can configure one or many authentication methods, such as basic database and LDAP authentication. (Premium editions of LabKey Server support multiple configurations of the same authentication method, such as two or more LDAP configurations.) When multiple configurations are enabled, login will be successful if at least one of the authentication methods is successful. For details on this behavior see above.
- To configure an existing authentication method, click one of the Edit links.
- To add a new authentication method, click Add... and select one of the options below. The available options will differ depending on your server edition.
Supported Authentication Methods
Self sign-up allows users to register for new accounts themselves when using database authentication. Use caution when enabling this if you have enabled sending email to non-users.
When enabled via the authentication page, users will see a "Register for a new account" link on the login page. Clicking it allows them to enter their email address, verify it, and create a new account.
When self sign-up is enabled, users will need to correctly enter a captcha sequence of characters before registering for an account. This common method of 'proving' users are humans is designed to reduce abuse of the self sign-up system.
Auto-create Authenticated Users
If one or more of the authentication providers is enabled, auto-creation of new accounts for users who are authenticated is enabled by default. You can disable it, but if you do so, be sure to communicate to your users the process they should follow for creating a LabKey account. For instance, you might require an email request to a central administrator to create accounts.
Self-Service Email Changes
Administrators can configure the server to allow non-administrator users to change their own email address (if their password is managed by LabKey Server). To allow non-administrator users to edit their own email address, click Enable next to Self-service email changes.
When enabled, users can edit their email address by selecting (User) > My Account. On the user account page, click Change Email.