User authentication is performed through LabKey Server's core database authentication system by default. Authentication means identifying the user to the server. In contrast, user authorization is handled separately, by an administrator assigning roles to users and groups of users.
With Premium Editions of LabKey Server, other authentication methods, including LDAP, the SAML and CAS single sign-on protocols, and Duo two-factor authentication, can also be configured. Premium Editions also support defining multiple configurations of each external authentication method. Learn more about Premium Editions here.
To open the main authentication dashboard:
- Select (Admin) > Site > Admin Console.
- Under Configuration, click Authentication.
- Global Settings: Use the checkboxes to enable either or both options.
- Configurations: There are two tabs for configurations:
- Primary: The default primary configuration is Standard database authentication.
- On servers where additional authentication methods are enabled, you can use the Add New Primary Configuration dropdown.
- Secondary: Use this tab to enable a secondary authentication method if desired.
- Login Form Configurations: These configurations use LabKey's login page to collect authentication credentials. Standard database authentication uses this method. If additional authentication methods are added, such as LDAP on a Premium Edition server, LabKey will attempt to authenticate against each configuration in the order they are listed. You can drag and drop to reorder them.
- Single Sign On Configurations: Configurations in this section (if any) let LabKey users authenticate against an external service such as a SAML or CAS server. LabKey will render custom logos in the header and on the login page in the order that the configurations are listed. You can drag and drop to reorder them.
Enable Self Signup
Self sign-up allows users to register for new accounts themselves when using database authentication. When the user registers, they provide their own email address and receive an email to choose a password and sign in.
When enabled via the authentication page, users will see a Register button on the login page. Clicking it allows them to enter their email address, verify it, and create a new account.
When self sign-up is enabled, users will need to correctly enter a captcha sequence of characters before registering for an account. This common method of 'proving' users are humans is designed to reduce abuse of the self sign-up system.
Use caution when enabling this if you have enabled sending email to non-users. With the combination of these two features, someone with bad intent could use your server to send unwanted spam to any email address that someone else attempts to 'register'.
Self-Service Email Changes
Administrators can configure the server to allow non-administrator users to change their own email address (if their password is managed by LabKey Server). To allow non-administrator users to edit their own email address, click Enable next to Self-service email changes.
When enabled, users can edit their email address by selecting (User) > My Account. On the user account page, click Change Email.
Multiple Authentication Configurations and Methods
The ability to add other authentication methods and to define multiple configurations of each method is available with all Premium Editions of LabKey Server. Learn more or contact LabKey.
Multiple authentication methods can be configured simultaneously, which provides flexibility, failsafe protections, and a convenient way for different groups to utilize their own authentication systems with LabKey Server. For example, standard database authentication, an LDAP server, and SAML can simultaneously be used.
For each external method of authentication used with Premium Editions of LabKey Server, there can also be multiple distinct configurations defined and selectively enabled. For example, the following server has 5 available configurations, 3 of which are enabled.
When multiple configurations are available, LabKey attempts to authenticate the user in the order configurations are listed on the Primary tab, followed by the Secondary tab. You can rearrange the listing order by dragging and dropping using the six-block handles on the left.
If any one configuration accepts the user credentials, the login is successful. If all enabled configurations reject the user's credentials, the login fails. This means that a user can successfully authenticate via multiple methods using different credentials. For example, if a user has both an account on a configured LDAP server and a database password then LabKey will accept either. This behavior allows non-disruptive transitions from database to LDAP authentication and gives users an alternate means in case the LDAP server stops responding or its configuration changes.
When migrating users from LDAP to the database authentication method, you can monitor progress using the "Has Password" field on the Site Users
Supported Authentication Methods
- Database Authentication: LabKey Server's built-in database authentication service.
- LDAP: (Premium Feature) Configure LDAP servers to authenticate users against an organization's directory server.
- SAML: (Premium Feature) Configure a Security Assertion Markup Language authentication method.
- CAS: (Premium Feature) Authenticate users against an Apereo CAS server.
- Duo: (Premium Feature) Require users to provide an additional piece of information to be authenticated.
Auto-create Authenticated Users
If one or more remote authentication methods is enabled, you will see an additional checkbox in the Global Settings. By default, new LabKey Server accounts will be automatically created for users who are authenticated by external methods such as LDAP, SAML, or CAS. You can disable this in the global settings by unchecking the box.
If you disable auto creation of authenticated users, be sure to communicate to your users the process they should follow for creating a LabKey account. Otherwise they will be able to authenticate but will not have an actual LabKey account with which to use the server. As one example process, you might require an email request to a central administrator to create accounts. The administrator would create the account, the activation email would invite the user to join the server, and they would be authenticated via the external configuration.
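The ordered, first-match behavior described above (one accepting configuration is enough; a rejection or an unresponsive LDAP server just moves on to the next listed configuration) and the auto-create switch are easy to reason about as a small model. The following is an added example written for this page, not LabKey's own code: the configuration names, the toy credential stores and the log lines are constructed, and treating every enabled Secondary configuration as a required extra step after primary success is an assumption made here.

```python
"""Added example (not LabKey code): a model of LabKey's ordered primary
authentication chain, the auto-create-accounts setting, and a required
secondary step.  All names and credential stores are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Outcome of one configuration's attempt to verify a credential.
ACCEPT, REJECT, UNAVAILABLE = "accept", "reject", "unavailable"


@dataclass
class AuthConfig:
    """One entry on the Primary or Secondary tab (names are constructed)."""
    name: str
    enabled: bool
    verify: Callable[[str, str], str]  # (email, secret) -> ACCEPT / REJECT / UNAVAILABLE


@dataclass
class Server:
    primary: List[AuthConfig]      # in the order listed on the Primary tab
    secondary: List[AuthConfig]    # assumption: every enabled secondary must also accept
    accounts: Set[str]             # e-mail addresses that already have a LabKey account
    auto_create: bool = True       # the "auto-create authenticated users" checkbox
    log: List[str] = field(default_factory=list)

    def login(self, email: str, password: str, second_factor: str = "") -> Tuple[bool, str]:
        # Primary: the first enabled configuration that accepts wins.  A reject or
        # an unavailable server simply falls through to the next listed one.
        accepted_by = None
        for cfg in self.primary:
            if not cfg.enabled:
                continue
            outcome = cfg.verify(email, password)
            self.log.append(f"{cfg.name}: {outcome}")
            if outcome == ACCEPT:
                accepted_by = cfg.name
                break
        if accepted_by is None:
            return False, "all enabled primary configurations rejected the credentials"

        # Auto-create: an externally authenticated user with no LabKey account only
        # gets in if the global setting allows the account to be created on the fly.
        if email not in self.accounts:
            if not self.auto_create:
                return False, f"authenticated via {accepted_by} but no LabKey account exists"
            self.accounts.add(email)
            self.log.append(f"auto-created account for {email}")

        # Secondary (e.g. Duo): an additional factor that must also be accepted.
        for cfg in self.secondary:
            if cfg.enabled and cfg.verify(email, second_factor) != ACCEPT:
                return False, f"{cfg.name} did not accept the second factor"
        return True, f"authenticated via {accepted_by}"


def database_config(passwords: Dict[str, str]) -> AuthConfig:
    """Standard database authentication; the page notes it cannot be disabled."""
    def verify(email: str, password: str) -> str:
        return ACCEPT if passwords.get(email) == password else REJECT
    return AuthConfig("Standard database authentication", True, verify)


def ldap_config(name: str, directory: Dict[str, str], status: Dict[str, bool]) -> AuthConfig:
    """Toy LDAP configuration; status["up"] simulates the directory server going away."""
    def verify(email: str, password: str) -> str:
        if not status["up"]:
            return UNAVAILABLE
        return ACCEPT if directory.get(email) == password else REJECT
    return AuthConfig(name, True, verify)


def second_factor_config(codes: Dict[str, str]) -> AuthConfig:
    """Stand-in for a Secondary-tab configuration such as Duo (constructed)."""
    def verify(email: str, code: str) -> str:
        return ACCEPT if codes.get(email) == code else REJECT
    return AuthConfig("Second factor", True, verify)


def build_server(auto_create: bool = True, ldap_up: bool = True,
                 require_second_factor: bool = False) -> Server:
    """Constructed sample server: LDAP listed first, then the database."""
    ldap = ldap_config("Corporate LDAP",
                       {"alice@example.org": "ldap-pw", "bob@example.org": "ldap-pw"},
                       {"up": ldap_up})
    db = database_config({"alice@example.org": "db-pw"})
    secondary = [second_factor_config({"alice@example.org": "123456"})] if require_second_factor else []
    return Server(primary=[ldap, db], secondary=secondary,
                  accounts={"alice@example.org"}, auto_create=auto_create)


if __name__ == "__main__":
    s = build_server(ldap_up=False)
    print(s.login("alice@example.org", "db-pw"), s.log)   # LDAP unavailable, database accepts
    s = build_server(auto_create=False)
    print(s.login("bob@example.org", "ldap-pw"))         # LDAP accepts, but no account
```

The `log` list is the part worth watching in practice: with LDAP listed first, a user who keeps a database password never notices an LDAP outage, which is the transition and fallback behavior the page describes, while a server with auto-create disabled turns an otherwise valid external login into a clear "no LabKey account" failure rather than a silent one.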
Enable/Disable and Delete Configurations
You cannot disable or delete the standard database authentication. When other configurations are available, you can use the toggle at the top of the settings panel to enable or disable them. Click the (pencil) icon to edit settings. Click the delete icon to delete a configuration.