User authentication can be implemented either through LabKey Server's core authentication system or through an external authentication system such as LDAP, CAS single sign-on protocol, or Duo two-factor authentication.
LabKey allows authentication using any of the configured, enabled authentication providers. If a provider accepts the user credentials, the login is successful. If all providers reject the user's credentials, the login fails. This means that a user can successfully authenticate via multiple methods using different credentials. For example, if a user has both an account on a configured LDAP server and a database password then LabKey will accept either. This behavior allows non-disruptive transitions from database to LDAP authentication and gives users an alternate means in case the LDAP server stops responding or its configuration changes.
The available primary authentication providers are described in the topics below:
If enabled, a secondary authentication provider requires additional validation beyond one of the above primary authentication methods:
User Account Creation Options
To open the authentication page:
- Select Admin > Site > Admin Console.
- Click Authentication in the configuration section.
Self sign-up allows users to register for new accounts themselves when using database authentication. Use caution when enabling this if you have enabled sending email to non-users.
When enabled via the authentication page, users will see a "Register for a new account" link on the login page. Clicking it allows them to enter their email address, verify it, and create a new account.
Auto-create Authenticated Users
If one or more of the authentication providers is enabled, auto-creation of new accounts for users who are authenticated is enabled by default. You can disable it, but if you do so, be sure to communicate to your users the process they should follow for creating a LabKey account. For instance, you might require an email request to a central administrator to create accounts.