User authentication can be implemented either through LabKey Server's core authentication system or through an external authentication system such as LDAP, CAS single sign-on protocol, or Duo two-factor authentication.

LabKey allows authentication using any of the configured, enabled authentication providers. If a provider accepts the user credentials, the login is successful. If all providers reject the user's credentials, the login fails. This means that a user can successfully authenticate via multiple methods using different credentials. For example, if a user has both an account on a configured LDAP server and a database password then LabKey will accept either. This behavior allows non-disruptive transitions from database to LDAP authentication and gives users an alternate means in case the LDAP server stops responding or its configuration changes.

Authentication vs. Authorization: Authentication by any of the supported methods merely identifies the user to the server; authorization is handled separately, by an administrator assigning roles to users and groups of users.

Authentication Options

To open the authentication page:

  • Select (Admin) > Site > Admin Console.
  • Click the Admin Console Links tab.
  • Under Configuration, click Authentication. The options available will vary depending on your configuration.

The available primary authentication providers are described in the topics below:

If enabled, a secondary authentication provider requires additional validation beyond one of the above primary authentication methods:
  • Test Secondary Authentication: Adds a trivial, insecure secondary authentication requirement (for test purposes only)
  • Configure Duo Two-Factor Authentication: (Premium Feature) Requires users to provide an additional piece of information to be authenticated.
Other authentication options:

Authentication Logos

You can add logo images that will appear on the standard LabKey sign in page or on the page header "Sign In" link in the upper right. To add logo images, click Pick Logos, and click Choose File for the page header and/or login page links.

Self Sign-up

Self sign-up allows users to register for new accounts themselves when using database authentication. Use caution when enabling this if you have enabled sending email to non-users.

When enabled via the authentication page, users will see a "Register for a new account" link on the login page. Clicking it allows them to enter their email address, verify it, and create a new account.

To help prevent abuse by bots, when self sign-up is enabled, users will need to correctly enter a captcha sequence of characters before registering for an account.

Auto-create Authenticated Users

If one or more of the authentication providers is enabled, auto-creation of new accounts for users who are authenticated is enabled by default. You can disable it, but if you do so, be sure to communicate to your users the process they should follow for creating a LabKey account. For instance, you might require an email request to a central administrator to create accounts.

Self-Service Email Changes

Administrators can configure the server to allow non-administrator users to change their own email address (if their password is managed by LabKey Server). To allow non-administrator users to edit their own email address, click Enable next to Self-service email changes.

When enabled uses can edit their email address by selecting (User) > My Account. On the user account page, click Change Email.

Related Topics


Was this content helpful?

Log in or register an account to provide feedback

expand all collapse all