User authentication can be implemented either through LabKey Server's core authentication system or through an external authentication system such as LDAP, CAS single sign-on protocol, or Duo two-factor authentication.

LabKey allows authentication using any of the configured, enabled authentication providers. If a provider accepts the user credentials, the login is successful. If all providers reject the user's credentials, the login fails. This means that a user can successfully authenticate via multiple methods using different credentials. For example, if a user has both an account on a configured LDAP server and a database password then LabKey will accept either. This behavior allows non-disruptive transitions from database to LDAP authentication and gives users an alternate means in case the LDAP server stops responding or its configuration changes.

The available primary authentication providers are described in the topics below:

• Configure Database Authentication - Use LabKey Server's built-in authentication service.
• Configure LDAP - Connect to an LDAP (Lightweight Directory Access Protocol) server to authenticate users against an organization's directory server.
• Configure CAS Single Sign On Authentication - Authenticate users against an Apereo CAS server.

If enabled, a secondary authentication provider requires additional validation beyond one of the above primary authentication methods:

• Configure Duo Two-Factor Authentication - Requires users to provide an additional piece of information to be authenticated.

User Account Creation Options

To open the authentication page:

Self Sign-up

Self sign-up allows users to register for new accounts themselves when using database authentication. Use caution when enabling this if you have enabled sending email to non-users.

When enabled via the authentication page, users will see a "Register for a new account" link on the login page. Clicking it allows them to enter their email address, verify it, and create a new account.

Auto-create Authenticated Users

If one or more of the authentication providers is enabled, auto-creation of new accounts for users who are authenticated is enabled by default. You can disable it, but if you do so, be sure to communicate to your users the process they should follow for creating a LabKey account. For instance, you might require an email request to a central administrator to create accounts.

Additional Topics

• Create a .netrc or _netrc file. Useful for setting up autologin for RlabKey and SAS library access.
• HTTP Basic Authentication. Useful for command-line tools and testing in a trusted environment.