Configuring Authentication
Spectrum has the concept of local and domain users. Local users are assigned a password by the administrator within the Spectrum system. Domain users are configured in Spectrum, but their passwords are stored in an LDAP, Azure, or Federated Single Sign-On system.
If you use an LDAP, Azure, or Single Sign-On system, Spectrum can use that system to authenticate the user.
LDAP or Azure
By integrating Lightweight Directory Access Protocol (LDAP) or Azure Active Directory (AZ) authentication into Spectrum, you can enable users to sign in to Spectrum by using their domain credentials so that they do not have to maintain a separate password for use with Spectrum. To sign in to Spectrum, a user must also have an account configured in Spectrum, or you can enable auto-provisioning to automatically create and maintain users and group assignments in Spectrum using your LDAP or Azure service.
Auto-Provisioning
You can configure auto-provisioning in Spectrum to automatically create and update users and group assignments in Spectrum using data from your existing LDAP or Azure service. This allows a Directory Service Administrator to manage users and their groups via LDAP or Azure and not have to duplicate efforts to add those users into Spectrum.
Best Practice
Loftware recommends configuring only one LDAP or Azure service per Spectrum instance (a Spectrum Application Server and a Spectrum Database Server that are associated with each other by a Spectrum License).
When auto-provisioning is enabled, users in your LDAP/Azure service who belong to an LDAP/Azure group that is mapped to a Spectrum group are automatically created in Spectrum when the user signs in to Spectrum, and the Spectrum group memberships are automatically assigned based on the Spectrum-to-LDAP or Spectrum-to-Azure group mappings. You must still configure permissions for groups within Spectrum for users to have the appropriate access (for more information, see Create or Modify a Group).
If an auto-provisioned user already exists in Spectrum, the user's information and group assignments are automatically updated using the group mappings every time the user signs in to Spectrum.
Tip: If you manually add or remove a mapped group to or from an auto-provisioned user in Access Control
Auto-provisioned users are indicated with an Auto-Provisioned tag in the Properties pane for the user in Access Control.
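The group-mapping rule described above can be previewed against a directory export before auto-provisioning is enabled, so that the resulting Spectrum group assignments are reviewed rather than discovered at sign-in. This is an added example, not Loftware code or a Spectrum API; the group names, user names and data structures are constructed assumptions.

```python
# Added illustration, not Loftware code and not a Spectrum API.
# All group names, user names and data structures below are constructed.

# (directory group, Spectrum group) pairs, as an administrator would map them.
GROUP_MAPPINGS = [
    ("Label-Designers", "DESIGNERS"),
    ("Label-Operators", "OPERATORS"),
    ("IT-Admins", "ADMINISTRATORS"),
    ("Label-Reviewers", "REVIEWERS"),
]

# Directory export: user name -> directory groups the user belongs to.
DIRECTORY_MEMBERSHIP = {
    "asmith": {"Label-Designers"},
    "bjones": {"Label-Operators", "IT-Admins"},
    "cwu": {"Finance"},
    "dlee": {"Label-Designers", "Finance"},
}


def spectrum_groups_for(directory_groups, mappings):
    """Spectrum groups a user receives from their directory groups."""
    return {spectrum for directory, spectrum in mappings
            if directory in directory_groups}


def preview_provisioning(membership, mappings):
    """Users who would be created at sign-in, with their Spectrum groups."""
    preview = {}
    for user, groups in membership.items():
        assigned = spectrum_groups_for(groups, mappings)
        # Users in no mapped directory group are not auto-created.
        if assigned:
            preview[user] = sorted(assigned)
    return preview


def users_in_sensitive_groups(preview, sensitive):
    """Users whose mapped Spectrum groups include one marked sensitive."""
    return sorted(u for u, groups in preview.items() if sensitive & set(groups))


def mappings_without_members(membership, mappings):
    """Mappings whose directory group has no member in the export."""
    populated = set().union(*membership.values())
    return [m for m in mappings if m[0] not in populated]
```

Reviewing the sensitive-group list and the memberless mappings before go-live catches directory groups that grant more Spectrum access than intended and mappings that point at a stale or misspelled directory group.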
Single Sign-On
Single Sign-On (SSO) enables users to sign in to Spectrum through a third-party authentication system, thereby bypassing the Spectrum sign-in page when connecting to a Spectrum environment.
Loftware Spectrum supports the following SSO protocols:
- Kerberos version 5
- Security Assertion Markup Language (SAML) V2.0
Kerberos can be used to provide Integrated Windows authentication.
SAML is an XML-based framework, and it can be used in both Windows and Linux environments. It is designed for online applications like Spectrum to share authentication information.
Users must be configured in Spectrum, and the user name must be the same as their IdP user name.
To configure Spectrum authentication, see the following topics: