# Authentication Overview

Authentication in MetalSoft is distinct from authorization, although the two are frequently configured together.

UI users can log in to MetalSoft using:

1. Built-in username & password
2. SAML compatible credentials
3. LDAP compatible credentials

API users can use the following methods to authenticate HTTP requests:

1. `Oauth2` with the API key.
2. `Authorization: Bearer ` header.
3. `Basic` authentication, with the username and password of a user.
4. `?verify=` HTTP query parameter, where the signature value is calculated as a HEX digest of the MD5 sum of the `body` with the API key as the key. (deprecated)

Consult the [following examples](https://github.com/metalsoft-io/scripts/tree/main/api-examples) and the [API documentation](https://us01.metalsoft.io/api/developer/developer#documents/3).

## The Role parameter

Permissions depend on the role that a user has. For built-in authentication, this role is configured on each user. For the LDAP and SAML authenticators, it is received along with the user after the login process, based on the groups the user belongs to. Consult the following examples on how to configure the role-to-group mapping:

1. [Configuring SAML authentication for OKTA](/content/configuration/users_and_permissions/configuring_saml_for_okta)
2. [Configuring LDAP authentication for Microsoft Authenticator](/content/configuration/users_and_permissions/configuring_ldap_for_microsoft_active_directory)

## The login flow

The login flow is a multi-stage process which depends on the configuration and on enabled/disabled features such as two-factor authentication. The following diagram details the process:

![](/assets/general/authentication_overview_02.svg)

Note that multiple auth methods can be active at the same time. They are matched against the **domain** of the email. For example, you could have `@metalsoft.io` users use the LDAP authentication and `@gmail.com` users use the built-in authentication.
The configured `default authentication mechanism` will be used if no other authentication method's domain matches. The same domain cannot be used for two different authenticator methods.

## 2Factor (MFA) authentication

MetalSoft supports two-factor authentication. Supported authentication mechanisms are Google Authenticator and Microsoft Authenticator. Two-factor authentication can be enabled for each individual user and is independent of the authentication method used. To enable 2FA, users can go to `Account settings` > `2FA Authenticator`.

Where to go from here:

1. [Configuring SAML authentication for OKTA](/content/configuration/users_and_permissions/configuring_saml_for_okta)
2. [Configuring LDAP authentication for Microsoft Authenticator](/content/configuration/users_and_permissions/configuring_ldap_for_microsoft_active_directory)
3. [Managing Users and Permissions](/content/configuration/users_and_permissions/managing_users_and_permissions)
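
The domain matching described under "The login flow" can be modelled as follows. This is an added example, not MetalSoft code: it checks a configuration for a domain claimed by two authenticators, then selects the authenticator for an email address with fallback to the default. The authenticator names, the case-insensitive comparison and the exact (non-suffix) domain match are assumptions made for illustration.

```python
"""Model of email-domain authenticator selection (illustrative, not MetalSoft code)."""


class AuthConfigError(ValueError):
    """Raised when the authenticator configuration is inconsistent."""


def build_domain_map(authenticators):
    """Map each domain to one authenticator; reject a domain claimed twice.

    authenticators: {authenticator_name: [domain, ...]} (hypothetical shape).
    """
    domain_map = {}
    for name, domains in authenticators.items():
        for raw in domains:
            # Accept "@metalsoft.io" or "metalsoft.io"; compare in lower case (assumption).
            domain = raw.strip().lstrip("@").lower()
            if not domain:
                raise AuthConfigError(f"{name}: empty domain")
            owner = domain_map.get(domain)
            if owner is not None and owner != name:
                raise AuthConfigError(
                    f"domain {domain!r} is claimed by both {owner!r} and {name!r}")
            domain_map[domain] = name
    return domain_map


def select_authenticator(email, domain_map, default):
    """Return the authenticator for an email: exact domain match, else the default."""
    # The domain is whatever follows the LAST '@' in the address.
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    # Exact match only (assumption): "metalsoft.io.example.org" is not "metalsoft.io".
    return domain_map.get(domain.lower(), default)


# Constructed sample configuration mirroring the example in the text.
AUTHENTICATORS = {"ldap": ["@metalsoft.io"], "built-in": ["@gmail.com"], "saml": []}
DOMAIN_MAP = build_domain_map(AUTHENTICATORS)
DEFAULT = "saml"  # stands in for the configured default authentication mechanism

if __name__ == "__main__":
    for addr in ("alice@metalsoft.io", "bob@GMAIL.com",
                 "carol@example.org", "dave@metalsoft.io.example.org"):
        print(addr, "->", select_authenticator(addr, DOMAIN_MAP, DEFAULT))
```
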