Authentication Overview

Authentication in MetalSoft is distinct from authorization, although the two are frequently configured together.

UI users can log in to MetalSoft using:

  1. Built-in username & password

  2. SAML compatible credentials

  3. LDAP compatible credentials

API users can use the following methods to authenticate HTTP requests:

  1. OAuth2 with the API key.

  2. Authorization: Bearer <API_Key> header.

  3. Basic authentication, with the username and password of a user.

  4. A ?verify=<user_id:signature> HTTP query parameter, where the signature value is the hex digest of an MD5 hash of the request body keyed with the API key. (deprecated)

Consult the following examples and the API documentation.
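The following Python snippet is an added example, not MetalSoft's own code, showing how a client would build the credential material for the API methods listed above and how a server would check the deprecated verify parameter. It assumes that the deprecated signature is an HMAC-MD5 hex digest of the raw request body keyed with the user's API key (the exact construction should be confirmed against the API documentation); the API key, user id and request body are constructed placeholder values.

```python
"""Building and checking MetalSoft-style API request credentials (added example)."""
import base64
import hashlib
import hmac
from typing import Callable, Dict, Optional
from urllib.parse import urlencode


def bearer_header(api_key: str) -> Dict[str, str]:
    """Authorization: Bearer <API_Key> header used by the OAuth2/Bearer methods."""
    return {"Authorization": f"Bearer {api_key}"}


def basic_header(username: str, password: str) -> Dict[str, str]:
    """HTTP Basic authentication header (RFC 7617): base64 of "username:password"."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def sign_body(api_key: str, body: bytes) -> str:
    """Hex digest of HMAC-MD5 over the body, keyed with the API key.

    Assumed construction of the deprecated ?verify= signature.
    """
    return hmac.new(api_key.encode("utf-8"), body, hashlib.md5).hexdigest()


def verify_query(user_id: int, api_key: str, body: bytes) -> str:
    """Deprecated ?verify=<user_id:signature> query string for a given request body."""
    return urlencode({"verify": f"{user_id}:{sign_body(api_key, body)}"})


def check_verify_param(param: str, body: bytes,
                       lookup_key: Callable[[int], Optional[str]]) -> bool:
    """Server-side check of a received verify parameter.

    lookup_key maps a user id to that user's API key, or None if the user is
    unknown. The signature comparison is constant-time, so the check does not
    leak how many characters of a guessed signature were correct.
    """
    user_part, sep, signature = param.partition(":")
    if not sep or not user_part.isdigit():
        return False
    try:
        bytes.fromhex(signature)          # reject anything that is not hex
    except ValueError:
        return False
    api_key = lookup_key(int(user_part))
    if api_key is None:
        return False
    expected = sign_body(api_key, body)
    return hmac.compare_digest(expected, signature.lower())


if __name__ == "__main__":
    # Constructed sample values; the key is a placeholder, not a real credential.
    key = "EXAMPLE_API_KEY_PLACEHOLDER"
    body = b'{"action":"list_servers"}'
    print(bearer_header(key))
    print(basic_header("alice", "example-password"))
    print(verify_query(42, key, body))
    received = f"42:{sign_body(key, body)}"
    print("verify ok:", check_verify_param(received, body, lambda uid: key if uid == 42 else None))
```

Because the verify signature covers only the body and uses MD5, prefer the Bearer or OAuth2 methods for new integrations; the server-side check is shown mainly so that any remaining use of the deprecated parameter validates the user id, hex format and signature before trusting the request.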

The Role parameter

Permissions depend on the role that a user has. For built-in authentication, this role is configured on each user. For the LDAP and SAML authenticators, the role is received together with the user after the login process, derived from the groups the user belongs to.

Consult the following examples for how to configure the role-to-group mapping:

  1. Configuring SAML authentication for OKTA

  2. Configuring LDAP authentication for Microsoft Authenticator

The login flow

The login flow is a multi-stage process that depends on the configuration and on enabled or disabled features such as two-factor authentication. The following diagram details the process:

Note that multiple authentication methods can be active at the same time. They are matched against the domain of the user's email address. For example, @metalsoft.io users could use LDAP authentication while @gmail.com users use the built-in authentication.

The configured default authentication mechanism is used if no other authentication method's domain matches. The same domain cannot be used for two different authenticator methods.
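As an added illustration of the matching rule above (not MetalSoft's code), the following Python class routes a login attempt to an authenticator by the exact domain of the email address, falls back to the configured default, and rejects a configuration that binds one domain to two methods. The authenticator names and the sample domain mapping are constructed.

```python
"""Selecting the authenticator for a login by email domain (added example)."""
from typing import Dict


class AuthenticatorConfigError(ValueError):
    """Raised when a domain would be bound to more than one authenticator."""


class AuthenticatorRouter:
    def __init__(self, default_method: str):
        self.default_method = default_method
        self._by_domain: Dict[str, str] = {}

    def add(self, domain: str, method: str) -> None:
        """Bind a domain (with or without a leading '@') to one authenticator."""
        d = domain.strip().lstrip("@").lower()   # domains are case-insensitive
        if not d:
            raise ValueError("empty domain")
        if d in self._by_domain:
            raise AuthenticatorConfigError(
                f"domain {d!r} is already bound to {self._by_domain[d]!r}")
        self._by_domain[d] = method

    def select(self, email: str) -> str:
        """Return the authenticator for an email address, or the default."""
        local, sep, domain = email.strip().rpartition("@")
        if not sep or not local or not domain:
            raise ValueError(f"not an email address: {email!r}")
        # Exact domain match only: a subdomain of a configured domain is not
        # matched and therefore falls through to the default method.
        return self._by_domain.get(domain.lower(), self.default_method)


def build_sample_router() -> AuthenticatorRouter:
    """Constructed sample configuration mirroring the text's example."""
    router = AuthenticatorRouter(default_method="saml")
    router.add("@metalsoft.io", "ldap")
    router.add("gmail.com", "builtin")
    return router


if __name__ == "__main__":
    r = build_sample_router()
    for addr in ("alice@MetalSoft.io", "bob@gmail.com", "carol@example.org"):
        print(addr, "->", r.select(addr))
    try:
        r.add("metalsoft.io", "builtin")
    except AuthenticatorConfigError as exc:
        print("rejected:", exc)
```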

Two-factor (MFA) authentication

MetalSoft supports two-factor authentication. The supported authenticator apps are Google Authenticator and Microsoft Authenticator.

It can be enabled for each individual user and is independent of the authentication method used. To enable 2FA, users can go to Account settings > 2FA Authenticator.

Where to go from here:

  1. Configuring SAML authentication for OKTA

  2. Configuring LDAP authentication for Microsoft Authenticator

  3. Managing Users and Permissions