Authentication Overview
Authentication in MetalSoft is distinct from authorization, although the two are frequently configured together.
UI users can log in to MetalSoft using:
Built-in username & password
SAML compatible credentials
LDAP compatible credentials
API users can use the following methods to authenticate HTTP requests:
OAuth2 with the API key: the Authorization: Bearer <API_Key> header.
Basic authentication, with the username and password of a user.
The ?verify=<user_id:signature> HTTP query param, where the signature value is calculated as a HEX digest of the MD5 sum of the body with the API key as the key. (deprecated)
Consult the following examples and the API documentation.
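As an added illustration that is not part of the MetalSoft documentation, the helper below builds the three request-authentication forms listed above and shows the server-side check for the deprecated verify parameter. It assumes the deprecated signature is HMAC-MD5 over the request body (the text only says "with the API key as the key"); the API key, user id, key store and body are constructed sample values.

```python
import base64
import hashlib
import hmac
from typing import Callable, Dict, Optional

# Constructed sample credentials for the demo (not real MetalSoft values).
SAMPLE_API_KEY = "example-api-key-0123456789"
SAMPLE_KEYS = {"42": SAMPLE_API_KEY}  # user_id -> API key, stands in for a key store


def bearer_header(api_key: str) -> Dict[str, str]:
    """OAuth2 method: the API key is sent as a bearer token."""
    return {"Authorization": f"Bearer {api_key}"}


def basic_header(username: str, password: str) -> Dict[str, str]:
    """Basic authentication with a user's username and password."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def body_signature(api_key: str, body: bytes) -> str:
    """Deprecated scheme: hex digest of the MD5 sum of the body keyed with the
    API key. Read here as HMAC-MD5 (an assumption; the docs do not spell out
    the construction). Only the body is covered: method, path and time are not."""
    return hmac.new(api_key.encode(), body, hashlib.md5).hexdigest()


def verify_param(user_id: str, api_key: str, body: bytes) -> str:
    """Value for the deprecated ?verify=<user_id:signature> query parameter."""
    return f"{user_id}:{body_signature(api_key, body)}"


def check_verify_param(param: str, body: bytes,
                       lookup_key: Callable[[str], Optional[str]]) -> bool:
    """Server-side check of a received verify parameter: recompute the
    signature from the stored API key and compare it in constant time."""
    user_id, sep, received = param.partition(":")
    if not sep or not user_id or len(received) != 32:
        return False
    api_key = lookup_key(user_id)
    if api_key is None:
        return False
    expected = body_signature(api_key, body)
    return hmac.compare_digest(expected, received.lower())


if __name__ == "__main__":
    body = b'{"server_type_id": 1}'  # constructed sample request body
    print(bearer_header(SAMPLE_API_KEY))
    print(basic_header("alice", "s3cret"))
    param = verify_param("42", SAMPLE_API_KEY, body)
    print(param, check_verify_param(param, body, SAMPLE_KEYS.get))
```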
The Role parameter
Permissions depend on the role that a user has. For built-in authentication, this role is configured on each user. For the LDAP and SAML authenticators it is received along with the user after the login process, based on the groups the user is a member of.
Consult the examples for how to configure the role-to-group mapping.
The login flow
The login flow is a multi-stage process which depends on the configuration and on enabled or disabled features such as two factor authentication. The following diagram details the process:
Note that multiple auth methods can be active at the same time. They are matched against the domain of the email. For example, you could have @metalsoft.io users use the LDAP authentication and @gmail.com users use the built-in authentication.
The configured default authentication mechanism will be used if no other authentication method's domain matches. The same domain cannot be used for two different authenticator methods.
2Factor (MFA) authentication
MetalSoft supports two factor authentication. Supported authenticator apps are Google Authenticator and Microsoft Authenticator.
It can be enabled for each individual user and is independent of the authentication method used. To enable 2FA, users can go to Account settings > 2FA Authenticator.