How to configure your login & LDAP/SSO options? - LabCollector


LabCollector offers various setup options. It is ready to use (insofar as is possible), and its configuration can be easily managed by the super-admin to meet your specific laboratory requirements. In the following Knowledge Base article, we show you how to set up your login options and how to configure LDAP/AD and Single Sign On (SSO) authentication.

To access your LDAP/AD and SSO options, simply go to ADMIN -> OTHER -> SETUP -> Login options:

  • You will see the following features under the login options tab:

    • A: Password protect Access for browsing purposes option:
      • YES: you define total login protection.
      • NO: you indicate a semi-open system in which data browsing and search are unrestricted.
      • The administration is always password protected.
      • You can also force internet browsers to not save login and password information.
    • B: Block user accounts after 3 failed login attempts option:
      • YES: if a user enters the wrong password three times, their account will be blocked and the super-administrator will be required to unlock it. You can also choose to have an alert sent to the super-administrator when a user is blocked.
      • NO: the password can be entered as many times as you want.
    • C: Password Encryption mode:
      • You can choose between three password encryption modes: (1) legacy (old one), (2) SHA-256 or (3) SHA-256 + strong rules.
      • (1) With legacy mode, you can only use the following characters: 0..9, a..z, A..Z and % . : / | _ - &
      • (2) and (3) With the two SHA-256 modes, all characters are available, and a double password confirmation is requested for the super-administrator and for new users.
      • (3) With SHA-256 + strong rules, the super-administrator gives a temporary password to the user. During the first login, the new user has to change this password following the strong rules.
      • “Strong rules” means that the password must contain:
        • at least 8 characters
        • at least 1 lowercase letter
        • at least 1 uppercase letter
        • at least 1 digit
        • at least 1 special character
Be Careful note
This change cannot be reversed. ALL passwords will be converted.
    • D: Session timeout:
      • You can choose to either “lock” the screen or “logout” from the LabCollector session.
      • You can choose after how many minutes of inactivity the session is locked or logged out.
    • E: Enable 2 factor authentication?
      2FA is an extra layer of security used to make sure that people trying to gain access to an online account are who they say they are. First, a user enters their username and password. Then, instead of immediately gaining access, they are required to provide a verification code.
      • You can set the expiry delay so that the verification code is requested either each time you try to log in, every day, every week or every month.
      • You can also choose to receive the verification code via email or via email + SMS.
    • F: Enable Captcha?
      • CAPTCHAs are tools you can use to differentiate between real users and automated users, such as bots. CAPTCHAs provide challenges that are difficult for computers to perform but relatively easy for humans.
      • You can set the number of characters to either 4, 6 or 8, and you can also choose whether or not you want to include letters in the verification code.
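The login options above (the legacy character set under C, the five “strong rules”, and the lockout after three failed attempts under B) can be expressed as a small policy module. The following is an added example written for this article, not LabCollector's own code: the credential check is a caller-supplied callable (here a constructed one-user lookup), the legacy character set assumes the dash in the list above is an ordinary hyphen, and the alert is recorded in a list rather than sent by e-mail.

```python
import re
import string

# Characters the page lists as permitted in "legacy" encryption mode
# (assumption: the dash shown in the article is a plain hyphen).
LEGACY_ALLOWED = set(string.ascii_letters + string.digits + "%.:/|_-&")


def legacy_mode_accepts(password):
    """True if every character of the password is in the legacy character set."""
    return bool(password) and all(c in LEGACY_ALLOWED for c in password)


def strong_rule_violations(password):
    """Return the list of 'strong rules' the password breaks (empty list = compliant)."""
    rules = [
        ("at least 8 characters", len(password) >= 8),
        ("at least 1 lowercase", re.search(r"[a-z]", password) is not None),
        ("at least 1 uppercase", re.search(r"[A-Z]", password) is not None),
        ("at least 1 digit", re.search(r"[0-9]", password) is not None),
        ("at least 1 special character", re.search(r"[^A-Za-z0-9]", password) is not None),
    ]
    return [name for name, ok in rules if not ok]


class LoginGate:
    """Per-account failed-attempt counter: block after MAX_FAILURES, unblock only by admin."""

    MAX_FAILURES = 3

    def __init__(self, verify, alert_super_admin=True):
        self._verify = verify          # callable(username, password) -> bool (assumed credential store)
        self._failures = {}            # username -> consecutive failed attempts
        self._blocked = set()
        self._alert = alert_super_admin
        self.alerts = []               # messages that would be mailed to the super-administrator

    def attempt(self, username, password):
        """Return 'ok', 'failed' or 'blocked'. A blocked account stays blocked even with the right password."""
        if username in self._blocked:
            return "blocked"
        if self._verify(username, password):
            self._failures.pop(username, None)   # success resets the counter
            return "ok"
        n = self._failures.get(username, 0) + 1
        self._failures[username] = n
        if n >= self.MAX_FAILURES:
            self._blocked.add(username)
            if self._alert:
                self.alerts.append(f"account {username!r} blocked after {n} failed logins")
            return "blocked"
        return "failed"

    def unblock(self, username):
        """Super-administrator action: clear the block and the counter."""
        self._blocked.discard(username)
        self._failures.pop(username, None)


# Constructed sample credential store for a stand-alone run.
def _demo_verify(username, password):
    return (username, password) == ("alice", "Str0ng!pw")


if __name__ == "__main__":
    gate = LoginGate(_demo_verify)
    for pw in ("x", "y", "z", "Str0ng!pw"):
        print(pw, "->", gate.attempt("alice", pw))
    print(gate.alerts)
    print(strong_rule_violations("short"))
```

The gate reports "blocked" for a correct password once the limit is reached, which is exactly the behaviour the YES setting describes: only an explicit `unblock` by the super-administrator restores access.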


  • You will see the following options under LDAP/AD:
Note
Lightweight Directory Access Protocol (LDAP) is for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
Active Directory (AD) is a Microsoft product that consists of several services that run on Windows Server to manage permissions and access to networked resources. AD is the directory service database that stores the organizational data, policies, authentication information, etc., whereas LDAP is the protocol used to talk to the directory service database.


LabCollector allows you to use your LDAP or AD network for users. It works with the standard LDAP protocol and only needs the LDAP server and domain.

Be Careful note
If you use an LDAP system, you will not have to enter passwords in users’ profiles, as those are managed on the LDAP/AD server.


Users and Staff LDAP/AD can be directly imported: ADMIN -> USERS & STAFF -> IMPORT FROM LDAP & AD


    • A: You can choose whether to use the LDAP/AD function.
    • B: You can choose the function you want: LDAP or AD.
    • C: For the LDAP server you enter the URL, a string that encapsulates the address and port of a directory server.
    • D: Here you can put the LDAP domain, using a specific domain separator or a custom DN (Distinguished Name, which uniquely identifies an entry in the directory). The LDAP server has its own LDAP domain in the SMC. One LDAP domain can be selected as the default LDAP domain so that users can leave out this information when they authenticate.
    • E: Here you can put the LDAP attributes for the user name & email ID.
    • F: You can select to activate Single Sign On (SSO) authentication for the users. (Single sign-on is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems.)
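Options C, D and E above amount to three pieces of configuration: a server URL, a rule for turning a typed login name into the name presented to the directory (domain + separator, or a custom DN), and the attribute names that supply LabCollector's user name and e-mail. The example below, added for this article and not LabCollector's own code, implements those three pieces with the Python standard library only; the `{user}` placeholder in the DN template, the attribute names and the directory entry are constructed for the illustration, and no connection to a real server is made.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_url(url):
    """Split an LDAP server URL (option C) into scheme, host and port; ldaps implies TLS."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {parts.scheme!r}: expected ldap or ldaps")
    if not parts.hostname:
        raise ValueError("LDAP URL has no host")
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "tls": parts.scheme == "ldaps",
    }


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 special characters)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def bind_name(username, *, domain=None, separator="@", dn_template=None):
    """Build the name presented to the server for the user's bind (option D).

    Either a domain with a separator (user@domain, or DOMAIN\\user when the
    separator is a backslash) or a custom DN template containing {user}
    (assumed placeholder syntax for this example).
    """
    if dn_template is not None:
        if "{user}" not in dn_template:
            raise ValueError("DN template must contain {user}")
        return dn_template.replace("{user}", escape_dn_value(username))
    if domain is None:
        raise ValueError("either domain or dn_template is required")
    if separator == "\\":
        return f"{domain}\\{username}"
    return f"{username}{separator}{domain}"


def map_user(entry, username_attr, email_attr):
    """Pick LabCollector's user name and e-mail from a directory entry (option E)."""
    missing = [a for a in (username_attr, email_attr) if a not in entry]
    if missing:
        raise KeyError(f"directory entry lacks configured attribute(s): {missing}")
    return {"username": entry[username_attr], "email": entry[email_attr]}


# Constructed sample entry, as a directory search might return it.
SAMPLE_ENTRY = {"sAMAccountName": "jdoe", "mail": "jdoe@example.org", "cn": "Jane Doe"}

if __name__ == "__main__":
    print(parse_ldap_url("ldaps://ldap.example.org"))
    print(bind_name("jdoe", domain="EXAMPLE", separator="\\"))
    print(bind_name("Doe, Jane", dn_template="cn={user},ou=people,dc=example,dc=org"))
    print(map_user(SAMPLE_ENTRY, "sAMAccountName", "mail"))
```

The DN escaping matters for the custom-DN case: a user name containing a comma or a leading hash would otherwise change the structure of the DN that is sent to the directory.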
Note

Single Sign On Authentication: This allows your lab to use SAML (Security Assertion Markup Language) authentication for signing in. SAML provides a single point of authentication, which happens at a secure identity provider. SAML uses secure tokens which are digitally signed and encrypted messages with authentication and authorization data. These tokens are passed from an identity provider to LabCollector with an established trust relationship. As in the case of LDAP, passwords (except for that of the super administrator) are managed outside of LabCollector.


    • G: You can put the label here. A label is the name of the company or corporation that the user will log in to.
    • H: Here you can put the identity provider details. Identity providers can facilitate connections between cloud computing resources and users, thus decreasing the need for users to re-authenticate when using mobile and roaming applications. Here you add the Entity ID, the SSO and single logout services and the public key. (A public key is a way to authenticate yourself instead of using a password.)
    • I: Certificate options allow you to insert a public-private key pair. You can also create self-signed certificates and keys.
    • J: Security of your URL: whether it is encrypted or signed.
    • K: You can set the algorithm to either SHA-1 (the default) or SHA-256.
    • L: Encoding: whether it is in uppercase or lowercase.
    • M: NameID format: persistent or unspecified. This defines the name identifier formats supported by the identity provider.
    • N: You can choose to request an authentication context. An authentication context permits the augmentation of assertions with additional information pertaining to the authentication of the Principal at the Identity Provider. Put simply, it lets you require a particular kind of authentication, for example multifactor authentication.
Tips/hints
You can also get the Service Provider metadata by clicking the link at the end of the form; it provides information such as the EntityID, the Endpoints (Attribute Consume Service Endpoint, Single Logout Service Endpoint), the public X.509 cert, the NameId Format, Organization info, Contact info, etc.
    • O: You can choose whether or not you want to force SSL.
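The SSO settings above (Entity ID and endpoints under H, the certificate under I, the SHA-1/SHA-256 choice under K, the NameID format under M, the requested authentication context under N, and the Service Provider metadata mentioned in the tip) all correspond to concrete elements of SAML 2.0 messages. The example below, added for this article and not LabCollector's own code, builds SP metadata and an AuthnRequest with the standard library, reads the metadata back, and checks whether a signed document from the identity provider uses the algorithm selected under K. The URLs, the certificate body and the signed response fragment are constructed placeholders; nothing here performs actual XML signing or verification, which needs an XML-DSig library.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Option K: the XML-DSig algorithm identifiers behind the SHA-1 / SHA-256 choice.
SIG_ALG = {
    "SHA-1": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "SHA-256": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
}
# Option M: NameID format identifiers.
NAMEID = {
    "persistent": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "unspecified": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
PASSWORD_PROTECTED = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def q(prefix, tag):
    """Clark-notation tag name for ElementTree."""
    return f"{{{NS[prefix]}}}{tag}"


def sp_metadata(entity_id, acs_url, slo_url, cert_body, nameid="persistent"):
    """Service Provider metadata: EntityID, signing cert, SLO and ACS endpoints, NameIDFormat."""
    root = ET.Element(q("md", "EntityDescriptor"), entityID=entity_id)
    sp = ET.SubElement(root, q("md", "SPSSODescriptor"),
                       protocolSupportEnumeration=NS["samlp"],
                       AuthnRequestsSigned="true", WantAssertionsSigned="true")
    kd = ET.SubElement(sp, q("md", "KeyDescriptor"), use="signing")
    x509 = ET.SubElement(ET.SubElement(kd, q("ds", "KeyInfo")), q("ds", "X509Data"))
    ET.SubElement(x509, q("ds", "X509Certificate")).text = cert_body
    ET.SubElement(sp, q("md", "SingleLogoutService"), Binding=BINDING_REDIRECT, Location=slo_url)
    ET.SubElement(sp, q("md", "NameIDFormat")).text = NAMEID[nameid]
    ET.SubElement(sp, q("md", "AssertionConsumerService"), Binding=BINDING_POST,
                  Location=acs_url, index="0", isDefault="true")
    return ET.tostring(root, encoding="unicode")


def metadata_summary(xml_text):
    """Read the fields the tip above lists back out of SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    return {
        "entity_id": root.get("entityID"),
        "acs": sp.find("md:AssertionConsumerService", NS).get("Location"),
        "slo": sp.find("md:SingleLogoutService", NS).get("Location"),
        "nameid_format": sp.findtext("md:NameIDFormat", namespaces=NS),
        "cert": sp.findtext("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS),
    }


def authn_request(sp_entity_id, acs_url, idp_sso_url, nameid="persistent",
                  request_authn_context=True, authn_class=PASSWORD_PROTECTED):
    """AuthnRequest sent to the IdP SSO endpoint; option N adds RequestedAuthnContext."""
    root = ET.Element(q("samlp", "AuthnRequest"), ID="_" + secrets.token_hex(16), Version="2.0",
                      IssueInstant=datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
                      Destination=idp_sso_url, AssertionConsumerServiceURL=acs_url,
                      ProtocolBinding=BINDING_POST)
    ET.SubElement(root, q("saml", "Issuer")).text = sp_entity_id
    ET.SubElement(root, q("samlp", "NameIDPolicy"), Format=NAMEID[nameid], AllowCreate="true")
    if request_authn_context:
        rac = ET.SubElement(root, q("samlp", "RequestedAuthnContext"), Comparison="exact")
        ET.SubElement(rac, q("saml", "AuthnContextClassRef")).text = authn_class
    return ET.tostring(root, encoding="unicode")


def authn_request_summary(xml_text):
    """Extract issuer, destination and requested authentication context from an AuthnRequest."""
    root = ET.fromstring(xml_text)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "destination": root.get("Destination"),
        "version": root.get("Version"),
        "authn_context": root.findtext("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", namespaces=NS),
    }


def signature_method_matches(signed_xml, option):
    """True if every ds:SignatureMethod in a signed IdP document uses the algorithm chosen under K."""
    methods = [e.get("Algorithm") for e in ET.fromstring(signed_xml).iter(q("ds", "SignatureMethod"))]
    return bool(methods) and all(m == SIG_ALG[option] for m in methods)


# Constructed fragment of a signed IdP response (no real signature value).
SAMPLE_SIGNED_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:SignedInfo>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
    '</ds:SignedInfo></ds:Signature></samlp:Response>'
)

if __name__ == "__main__":
    base = "https://labcollector.example.org"   # placeholder SP URL
    print(metadata_summary(sp_metadata(base + "/sp", base + "/acs", base + "/slo", "MIIC...placeholder")))
    print(authn_request_summary(authn_request(base + "/sp", base + "/acs", "https://idp.example.org/sso")))
    print(signature_method_matches(SAMPLE_SIGNED_RESPONSE, "SHA-256"))
```

Checking the `SignatureMethod` against the configured option is the part a defender cares about: if the identity provider is configured for SHA-256 but its responses arrive signed with `rsa-sha1`, the mismatch should be rejected rather than silently accepted.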