User authentication in MC

The MC provides authentication options that integrate the MC with your existing corporate authentication workflows. By default, the MC provides local authentication, which stores all user information in the MC. The MC integrates with Keycloak so you can configure federated or identity provider (IDP) authentication with the MC SUPER administrator account.

Local authentication

Local user authentication is the default authentication method and does not require additional steps after you install and configure the MC. Local user information is stored on an internal database on the MC web server.

You can edit or reset local user passwords in the following locations:

• Email Gateway.
• MC Settings > Change Password.
• In the user account menu in the toolbar, select Change Password.

Federated server authentication

Federated servers store your organization's user credentials in a single location so you can authenticate user identities across one or more applications. The MC integrates with Keycloak to support LDAP and LDAPS federated server configurations.

The MC can access only usernames in federated servers for authentication purposes—it cannot modify any other federated user information. To edit or reset a user password, contact your organization's federated server administrator.

For additional details about how LDAP and LDAPS federated services work with Vertica and the MC, see LDAP authentication.

Add SSL/TLS certificate

If you authenticate users with LDAPS or StartTLS, you must upload a certificate to the MC to encrypt communications between the MC and the server. If you do not upload a valid certificate, the MC cannot verify the connection:

1. Log in to the Management Console, then go to MC Settings > SSL/TLS Certificates.
2. In the Manage Authentication Certificates section, select Add New Certificate.
3. Browse your filesystem and upload your certificate.
4. Restart the MC.

After the MC restarts, the new certificate takes effect.

Set up a federated server

This section provides guidance about how to connect the MC to a federated server for MC user authentication. Only the MC SUPER administrator can configure an MC and federated server integration.

The steps to configure a federated server for MC user authentication vary by organization. Refer to the following sources for comprehensive documentation about integrating federated servers:

• LDAP documentation for protocol details.
• Keycloak documentation for details about configuring Keycloak.

The following steps connect the MC and an OpenLDAP federated server:

1. Log in to the Management Console, then go to MC Settings > User Federation. You are prompted to add an SSL/TLS certificate. OpenLDAP does not requie a certificate, so ignore the prompt and continue.

   The User Federation screen opens in a new tab.

2. On the User Federation screen, select ldap from the Add provider... dropdown list.

   The Add user federation provider screen displays.

3. In Required Settings, enter or select information for the following fields:

   • Console Display Name: Enter a name for the federated server. This value is listed in the grid on the User Federation screen.

   • Priority: Enter 0 to indicate the highest priority.

   • Edit Mode: Select READ_ONLY.

   • Vendor: Active Directory is populated in this field.

   • Username LDAP attribute: Enter cn=inetOrgPerson.

   • RDN LDAP attribute: Enter cn=inetOrgPerson.

   • UUID LDAP attribute: Enter cn=inetOrgPerson.

   • User Object Classes: Enter inetOrgPerson.

   • Connection URL: For LDAP, use port 389. For example, ldap://10.20.30.40:389.

     Note

     Like LDAP, StartTLS uses port 389. For LDAPS, use port 636. For example, ldaps://10.20.30.40:636.

   • Users DN: A distinguished name (DN) consists of two DC components. For example, dc=example,dc=com.

   • Bind Type: If the LDAP server supports anonymous binding, select none.

     Otherwise, select simple. This setting makes the Bind DN field available. In Bind DN, enter the administrator's DN and password.

4. Select Save.

The federated server is listed in the grid on the User Federation screen. When you add a new user in MC, the new user is authenticated to each MC session with credentials stored in the federated server.

For details on adding a federated user, see User administration in MC.

Identity provider (IDP) authentication

You can authenticate users with an IDP service. The MC integrates with Keycloak to configure IDP services and supports the following identity protocols and social IDPs:

• SAML v2.0
• OpenID Connect v1.0
• Keycloak OpenID Connect
• Various social providers, including GitHub, Facebook, and Google.

The MC can access only usernames from IDP servers for authentication purposes—it cannot modify any IDP user information. To edit or reset a user password, you must log into your IDP server and edit the information.

The steps to configure an IDP for MC user authentication vary depending on the IDP service. Refer to the Keycloak IDP documentation for comprehensive details about integrating identity providers.

Integrate MC and Azure AD IDP

The following sections explain how to configure IDP authentication with Microsoft Azure AD OpenID Connect (OIDC). This requires that you register an application in Azure, and then add that application as an IDP in the MC. For comprehensive documentation about creating an app in Azure, see the Microsoft Azure documentation.

Register the app

First, you must create your application in Microsoft Azure:

1. Log in to the Azure portal.

2. In the search bar, enter Azure Active Directory and open it.

3. In the + Add menu at the top, select App registration from the dropdown list.

4. Complete the fields on Register an application. For details about each field, see the Microsoft Azure documentation.

5. Select Register.

   Your new application's Overview page displays.

Next, create the client secret. This secret authenticates your Azure app to the MC:

1. In the menu on the left, select Certificates & secrets.

2. On the Client secrets tab, select + New client secret.

3. In Add a client secret, enter a description, and choose an expiration date.

4. Select Add.

   The new secret is listed in the Client secrets tab.

5. Copy the secret listed in the Value column, and store it in a secure location for later use.

   Important

   This secret is available to copy when you generate it. If you lose this value or need to copy it during a later session, you must delete the existing secret and generate a new one.

Next, add optional claims to your token configuration:

1. In the left-hand menu, select Token configuration.

2. Select + Add optional claim to open the Add optional claim pane to the right.

3. In the Add optional claim pane, select ID as the Token type, and then select the following boxes:

   • email
   • given_name
   • family_name
   • upn

4. Select Add.

   A pop-up displays and asks you about API permissions.

5. In the pop-up, select the checkbox and select Add. The claims are listed on the Token configuration page.

Next, retrieve the client ID and application endpoint:

1. Select Overview from the left-hand menu.

2. In the Essentials section, copy the Application (client) ID.

   Save the Application (client) ID in a secure location for later use.

3. At the top of the screen, select the Endpoints tab to display the application's available endpoints.

4. Copy the value in OpenID Connect metadata document.

   Save this endpoint in a secure location.

Add Azure AD IDP to the MC

This section requires the following information from the Azure AD app:

• Client secret Value
• Application (client) ID
• OpenID Connect metadata document endpoint

Only the MC SUPER administrator can add Azure AD as an IDP in the MC:

1. Log in to the Management Console, then go to MC Settings > Identity Providers.

   The Identity Providers screen opens in a new tab.

2. Select OpenID Connect v1.0 from the Add provider... list.

   The Add identity provider screen displays.

3. In the top section, add or select the following:

   • Alias: (Optional) Edit this field to distinguish this IDP from others that you might integrate with the MC.
   • Display Name: Enter Azure AD. This is the name that displays on the IDP login button after you complete configuration.
   • Trust Email: Toggle to On.
   • First Login Flow: Select auto_detect so that the MC can detect the new user in the IDP during the first user login.

4. In the OpenID Connect Config section, select or add the following:

   • Client Authentication: Select Client secret sent as post.
   • Client ID: Add the Azure AD Application (client) ID that you saved from the previous section.
   • Client Secret: Add the Azure AD Client secret Value that you saved from the previous section.
   • In Default Scopes, enter openid profile email.

5. Go to the Import External IDP Config section. In Import from URL, add the OpenID Connect metadata document endpoint that you saved from the previous section.

6. Select Import.

   MC imports the Azure application configuration and populates the URL fields.

7. Select Save.

8. Copy the value in Redirect URI and store it in a secure location for later use. You must add this URI in Azure.

Complete configuration

This section requires the Redirect URI value from Add the IDP to MC. Return to Azure, and complete the MC registration:

1. Log in to the Azure portal.

2. In the search bar, enter App registrations and go to your application's overview page.

3. Select Authentication in the left menu.

4. In Platform configurations, select Add a platform.

5. Select Web, then add the Redirect URI value from the MC.

   For details about additional Redirect URI options and your Azure AD application, see the Microsoft Azure documentation.

6. Select Configure.

After you complete the configuration, the MC SUPER administrator can add MC user accounts with user identities from Azure AD. Before each user can log in to the MC, they must accept the Microsoft Azure app permissions request.

Accept permissions request

After the MC SUPER administrator adds an Azure AD IDP user to the MC, the user must accept the Microsoft Azure permissions request to view the MC and access its data before they can log in to the MC:

1. On the MC login screen, select the Azure AD option at the bottom of the Sign in to your account section.

   Note

   The Azure AD option displays the Display Name value that you entered in Add Azure AD IDP to the MC.
2. Enter your Azure credentials for your organization's Azure AD.
3. When Microsoft requests permissions, select Accept to grant Azure AD access to the MC.

After you accept the permissions request, the user is authenticated to each MC session with Azure AD credentials.