EQuIS Enterprise Authentication Methods

EQuIS Enterprise supports the following authentication scenarios through the Login Screen:

1. Forms / Cookie Based Authentication (aka, Basic Authentication) – The user enters her/his username and password into the Login Screen.

2. Microsoft Azure Active Directory – When configured appropriately (see the Azure Active Directory for User Authentication article), the Login Screen includes a button (i.e., “Sign in with Microsoft”) to initiate authentication with any Azure Active Directory (AAD) domain. The EQuIS user account (ST_USER.USER_NAME and/or ST_USER.EMAIL_ADDRESS) must exactly match the email address provided by Azure Active Directory in the id_token. EQuIS validates the id_token against the signing keys of the provider.

3. OpenID Connect – When configured appropriately (see the OpenID configuration article), the Login Screen includes a button (i.e., “Sign in with OpenID”) to initiate authentication with the configured identity provider via OpenID Connect (see https://openid.net/connect/). The EQuIS user account (ST_USER.USER_NAME and/or ST_USER.EMAIL_ADDRESS) must exactly match the email address provided by the identity provider in the id_token. EQuIS validates the id_token against the signing keys of the provider.
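The two checks described in items 2 and 3 (signature validation against the provider's key, then an exact match of the email claim), as an added Python illustration that is not EQuIS code. Assumptions: the RSA key is a constructed toy key, `st_user_rows` is a hypothetical in-memory stand-in for ST_USER, and "exactly match" is read as plain string equality.

```python
import base64, hashlib, json

# Constructed toy RSA key (two Mersenne primes) standing in for a provider's
# signing key; real providers publish their public keys as a JWKS document.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, only used to build sample tokens
K = (N.bit_length() + 7) // 8      # modulus length in bytes
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encoded_message(signing_input):
    # EMSA-PKCS1-v1_5 encoding of SHA-256(signing_input), as used by RS256
    t = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def make_sample_token(claims):
    # Plays the identity provider: signs a constructed id_token with the toy key
    head = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    em = int.from_bytes(encoded_message(f"{head}.{body}".encode()), "big")
    return f"{head}.{body}.{b64url(pow(em, D, N).to_bytes(K, 'big'))}"

def verified_claims(token, n=N, e=E):
    """Return the claims only if the RS256 signature verifies, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "RS256":
            return None  # reject "none" and any algorithm the token picks itself
        s = int.from_bytes(b64url_decode(sig), "big")
        expected = encoded_message(f"{head}.{body}".encode())
        if s >= n or pow(s, e, n).to_bytes(K, "big") != expected:
            return None
        claims = json.loads(b64url_decode(body))
        return claims if isinstance(claims, dict) else None
    except (ValueError, TypeError, AttributeError):
        return None

def match_user(token, st_user_rows):
    """Exact string match of the email claim on USER_NAME or EMAIL_ADDRESS."""
    email = (verified_claims(token) or {}).get("email")
    if not isinstance(email, str):
        return None
    hits = [r for r in st_user_rows if email in (r["USER_NAME"], r["EMAIL_ADDRESS"])]
    # Example's own choice: an ambiguous match is refused rather than guessed
    return hits[0]["USER_NAME"] if len(hits) == 1 else None
```

With plain string equality, a claim that differs from the stored value only in letter case does not match, so account provisioning has to store the address exactly as the provider emits it.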

 

EQuIS Enterprise supports the following authentication scenarios independently of the Login Screen. These scenarios appear to "just work" from the user's perspective. When users visit EQuIS Enterprise, they are automatically logged in.

1. LDAP/NTLM or Windows Authentication – EarthSoft clients hosting EQuIS Enterprise on-premise may opt to configure EQuIS Enterprise to accept Windows authentication via LDAP (RFC 4511) or NTLM. In this scenario, EQuIS assumes that IIS has already completed the authentication and matches a record in the ST_USER table to that user. See LDAP Authentication.

2. SAML-based SSO Authentication – EarthSoft clients may also opt to configure EQuIS Enterprise to use SAML Single Sign On (SSO) authentication. See SAML-based Single Sign On.

 

Note: Regardless of which authentication mechanism is used, the end user’s web browser must allow cookies. Upon successful authentication, a secure cookie is used to authenticate the user throughout the session.

 

The EQuIS Enterprise REST API also supports the following authentication method:

Bearer JWT Token Authentication – EQuIS issues JWT tokens from the REST API route api/tokens. A control in the Security tab of the User Profile Editor provides a simple user interface to this REST controller. Perform bearer authentication by adding an HTTP request header like the following.

  Authorization: bearer eyJaqlkRlslLBa562slkqovqevpoija2dvn20ribn30inv0indokod31j4b2ficokwcnklnij2igj==