Specifying Authentication Options

A customer recently asked us to assist in resolving an issue with authentication for some of their users.  This sparked some discussion among members of our Technical Support Team as to whether most customers know where the authentication properties required for access to Passwordstate can be set.

The end result is this blog entry, a reminder of where authentication properties can be set and of any specific limitations or conditions that apply to those areas.  For the purpose of this blog entry we’re using an AD Integrated instance of Passwordstate.  If you’re using Forms-Based Authentication, some of the screens may look slightly different.

Global Authentication Options

The first area where authentication options are set controls the settings for all users.  This is typically referred to as the Global or System Wide authentication options and is accessed from Administration->System Settings->authentication options.

As stated on that screen, the default System Wide authentication option for Passwordstate is ‘Passthrough AD Authentication’, which requires no additional input from the user.

If you wish to change this, simply select the option of your choice from the Choose Authentication Option drop down list.  This will change the default authentication option for all Passwordstate users.  The screen also provides additional settings used with Manual AD, AD Integrated and Forms Based authentication, as well as settings for other options, including popular ones such as SAML, Yubikey and Duo.

Authentication Options for Specific User Groups

Next, you can set specific authentication options for groups of users through User Account Policies.  This is done by creating a User Account Policy, specifying an authentication option and assigning that policy to a group of users.  To create a User Account Policy, navigate to Administration->User Account Policies and click on Add to create a policy.

Give the User Account Policy a name and description, and choose an authentication option at Setting ID A6.

In line with Click Studios Best Practices, we recommend that if you have ‘Passthrough AD Authentication’ selected as your System Wide setting, you don’t apply an additional Two-factor Authentication option to all users.  It will frustrate your users and defeat the purpose of implementing Single Sign-On to Passwordstate.  You should instead look at applying an additional 2FA option for users that need access to highly privileged or sensitive accounts.  It is recommended that you do this via Security Groups and not by supplying individual usernames.

Once you’ve selected the authentication options and any other settings you want to apply, click on Save and then using the Actions icon next to your new policy, click on Apply Policy to Users.  An example of applying Google Authenticator in addition to Manual AD Authentication / Passthrough AD Authentication can be found here.

User Preferences – Authentication Options

Passwordstate allows users to set a number of preferences.  One of the ‘preference sets’ that can be individually configured on a per user basis is authentication options.  This allows each user to specify which Authentication Option they wish to use when accessing Passwordstate, and which additional authentication options they want for accessing their Password Lists.  To set their own individual settings, users need to navigate to Preferences->Preferences->authentication options.

From this screen they can choose an Authentication Option as well as configure specific settings for multiple authentication options for 2FA.  You should note, however, that the options that appear here can be hidden or overridden by:

  • An active User Account Policy that applies to the user, with Setting ID A6 set to ‘Use the System Wide Authentication Settings’,
  • Specific Authentication Options that have been selected to be hidden under Administration->System Settings->authentication options->Hide the following Authentication Options on User’s Preferences screen.

Additional Authentication Required for IP Ranges

Lastly, you can select different authentication options based on the IP address range that access to Passwordstate is initiated from.

This is especially useful when your System Administrators need access from non-trusted IP ranges, such as needing to access Passwordstate from an externally initiated VPN or when accessing from an Internet connection. 

To configure authentication options specific to unregistered IP ranges, navigate to Administration->System Settings->allowed ip ranges->Web Site Allowed IP Ranges and specify the IP ranges that are allowed access to Passwordstate.  Then, under the setting ‘If the Passwordstate web site is accessed outside of one of the IP Ranges listed above, force the user to authenticate using the following method:’, choose an authentication option.  If that authentication option requires any settings, you can enter those details on the Administration->System Settings->authentication options screen.
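
Before entering a range list, it helps to check which source addresses would fall outside it and be forced to the stronger method. The sketch below is an added planning aid, not Click Studios code and not a Passwordstate API: the CIDR notation, the sample ranges and addresses, the `min_prefix` threshold and the `OUTSIDE_METHOD` label are all assumptions made for the example.

```python
import ipaddress

# Constructed planning data; ranges are written as CIDR for this example only.
TRUSTED_RANGES = ["10.20.0.0/16", "192.168.50.0/24"]
INSIDE_METHOD = "Passthrough AD Authentication"   # system-wide default named on the page
OUTSIDE_METHOD = "AD authentication + 2FA"        # illustrative label, not a product option name

def parse_ranges(ranges):
    """Parse every entry strictly so a typo (host bits set, bad mask) raises ValueError."""
    return [ipaddress.ip_network(r, strict=True) for r in ranges]

def overly_broad(networks, min_prefix=8):
    """Ranges so wide that almost nothing counts as 'outside' (threshold is an assumption)."""
    return [str(n) for n in networks if n.prefixlen < min_prefix]

def method_for(source_ip, networks):
    """Method this plan applies to a connection from source_ip."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return OUTSIDE_METHOD  # unparseable source is treated as untrusted in this model
    inside = any(addr.version == n.version and addr in n for n in networks)
    return INSIDE_METHOD if inside else OUTSIDE_METHOD

def review_plan(sources, ranges=TRUSTED_RANGES):
    """Map each labelled test address to the method it would be asked for."""
    networks = parse_ranges(ranges)
    return {label: method_for(ip, networks) for label, ip in sources.items()}

# Constructed test addresses (203.0.113.0/24 is a documentation range).
SAMPLE_SOURCES = {
    "office workstation": "10.20.14.7",
    "admin over external VPN": "172.16.99.5",
    "internet connection": "203.0.113.40",
}

if __name__ == "__main__":
    print("too broad:", overly_broad(parse_ranges(TRUSTED_RANGES)))
    for label, method in review_plan(SAMPLE_SOURCES).items():
        print(f"{label:26} -> {method}")
```

A VPN address pool that lands inside a trusted range shows up here as receiving the default method, which is the case to catch before the ranges go live.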

We hope this helps you understand all the areas within Passwordstate where authentication options can be set.  If you have any feedback, we’d love to hear it via support@clickstudios.com.au.