Configure Login, Authentication, and Inactivity Settings for the Portal and Browser Client

By default, the CSM Web Applications (CSM Browser Client and Customer Portal) use the same login mode and authentication settings as those configured for the Desktop Client; however, Users can define different settings if needed.

To configure login, authentication, and inactivity settings for the CSM Browser Client and Customer Portal:

  1. In CSM Administrator, select Security > Edit security settings.
  2. Select Browser Client or Browser Portal.
  3. Clear the Use Same Settings as Desktop Client check box.
  4. In the Supported login modes section, select the login modes that you want to support:
    Note: Users can enable multiple login modes so that if one authentication fails or the User/Customer cancels the process, the next configured login method is invoked (SAML, then external authentication server, then LDAP, then Windows, then Internal). Options that have not been configured might not appear in the system.
    Note: When using a secure login configuration (SAML, LDAP, or Windows), Cherwell strongly recommends that you activate the RedirectHttpToHttps flag in the CSM Portal and CSM Browser Client web.config files for better security. The flag forces requests sent over the HTTP protocol to use HTTPS instead.
    • Internal: Allows CSM authentication. CSM authenticates the CSM Login ID and Password defined in the CSM Administrator User Profile (Security > Edit Users) or Customer Credentials (Customer > Portal Settings).
      Note: To use internal login credentials on a default domain, Users must type CHERWELL\ in front of the user name (example: CHERWELL\Bob) in order to be able to log in. For more information, refer to Define the Default Domain and Anonymous Login Settings.
    • LDAP: Allows Directory Service authentication. CSM authenticates login credentials using a Directory Service such as LDAP or Active Directory. Depending on configuration, User/Customer data can be imported based on LDAP data. For more information, refer to Configuring the Integration with Directory Services.
    • SAML: Allows Security Assertion Markup Language (SAML) authentication. For more information, refer to the SAML documentation.
    • Windows: Allows Windows Authentication. CSM authenticates the Windows login credentials if set in the CSM Administrator User Profile (Security > Edit Users) or Customer Credentials (Customer > Portal Settings). For more information about Windows Authentication, refer to the Windows Login documentation.
  5. Configure general login options:
    1. Validate Windows/LDAP credentials on server: If this check box is not selected, Windows credentials are validated on the client, which is not as secure unless you have full control of your network. If selected, the system cannot automatically log in the User/Customer without asking (that is, the person will have to type their credentials) but it is much more secure. For this feature to work, the server must have access to the Windows Domain or LDAP server.
      Note: For best results, configure your server to use encrypted communication before enabling this feature so that credentials are not passed to the server in a potentially sniffable format.
    2. Allow logging of authentication code (for troubleshooting): Select this check box to enable logging of authentication calls in order to troubleshoot configuration (example: When configuring LDAP setup). Then, use the Server Manager to enable logging in the CSM Portal and CSM Browser Client.
  6. Configure external authentication server option:
    Note: This option makes use of the Cherwell Authentication Server, which must be installed on your network such that it has access to your domain and is also callable by the Cherwell Application Server. This option is distinct from SAML, although it shares some concepts.
    1. Validate credentials via external authentication server: Select this check box to validate User/Customer credentials against an external authentication server.
    2. Require user to enter credentials: Select this check box to require Users/Customers to enter their credentials each time they log in.
      Note: If this check box is not selected, and Users/Customers are on the same domain as the Cherwell Authentication Server, then the User's/Customer's current Windows credentials are used to determine the person's identity. Otherwise, the User/Customer must enter their Windows domain/user ID and password in the login window.
    3. Authentication server Uniform Resource Identifier (URI): Specify the URI (location) of the external authentication server.
      Note: Both Client applications and the Cherwell Application Server must have access to this URI.
  7. Select OK.
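
One way to confirm that the RedirectHttpToHttps recommendation in step 4 is applied in both web.config files is shown below. This is an added example, not Cherwell's code. It assumes the flag is an `<add key="RedirectHttpToHttps" value="true" />` entry under `<appSettings>`, which this page does not show, and the sample XML is constructed.

```python
# Added example: audit web.config files for the RedirectHttpToHttps flag.
# ASSUMPTION: the flag is an <add key="RedirectHttpToHttps" value="..."/> entry
# under <appSettings>; the page names the flag but does not show its syntax.
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

FLAG = "RedirectHttpToHttps"

# Constructed sample files (not from a real installation).
SAMPLE_PORTAL = """<configuration>
  <appSettings>
    <add key="RedirectHttpToHttps" value="true" />
  </appSettings>
</configuration>"""
SAMPLE_BROWSER = SAMPLE_PORTAL.replace('value="true"', 'value="false"')


def flag_state(config_xml):
    """Classify one web.config (str or bytes): enabled/disabled/missing/unparseable."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return "unparseable"
    values = [
        (add.get("value") or "").strip().lower()
        for add in root.findall(".//appSettings/add")
        if (add.get("key") or "").lower() == FLAG.lower()
    ]
    if not values:
        return "missing"  # flag absent: the redirect cannot be assumed to be on
    # Conservative: a duplicate entry that is not "true" counts as disabled.
    return "enabled" if all(v == "true" for v in values) else "disabled"


def audit(configs):
    """Map each label (file path or sample name) to its flag state."""
    return {name: flag_state(xml) for name, xml in configs.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # paths to the Portal and Browser Client web.config
        configs = {p: Path(p).read_bytes() for p in sys.argv[1:]}
    else:
        configs = {"portal (sample)": SAMPLE_PORTAL, "browser (sample)": SAMPLE_BROWSER}
    results = audit(configs)
    for name, state in results.items():
        print(f"{state:12} {name}")
    sys.exit(0 if all(s == "enabled" for s in results.values()) else 1)
```

Run it with the paths to both web.config files as arguments; a non-zero exit code means at least one file does not have the flag enabled.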