CSM 10.2.2 Documentation


Configure Login, Authentication, and Inactivity Settings for the CSM Portal and CSM Browser Client

By default, the CSM Web Applications (Browser Client and CSM Portal) use the same login mode and authentication settings as those configured for the Desktop Client; however, users can define different settings if needed.

To configure login, authentication, and inactivity settings for the Browser Client and CSM Portal:

  1. In CSM Administrator, select Security > Edit security settings.
  2. Select Browser Client or Browser Portal.
  3. Clear the Use Same Settings as Desktop Client check box.
  4. In the Supported login modes section, select the login modes that you want to support:
    Note: Users can enable multiple login modes so that if one authentication fails or the user/customer cancels the process, the next configured login method is invoked (SAML, then external authentication server, then LDAP, then Windows, then Internal). Options that have not been configured might not appear in the system.
    Note: When using a secure login configuration (SAML, LDAP, or Windows), we strongly recommend that you activate the RedirectHttpToHttps flag in the CSM Portal and Browser Client web.config files for better security. The flag forces requests sent over the HTTP protocol to use HTTPS instead.
    • Internal: Allows CSM authentication. CSM authenticates the CSM Login ID and Password defined in the CSM Administrator User Profile (Security > Edit Users) or Customer Credentials (Customer > Portal Settings).
      Note: To use internal login credentials on a default domain, users must type CHERWELL\ in front of the user name (example: CHERWELL\Bob) in order to be able to log in. For more information, refer to Define the Default Domain and Anonymous Login Settings.
    • LDAP: Allows Directory Service authentication. CSM authenticates login credentials using a Directory Service such as LDAP or Active Directory. Depending on configuration, user/customer data can be imported based on LDAP data. For more information, refer to Configuring the Integration with Directory Services.
    • SAML: Allows Security Assertion Markup Language (SAML) authentication. For more information, refer to the SAML documentation.
    • Windows: Allows Windows Authentication. CSM authenticates the Windows login credentials if set in the CSM Administrator User Profile (Security > Edit Users) or Customer Credentials (Customer > Portal Settings). For more information about Windows Authentication, refer to the Windows Login documentation.
  5. Configure general login options:
    1. Validate Windows/LDAP credentials on server: If this check box is not selected, Windows credentials are validated on the client, which is not as secure unless you have full control of your network. If selected, the system cannot automatically log in the user/customer without asking (that is, the person will have to type their credentials) but it is much more secure. For this feature to work, the server must have access to the Windows Domain or LDAP server.
      Note: For best results, configure your server to use encrypted communication before enabling this feature so that credentials are not passed to the server in a potentially sniffable format.
    2. Allow logging of authentication code (for troubleshooting): Select this check box to enable logging of authentication calls in order to troubleshoot configuration (example: when configuring LDAP setup). Then, use the Server Manager to enable logging in the CSM Portal and Browser Client.
  6. Configure external authentication server option:
    Note: This option makes use of the Cherwell Authentication Server, which must be installed on your network such that it has access to your domain and is also callable by the Cherwell Application Server. This option is distinct from SAML, although it shares some concepts.
    1. Validate credentials via external authentication server: Select this check box to validate user/customer credentials against an external authentication server.
    2. Require user to enter credentials: Select this check box to require users/customers to enter their credentials each time they log in.
    3. Authentication server Uniform Resource Identifier (URI): Specify the URI (location) of the external authentication server.
      Note: Both Client applications and the Cherwell Application Server must have access to this URL.
  7. Select OK.
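
The note in step 4 recommends activating the RedirectHttpToHttps flag in both the CSM Portal and Browser Client web.config files. The following is an added example (not part of the product or its documentation) that reports the flag's state for each file. It assumes the flag is stored as an appSettings `<add key="..." value="..."/>` entry, and the sample file contents are constructed.

```python
import xml.etree.ElementTree as ET

FLAG = "RedirectHttpToHttps"  # flag name taken from the note in step 4

# Constructed sample web.config contents. The appSettings layout is an
# assumption; compare it with your own web.config files before relying on it.
PORTAL_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="RedirectHttpToHttps" value="true" />
  </appSettings>
</configuration>"""

BROWSER_CLIENT_CONFIG = """<configuration>
  <appSettings>
    <add key="RedirectHttpToHttps" value="false" />
  </appSettings>
</configuration>"""

NO_FLAG_CONFIG = "<configuration><appSettings /></configuration>"


def flag_state(config_xml):
    """Return 'enabled', 'disabled', 'missing' or 'unparseable' for the flag."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return "unparseable"
    values = [
        (add.get("value") or "").strip().lower()
        for add in root.findall("./appSettings/add")
        if (add.get("key") or "").lower() == FLAG.lower()
    ]
    if not values:
        return "missing"
    # With duplicate keys, count the flag as enabled only if every entry is true.
    return "enabled" if all(v == "true" for v in values) else "disabled"


def audit(configs):
    """Return (state per application, sorted names whose flag is not enabled)."""
    states = {name: flag_state(xml) for name, xml in configs.items()}
    return states, sorted(n for n, s in states.items() if s != "enabled")


if __name__ == "__main__":
    states, to_fix = audit({"CSM Portal": PORTAL_CONFIG,
                            "Browser Client": BROWSER_CLIENT_CONFIG})
    for name, state in states.items():
        print(f"{name}: {FLAG} is {state}")
    print("Needs attention:", ", ".join(to_fix) or "none")
```

To check a live installation, pass the text of each application's web.config to audit() in place of the constructed samples.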
