Authentication Methods
CSM provides four methods for authenticating users: internal, LDAP/Active Directory, Security Assertion Markup Language (SAML), and Windows authentication.
You can enable multiple login modes so that if one authentication fails or the user/customer cancels the process, the next configured login method is invoked (example: SAML, then external authentication server, then Windows, then LDAP, then Internal). Not all of these options will necessarily be configured in your system.
Depending on which authentication methods you have enabled, which client you are using, where you have CSM installed, and where your authentication is implemented, you may be able to use pass-through authentication or single sign-on (SSO) when authenticating in CSM.
LDAP, Windows, and SAML authentication can be implemented as client-side or server-side authentication, meaning that the authentication request can be configured to come from either the client or the server. In general, client-side authentication is easier to use, but server-side authentication is more secure.
- Internal
CSM authenticates using the login ID and password that is defined in either CSM Administrator or CSM Desktop Client.
- In the CSM Administrator User Profile, select to edit users' credentials.
- In the Desktop Client, first select , select a customer, and then select to edit customers' credentials.
- Important: If Internal authentication is disabled, any services that are configured to use an internal account for authentication will be disabled.
Note: Users may need to type CHERWELL\ in front of the user name (example: CHERWELL\Bob). For more information, see Define the Default Domain and Anonymous Login Settings.
- LDAP/Active Directory
CSM authenticates login credentials stored in an LDAP directory service such as Active Directory. Depending on configuration, user/customer data can be imported based on LDAP data.
- Client-side LDAP authentication allows both SSO and pass-through authentication. Server-side LDAP authentication allows SSO, but not pass-through authentication.
- For installations in which the LDAP service is on a different network from the CSM server, LDAP authentication requires the use of a Trusted Agent. This will be the case for all SaaS environments.
- SAML
CSM authenticates using SAML. SAML authentication can be service provider initiated or identity provider initiated, and it allows both SSO and pass-through authentication.
- Since SAML is web-based, it does not require a Trusted Agent as long as the identity provider is reachable by the CSM client via the Internet.
- Windows
CSM authenticates using Windows login credentials. Usernames must be manually defined in CSM Administrator, but passwords are defined by Windows credentials.
- In on-premises, exclusively Windows environments, client-side Windows authentication allows both SSO and pass-through authentication. Server-side Windows authentication allows SSO, but not pass-through authentication.
- In SaaS environments, client-side Windows authentication allows both SSO and pass-through authentication in the Desktop Client. In the CSM Browser Client, SSO is possible, but not pass-through authentication. Server-side Windows authentication is not possible in SaaS environments.
- For installations in which the CSM server is not in the customer's network domain, Windows authentication requires the use of a Trusted Agent. This will be the case for all SaaS environments.