Each time a user logs into the system, the user is authenticated. Authentication of a user's credentials means that the system identifies the user and gives her/him permission to access the system according to the configuration of the user. The system supports multiple methods of user authentication. Each method uses a specific authentication principle:

Form-based: the user has to provide the username and password in a form each time they try to access the system
Federated: user credentials are held with a third-party identity provider (IdP) and not within the system, and a token is provided to the system to validate. It is used to provide the single-sign-on capability for the system.

Authentication Type	Authentication Principle	Description
Database Credentials	Form-based	Database Credentials authenticates the user with a user name and password that is maintained in the system database. The password hashes are managed securely in the database. When the Database Credentials authentication method is used, password and account locking policies are also managed within the system. For more information, see Password and user lockout policy
Windows Active Directory (LDAP)	Form-based	The Windows Active Directory (LDAP) uses a simple bind authentication process. The user is identified by the Active Directory and the proof of identity comes in the form of a password. When a more secure method is required, Secure LDAP (SLDAP) can be used. To configure this authentication mode, see Identity provider - Active Directory.
Windows Active Directory Federation Service (ADFS)	Federated	Windows Active Directory Federation Service (ADFS) authentication is an OpenID Connect (OIDC) based authentication method. OIDC is an authentication method where the user's credentials are held with a third-party identity provider (ADFS) and not within the system. The system verifies the user's identity based on a simple JSON- based identity token which is delivered on top of the OAuth protocol. To configure this authentication mode, see Identity provider - Active Directory Federation Services.
Microsoft Entra ID (formerly Azure Active Directory)	Federated	Microsoft Entra ID (formerly Azure Active Directory) authentication is an OpenID Connect (OIDC) based authentication method. OIDC is an authentication method where the user's credentials are held with a third-party identity provider (Microsoft Entra ID) and not within the system. The system verifies the user's identity based on a simple JSON- based identity token which is delivered on top of the OAuth protocol. To configure this authentication mode, see Identity provider - Microsoft Entra ID (formerly Azure Active Directory).
Integrated Windows Authentication (IWA)	Federated	Integrated Windows Authentication (IWA) allows users, once they have signed in to Windows, to automatically log in to the system. Password verification takes place during Windows sign in. Upon success, a Kerberos ticket is generated. When the user is authenticated by the system the Kerberos ticket is validated. To configure this authentication mode, see Identity provider - Integrated Windows Authentication.
JSON Web Token (JWT)	Federated	The system can be integrated with customer applications via JSON Web Token (JWT) based authentication to provide a seamless single sign on login experience. Authentication and password verification takes place during signing in to the client application. The system verifies the user's identity based on the information presented in the JWT. To configure this authentication mode, see Identity provider - JSON Web Token.
Reverse Proxy	Federated	Reverse proxy based authentication allows users, once they have authenticated with an authentication server through the proxy, to automatically log in to the system. The system verifies the user's identity based on the information presented in the request from the proxy. To configure this authentication mode, see Identity provider - Reverse proxy.
OpenID Connect	Federated	OpenID Connect is an open standard identity layer on top of the OAuth 2.0 protocol, it allows third-party applications to verify the identity of the end-user and to obtain basic user profile information. The Verba system only utilizes the Login ID of the authenticated user. Verba supports the Authorization Code Flow. To configure this authentication mode, see Identity provider - OpenID Connect.
SAML	Federated	Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. To configure this authentication mode, see Identity provider - SAML.

The authentication process is implemented in the Web Application component installed on the Media Repository / Application Server role.

The system allows configuring multiple identity providers in a single system (or in a tenant in case of multi-tenant deployment). For a user to log into the system, must have at least one of the identity providers enabled. Identity providers are configured through the roles/permissions for the users.

By default, all roles have the Database Credentials and Integrated Windows Authentication options are enabled. System administrators can add new identity providers and change the default settings by updating the role configuration.

Login process

Depending on the configured IdPs for the users, the login screens and the login process might be different for users.

When multiple IdPs are enabled in the system, the system provides a 2-step authentication process. In the first step, the system identifies the user. In the second step, the system offers all configured authentication options. If there is only one IdP enabled, the system automatically skips the first step.

The following image shows the 2-step authentication in case of Azure AD and Database Credentials IdPs are both enabled.

Configuring identity providers

See the following article to configure identity providers and assign them to users: Identity providers.