Each time a user logs into the system, the user is authenticated. Authenticating a user's credentials means that the system identifies the user and grants access according to that user's configuration. The system supports multiple methods of user authentication, each based on a specific authentication principle:
Form-based: the user must enter a username and password in a form each time they try to access the system.
Federated: user credentials are held with a third-party identity provider (IdP), not within the system, and a token is presented to the system for validation. It is used to provide the single sign-on capability for the system.
Database Credentials authenticates the user with a username and password that are maintained in the system database. The password hashes are managed securely in the database. When the Database Credentials authentication method is used, password and account locking policies are also managed within the system.
Windows Active Directory (LDAP) authentication uses a simple bind process: the user is identified by Active Directory, and the proof of identity is a password. Because a simple bind sends the password over the connection, Secure LDAP (SLDAP) can be used when a more secure method is required.
Windows Active Directory Federation Service (ADFS)
Windows Active Directory Federation Service (ADFS) authentication is an OpenID Connect (OIDC) based authentication method. OIDC is an authentication method where the user's credentials are held with a third-party identity provider (ADFS) and not within the system. The system verifies the user's identity based on a simple JSON-based identity token which is delivered on top of the OAuth protocol.
Microsoft Entra ID (formerly Azure Active Directory) authentication is an OpenID Connect (OIDC) based authentication method. OIDC is an authentication method where the user's credentials are held with a third-party identity provider (Microsoft Entra ID) and not within the system. The system verifies the user's identity based on a simple JSON-based identity token which is delivered on top of the OAuth protocol.
Integrated Windows Authentication (IWA) allows users, once they have signed in to Windows, to log in to the system automatically. Password verification takes place during the Windows sign-in. Upon success, a Kerberos ticket is generated, and when the user authenticates to the system, that Kerberos ticket is validated.
The system can be integrated with customer applications via JSON Web Token (JWT) based authentication to provide a seamless single sign-on login experience. Authentication and password verification take place when the user signs in to the client application. The system verifies the user's identity based on the information presented in the JWT.
Reverse proxy based authentication allows users, once they have authenticated with an authentication server through the proxy, to automatically log in to the system. The system verifies the user's identity based on the information presented in the request from the proxy.
OpenID Connect is an open standard identity layer on top of the OAuth 2.0 protocol. It allows third-party applications to verify the identity of the end user and to obtain basic user profile information. The Verba system only utilizes the Login ID of the authenticated user. Verba supports the Authorization Code Flow.
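The checks a relying party performs on the JSON-based identity token in the OIDC and JWT-based modes described above, as an added Python example that is not Verba's own code: the issuer, audience, login-ID claim name and the shared HMAC secret are assumptions made for this example, and the token it validates is constructed inline.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed values for this example only, not Verba's real configuration.
EXPECTED_ISSUER = "https://idp.example.test/adfs"
EXPECTED_AUDIENCE = "verba-web-app"
LOGIN_ID_CLAIM = "preferred_username"  # assumed claim carrying the Login ID
# Real IdPs sign ID tokens with an asymmetric key (RS256) published via JWKS;
# a shared HMAC secret stands in here so the example runs offline.
SHARED_SECRET = b"example-shared-secret"


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_id_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Build a constructed HS256 ID token so the validator has input to check."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_id_token(token: str, now=None):
    """Return the Login ID when alg, signature, iss, aud and exp all check out, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never honour "none"
            return None
        expected = hmac.new(SHARED_SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # payload is untrusted until the signature verifies
        claims = json.loads(_b64url_decode(body_b64))
    except (ValueError, TypeError, AttributeError):
        return None
    if claims.get("iss") != EXPECTED_ISSUER:
        return None
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims.get(LOGIN_ID_CLAIM)
```

Only the Login ID claim is returned, mirroring the statement that the system uses nothing else from the authenticated user's token.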
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.
To configure this authentication mode, see Identity provider - SAML.
The authentication process is implemented in the Web Application component installed on the Media Repository / Application Server role.
The system allows configuring multiple identity providers in a single system (or in a tenant in the case of a multi-tenant deployment). For a user to log into the system, the user must have at least one identity provider enabled. Identity providers are configured through the roles/permissions assigned to the users.
By default, all roles have the Database Credentials and Integrated Windows Authentication options enabled. System administrators can add new identity providers and change the default settings by updating the role configuration.
Depending on the configured IdPs for the users, the login screens and the login process might be different for users.
When multiple IdPs are enabled in the system, the system provides a 2-step authentication process. In the first step, the system identifies the user. In the second step, the system offers all configured authentication options. If there is only one IdP enabled, the system automatically skips the first step.
The following image shows the 2-step authentication when the Azure AD and Database Credentials IdPs are both enabled.
Configuring identity providers
See the following article to configure identity providers and assign them to users: Identity providers.