Authentication Modes

Access through the Admin Console

Location: Users & Groups > Settings Menu > Authentication Modes Menu

Overview

You can change users' login options to include alternate methods to authenticate their login information via third parties. All enabled authentication modes will show up as a list of icons on the login page. There is a set of default additional authentication modes available on the Authentication Modes page, but you can also create new authentication modes to add to the list. The social media authentication options (Facebook, LinkedIn, and Twitter) require an additional configuration step: you must navigate to Plugins > API Connections and fill out the required fields.

Enable or Disable Authentication Modes

  1. The Authentication Mode page has a table with two columns as follows:
    a. The first column lists the names of the third-party authentication modes.
    b. The second column displays the details about the modes.
  2. Select the third-party authentication mode to open up the details about the mode.
  3. In the top right corner of each Authentication Mode, there is a button to either ENABLE or DISABLE a mode.

Change the Authentication Mode List

You can edit, create or delete any authentication mode to control how your users log in to your AnswerHub site.

Edit an Authentication Mode

Each Authentication mode has the following configurable fields:

  • Consumer Endpoint: Enter the consumer endpoint in this text field.
  • Header Text: Enter the header text in this text field.
  • Registration Link: Enter the registration link in this text field.
  • Mode: Select from the list of modes; the drop-down will display direct, endpointForm, usernameAndPasswordForm, and social.
  • Position: Select from the list of positions; leftTop, leftMiddle, leftBottom, rightTop, rightMiddle, and rightBottom.
  • Featured: Select true or false to change whether the system features the mode in the community UI.
  • Registration Enabled: [need to find out what this does].
  • Weight: [need to test what this does...probably the order horizontally for the list of the enabled authentication modes].
  • Large Image URL: Enter the large image URL in this text field.
  • Small Image URL: Enter the small image URL in this text field.

Create a New Authentication Mode

  1. Click the CREATE NEW AUTHENTICATION MODE button.
  2. The "New Authentication Mode" modal window will appear with several text fields. You need to fill out the ID, Name, Large Image URL, Small Image URL, Consumer Endpoint, Mode, and Position fields as follows:
    a. ID: Enter an ID as a string.
    b. Name: Enter a user name as a string.
    c. Large Image URL: Copy in the image address; example, https://www.google.com/favicon.icon.
    d. Small Image URL: Copy in the image address; example, https://www.google.com/favicon.icon.
    Scroll in the modal window to see the following fields:
    e. Consumer Endpoint: %s
    f. Mode: Select from the default list provided: direct, endpointForm, social, usernameAndPasswordForm.
    g. Position: Select from the default list provided: leftTop, rightBottom, rightMiddle, leftBottom, leftMiddle, rightTop.

Delete Authentication Modes

To delete an authentication mode, select the specific authentication mode you would like to delete and then select the trashcan icon in the upper right-hand corner of the authentication panel.

Password Management

This menu will show up in the admin console if you enable the Password Management plugin in the disabled plugins list (Plugins > Manage Plugins > Disabled Plugins tab).

Access from the Admin Console

Location: Users & Groups > Settings > Password Management Menu

Overview

From this page, you can configure the requirements for the creation and management of a user's password.

Configuring a User's Password

The following are the configurable text fields and checkboxes:

  • Days Before Expiration text field: Numeric value expected.
  • Days of Grace text field: Numeric value expected.
  • Password Length text field: Numeric value expected.
  • Should Contain Letters checkbox: Select if you want to require letters.
  • Should Contain Numbers checkbox: Select if you want to require numbers.
  • Should Contain Special Char checkbox: Select if you want to require special characters.
  • Should Contain Upper Case Letters: Select if you want to require upper case letters.

[Cookie] SSO Authentication

This menu will show up in the admin console if you enable the Cookie SSO Auth Plugin in the disabled plugins list (Plugins > Manage Plugins > Disabled Plugins tab).

Access from the Admin Console

Location: Users & Groups > Settings > SSO Authentication

Overview

This plugin allows users to use single sign-on for any of the created and enabled authentication methods. Once you enable the plugin, you can navigate to the SSO Authentication menu and configure the provider, cookie handling, user info service, the welcome email and user matching using the username and email.

SSO Configuration Options

Obtain all the configuration and documentation information from your SSO cookie provider before you start. This will make the configuration process easier. If your login workflow involves using a Remote User Info Service, you need to obtain the service documentation as well.

Provider Tab

Filling in the provider's specific endpoints in this tab is the first step.

In the Provider tab, you can configure the following text fields and checkboxes:

  1. Login URL text field: Enter the URL of the site that will supply the SSO cookie. This URL must include several required elements.
    • Here is an example of a login URL:
      http://myssocookieprovider.com/login.html?loginRedirect=http://answers.myssocookieprovider.com/users/login.html
    • The individual elements of the URL are:
      - myssocookieprovider.com: This is the web address of the site providing the SSO cookie. The login handler on this website should be able to redirect users to remote sites. Otherwise, once the user logs in, they will need to manually return to their AnswerHub website.
      - loginRedirect: This is the redirect parameter name for the login handler. You must obtain the exact name of this parameter, "loginRedirect" in our example, from the administrator of the site providing the SSO cookie.
        NOTE: Make sure your SSO cookie provider keeps the redirect parameter throughout the entire login process, including failed login attempts, and redirects the user to the specified URL when successful.
      - answers.myssocookieprovider.com: This is the URL of the website where the user will get redirected upon successful login. This is the DNS name for the AnswerHub instance, which MUST be a subdomain of the site providing the SSO cookie. In this example, answers is the subdomain of myssocookieprovider.com.
        NOTE: Make sure your SSO cookie provider makes cookies available to all subdomains.
  2. Logout URL text field: Enter the URL to call when the user logs out. This logout handler should ideally remove or invalidate the authorization cookie so that AnswerHub will know that the user has logged out of the SSO cookie provider site.
  3. Unauthorized URL text field: Enter the URL of a static page that tells users when they are not authorized to perform a specified activity. If you leave this option blank, the system will use the default AnswerHub unauthorized page.
  4. Override Registration URL checkbox: Check this box to override registration URLs throughout AnswerHub ("sign up" on the login page, for example) and replace them with a redirect to another site, most likely the SSO cookie provider site's login page.
    Upon checking the box, the system will provide you with a text field where you can enter the link to which you wish to redirect.
  5. Delegate Cookie Deletion to Provider checkbox:
    • Check this box if you are confident that your cookie provider will completely clean up all your cookie information.
    • Uncheck the box if you would like the Cookie SSO Plugin to clean up all the cookie information.
  6. Provider Domain text field: Specify the Provider Domain used to set the cookie. The Cookie SSO Plugin will clean up all cookies that it can access on the specified domain.
    This is used mostly for clients who don’t have a Logout URL or have an incomplete implementation of a Logout URL that does not clean up all cookies.
  7. Redirect to Remote Logout Site When Cookie is Wiped checkbox:
    • Check this box to prevent users who have cleared their cookies from remaining logged in on the SSO cookie provider site.
    • Clearing cookies will log users out of AnswerHub, but you must enable this option to direct users to the SSO cookie provider site (specifically the Logout URL entered above) to log out. Without the redirect, users may remain logged in on the SSO cookie provider site, depending on the site's dependency on the cookie.
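
A pre-deployment check for the Login URL described above, as an added example that is not AnswerHub code: it confirms the redirect parameter is present exactly once and that its target is a subdomain of the provider domain, matched on a label boundary so a lookalike host does not pass. The function names, the HTTPS findings and the lookalike URL are assumptions added here.

```python
from urllib.parse import urlsplit, parse_qs

def is_subdomain(host, parent):
    """True only for a strict subdomain, matched on a label boundary."""
    host, parent = host.lower().rstrip("."), parent.lower().rstrip(".")
    return bool(parent) and host.endswith("." + parent)

def check_login_url(login_url, redirect_param, provider_domain):
    """Return a list of findings for a Login URL; an empty list means none."""
    findings = []
    url = urlsplit(login_url)
    if url.scheme != "https":
        # Added check: the SSO cookie would otherwise cross the network in clear text
        findings.append("login URL is not HTTPS")
    host = (url.hostname or "").lower()
    if host != provider_domain.lower() and not is_subdomain(host, provider_domain):
        findings.append("login URL host is outside the provider domain")
    targets = parse_qs(url.query).get(redirect_param, [])
    if len(targets) != 1:
        findings.append(f"expected one {redirect_param!r} parameter, found {len(targets)}")
        return findings
    target = urlsplit(targets[0])
    if target.scheme != "https":
        findings.append("redirect target is not HTTPS")
    # urlsplit().hostname ignores any userinfo part, so "a.provider.com@other" is judged by "other"
    if not is_subdomain(target.hostname or "", provider_domain):
        findings.append("redirect target is not a subdomain of the provider domain")
    return findings

# The example Login URL from this page
PAGE_EXAMPLE = ("http://myssocookieprovider.com/login.html"
                "?loginRedirect=http://answers.myssocookieprovider.com/users/login.html")
# Constructed input: the provider name appears in the host, but the registered domain differs
LOOKALIKE = ("https://myssocookieprovider.com/login.html"
             "?loginRedirect=https://answers.myssocookieprovider.com.example.net/users/login.html")

if __name__ == "__main__":
    for sample in (PAGE_EXAMPLE, LOOKALIKE):
        print(check_login_url(sample, "loginRedirect", "myssocookieprovider.com"))
```
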

Cookie Handling Tab

The Cookie Handling tab specifies how the plugin should extract and treat the content of the cookie. Whether the cookie contains user information or values used to execute a further request to a remote service, you can map and save them here.

In the Cookie Handling tab, you can configure the following text fields, drop-downs, and checkboxes:

  1. Cookie Name text field: Enter a name for your cookie.
  2. Encoding drop-down: Select the appropriate option from the drop-down if you want to URL-decode the content of the cookie. Check with your cookie provider to see if the content of the cookie is URL-encoded.
  3. Encrypted checkbox: Check this box if your cookie SSO provider is setting an encrypted cookie. You need to obtain the following encryption information from your cookie SSO provider:
    a. Encryption Algorithm: The AnswerHub Cookie SSO Plugin currently supports two encryption algorithms: AES and RSA.
    b. AES Decryption Key Initial Vector: For AES encryption, the plugin supports a Static Initialization Vector (IV) or a Dynamic Initialization Vector (IV). For Static IV, you need to supply the Decryption Key Initial Vector, supplied by your cookie SSO provider. If your provider doesn't supply the Decryption Key Initial Vector, the system assumes Dynamic IV.
    c. Key to Decrypt the Cookie: This key is a file you need to obtain from the cookie provider and upload to the plugin.
  4. Enable Cookie Values Mapping checkbox: Check this box if you would like to specify the value mappings for your cookie. If you don’t, the whole content of the cookie will map to a single descriptor named after the cookie. If you decide to map the values, the Cookie SSO Plugin supports parsing for several cookie representations: plain, JSON, and XML.
  • Here is an example of the contents of a cookie, shown in all three formats:
    - Plain:
    123 | true | John | Smith | [email protected] (no named values)
    id=123 ; manager=true ; first_name=John ; last_name=Smith ; email=[email protected] (named values)
    - JSON:
    {"id":123, "manager":true, "first_name":"John", "last_name":"Smith", "email":"[email protected]"}
    - XML:
    123 true John Smith [email protected]

Sometimes, the cookie contains parameters to execute further requests to an account service, such as the ID of the user trying to login. You can map and use the ID in a request executed by a Remote User Info Service to retrieve additional user information.

The Cookie Mapping Format section below describes the configuration of the cookie mapping section:

  • ORIGINAL_FIELD_NAME is the field name specified in the cookie, for example, “first_name”. You can also use the ordinal position of the field entry, starting with 0, instead of the original field name. This is useful if you know the order of the entries, but not necessarily what they are called. This can be especially helpful with the plain entry, since field names may not be given.
  • TARGET_FIELD_NAME is the field name used in the Cookie SSO Plugin. Out of the box, the plugin recognizes the following field names: “userid”, “username”, “email”, “real_name”, “group”, “company”, “website”, and "profile_url".
    • You can also add fields that the plugin will not process but that your site customizations can store and use.
    • To specify a new field, prepend an “extradata” label to it. The Cookie SSO Plugin will not use this field, but will store it inside AnswerHub and other plugins or custom themes on your AnswerHub site can use it.
    • In the example above, we create a target field called “administrator” and assign it the value of the field “manager” supplied by your cookie.
  • FIELD_TYPE is the type of data the field contains. The three accepted types are: integer, string, or bool (which is a Boolean value of true or false).
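
How the mapping described above behaves on the plain and JSON cookie shapes, as an added example that is not the plugin's own code. The tuple form of a mapping entry, the "extradata." prefix syntax and the sample address are assumptions; the page does not show the plugin's actual mapping syntax. The bool type is parsed strictly so that a cookie value of "false" can never grant the mapped administrator flag.

```python
import json

def to_bool(value):
    # bool("false") is True in Python, so the text is parsed explicitly
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text not in ("true", "false"):
        raise ValueError(f"not a bool: {value!r}")
    return text == "true"

CASTS = {"integer": int, "string": str, "bool": to_bool}  # the three FIELD_TYPE values

def parse_cookie(raw, fmt):
    """Return the cookie's fields in order as (name or None, value) pairs."""
    if fmt == "json":
        obj = json.loads(raw)
        if not isinstance(obj, dict):
            raise ValueError("JSON cookie must be an object")
        return list(obj.items())
    if fmt == "plain":
        parts = [p.strip() for p in raw.split(";")]
        if all("=" in p for p in parts):  # named values: name=value ; name=value
            return [tuple(s.strip() for s in p.split("=", 1)) for p in parts]
        return [(None, p.strip()) for p in raw.split("|")]  # no names: value | value
    raise ValueError(f"unsupported format: {fmt}")

def apply_mapping(fields, mapping):
    """Apply (ORIGINAL_FIELD_NAME or ordinal, TARGET_FIELD_NAME, FIELD_TYPE) entries."""
    by_name = {name: value for name, value in fields if name is not None}
    result = {}
    for original, target, field_type in mapping:
        if isinstance(original, int):  # ordinal position, starting with 0
            if not 0 <= original < len(fields):
                raise ValueError(f"no field at position {original}")
            value = fields[original][1]
        elif original in by_name:
            value = by_name[original]
        else:
            raise ValueError(f"cookie has no field {original!r}")
        result[target] = CASTS[field_type](value)
    return result

# Constructed samples; the address is a placeholder, not a value from the page
PLAIN = "123 | true | John | Smith | john.smith@example.com"
NAMED = "id=123 ; manager=false ; first_name=John ; email=john.smith@example.com"
JSON_COOKIE = '{"id": 123, "manager": true, "email": "john.smith@example.com"}'
# Assumed syntax: the page only says to prepend an "extradata" label to a new field
BY_NAME = [("id", "userid", "integer"), ("manager", "extradata.administrator", "bool")]
BY_POSITION = [(0, "userid", "integer"), (1, "extradata.administrator", "bool")]
```
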

UserInfo Service Tab

In the UserInfo Service tab, you can configure the following drop-down and checkbox:

  1. Type: You can select from cookie, soap or rest.
  • The Cookie SSO plugin provides two ways to obtain remote user information: cookie-based user info service and remote user info service.
    • Cookie-based User Info Service: The cookie provides all the information needed to create or update a user. This is the default method when you don't specify the user info service.
    • Remote User Info Service: A remote service supplies the information needed to create or update a user. The cookie SSO provider can use information contained in the cookie to build a request and invoke a remote web service. You can use information contained in the cookie received from the cookie SSO provider to build a request and invoke a remote web service. You can use the TARGET_FIELD_NAME fields mapped from your cookie to reference the values of these fields when invoking a remote service.
    • AnswerHub Cookie SSO Plugin supports two types of remote user info services: SOAP and REST.
  2. Update Profile Information: Select this check box if you want to update AnswerHub user information with new information received from the user info service if there is a difference.

SSO Authentication Plugin Enabled or Disabled

  1. Enable the SSO Authentication plugin from the Configuration page.
  2. Click the ENABLE button under the SSO Authentication Plugin title in the right-hand side panel.

Welcome Email

You can select from the yes or no toggle button to determine whether SSO Authenticated users receive the welcome email.

User Matching

You can select from the yes or no toggle button to determine whether you want to allow username and email matching as a fallback to match users.

reCAPTCHA Configuration

Access through the Admin Console

Location (Upon Enabling the reCAPTCHA Plugin): Users & Groups > Settings Menu > reCAPTCHA Configuration Menu

Overview

This plugin allows you to create a protective layer to prevent spam. Once you enable the plugin from the Manage Plugin menu, a few configurations become available. You can configure the plugin to also allow more trusted users and groups to skip reCAPTCHA so they don't need to go through the validation process every time they want to access the site.

Enable reCAPTCHA Plugin in Plugins Menu

To see the reCAPTCHA Configuration Menu, you will need to enable the reCAPTCHA Support plugin in the Manage Plugins menu under the Plugins menu.

Configure reCAPTCHA Plugin

There are several checkboxes and text fields available to customize your configuration to your community's specific needs.

  • Enable reCAPTCHA (checkbox): If you want to use reCAPTCHA, you will need to select this checkbox.
  • Show on User Registration (checkbox): Select to require a user to use reCAPTCHA to register.

For Logged-in and Anonymous Users

  • Show on Questions (checkbox): Select to require a user to use reCAPTCHA to post a question.
  • Show on Answers (checkbox): Select to require a user to use reCAPTCHA to post an answer.
  • Show on Content Types (checkbox): Select to require a user to use reCAPTCHA to post any content type (Questions, Answers, Comments, Ideas, Articles, and Topics).
  • Show on Edits (checkbox): Select to require a user to use reCAPTCHA to edit any content.
  • Public Key text field (Site Key): Generated with a Gmail account.
  • Private Key text field (Secret Key): Generated with a Gmail account.
  • Use reCAPTCHA Secure site (checkbox): Select to require a user to use reCAPTCHA on secure sites with HTTPS.
  • Logged-in User Display (drop-down):
    • Show option: Requires reCAPTCHA for logged-in users.
    • Skip option: Allows logged-in users to skip reCAPTCHA.
    • Skip if reputation higher than option: Enter a numeric value in the text field for the minimum reputation points to skip showing the reCAPTCHA to logged-in users.