MANAGE USERS — AUTHENTICATION

Use this tab to define how Costpoint verifies user login. Authentication is a process by which Costpoint verifies that the individuals logging into the system are who they claim to be.

Costpoint security supports in-house users, consultants and remote office users. In-house users are members of the corporate active directory and are always logged into the corporate LAN. Consultants are also members of the corporate active directory, but may or may not be logged into the corporate LAN. Remote office users are not members of the corporate active directory and are not logged into the corporate LAN.

Costpoint has a number of authentication methods available but all methods ultimately require the use of a password.

Use this screen whenever you need to set up or maintain the authentication method you want your users to access.

Authentication Settings

Use this block to establish the process by which to authenticate this user.

Authentication Method

Use this drop-down list box to select the authentication method to be used for this user. The following table lists the seven different authentication methods available.

Authentication Method

Description

Costpoint Database

In this method:

  • The user ID and password are stored in a Costpoint database.

  • Oracle or SqlServer database user accounts are not used.

  • The password is stored in a hashed form: SHA-1 (Secure Hash Algorithm 1, a widely used one-way hash algorithm that is also used in creating digital signatures), with the user ID used as the 'salt' (a value, typically a random number, that is added to the password before it is hashed to protect it from disclosure).

  • A challenge-response algorithm is used for authentication with a server-side generated nonce ('number used once', an arbitrary value generated for a single authentication exchange).

  • The user credentials, combined with the nonce, are sent from the client in encrypted form (AES, Advanced Encryption Standard).

  • Users MUST enter their user ID and password on the Login screen.

  • This method can be used for all three security use-cases: in-house, consultants, and remote.

  • This is the only method that can be used for remote office users.
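The following is an added, constructed illustration of the Costpoint Database flow described above (salted SHA-1 with the user ID as salt, then a server nonce consumed once per login); it is not Costpoint code. The concatenation order, the HMAC-SHA1 response construction and the in-memory tables are assumptions, and the AES transport encryption is left out.

```python
import hashlib
import hmac
import secrets

# Constructed example of the flow described above. Concatenation order,
# the HMAC-SHA1 response construction and the in-memory tables are
# assumptions for illustration; transport encryption (AES) is omitted.

def password_hash(user_id: str, password: str) -> str:
    """Salted SHA-1 as stored server-side; the user ID is the salt."""
    return hashlib.sha1((user_id + password).encode("utf-8")).hexdigest()

def client_response(user_id: str, password: str, nonce: str) -> str:
    """The client proves knowledge of the password without sending it: it
    keys an HMAC with the nonce over the salted hash it can recompute."""
    return hmac.new(nonce.encode(), password_hash(user_id, password).encode(),
                    hashlib.sha1).hexdigest()

class AuthServer:
    def __init__(self) -> None:
        self.store: dict[str, str] = {}     # user ID -> salted hash
        self.pending: dict[str, str] = {}   # user ID -> outstanding nonce

    def register(self, user_id: str, password: str) -> None:
        self.store[user_id] = password_hash(user_id, password)

    def challenge(self, user_id: str) -> str:
        """Issue a fresh nonce; only one may be outstanding per user."""
        nonce = secrets.token_hex(16)
        self.pending[user_id] = nonce
        return nonce

    def verify(self, user_id: str, response: str) -> bool:
        """Consume the nonce and compare. A replayed response finds no
        nonce and fails, which is the 'number used once' property."""
        nonce = self.pending.pop(user_id, None)
        stored = self.store.get(user_id)
        if nonce is None or stored is None:
            return False
        expected = hmac.new(nonce.encode(), stored.encode(), hashlib.sha1).hexdigest()
        return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    srv = AuthServer()
    srv.register("jdoe", "Tr0ub4dor&3")          # constructed sample user
    n = srv.challenge("jdoe")
    r = client_response("jdoe", "Tr0ub4dor&3", n)
    print("first use:", srv.verify("jdoe", r))   # True
    print("replay:   ", srv.verify("jdoe", r))   # False, nonce consumed
```

Because the user ID is the salt, two users with the same password hash differently, but the salt is public and stable, so the same user ID and password produce the same stored hash in every deployment.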

Single Sign-on

This method enables users to log on to a network and access all authorized resources within the enterprise or at different web sites on the internet. A single sign-on program accepts the user's name and password and automatically logs on to all appropriate servers. In this method:

  • The user ID is stored in both the Active Directory and a Costpoint database.

  • The Costpoint user ID can be mapped to a different Active Directory user ID.

  • The password is stored only in the Active Directory.

  • Users should not enter their user ID and password on the Login screen.

  • This method can be used only for in-house users.

Active Directory

This method authenticates users against Active Directory, the hierarchical directory service that comes with Windows 2000 servers. In this method:

  • The user ID is stored in both the Active Directory and a Costpoint database.

  • The Costpoint user ID can be mapped to a different Active Directory user ID.

  • The password is stored only in the Active Directory.

  • Users must enter their user ID and password on the Login screen.

  • Either the Costpoint user ID or the Active Directory user ID can be used to log in to Costpoint.

  • This method can be used for either in-house users or consultants.

Single Sign-on or Active Directory

In this method:

  • The user ID is stored in both the Active Directory and a Costpoint database.

  • The Costpoint user ID can be mapped to a different Active Directory user ID.

  • The password is stored only in the Active Directory.

  • Users are allowed to log in using either the Active Directory or the Single Sign-On method.

  • The Single Sign-On method requires a user to be logged in to the LAN.

  • This method can be used for either in-house users or consultants but is intended for consultants. Users can take advantage of Single Sign-On while logged in to the LAN and can still log in using the Active Directory method while traveling or at a customer site.

Windows Domain or Active Directory

In this method:

  • The user ID is stored in both the Active Directory and a Costpoint database.

  • The Costpoint user ID can be mapped to a different Active Directory user ID.

  • The password is stored only in the Active Directory.

  • The following two conditions must both be met for a successful login:

      • Users must enter their user ID and password on the Login screen.

      • Users must be logged in to the LAN.

  • This method can be used only for in-house users.

  • This method provides extra security. The Active Directory method is used as a starting point, but users must also be logged in to the LAN. Users cannot log in from outside the corporate network.

Windows Domain and Costpoint Database

In this method:

  • The user ID and password are stored in a Costpoint database.

  • The same rules for password storage and transmission apply as for the Costpoint Database authentication method.

  • The following two conditions must both be met for a successful login:

      • Users must enter their user ID and password on the Login screen.

      • Users must be logged in to the LAN.

  • This method can be used only for in-house users.

  • This method provides extra security. The Costpoint Database method is used as a starting point, but users must also be logged in to the LAN. Nobody can log in from outside the corporate network.

Certificate SSO

Select this method if your server is SSL enabled and an SSL client certificate is installed on the workstation.

With this authentication method, you do not need to enter a user ID and password to log into Costpoint. The system matches the ID in the certificate to the Costpoint user with this authentication ID.

You must also enter the ID in the Active Directory or Certificate ID field. If the ID field is not populated when you insert or update a user record, this error displays: 'With the authentication method you’ve selected, you must also enter an Active Directory or Certificate ID.'


Costpoint Password

Use this field to enter a password for this user. The format of the password must conform to the password requirements set up in the Corporate Settings block on the Configure System Settings screen. Rights to change or update passwords can be assigned on the Information tab.

Generate Random Password

Select this check box to enable the application to generate a random and temporary password based on your system password policy (minimum length, require number, mixed case, and so on). The password is then captured and communicated to the end user in an email.

A valid email address must be entered in the Workflow tab of this application. If email cannot be sent by the application, the following message displays: 'Password generation requires the system to use an email server and either the email server has not been setup in Configure System Settings or the email server is currently not available. Please verify the email server setup or remove the check box to generate random password.'

This option is available only if the Costpoint Database option is selected in the Authentication Method drop-down list box. When this check box is selected, the Costpoint Password field is disabled (no password is required).

The email message sent to the user(s) is:

To: <Email address for this user>

Subject: Costpoint web account password

Content:

A temporary password has been assigned to your Costpoint web account. Please use this password and other information below for Costpoint web login. You will need to change your password on your initial login since this is only a temporary password.

URL: <http URL from System Settings>

User ID: <Costpoint Web User ID>

Password: <Random password assigned>

System: <System ID>

Verify Password

Use this field to re-enter the password for verification purposes. If the password entered on this line does not exactly match the password entered on the previous line, an error message displays when you attempt to save the page.

Active Directory or Certificate ID

Use this field to enter the user's Active Directory ID or certificate ID. The Active Directory ID is required for any of the authentication methods that rely on Active Directory. The certificate ID is required when you select the Certificate SSO option in the Authentication Method drop-down list box.

Allow Application Access via Integration Services

Select this check box to allow this account to run applications through an integration API (application programming interface) such as web services or Enterprise Java Beans (EJBs). Leave it cleared for accounts that should log in only through the Costpoint user interface.