Hitachi

JP1 Version 12 JP1/SNMP System Observer Description, Operator's Guide and Reference


2.1.2 User authentication

User authentication can be applied to users who log in to the SSO console. If user authentication is enabled, the login window is displayed. If user authentication is not enabled, the SSO console is displayed directly, without the login window.

(1) SSO console login window

The following figure shows the login window.

Figure 2‒7: SSO console login window

[Figure]

The items displayed in the above window are described below.

User Name

The name of the user who is logging in is entered here.

  • When using the SSO authentication method

    The name of a user account registered with the ssoauth command is entered.

  • When using the JP1 authentication method

    The name of a user account registered as a JP1 user in JP1/Base is entered.

Password

The password for this user name is entered here. If no password was set by using the ssoauth command, no password need be entered.

Login

When you click this button, the system performs user authentication and checks the number of logged-in users. If the authentication and check are successful, the SSO console is displayed.

Clear

Clears the entered user name and password.

(2) User authentication methods

The following two authentication methods are available:

  • SSO authentication method

  • JP1 authentication method

The default authentication method is the SSO authentication method. The following subsections describe the two authentication methods and how to change between the methods.

(a) SSO authentication method

The SSO authentication method is a user authentication method designed specifically for SSO, and in which the user information is managed by SSO. User information can be added, deleted, and edited by using the ssoauth command. User information is stored in the user authentication definition file (ssoauth.conf). For details on this file, see 6.3.26 User authentication definition file (ssoauth.conf).

For the SSO authentication method, administrator is registered as the default login user. Because neither a password nor authority is set for the administrator user, we recommend that you either set a password and authority if needed, or delete the administrator user and then create a new user to meet the user's operation requirements.

(b) JP1 authentication method

The JP1 authentication method uses JP1/Base, and the user information is managed centrally by JP1/Base. Logged-in users are created as JP1 users by JP1/Base, which is the authentication server. User permission is set as follows:

  • JP1 resource group name: JP1_SSO

  • JP1 permission level: JP1_SSO_Admin or JP1_SSO_Operator#

#: The JP1 permission levels correspond to the types of user authority in the SSO console. The table below lists the correspondence between the JP1 permission levels and the types of user authority in the SSO console. For details on which functions can be used with each type of user authority, see 2.1.1(2) Menu frame.

JP1 permission level    User authority
JP1_SSO_Admin           Administrator
JP1_SSO_Operator        Operator

You can also use JP1 user jp1admin, which is the default JP1 user registered in JP1/Base.

For the JP1 authentication method, JP1/Base is required on the host where SSO is installed. For details on user authentication by using JP1/Base, see the JP1/Base User's Guide.

(c) Changing the authentication method

To change the authentication method or disable user authentication, change the authentication key in the ssoconsoled action definition file (ssoconsoled.def). For details on this file, see 6.3.23 ssoconsoled action definition file (ssoconsoled.def). The changes made to the ssoconsoled action definition file are applied by either restarting the ssoconsoled daemon, or by executing the ssoconsoled -r command.

(3) Limiting the number of logged-in users

The number of users who can log in to the SSO console can be limited during user authentication. The maximum number of users who can log in is set in the ssoconsoled action definition file (ssoconsoled.def). For details on the ssoconsoled action definition file, see 6.3.23 ssoconsoled action definition file (ssoconsoled.def).

Note that in the initial status, the maximum number of users who can log in, either as Administrator or Operator, is not set. Set the maximum number according to the operational requirements.