Configure login modes

Learn how to configure the login modes, based on OpenID Connect (OIDC) or SAML, that Manhattan ACTIVE® Cloud supports.

Objective

Manhattan Active® Platform Auth Server has an administrative user interface for configuring or modifying several aspects of security, such as the authentication and login modes and the OAuth client setup. This document describes how to configure the login modes used to authenticate to Manhattan Active® Platform.

Before You Begin

You need access to the Manhattan Active® Platform application and the System Administrator role to configure security properties in the Auth Server user interface.

Manhattan Active® Cloud standardizes authorization with OAuth2 for all inbound HTTP traffic. For identity provisioning and Active Directory integration, Manhattan Active® Cloud supports several authentication modes based on OpenID and SAML:

  • External Authentication Mode with OpenID is a login configuration where the user is exclusively authenticated via an external Identity Provider using OpenID as the identity protocol. In this mode, all users are maintained by the external Identity Provider.
  • External Authentication Mode with SAML is a login configuration where the user is exclusively authenticated via an external Identity Provider using SAML as the identity protocol. In this mode, all users are maintained by the external Identity Provider.
  • Mixed Authentication Mode with User Discovery is a login configuration where the user identity is managed either in the Native authentication source by Manhattan Active® Cloud, or by an external Identity Provider with OpenID or SAML. The authentication mode for a given user is determined in real time when that user attempts to log in, based on the username. In this mode, the user is first prompted to enter a username, and the UI then redirects to the authentication mode configured for that user.
  • Native Authentication Mode is a login configuration where the user is exclusively authenticated by Manhattan Active® Cloud. In this mode, the user directory and credentials (usernames and passwords) are maintained in the Manhattan Active® Cloud database. Users maintained with the native authentication mode are referred to as native users, to distinguish them from users maintained in the corporate directory. If no other authentication mode is configured, Native Authentication Mode is the default.

Manhattan supports well-known OpenID and SAML Identity Providers for use as the External Authentication Mode. Integration with the IdPs listed below has been tested and is supported:

  • Microsoft Azure AD: OpenID & SAML
  • ADFS: OpenID & SAML
  • Okta: OpenID & SAML
  • CA SiteMinder: OpenID
  • Ping Identity: OpenID
  • MITREid: OpenID
  • KeyCloak: OpenID & SAML
  • IBM Security Access Manager: SAML

Note that IdPs have their nuances: not every IdP supports the full OpenID and/or SAML standards, and some support additional features that are not part of the standards. In such cases, Manhattan offers technical support and consulting to accommodate the testing and validation necessary for a specific IdP to fully integrate with Manhattan Active® Cloud.

To access the administration UI, go to your Auth Server URL (https://<stack_name>-auth.<domain_name>). After you log in, an Administration button takes you to the administration UI.

The admin panel is accessible only to users with the System Administrator role.

There are two main concepts that are important to understand:

Authorization providers

An authorization provider is the stored configuration for one external identity provider (the UI lists them under the Authentication Providers tab). For example, you could have the following providers stored in the Auth Server configuration:

  • OpenID with Okta
  • Backup OpenID with Okta
  • OpenID with Azure
  • SAML external IDP

One of these providers is selected when the identity type is set to external or mixed.

Login mode

The login mode defines how your users authenticate to the Auth Server. A login mode carries a state:

  • Active: the login mode loaded when the Auth Server starts; it defines how users authenticate.
  • Pending: the state assigned to a newly configured login mode. If a Pending login mode exists when the Auth Server starts, it is marked Active and the previously Active login mode is marked Inactive.

Steps

  1. Click Configure Login Mode.

  2. Select the identity type (database, external or mixed) and click Next.

  3. If you chose external or mixed in Step 2, the list of available providers is shown. To add a new one, click Add Authentication Provider and select the protocol.

  4. You can also click Show Templates to see the predefined providers.

  5. Select a template.

  6. This copies the pre-configured parameters; you must provide a unique Name, which cannot be edited later. Click Save.

  7. This creates the provider. You can view it under the Authentication Providers tab.

  8. The new login mode remains Pending until the next restart of the Auth Server; users keep authenticating with the currently Active mode until then.
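The following is an added example, not Manhattan's code, that models the concepts above in a small in-memory stand-in: providers with unique, immutable names, login modes that stay Pending until a restart promotes them to Active (retiring the previous Active mode), and mixed-mode user discovery that routes a login by username. All class and method names are hypothetical; the rule that only the latest Pending mode is kept, and that an unknown username in mixed mode is rejected rather than sent anywhere, are assumptions made for the model.

```python
"""Illustrative model of Auth Server login modes (added example, hypothetical names)."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Protocol(Enum):
    OPENID = "openid"
    SAML = "saml"


class IdentityType(Enum):
    DATABASE = "database"  # native users only
    EXTERNAL = "external"  # every user goes to the external IdP
    MIXED = "mixed"        # user discovery by username decides


class State(Enum):
    PENDING = "pending"
    ACTIVE = "active"
    INACTIVE = "inactive"


@dataclass(frozen=True)
class AuthProvider:
    name: str          # unique and immutable once saved
    protocol: Protocol


@dataclass
class LoginMode:
    identity_type: IdentityType
    provider: Optional[str]  # provider name; None for DATABASE
    state: State = State.PENDING


class AuthServerConfig:
    """Hypothetical in-memory stand-in for the Auth Server configuration."""

    def __init__(self) -> None:
        self.providers: dict[str, AuthProvider] = {}
        self.login_modes: list[LoginMode] = []
        self.native_users: set[str] = set()    # managed in the native database
        self.external_users: set[str] = set()  # managed by the external IdP

    def add_provider(self, name: str, protocol: Protocol) -> AuthProvider:
        if name in self.providers:
            raise ValueError(f"provider {name!r} exists; names are unique and immutable")
        self.providers[name] = AuthProvider(name, protocol)
        return self.providers[name]

    def configure_login_mode(self, identity_type: IdentityType,
                             provider: Optional[str] = None) -> LoginMode:
        """Record a new login mode as Pending; it has no effect until restart()."""
        if identity_type is IdentityType.DATABASE:
            provider = None
        elif provider not in self.providers:
            raise ValueError("external and mixed modes require a configured provider")
        # Assumption: only the most recent Pending mode is kept.
        self.login_modes = [m for m in self.login_modes if m.state is not State.PENDING]
        mode = LoginMode(identity_type, provider)
        self.login_modes.append(mode)
        return mode

    def active_mode(self) -> Optional[LoginMode]:
        return next((m for m in self.login_modes if m.state is State.ACTIVE), None)

    def restart(self) -> Optional[LoginMode]:
        """Startup: promote the Pending mode and retire the previously Active one."""
        pending = next((m for m in self.login_modes if m.state is State.PENDING), None)
        if pending is None:
            return self.active_mode()
        for m in self.login_modes:
            if m.state is State.ACTIVE:
                m.state = State.INACTIVE
        pending.state = State.ACTIVE
        return pending

    def resolve_login(self, username: str) -> Optional[str]:
        """Where a login for `username` is routed: 'native', a provider name,
        or None for an unknown user in mixed mode (fail closed; an assumption)."""
        mode = self.active_mode()
        if mode is None or mode.identity_type is IdentityType.DATABASE:
            return "native"  # Native Authentication Mode is the default
        if mode.identity_type is IdentityType.EXTERNAL:
            return mode.provider
        if username in self.external_users:
            return mode.provider
        if username in self.native_users:
            return "native"
        return None


def demo() -> dict:
    """Walk through the procedure above with constructed sample users."""
    cfg = AuthServerConfig()
    cfg.add_provider("OpenID with Okta", Protocol.OPENID)
    cfg.native_users.add("store.admin")
    cfg.external_users.add("jdoe")
    before = cfg.resolve_login("jdoe")   # native: nothing is Active yet
    mode = cfg.configure_login_mode(IdentityType.MIXED, "OpenID with Okta")
    pending = cfg.resolve_login("jdoe")  # still native: the new mode is only Pending
    cfg.restart()                        # now the mixed mode becomes Active
    return {
        "before": before,
        "pending": pending,
        "state": mode.state.value,
        "jdoe": cfg.resolve_login("jdoe"),
        "store.admin": cfg.resolve_login("store.admin"),
        "unknown": cfg.resolve_login("nobody"),
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit is the one that trips up operators: `configure_login_mode` changes nothing observable until `restart()` runs, so a freshly saved external or mixed mode leaves every user on the previously Active mode (native by default) until the Auth Server is restarted.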

Global Properties

Other properties are not specific to either OpenID or SAML. You can edit these in the Global properties tab.

Note that these properties are loaded only when manh.security.dbmode=true and a proper login mode is configured. Properties can be of three types: string, number or boolean.

Author

  • Shipra Choudhary: Senior Software Engineer, Security, Manhattan Active® Platform, R&D.

Last modified April 25, 2024: Update deploy.yml (aa43072)