Configuring Security (Authentication Method)
The Security feature is available with SmartServer 4.0 and higher. Prior to SmartServer 4.2, Security was called Authentication Method (Settings widget).
With HTTP Basic authentication, the user agent supplies a username and password in standard HTTP header fields with each request.
You can configure the SmartServer to use SAML (Security Assertion Markup Language) for single sign-on support for both the SmartServer platform login and the SmartServer CMS login using the Settings widget. For Remote CMS, SAML provides user authentication for the Remote CMS login through a centralized service for user credential management.
You can also configure support for OAuth 2.0 (Open Authorization) with OpenID Connect to provide user authentication and single sign-on support for both the SmartServer platform login and the SmartServer CMS login, using the Settings widget.
This section also describes how to enable/disable Enhanced Security for SmartServer Pi (available with SmartServer 4.2 and higher).
To configure the authentication method settings, follow these steps:
- Open the SmartServer CMS.
- Open the CMS Settings widget.
- Click Security.
The Security view appears.
- Select the authentication method:
  - SAML (Security Assertion Markup Language) – an open standard for exchanging authentication and authorization data between an identity provider and a service provider; provides web-browser single sign-on. With SAML authentication, you can sign in to the CMS using your account on the SAML identity provider instead of a username and password.
    SAML authentication requires:
    - Registering with a SAML identity provider (e.g., Okta). When you configure SAML with the identity provider, you will need to specify the CMS URL for Remote CMS (i.e., root.cms) or smartserver-<your segment ID> for Local CMS (e.g., smartserver-17qanqp). For example:
      - Single sign-on URL: https://{CMS URL / smartserver-<your segment ID>}/iap/auth/samlCallback
      - Recipient URL: http://{CMS URL / smartserver-<your segment ID>}/iap/auth/samlCallback
      - Destination URL: http://{CMS URL / smartserver-<your segment ID>}/iap/auth/samlCallback
      - Audience URI: https://{CMS URL / smartserver-<your segment ID>}/iap/auth/samlCallback
      - Default Relay State: https://{CMS URL / smartserver-<your segment ID>}/cms/#/dashboard
      The http scheme is used only between NGINX and the CMS.
    - Specifying the External Login in the CMS user account. This login links the CMS user account with the SAML provider account (i.e., the email address) and is set by the SmartServer system administrator.
  - OAuth 2.0 (Open Authorization) – an open standard for access delegation that works over HTTP and, with the approval of the resource owner, allows an authorization server to issue access tokens to third-party clients. Also requires the External Login to be specified in the CMS user account.
  - Basic (default) – a method for an HTTP user agent (e.g., a web browser) to provide a username and password when making a request. HTTP Basic authentication uses standard fields in the HTTP header and does not require cookies, session identifiers, or login pages. For SmartServer Pi, you can also enable or disable enhanced security. For SmartServer IoT, this feature is configured using the System Configuration page.
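The OAuth 2.0 description above is compressed; the following added example (written for this page, not SmartServer or Echelon code) walks through the authorization-code flow that the OAuth 2.0 settings in the Settings widget drive, ending with the External Login match that ties the provider account to a CMS account. The endpoint URLs, credentials, the `/iap/auth/oauthCallback` path, the reading of Redirected Host URL as the host of the callback, and the in-memory identity provider are all constructed assumptions; the real CMS flow may differ in detail.

```python
import secrets
import urllib.parse

# Constructed sample values for the OAuth 2.0 settings the Settings widget asks for
# (Client ID, Secret Client ID, Token URL, Auth URL, User API URL, Scope,
# Login Field Name, Redirected Host URL). No real endpoints or credentials.
OAUTH_SETTINGS = {
    "client_id": "cms-client-id-placeholder",
    "secret_client_id": "client-secret-placeholder",
    "token_url": "https://idp.example.invalid/oauth2/token",
    "auth_url": "https://idp.example.invalid/oauth2/authorize",
    "user_api_url": "https://idp.example.invalid/oauth2/userinfo",
    "scope": "openid email profile",
    "login_field_name": "email",
    "redirected_host_url": "https://smartserver-17qanqp.example.invalid",
}
CALLBACK_PATH = "/iap/auth/oauthCallback"  # assumed; the page documents only the SAML path


def redirect_uri(settings):
    return settings["redirected_host_url"].rstrip("/") + CALLBACK_PATH


def build_authorize_url(settings, state):
    """Step 1: the browser is sent to the Auth URL. `state` is a random per-session
    value; handle_callback() checks it so a forged callback cannot complete a login."""
    params = {
        "response_type": "code",
        "client_id": settings["client_id"],
        "redirect_uri": redirect_uri(settings),
        "scope": settings["scope"],
        "state": state,
    }
    return settings["auth_url"] + "?" + urllib.parse.urlencode(params)


def exchange_code(settings, code, http_post):
    """Step 2: back-channel POST to the Token URL; the Secret Client ID never goes via the browser."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri(settings),
        "client_id": settings["client_id"],
        "client_secret": settings["secret_client_id"],
    }
    return http_post(settings["token_url"], form)


def fetch_login(settings, access_token, http_get):
    """Step 3: call the User API URL with the bearer token and read the Login Field Name."""
    profile = http_get(settings["user_api_url"], {"Authorization": "Bearer " + access_token})
    login = profile.get(settings["login_field_name"])
    if not login:
        raise ValueError("profile has no %r field" % settings["login_field_name"])
    return login


def resolve_cms_user(login, cms_users):
    """Step 4: the provider login must equal a CMS account's External Login."""
    for user in cms_users:
        if user.get("external_login", "").casefold() == login.casefold():
            return user["username"]
    return None


def handle_callback(settings, query_string, expected_state, http_post, http_get, cms_users):
    """Handle the provider's redirect back to the CMS; returns the CMS username or None."""
    query = dict(urllib.parse.parse_qsl(query_string))
    if not secrets.compare_digest(query.get("state", ""), expected_state):
        raise PermissionError("state mismatch: callback was not started by this session")
    token = exchange_code(settings, query["code"], http_post)
    return resolve_cms_user(fetch_login(settings, token["access_token"], http_get), cms_users)


# Constructed in-memory identity provider and CMS user table used to run this offline.
FAKE_CODES = {"code-abc": "token-xyz"}
FAKE_PROFILES = {"token-xyz": {"sub": "1234", "email": "alice@example.invalid"}}
CMS_USERS = [{"username": "alice", "external_login": "Alice@example.invalid"}]


def fake_post(url, form):
    if url != OAUTH_SETTINGS["token_url"] or form["client_secret"] != OAUTH_SETTINGS["secret_client_id"]:
        raise PermissionError("token request rejected")
    return {"access_token": FAKE_CODES[form["code"]], "token_type": "Bearer"}


def fake_get(url, headers):
    return FAKE_PROFILES[headers["Authorization"].split(" ", 1)[1]]


def demo(state=None):
    """Run the whole flow against the fake provider; returns the resolved CMS username."""
    state = state or secrets.token_urlsafe(16)
    build_authorize_url(OAUTH_SETTINGS, state)  # the user's browser would be redirected here
    callback = urllib.parse.urlencode({"code": "code-abc", "state": state})
    return handle_callback(OAUTH_SETTINGS, callback, state, fake_post, fake_get, CMS_USERS)
```

Two points worth noticing when reviewing a deployment: the Secret Client ID is only ever sent on the server-to-server token request, so it should never appear in browser-visible URLs or logs, and a user whose provider login does not match any CMS External Login is rejected rather than auto-provisioned, which is why the page requires the administrator to set External Login on each account first.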
- Enter the authentication method settings as follows:
  - SAML
    - Entity ID – specifies the Identity Provider Issuer
    - SSO URL – enter the Identity Provider Single Sign-On URL
    - X.509 Certificate – provides the X.509 Certificate without the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines
  - OAuth 2.0
    - Client ID
    - Secret Client ID
    - Token URL
    - Auth URL
    - User API URL
    - Scope
    - Login Field Name
    - Redirected Host URL
  - Basic
    - Default setting
  - For SmartServer Pi (available with SmartServer 4.2 and higher), you can enable or disable the enhanced security option to require stronger or allow lighter passwords. When enabled, passwords must contain at least 14 characters, including digits, lower-case letters, upper-case letters, and special characters.
    For SmartServer IoT (SmartServer 4.2 and higher), this option is disabled in the Security view; you can enable enhanced security using the SmartServer System Configuration page. See Enhancing Security.
- Click Save to store the settings.
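The enhanced security option above is defined by its password rules, so the following added example (written for this page, not SmartServer code) implements that check so an administrator can pre-validate passwords before rolling them out or audit why a password was refused. Only the rules the page states are enforced: minimum 14 characters, plus at least one digit, one lower-case letter, one upper-case letter, and one special character. The set of "special characters" is assumed to be ASCII punctuation, and the "lighter" rules that apply with the option disabled are not given on the page, so nothing is enforced in that branch.

```python
import string

MIN_LENGTH = 14                          # minimum length stated for enhanced security
SPECIAL_CHARS = set(string.punctuation)  # assumed meaning of "special characters"


def enhanced_policy_failures(password):
    """Return the enhanced-security rules the password breaks; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    if not any(c.islower() for c in password):
        failures.append("lower")
    if not any(c.isupper() for c in password):
        failures.append("upper")
    if not any(c in SPECIAL_CHARS for c in password):
        failures.append("special")
    return failures


def check_password(password, enhanced_security):
    """Mirror the Settings toggle. With enhanced security disabled the page only
    says the requirements are 'lighter' without listing them, so this example
    (by assumption) enforces nothing in that case."""
    if not enhanced_security:
        return []
    return enhanced_policy_failures(password)


def audit(candidates, enhanced_security=True):
    """Report each candidate password with the rules it fails; useful when
    bulk-checking accounts before enabling the option on a SmartServer Pi."""
    return {pw: check_password(pw, enhanced_security) for pw in candidates}


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw, fails in audit(["Tr0ub4dor&3-extra!", "short1A!", "alllowercase12345!"]).items():
        print("%-22s %s" % (pw, "OK" if not fails else "fails: " + ", ".join(fails)))
```

The function returns every failed rule rather than stopping at the first one, which gives a clearer message to the user and makes the audit output directly actionable.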