EQuIS Enterprise Authentication Methods

EQuIS Enterprise supports the following authentication scenarios through the Enterprise Login Screen:

1. Basic User Authentication – Users enter their username and password into the Login Screen. Multi-Factor Authentication (MFA), via an authentication app, can be added by individual users in the User Profile Editor or required by the database administrator using settings in the ST_CONFIG table.

2. Microsoft Entra ID – Formerly known as Azure Active Directory (AAD). When configured appropriately, the Login Screen includes a button (labeled “Sign in with Microsoft”) to initiate authentication with any Microsoft Entra ID domain. The EQuIS user account (ST_USER.USER_NAME or ST_USER.EMAIL_ADDRESS) must exactly match the email address provided by Microsoft Entra ID in the id_token. EQuIS validates the id_token against the signing keys of the provider.

3. OpenID Connect – When configured appropriately (see Login – OpenID Connect), the Login Screen includes a button (labeled “Sign in with OpenID”) to initiate authentication with the configured identity provider via OpenID Connect (see https://openid.net/connect/). The EQuIS user account (ST_USER.USER_NAME or ST_USER.EMAIL_ADDRESS) must exactly match the email address provided by the identity provider in the id_token. EQuIS validates the id_token against the signing keys of the provider.

EQuIS Enterprise supports the following authentication scenarios independently of the Login Screen. These scenarios appear to "just work" from the user's perspective. When users visit EQuIS Enterprise, they are automatically logged in.

1. LDAP/NTLM or Windows Authentication – EarthSoft clients hosting EQuIS Enterprise on-premises may configure EQuIS Enterprise to accept Windows authentication via LDAP (RFC 4511) or NTLM. In this scenario, EQuIS assumes that IIS has already authenticated the user and matches that user to a record in the ST_USER table. See LDAP Authentication.

2. SAML-based Single Sign On (SSO) – EarthSoft clients may also opt to configure EQuIS Enterprise to use SAML Single Sign On (SSO) authentication. See SAML-based Single Sign On (SSO).

Note: Regardless of which authentication mechanism is used, the end user’s web browser must allow cookies. Upon successful authentication, a secure cookie is used to authenticate the user throughout the session.

The EQuIS Enterprise REST API also supports the following authentication method:

Bearer JWT Token Authentication – EQuIS issues JWT tokens from the REST API route api/tokens. A control in the Security tab of the User Profile Editor provides a simple user interface to this REST controller. Perform bearer authentication by adding an HTTP request header like the following:

   Authorization: bearer eyJaqlkRlslLBa562slkqovqevpoija2dvn20ribn30inv0indokod31j4b2ficokwcnklnij2igj==
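The id_token checks described for Microsoft Entra ID and OpenID Connect above, together with the bearer header from the REST API section, as an added Python example (not EarthSoft's code): it verifies the token signature before trusting any claim, pins the algorithm, checks issuer, audience and expiry, then requires an exact match of the email claim to a constructed stand-in for ST_USER. HS256 with a shared secret is assumed in place of the provider's asymmetric signing keys so the example runs offline; SECRET, ISSUER, AUDIENCE and the ST_USER rows are constructed values.

```python
import base64, hashlib, hmac, json, time
SECRET = b"constructed-demo-signing-key"   # stands in for the provider's signing key
ISSUER = "https://idp.example.invalid"     # constructed issuer URL
AUDIENCE = "equis-demo-client"             # constructed client id
# Constructed rows standing in for ST_USER.USER_NAME / ST_USER.EMAIL_ADDRESS.
ST_USER = [{"USER_NAME": "jdoe", "EMAIL_ADDRESS": "jdoe@example.invalid"},
           {"USER_NAME": "asmith@example.invalid", "EMAIL_ADDRESS": None}]
def _dec(s):  # base64url without padding, as JWTs use
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _enc(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims, key=SECRET):
    """Mint a sample HS256 id_token (only so the example can run offline)."""
    head = _enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _enc(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_enc(sig)}"

def validate_id_token(token, key=SECRET, now=None):
    """Return verified claims or raise ValueError; signature first, alg pinned."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    if json.loads(_dec(head)).get("alg") != "HS256":   # never trust alg from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _dec(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_dec(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def match_st_user(email, users=ST_USER):
    """Exact, case-sensitive match of the email claim to USER_NAME or EMAIL_ADDRESS."""
    for u in users:
        if email and email in (u["USER_NAME"], u["EMAIL_ADDRESS"]):
            return u["USER_NAME"]
    return None   # no account: reject the login rather than auto-provision

def bearer_token(authorization):
    """Extract the JWT from 'Authorization: bearer <jwt>' (scheme is case-insensitive)."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()
```

With a real provider the same flow pins the provider's asymmetric algorithm and takes the verification key from the provider's published signing keys; everything after the signature check is unchanged.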