Documentation/Administration/Authentication Methods


ScriptRunner provides several authentication methods to ease access for your users. The authentication method can be set at an individual user level.

The three current types of authentication available by default are:

  • LDAP
  • Google OAuth
  • Locally stored passwords


Creating An Authentication Service

  • From the menu, select Manage Authentication Services.
  • Click the New button.
  • The Create Authentication Service window should now be shown. Enter a name and description for your authentication service and select the Authentication Service Type you want to use:
    • google_auth - This allows you to use Google's OAuth service to authenticate using existing Google accounts. For this to work, users' Login IDs must match their Google email address.
    • ldap - This allows you to hook into existing authentication providers such as Microsoft Active Directory.
    • local - This provides a means of having ScriptRunner do its own local authentication.
  • Depending on the Authentication Service Type selected, you will be prompted for further information.
    • ldap
      • LDAP URL: The location of your LDAP server or service (example: ldap://ldap-server-name)
      • LDAP Bind User: The user used to connect to your LDAP service in Distinguished Name (DN) format (example: CN=ScriptRunner LDAP User,OU=ServiceAccounts,OU=USERS,DC=smnt,DC=org).
      • LDAP Bind User Password: The password for the Bind User.
      • LDAP Bind User Password AES Key: The key that will be used to encrypt information about this Authentication Service. As this is an AES key, it must be 16, 24 or 32 characters long.
      • LDAP Search Root: The base object to start searching from within your directory. This can help you limit which users in your directory can be granted access (example: DC=smnt,DC=org).
      • LDAP User Object Name: The property name that contains the user name within your directory. If using Active Directory, leave this at the default value.
      • Allow Password Changes: If you want to let users change their directory passwords through ScriptRunner, tick this option. When using Active Directory, this only works over a secure connection (LDAPS) and if the bind user has permission to change other users' passwords.
      • Max Login Attempts: The maximum number of failed attempts allowed for each user account before it becomes automatically locked.
    • local
      • Password Salt: A random combination of letters, numbers and special characters to be used as part of the salting process for stored passwords.
      • Password Validity Period (days): The number of days a user's password will be valid for before the user is forced to change it.
      • Max Login Attempts: The maximum number of failed attempts allowed for each user account before it becomes automatically locked.
  • Click the Save button.
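
The ldap fields listed above can be sanity-checked before they are typed into the form. The following is an added example, not ScriptRunner code: the dictionary keys and the `is_dn` and `check_ldap_settings` helpers are hypothetical, the DN check is deliberately simplified, and the sample key is a constructed placeholder.

```python
# Added example; keys are hypothetical names for the form fields, not ScriptRunner's.
import re
from urllib.parse import urlsplit

AES_KEY_LENGTHS = (16, 24, 32)  # AES-128, AES-192, AES-256
# Simplified DN component check (attr=value); escaped commas are not handled.
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")

# Constructed sample values; the DNs and URL are the page's own examples.
SAMPLE = {
    "ldap_url": "ldap://ldap-server-name",
    "bind_user": "CN=ScriptRunner LDAP User,OU=ServiceAccounts,OU=USERS,DC=smnt,DC=org",
    "search_root": "DC=smnt,DC=org",
    "aes_key": "0123456789abcdef0123456789abcdef",  # placeholder, never reuse
    "allow_password_changes": False,
    "max_login_attempts": 5,
}

def is_dn(value):
    """Return True if every comma-separated component looks like attr=value."""
    parts = [p.strip() for p in value.split(",")]
    return bool(value.strip()) and all(RDN.match(p) for p in parts)

def check_ldap_settings(cfg):
    """Return a list of problems found in the proposed ldap service settings."""
    problems = []
    url = urlsplit(cfg.get("ldap_url", ""))
    if url.scheme not in ("ldap", "ldaps") or not url.hostname:
        problems.append("ldap_url: expected ldap://host or ldaps://host")
    elif cfg.get("allow_password_changes") and url.scheme != "ldaps":
        # The page states this requirement for Active Directory.
        problems.append("allow_password_changes: requires an ldaps:// URL")
    for field in ("bind_user", "search_root"):
        if not is_dn(cfg.get(field, "")):
            problems.append(f"{field}: not in Distinguished Name format")
    key = cfg.get("aes_key", "")
    if len(key) not in AES_KEY_LENGTHS:
        problems.append(f"aes_key: {len(key)} characters, need 16, 24 or 32")
    elif len(key.encode("utf-8")) != len(key):
        # Assumption: the characters are used as key bytes, so keep to ASCII.
        problems.append("aes_key: non-ASCII characters change the byte length")
    attempts = cfg.get("max_login_attempts")
    if not isinstance(attempts, int) or attempts < 1:
        problems.append("max_login_attempts: must be a positive integer")
    return problems

if __name__ == "__main__":
    print(check_ldap_settings(SAMPLE) or "no problems found")
```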



Editing An Authentication Service

  • From the menu, select Manage Authentication Services.
  • Click the Edit button against the Authentication Service you wish to update.
  • Update settings as required.
    It is possible to change the Authentication Service Type; however, this is not recommended. It is safer to create a new Authentication Service and migrate users over to that.
  • Click the Save button.



Removing An Authentication Service

  • From the menu, select Manage Authentication Services.
  • Click the Remove button against the Authentication Service you wish to remove.
  • Click the confirm button on the confirmation prompt.
  • If users are still assigned to the Authentication Service you attempt to remove, you will receive an error. If your remove request was successful, a confirmation prompt will show in the bottom left corner of the page.