Using Active Directory or LDAP for Authentication Only

If you have already created accounts for users in SL1, you can use Active Directory or LDAP to authenticate one or more of those users. Each time an Active Directory or LDAP user logs in to SL1 using his/her Active Directory or LDAP username and password, SL1 will use Active Directory or LDAP to authenticate that user.

Use the following menu options to navigate the SL1 user interface:

  • To view a pop-out list of menu options, click the menu icon.
  • To view a page containing all of the menu options, click the Advanced menu icon.

Required Tasks

You can use LDAP or Active Directory to authenticate one or more users when they log in to SL1. You can also specify that SL1 should not authenticate other LDAP or Active Directory users.

  • Each user logs in to SL1, either through the login page, a CAC card or certificate, or HTTP. The user logs in to SL1 using an LDAP or AD attribute value as a login name and the LDAP or AD password.
  • SL1 examines the login request and applies the appropriate Authentication Profile (and the appropriate Authentication Resource(s)).
  • SL1 then authenticates the user by communicating with the LDAP or Active Directory server.

If you want to use LDAP or Active Directory to only authenticate users (that is, you do not want SL1 to import user accounts from Active Directory or LDAP), you must manually create accounts in SL1 and specify LDAP or AD authentication. To do this:

  1. Create a user account in SL1. You can either create the account manually or you can use a user policy to create the account.
     • When creating the user policy, you must select LDAP/Active Directory in the Authentication Method field in the User Policy Properties Editor page (Registry > Accounts > User Policies > create/edit User Policy).
     • When creating the user account, you must select LDAP/Active Directory in the Authentication Method field in the Account Permissions page (Registry > Accounts > User Accounts > edit user account).
  2. Create an Active Directory or LDAP credential that allows SL1 to read from (and optionally, write to) the AD or LDAP directory. This credential allows SL1 to connect to Active Directory or LDAP and authenticate user accounts.
  3. Define the LDAP/AD Authentication Resource.
     • Specify how SL1 should communicate with the LDAP or Active Directory server and exchange information with the LDAP or Active Directory server.
     • In the Type field, select the following:
        • Do not import new users or sync user policies. SL1 will use LDAP or AD only to authenticate users and will not create a new user each time an LDAP or AD user attempts to connect to SL1.
  4. Define one or more Authentication Profiles that tell SL1 how to recognize LDAP/AD users and which Authentication Resource to use with those users.

After completing these steps:

  • Each LDAP/AD user must log in to SL1 using the user name and password for SL1. This user name must be identical to the LDAP or AD user ID for the user; the password must be identical to the LDAP or AD password.
  • SL1 will examine the hostname or IP address in the incoming URL request to align the user with an Authentication Profile.
  • The Authentication Profile tells SL1 which Authentication Resources to use to authenticate the user.
  • SL1 will use the settings and the credentials defined in the LDAP/AD Authentication Resource to query the LDAP or AD directory to authenticate each user.

Creating a User Account that Will Be Authenticated with Active Directory or LDAP

User accounts allow users to log in to SL1 and access pages and features in SL1. If you have already created a user account for a user in Active Directory or LDAP, you can create a separate user account for that user in SL1 and then ask Active Directory or LDAP to authenticate the user account.

There are two ways to create a user account in SL1:

  • Manually create a user account and define all account settings.
  • Manually create a user account and then apply a user policy to define additional account settings. User Policies allow you to define a custom set of account properties and privileges and then save them as a policy.

Both options will be described in the following sections.

Manually Creating a User Account and Manually Defining Account Settings

To manually create a new user account and manually define account settings:

  1. Go to the User Accounts page (Registry > Accounts > User Accounts).
  2. In the User Accounts page, click the Create button.
  3. The page appears.
  4. In the page, enter values in each of the following fields:
  • First Name. User's first name. This value can be up to 24 characters in length.
  • Last Name. User's last name. This value can be up to 24 characters in length.
  • Generate a unique name based on first and last name. Do not select this option.
  • Account Login Name. Enter a value that is included in the Active Directory entry or LDAP entry for the user. For example, you could enter the uid value for the user from LDAP or AD. This value will then be the login name for the user. To enable AD or LDAP to authenticate the user, the login name must match a value in the AD or LDAP entry for the user.
  • Primary Email. User's email address. This field can be up to 64 characters in length.
  • Password. You can enter any password that meets the minimum security requirements. The password must be at least four characters in length and can be up to 64 characters in length.

NOTE: During authentication, LDAP or AD will ignore the value in the Password field and instead use the password stored in LDAP or AD.

  • Confirm Password. The user's password again. This value must be at least four characters in length and can be up to 64 characters in length. This password will be overwritten with the AD or LDAP password on first login.
  • Password Strength. Required strength of the user's password. Must be set to Strong. The password will not be able to be changed through SL1.
  • Password Expiration. Set this field to Disabled. The password will not be able to be changed through SL1.
  • Password Shadowing. Set this field to Default. The password cannot be changed through SL1.
  • Require Password Reset. Do not select this option. The password cannot be changed through SL1.
  • Multi-Factor Auth (MFA) User. If this user requires a different user name for Multi-factor authentication, enter the MFA user name in this field.

NOTE: For details on configuring multi-factor authentication, see the section on using multi-factor authentication.

  • Organization. The organization of which the new user account will be a member. Users can select from among all organizations in SL1.
  • Account Type. Specifies whether the user is a member of a user policy. Choices are:
     • Individual. Select this option. User account is not a member of a user policy.
     • Policy Membership. User will be defined with a user policy. When selected, the Policy Membership field becomes active.
  • Account Type. This drop-down contains an entry for each standard account type. These account types affect the list of Access Keys for the user. The choices are:
     • Administrator. By default, administrators are granted all permissions available in SL1. Administrators can access all tabs and pages and perform all actions and tasks.
     • User. Accounts of type "user" are assigned Access Keys. Access Keys are customizable by the administrator and grant users access to pages and tabs and permit users to view information and perform tasks in SL1. These Access Keys are defined by the system administrator from the Access Keys page (System > Manage > Access Keys).
  • Login State. Default login state for the user account. The choices are:
     • Suspended. Account is not active. User cannot log in to SL1.
     • Active. Account is active. User can log in to SL1.
  • Authentication Method. Specifies how the user's username and password will be authenticated. Select the following:
     • LDAP/Active Directory. Select this option. User's username and password are authenticated by an LDAP server or Active Directory server.
  • Restrict to IP. The user will be allowed to access SL1 only from the specified IP. Specify the IP address in standard dotted-decimal notation.
  • Time Zone. Select the appropriate time zone to associate with the user account.
  5. Click the Save button to save the new user.

Manually Creating a User Account and Using a User Policy to Define Account Settings

You can manually create a user account and then apply a user template to that user account.

If you want to use Active Directory or LDAP to authenticate the user when he/she logs in to SL1, you must:

  • Define a user policy before creating the user account. With the exception of the Authentication Method field, there are no further requirements for LDAP or AD authentication. You can define the user policy as you wish. For details on creating a user policy, see the Organizations and Users section.
  • Ensure that the user policy includes the following settings:
     • Authentication Method. Specifies how the user's username and password will be authenticated. Select:
        • LDAP/Active Directory. Select this option. The user's username and password will be authenticated by an LDAP server or Active Directory server.

To manually create a user account and apply a user policy to that account:

  1. Go to the User Accounts page (Registry > Accounts > User Accounts).
  2. In the User Accounts page, click the Create button.
  3. The page appears.
  4. In the page, enter values in each of the following fields:
  • First Name. User's first name. This value can be up to 24 characters in length.
  • Last Name. User's last name. This value can be up to 24 characters in length.
  • Generate a unique name based on first and last name. Do not select this option.
  • Account Login Name. Enter a value that is included in the Active Directory entry or LDAP entry for the user. For example, you could enter the uid value for the user from LDAP or AD. This value will then be the login name for the user. To enable AD or LDAP to authenticate the user, the login name must match a value in the AD or LDAP entry for the user.
  • Primary Email. User's email address. This field can be up to 64 characters in length.
  • Password. You can enter any password that meets the minimum security requirements. The password must be at least four characters in length and can be up to 64 characters in length.

NOTE: During authentication, LDAP or AD will ignore the value in the Password field and instead use the password stored in LDAP or AD.

  • Confirm Password. The user's password again. This value must be at least four characters in length and can be up to 64 characters in length. This password will be overwritten with the AD or LDAP password on first login.
  • Password Strength. Required strength of the user's password. Must be set to Strong. The password will not be able to be changed through SL1.
  • Password Expiration. Set this field to Disabled. The password will not be able to be changed through SL1.
  • Password Shadowing. Set this field to Default. The password cannot be changed through SL1.
  • Require Password Reset. Do not select this option. The password cannot be changed through SL1.
  • Multi-Factor Auth (MFA) User. If this user requires a different user name for Multi-factor authentication, enter the MFA user name in this field.

NOTE: For details on configuring multi-factor authentication, see the section on using multi-factor authentication.

  • Organization. The organization of which the new user account will be a member. Users can select from among all organizations in SL1.
  • Account Type. Specifies whether the user is a member of a user policy. Choices are:
     • Individual. User account is not a member of a user policy.
     • Policy Membership. Select this option. User will be defined with a user policy. When selected, the Policy Membership field becomes active.

After you select Policy Membership, all remaining fields except Account Templates are disabled. This is because those fields are defined in the user policy.

  • Policy Membership. If you selected Policy Membership in the Account Type field, the Policy Membership field is activated. In this field, you can select a user policy to apply to the new user account.

NOTE: Ensure that you select a policy that specifies an Authentication Method of LDAP/Active Directory.

     • When a user policy is applied to a user's account, the user inherits the Access Keys specified in the user policy. Administrators cannot add additional Access Keys or delete Access Keys from the user's account unless they edit the user policy.
     • When a user policy is edited, each user account that is a member of that template will be dynamically updated.
  5. Click the Save button to save the new user.

Defining a Credential for Authenticating with Active Directory or LDAP

Credentials are access profiles (username and password plus additional information) for external systems. These profiles allow SL1 to access external systems while maintaining the security of the access accounts. Users see only the name of the credential, not the username, password, and network information contained in the credential.

When you define user accounts that are authenticated with Active Directory or LDAP, you must define one or more credentials, so SL1 can communicate with the Active Directory server or LDAP server. SL1 must communicate with the AD server or LDAP server to authenticate each specified user.

To define a credential for accessing Active Directory or LDAP:

  1. Go to the Credential Management page (System > Manage > Credentials).
  2. In the Credential Management page, click the Actions drop-down menu. Select Create LDAP/AD Credential.
  3. The Credential Editor modal page appears. In this page, you can define the new credential.
  4. Supply a value in each of the following fields:
  • Profile Name. Name of the credential. Can be any combination of alphanumeric characters.
  • LDAP Type. Specifies the type of LDAP implementation running on the directory server. Choices are LDAP or Active Directory.
  • Hostname/IP. Hostname or IP address of the LDAP or Active Directory server.
  • Secure. Specifies whether you are using LDAP over SSL.
  • Port. Port number on the LDAP or Active Directory server to which SL1 will send requests. If you specified No in the Secure field, the default value is 389. If you specified Yes in the Secure field, the default value is 636. However, you can specify a custom port used by your organization.
  • Timeout. Number of milliseconds during which the credential should continue to try to contact the LDAP or Active Directory server. After this time elapses, the credential will stop trying to contact the LDAP or Active Directory server.
  • RDN (Bind DN / bind user). To configure SL1 to automatically create accounts when a user logs in with an AD name and password or LDAP name and password, you must include the %u variable in this field.
     • If the LDAP or Active Directory structure does not contain all users in a single branch, in this field, you must specify a Bind DN that is allowed to search the LDAP or Active Directory for the user who is logging in. You must also supply a password for this Bind DN in the Bind Password field. SL1 will use the specified Bind DN and password to search the entire LDAP or Active Directory structure for the user who is logging in. When SL1 finds the user who is logging in, it will perform a bind using that user's Bind DN and the password supplied during login.
     • If the LDAP or Active Directory structure contains all users in a single branch, you can use a variable for username and then explicitly specify the appropriate ou and dc. In many LDAP or AD configurations, each user has read-access to his/her own account. Therefore, you might find it most useful to include the %u variable in this field. When an LDAP or AD user logs in to SL1, SL1 stores the username in the %u variable. SL1 then uses the %u variable to build the bind DN, uses the bind DN to communicate with the LDAP or AD server, and then authenticates the current user.
     • An example entry in the RDN field might be: uid=%u, ou=People, dc=sciencelogic, dc=com
     • This creates a DN using the current ScienceLogic login name as the uid.
     • You can also include the %d variable in this field. The %d variable represents the name of the LDAP domain, as specified in the LDAP Domain field.
  • Bind Password. Password that allows access to the Active Directory server or the LDAP server. In most cases, when you specify a bind password in a credential, you are creating a "write" credential (that is, a credential that allows SL1 to make changes to the LDAP or AD server). Most Active Directory and LDAP configurations do not require a password for "read-only" access. To import information from the AD server or LDAP server and authenticate the imported user, SL1 requires only "read-only" access.
  • LDAP Domain. If your LDAP or Active Directory configuration includes multiple domains, specify the domain components to bind to in this field. For example, you could specify:

dc=reston, dc=ScienceLogic, dc=local.

  • This example would bind to the sub-domain "reston", in the domain "sciencelogic", in the domain "local".
  • User Search Base. Specify the area in the AD directory or LDAP directory where users to be authenticated and automatically added to SL1 reside, using RDN notation. The search base tells SL1 which part of the external directory tree to search. For example, if you want all users in the ou called "Users", in the parent ou called "ScienceLogicHQ", in the domain ScienceLogic.local to be automatically added to SL1, you could specify the RDN that includes those ous and that specific domain.

ou=Users,ou=ScienceLogicHQ,dc=ScienceLogic, dc=local

  • This example would allow SL1 to authenticate users in the ou called "Users" in the parent ou "ScienceLogicHQ", and also authenticate all users in any ou underneath "Users".

NOTE: For details on search syntax for Active Directory, see http://msdn.microsoft.com/en-us/library/aa746475(VS.85).aspx. For details on the search syntax for LDAP, see http://www.faqs.org/rfcs/rfc2254.html.

  • User Search Scope. In this field, you specify whether SL1 should search only the directory specified in User Search Base or whether SL1 should search the directory specified in User Search Base and all its child branches.
     • Subtree. SL1 should search the directory specified in the User Search Base field and also search all its child branches.
     • One Level. SL1 should search only the directory specified in the User Search Base field.
  5. Click the Save button to save your changes to the credential.

Creating an LDAP/AD Authentication Resource

An Authentication Resource is a configuration policy that describes how SL1 should communicate with a user store. In this section, the user store is an LDAP or Active Directory (AD) user store. The LDAP/AD Auth Resource Editor page allows you to define an Authentication Resource for use with an LDAP/AD user store. An LDAP/AD Authentication Resource specifies the connector (communication software) to use to communicate with the LDAP/AD user store and the credential to use to connect to the user store. An LDAP/AD Authentication Resource can also map attributes from the user's LDAP/AD account to fields in the user account on SL1.

In the LDAP/AD Auth Resource Editor page (System > Settings > Authentication > Resources > create/edit LDAP/AD Resource), you can:

  • Specify the credential that allows SL1 to communicate with the AD server or the LDAP server.
  • Specify the area in the AD server or LDAP server where the user's records reside.
  • Specify whether SL1 should automatically update each user's account in AD or LDAP when the corresponding account is edited in SL1.

Additionally, Authentication Profiles are policies that align user accounts with one or more Authentication Resources. Authentication Profiles are described later in this section.

To create an LDAP/AD Authentication Resource:

  1. Go to the Authentication Resource Manager page (System > Settings > Authentication > Resources).
  2. In the Authentication Resource Manager page, click the Actions menu and then select Create LDAP/AD Resource. The LDAP/AD Auth Resource Editor page appears.
  3. Complete the following fields:

Basic Settings

  • Name. Name of the LDAP/AD Authentication Resource.
  • User Display Name. The username, email address, or preferred display name. This value is determined by the user's authentication resource settings. Select what name to display from the following options:
     • disable. Uses the current default behavior, which displays the user's username in the SL1 user interface and in the logs.
     • e-mail address. Displays the user's email address in the SL1 user interface and in the logs.
     • user principal name. Displays the value from the UPN field on this page in the SL1 user interface and in the logs.
  • UPN. The value that displays in the SL1 user interface and in the logs. If you select user principal name in the User Display Name field, then the value from this field displays in the SL1 user interface and in the logs. This field is blank by default for all existing (pre-11.2.1) authentication resources, but can be manually updated.
  • Read Credential. Credential that allows SL1 to read data from an LDAP or AD server. Select from a list of all LDAP and AD credentials to which you have access. If this field has been set to a credential to which you do not have access, this field will display the value Restricted Credential. If you set this field to a different credential, the entry for Restricted Credential will be removed from the field; you will not be able to re-align the field with the Restricted Credential.
  • Write Credential. Credential that allows SL1 to write data to an LDAP or AD server. Select from a list of all LDAP and AD credentials to which you have access. If this field has been set to a credential to which you do not have access, this field will display the value Restricted Credential. If you set this field to a different credential, the entry for Restricted Credential will be removed from the field; you will not be able to re-align the field with the Restricted Credential.

NOTE: Your organization membership(s) might affect the list of credentials you can see in the Read Credential field and the Write Credential field.

  • User Name Suffix. Optional field. Because SL1 can authenticate against multiple LDAP or AD servers, there is a risk of collision among usernames. In this field, you can enter a string to append to the username in SL1, to minimize risk of collision. For example:
     • You can supply the value %attribute_name%, where attribute_name is an AD or LDAP attribute. SL1 will use the value of the attribute as the username.
     • You can enter one or more AD or LDAP attribute names, surrounded by percent signs (%), with text preceding it and/or text appended. SL1 will retrieve the value of the attribute and use that value plus any preceding text or appended text as the username.
     • You can enter a string, with no AD or LDAP attribute specified. When you don't specify an AD or LDAP attribute in this field, SL1 will retrieve the uid attribute and append the string you specify in this field. SL1 will then use the value in the uid plus the appended string as the username.
     • Suppose we entered @ad.local in this field. Suppose the next LDAP/AD user logs in to SL1 with the username bishopbrennan. SL1 will log in that user as bishopbrennan@ad.local.
     • Suppose we entered %sn%-external in this field. Suppose the next SSO user logs in to SL1 with their sn (last name) attribute of krilly. SL1 will log in that user as krilly-external.

NOTE: A best practice is to use email addresses as usernames to avoid collisions.

  • Search Filter. Specifies where to find the user's account information in LDAP or AD. You must tell SL1 where to find the LDAP or AD attribute that maps to the user's account name in SL1.

For example, an LDAP user might use his/her uid value to log in to SL1. In the user account in SL1, that uid value will then become the user's Account Login Name.

You can use the following variables in the search filter:

  • %u. Login name in SL1.
  • %e. Email address.

  • An example search filter for LDAP might be:

(&(objectClass=person)(uid=%u))

This says to search in the object class called "person" for the uid that matches the login name entered when the user logs in to SL1 and then stored in the variable %u.

  • An example search filter for AD might be:

(samaccountname=%u)

This says to search for the samaccountname attribute that matches the login name (entered when the user logs in to SL1 and then stored in the variable %u).

  • For more information on the syntax of LDAP and AD search filters, see RFC 4515.
  • Sync directory values to EM7 on login. Select Disable. This feature is used to automatically update accounts in SL1.
  • Sync EM7 values to directory on save. If an administrator made changes to the user account in SL1, SL1 will automatically write those changes to the user's account in LDAP or AD. This option requires a write credential.

Attribute Mapping

Define these settings only if you have configured SL1 to automatically create accounts in SL1 for LDAP or AD users.

User Policy Alignment

  • Type. Specifies whether SL1 should automatically create accounts in SL1 for each LDAP or AD user in the search base (which is specified in the credential), whether SL1 should simply use LDAP or AD to authenticate one or more users, or whether SL1 will refuse to authenticate specific users. If you are using LDAP or AD to authenticate users but not automatically create new user accounts in SL1, your choices are:
     • Do not authenticate new users from directory. Only those users who have an account already created in SL1 can log in to SL1. However, if one or more users' Account Permissions page specifies LDAP/Active Directory in the Authentication Method field, SL1 will authenticate those users with either LDAP or AD, using the settings and credentials specified in this page.

  4. Click the Save button to save your changes to the new Authentication Resource.
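
The %u and %d expansion described for the RDN field of the credential and for the Search Filter field above, as an added example (not SL1 code; how SL1 expands these variables internally is not documented on this page). It shows a directory client escaping the login name per RFC 4514 for the bind DN and per RFC 4515 for the filter, so that a typed login name is always treated as data, and rejecting an empty password before any bind. The function names and the sample login names are constructed for illustration.

```python
import re

FILTER_SPECIALS = "\\*()\x00"   # must be escaped in a filter value (RFC 4515)
DN_SPECIALS = '"+,;<>\\'        # must be escaped in a DN value (RFC 4514)


def escape_filter_value(value):
    """Escape a value for an LDAP search filter as backslash + two hex digits."""
    return "".join("\\%02x" % ord(c) if c in FILTER_SPECIALS else c
                   for c in value)


def escape_dn_value(value):
    """Escape a value used as an attribute value inside a DN."""
    out = []
    last = len(value) - 1
    for i, c in enumerate(value):
        if c == "\x00":
            out.append("\\00")
        elif c in DN_SPECIALS:
            out.append("\\" + c)
        elif (i == 0 and c in " #") or (i == last and c == " "):
            # A leading space or '#', or a trailing space, changes how the
            # value is parsed, so it is escaped as well.
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def expand(template, login, domain, escape):
    """Replace %u and %d in a single left-to-right pass.

    A single pass means a login name that itself contains "%d" is never
    expanded a second time. %d comes from administrator configuration (the
    LDAP Domain field) and is inserted unchanged; %u comes from the login
    request and is always escaped for the context it lands in.
    """
    values = {"u": escape(login), "d": domain}
    return re.sub(r"%([ud])", lambda m: values[m.group(1)], template)


def bind_dn(template, login, domain=""):
    """Expand an RDN / Bind DN template such as 'uid=%u, ou=People, ...'."""
    return expand(template, login, domain, escape_dn_value)


def search_filter(template, login, domain=""):
    """Expand a Search Filter template such as '(samaccountname=%u)'."""
    return expand(template, login, domain, escape_filter_value)


def check_login(login, password):
    """Reject inputs that should never be sent to the directory server."""
    if not login:
        raise ValueError("empty login name")
    if not password:
        # RFC 4513 section 5.1.2: a simple bind with a DN and an empty
        # password is an unauthenticated bind, which a server may accept.
        raise ValueError("empty password")


if __name__ == "__main__":
    # Templates are the examples from this page; login names are constructed.
    rdn = "uid=%u, ou=People, dc=sciencelogic, dc=com"
    flt = "(&(objectClass=person)(uid=%u))"
    for login in ("bishopbrennan", "a)(uid=*", "x,ou=Admins"):
        print(repr(login))
        print("  bind DN:", bind_dn(rdn, login))
        print("  filter :", search_filter(flt, login))
```
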

Creating an Authentication Profile

An Authentication Profile is a policy for user authentication. Authentication Profiles align user accounts with one or more Authentication Resources.

  • Alignment by pattern matching. SL1 uses the URL or IP address that a user enters in a browser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URL or IP address matches the criteria specified in an authentication profile, SL1 will automatically use the matching profile to perform user authentication.
  • Credential Source. Specifies from where SL1 should extract the user name and password or certificate to be authenticated. These credentials are passed to SL1 via HTTP. SL1 then passes the credentials to each Authentication Resource specified in the Authentication Profile. The Authentication Resources authenticate the credentials with user stores.
  • Authentication Resource. Specifies the connector to use to communicate with the user store, the credential to use to connect to the user store (if applicable), and the URLs to examine during authentication. Also maps attributes from the user's account in the user store to fields in the SL1 user account.
  • Multi-factor Resource. Specifies the connector to use to communicate with the multi-factor endpoint. A Multi-factor Resource specifies the hostname or IP address of the Authentication Agent, the access key for communicating with the endpoint, and the URL of the RSA REST endpoint.

To create a new authentication profile:

  1. Go to the Authentication Profiles page (System > Settings > Authentication > Profiles).
  2. Click the Create button. The Authentication Profile Editor modal appears.
  3. Enter values in the following fields:
  • Name. Name of the authentication profile.
  • Priority Order. If your SL1 System includes multiple authentication profiles, SL1 evaluates the authentication profiles in ascending priority order. SL1 will apply the authentication profile that matches the hostname or IP in the current URL AND has the lowest value in the Priority Order field.
  • Pattern Type. Specifies how SL1 will evaluate the value in the AP Hostname Pattern field. Choices are:
     • Wildcard. SL1 will perform a text match, with wildcard characters (asterisks).
     • Regex. SL1 will use regular expressions to compare the AP Hostname Pattern to the current session information.
  • AP Hostname Pattern. This field is used to match the URL or IP address that a user enters in a browser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URL or IP address matches the value in this field, SL1 applies the authentication profile to the user for the current session.
     • For example, if you specify "*" (asterisk), any IP address or URL will match. SL1 will then apply this authentication profile to every session on an Administration Portal, Database Server, or All-In-One Appliance.
     • If you enter "192.168.38.235", SL1 will apply the authentication profile to each session on an Administration Portal, Database Server, or All-In-One Appliance where the user enters "192.168.38.235" into the browser.
     • If you enter "*.sciencelogic.local", SL1 will apply the authentication profile to each session on an Administration Portal, Database Server, or All-In-One Appliance where the user enters a URL ending with ".sciencelogic.local" into the browser.
     • Do not include underscores ( _ ) in the AP Hostname Pattern field. URLs with underscores are not considered valid in SL1 authentication profiles.

  • Available Credential Sources. This field tells SL1 how to retrieve the user's credentials from the HTTP request to SL1. To align a credential source with the authentication profile, highlight the credential source and click the right-arrow button. You can select zero, one, or multiple credential sources for the authentication profile. Initially, this pane displays a list of all the credential sources:
     • CAC/Client Cert. SL1 will retrieve a certificate from the HTTP request.
     • EM7 Login Page. SL1 will retrieve a user name and password from the ScienceLogic login page fields.
     • HTTP Auth. SL1 will retrieve a user name and password from the HTTP request.
     • For CAC authentication, align the CAC/Client Cert credential source. If this is your primary method of logging in to SL1, align CAC/Client Cert as the number one credential source. ScienceLogic recommends having EM7 Login Page aligned, as well, for administrator or maintenance access.
     • If you are using Single Sign-On (SSO) authentication, the Available Credential Sources field is ignored. You do not have to align a credential source because credentials are submitted directly to an Identity Provider (IdP) instead of SL1.

  • Aligned Credentials Sources. This field displays the list of credential sources that have been aligned with the authentication profile. The authentication profile will examine each credential source in the order in which it appears in this list. When the authentication profile finds the user's credential, the authentication profile stops examining any remaining credential sources in the list.
  • Available Authentication Resources. This field tells SL1 which authentication resources to use to authenticate the retrieved credentials. To align an authentication resource with the authentication profile, highlight the authentication resource and click the right-arrow button. You must select at least one authentication resource (but can select more than one). For details on creating an authentication resource, see the section on Authentication Resources.
  • Aligned Authentication Resources. This field displays the list of authentication resources that have been aligned with the authentication profile. The authentication profile will examine each authentication resource in the order in which it appears in this list. When an authentication resource successfully authenticates the user, the authentication profile stops executing any remaining authentication resources in the list.
  4. Click the Save button to save your changes to the new authentication profile.
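
The Priority Order and AP Hostname Pattern rules above, as an added example (a model for reviewing a set of profiles, not SL1's own matching code). It selects the matching profile with the lowest Priority Order value and reports profiles that can never be selected because a "*" profile outranks them. The profile names and priorities are constructed; that "*" is the only wildcard, that regex patterns are searched unanchored, and that ties go to the first profile listed are assumptions.

```python
import re
from typing import NamedTuple


class Profile(NamedTuple):
    name: str
    priority: int        # Priority Order field; lowest matching value wins
    pattern_type: str    # Pattern Type field: "wildcard" or "regex"
    pattern: str         # AP Hostname Pattern field


def matches(profile, host):
    """True if the hostname or IP from the URL matches the profile's pattern."""
    if profile.pattern_type == "wildcard":
        # Assumption: '*' is the only wildcard and the whole host must match.
        rx = ".*".join(re.escape(part) for part in profile.pattern.split("*"))
        return re.fullmatch(rx, host, re.IGNORECASE) is not None
    # Assumption: a regex matches anywhere in the host unless it is anchored.
    return re.search(profile.pattern, host, re.IGNORECASE) is not None


def select_profile(profiles, host):
    """Return the matching profile with the lowest Priority Order, or None."""
    candidates = [p for p in profiles if matches(p, host)]
    return min(candidates, key=lambda p: p.priority, default=None)


def audit(profiles):
    """List (profile name, finding) pairs worth reviewing before go-live."""
    findings = []
    catch_alls = [p for p in profiles
                  if p.pattern_type == "wildcard" and p.pattern.strip() == "*"]
    for p in profiles:
        if "_" in p.pattern:
            # The page states that underscores are not valid in this field.
            findings.append((p.name, "underscore in pattern"))
        for c in catch_alls:
            # "*" matches every host, so any profile with a higher Priority
            # Order value than a "*" profile is never applied.
            if c is not p and c.priority < p.priority:
                findings.append((p.name, "shadowed by catch-all " + c.name))
    return findings


# Constructed sample configuration using the pattern examples from this page.
PROFILES = [
    Profile("portal-ip", 1, "wildcard", "192.168.38.235"),
    Profile("regex-ap", 2, "regex", r"^ap\d+\.sciencelogic\.local$"),
    Profile("catch-all", 3, "wildcard", "*"),
    Profile("ldap-users", 5, "wildcard", "*.sciencelogic.local"),
]

if __name__ == "__main__":
    for host in ("192.168.38.235", "ap2.sciencelogic.local",
                 "sl1.sciencelogic.local"):
        print(host, "->", select_profile(PROFILES, host).name)
    for name, finding in audit(PROFILES):
        print("review:", name, "-", finding)
```

In this sample, sessions on sl1.sciencelogic.local are handled by the "*" profile and its Authentication Resources rather than by the more specific "*.sciencelogic.local" profile, which is the ordering mistake the audit reports.
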