Configuring authentication
Prerequisite
- Access to the Configuration > Authentication (CM008) menu.
Refer to the Identity and authentication document for a detailed description of the prerequisites and restrictions referring to authentication configuration for each mode available in SoftExpert Suite.
Introduction
Through SoftExpert Configuration, it is possible to set all configurations referring to the authentication of users in the system.
See how to perform these adjustments:
Configuring authentication
1. Access the Configuration > Authentication (CM008) menu.
2. Configure user authentication in SoftExpert Suite:
Authentication options
In this section, it is possible to define how users will be authenticated in the system.

To do so, in the Authentication mode section, check the desired option:
Internal | It uses the SoftExpert Suite authentication standard, that is, the login and password configured when the user was created. |
NTLM v2 | It allows the user to authenticate themselves and access the product with the ID and password they use on their operating system. It works through the NTLM protocol to ensure communication security. |
LDAP | It allows the user to authenticate themselves and access the product with the ID and password they use on their operating system. It works through the LDAP protocol to ensure communication security. |
SAML 2.0 | Suitable for scenarios in which the execution server, on which SoftExpert Suite is running, and the LDAP server, which contains the user repository, are installed in different domains. It allows the user to access the product through the Single Sign-On feature. |
OpenID Connect | A more recent protocol built on OAuth 2.0, it provides a simpler and lighter approach to SSO on web and mobile applications. Suitable for authenticating users available in an external identity provider service. It allows the user to access the product through the Single Sign-On feature. |
To learn more about each authentication mode and find the best one for your organization, refer to the Authentication modes topic in the Identity and authentication document.
Authentications of the NTLM v2, LDAP, and SAML 2.0 types use an LDAP server to authenticate users. Refer to the Configuration for direct directory service access topic in the Identity and authentication document for more details on the configuration of this server.
Authentication services
The tabs in this section will only be enabled if the SAML 2.0 or OpenID Connect authentication mode is enabled.
With these authentication modes, single sign-on is enabled; the system uses the same login and password the user inserts to authenticate themselves in the operating system or in the identity service browser. This means that the user does not need to provide their credentials directly on the authentication screen of SoftExpert Suite, which makes the process more practical and convenient.
This approach uses the SAML 2.0 or OpenID Connect authentication protocols, which are considered more secure in comparison with previous methods. SoftExpert Suite integrates with the identity provider, allowing authentication information to be securely shared among systems.
Choosing between SAML 2.0 and OpenID Connect depends on the organization's specific requirements and on the applications being used. SAML 2.0 is more structured and secure, whereas OpenID Connect is simpler and lighter.
The toolbar located in the upper part of the tabs contains the following buttons:


See further details on adding new configurations in the Configuring single sign-on with OpenID Connect and Configuring authentication in AD FS with SAML 2.0 topics.
Directory integration
Domains
This section will only be enabled if the NTLM v2, LDAP, and/or SAML 2.0 authentication modes are checked.

The LDAP server must be configured in this section. In corporate environments with branches or rules segmented by department or position, LDAP servers are often distributed as a "forest". The term "forest" identifies an infrastructure made up of one or more domain trees.
Use the buttons below to configure the connection with multiple LDAP domains:
- Click on this button to add a new LDAP connection. See further details in the Configuration for direct directory service access topic.
- Click on this button to edit the connection selected in the list of records.
- Click on this button to delete the connection selected in the list of records.
- Click on this button to disassociate the users from the domain. Select the desired records before clicking on the button.
- Click on this button to reload the tab.
General options

Option | Checked | Unchecked |
Enable synchronization scheduling | The LDAP server synchronization scheduling will be enabled daily at midnight. This recurrence can be changed through the Monitoring > Scheduling (CM019) menu. | The synchronization will be executed manually only, by clicking on the toolbar button located in the Authentication (CM008) menu. |
Accumulate department and position of the users | When the synchronization is executed, user departments and positions will be updated, without previous departments and positions being removed. | Only the domain controller department will be maintained; the other ones will be unlinked from the user. |
Log in automatically when integrated authentication is enabled | User sessions will be automatically started when any page is accessed in the system, such as a link received via e-mail, for example. Thus, the login screen will not be displayed for the credentials to be typed, and the system will use the directory service authentication credentials that the user provides when authenticating in the domain. The login screen will only be accessed if the entered URL is the specific page address – for example: https://example.softexpert.com/softexpert/login.* | When a system URL is accessed, the login screen will be displayed and, after completing the authentication, the system will redirect the user to the requested page. |
Enable logout with single sign-on | This option must only be checked if single sign-on is enabled for use. Thus, when the user logs in, they must select the desired license key. Only the keys associated with the access groups related to the user will be available for selection. | The user will access the system with the license key from their last access. They may edit their license key after logging in, through the Edit license key menu in the suspended panel on the right side of the main screen of the system. |
Enable integrated authentication for users that are not synchronized | This option must only be checked if single sign-on is enabled for use. Once the user logs out, SoftExpert Suite will delete their session. | When the user logs out, their session remains active. |
Synchronize inactive users | It allows users to single sign-on even without integration with AD. This parameter must be configured when it is necessary to import users in a way other than via direct integration with AD, as single sign-on (SAML) can work without this integration. If this parameter is enabled, a domain to synchronize AD users must not be registered, as this can cause conflicts in single sign-on. | Only synchronized users will have single sign-on enabled. |
*When the user accesses the default system URL (or any other system URL), without being authenticated in the directory service, an authentication page from the domain controller itself may be displayed, depending on the applied infrastructure configurations.
If the user has the credentials for authentication in the service, they must provide them; then, the service will redirect the user to the SoftExpert Suite page. If the user does not have credentials to log in to the directory service, or did not have access to the domain controller login page, we recommend accessing through the SoftExpert Suite login URL.
It may be necessary to type the credentials on the login screen when:
- It is necessary to access the system with the admin user.
- The user does not have credentials in the directory service and only accesses the system through an internal user.
- The system is accessed through a network without access to the directory service, and there are other protocols allowed to be used, such as NTLMv2 or LDAP.
Licenses
In this section, it is possible to configure how the automatic process for license distribution will be carried out, which happens when the user logs in.

When the user logs in, the license will be prioritized according to the definition configured in the section. The admin user must choose among the following options:
- Use the last license chosen by the user.
- Use the lowest permission license.
- Use the highest permission license.
If this configuration is not defined/changed, the system's default behavior will be applied, with priority being given to the last license chosen by the user.
User synchronization history
This section displays the history of user synchronizations executed in the system.

It is possible to view the start and end date and time of the synchronization, its status (Executing, Executing with errors, Loading AD information, Loading SoftExpert Suite users, Comparing the users of SoftExpert Suite with the users of AD, Calculating permissions of users, Finished, and Finished with errors), the number of processed records, records with permission, and records with errors.
To track a synchronization being executed, click on the button to update its status.
The Calculating permissions of users status indicates that new users are being added, and the system is creating the access permission structure for them. This step may take a while to complete, depending on the number of new users.
The progress of the user permission processing can be tracked in the With permission column. The statuses reporting errors refer to users with information missing, invalid formats, or conflicting information, and the reason for the error can be seen in the import details.
To view the details of an import (users with error, as well as updated, imported, and disabled users), select its history record and click on the button.
To see more details about possible errors in the synchronization process and how to fix them, refer to the Errors that can occur in user synchronization topic in the Identity and authentication document.
Use the button to delete the record selected in the list of records.
Team synchronization history
This section displays the history of team synchronizations executed in the system.

It is possible to view the start and end date and time of the synchronization, its status (Executing, Executing with errors, Loading AD information, Loading SoftExpert Suite users, Comparing the users of SoftExpert Suite with the users of AD, Calculating permissions of users, Finished, and Finished with errors), the number of processed records, records with permission, and records with errors.
To track a synchronization being executed, click on the button to update its status.
The Calculating permissions of users status indicates that new teams are being added, and the system is linking them to users. This step may take a while to complete, depending on the number of new teams and on the number of users that will be linked to each one of them.
To see the details of an import (teams with errors, as well as updated, imported, and disabled teams), select its history record and click on the button.
Use the button to delete the record selected in the list of records.
SE-Identity history
This section displays the records referring to the simulation and synchronization processes of SoftExpert Identity (except for records prior to the time set in the audit configurations).

It is possible to identify where the application is installed and the network address of the computer on which it was installed, as well as the application version and other information regarding the executed process.
If any errors that prevent the synchronization/simulation process from starting occur, the record status will be shown as Error, and the details can be viewed by selecting the record and clicking on the button.
For more information about the configurations of the External user access section, refer to the Configuring external user access - Authentication article.
Available buttons
Learn about the operations that can be performed through the buttons located in the upper part of the Authentication (CM008) menu:
- Click on this button to save the configurations set on the authentication configuration screen.
- Click on this button to execute a synchronization simulation, based on the applied authentication configurations, without actually making any changes in SoftExpert Suite.
- Click on this button to view the synchronization simulation.
- Click on this button to release all connections for synchronization.
- Click on this button to synchronize the system.
- Click on this button to reload the authentication configuration screen.
- Click on this button to download SoftExpert Identity (se-identity.zip). SoftExpert Identity is an application that synchronizes the SoftExpert Suite users with the Microsoft AD users, when SoftExpert Suite does not have direct access to the Microsoft AD server. Refer to the Configuration for synchronization without direct access to the directory service - SoftExpert Identity topic for details on how to configure and execute the synchronization with SoftExpert Identity.
Conclusion
Thus, with this information, you will be able to choose the configuration mode that suits your organization and apply the necessary adjustments for it to work correctly.
Access the Configuring authentication security article to learn about the configurations related to passwords and logins in the system.