User authentication
To use the System Management Console or the Search Console for the default tenant, a user needs to supply a username and password for authentication. User authentication is the process of checking whether the combination of the specified username and password is valid.
For user accounts defined in HCP, the system supports local and RADIUS authentication. User accounts defined in AD must be authenticated by AD. RADIUS and AD authentication are types of remote authentication.
To use the HCP management API with an HCP user account, the user specifies the account credentials in each request. To use the API with a recognized AD user account, applications must use the SPNEGO protocol to negotiate the AD user authentication themselves.
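The following is an added example, not code from the HCP documentation, showing what "specifies the account credentials in each request" looks like for an HCP user account: every management API call carries its own Authorization header, with no session to establish first. The header layout (the literal `HCP` scheme followed by the base64 username, a colon, and the hex MD5 of the password), the management API port 9090 and the `/mapi/` path are assumptions drawn from HCP's REST documentation and should be confirmed against the release in use. Note the security consequence: MD5 is not a secret-preserving transform, so the header is only as private as the TLS channel it travels over.

```python
"""Build per-request credentials for HCP management API calls.

Added example, not HCP's own code. The header format, port and path below
are assumptions taken from HCP's REST documentation; verify them for your
release. Usernames and passwords here are constructed placeholders.
"""
import base64
import hashlib
import urllib.request


def hcp_auth_header(username: str, password: str) -> str:
    """Return the Authorization header value for an HCP user account.

    Assumed format: 'HCP <base64(username)>:<md5hex(password)>'.
    The MD5 step is a transport encoding, not a protection: anyone who
    reads the header can replay it, so the request must go over HTTPS.
    """
    user_b64 = base64.b64encode(username.encode("utf-8")).decode("ascii")
    pw_md5 = hashlib.md5(password.encode("utf-8")).hexdigest()
    return f"HCP {user_b64}:{pw_md5}"


def mapi_request(host: str, path: str, username: str, password: str,
                 method: str = "GET") -> urllib.request.Request:
    """Assemble a stateless management API request.

    Because HCP authenticates each request independently, the credentials
    are attached here rather than obtained from a prior login call.
    Port 9090 and the '/mapi/' prefix are assumptions (see module docstring).
    """
    if not path.startswith("/mapi/"):
        raise ValueError("management API paths are assumed to live under /mapi/")
    url = f"https://{host}:9090{path}"
    headers = {
        "Authorization": hcp_auth_header(username, password),
        "Accept": "application/json",
    }
    return urllib.request.Request(url, method=method, headers=headers)


if __name__ == "__main__":
    # Constructed values; nothing is sent unless you call urlopen yourself.
    req = mapi_request("hcp.example.com", "/mapi/tenants", "admin", "password")
    print(req.full_url)
    print(req.get_header("Authorization"))
```

Because the credentials are replayable, treat the header like the password itself: never log it, and pin or validate the HCP certificate on the client side rather than disabling verification.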
Local authentication
For locally authenticated users, the user account password is stored in the HCP system. At user login, HCP checks the submitted username and password internally.
HCP lets the user into the target Console if these conditions are true:
- The combination of the specified username and password is valid.
- The user account is enabled.
- The user account is associated with a role that grants permission to access the target Console.
If any of these conditions is not true, HCP doesn’t let the user in.
You can change the passwords of locally authenticated users in the System Management Console. These users can also change their own passwords in whichever Console they have access to: the System Management Console or the Search Console.
RADIUS authentication
For RADIUS-authenticated users, the user account password is stored outside the HCP system. At user login, HCP securely sends the submitted username and password to a RADIUS server. That server checks whether the username and password are valid and returns the result to HCP. Only the password check is delegated; the enabled and role checks below are still made by HCP against the account it holds.
HCP lets the user into the target Console if these conditions are true:
- The combination of the specified username and password is valid.
- The user account is enabled.
- The user account is associated with a role that grants permission to access the target Console.
If any of these conditions is not true, HCP doesn’t let the user in.
All password management for RADIUS-authenticated users is handled by the RADIUS server. You cannot use the System Management Console to set or change the passwords of RADIUS-authenticated users.
Active Directory authentication
For AD-authenticated users, the username and password for the user account are stored in AD. If the user is signed into a Windows client, HCP relies on Windows to have already validated the username and password with AD (this is single sign-on). However, if the user provides an AD username and password on the System Management Console or Search Console login page, HCP securely sends the specified username and password to AD for authentication.
HCP lets an authenticated user into the target Console only if these conditions are true:
- The user belongs to at least one AD group for which a corresponding group account exists in HCP.
  Note: Alternatively, the user can belong to an AD group that's nested at any level under another group for which a corresponding HCP group account exists. In this case, however, any parent groups that are defined in a domain other than the user's domain must be universal.
- At least one such group account is associated with a role that grants permission to access the target Console.
If either of these conditions is not true, HCP doesn’t let the user in.
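The nested-group rule above is the part that is easy to get wrong when you audit who can reach a Console, so here is an added example (not HCP code) that models the decision: walk the user's AD group memberships upward through nesting, discard any parent group that lives in a foreign domain unless it is universal, and then require at least one surviving group to have an HCP group account whose role grants the target Console. The directory, domains, group names, scopes and the role-to-Console mapping are all constructed for the example; the real role names and what each grants are defined by your HCP configuration.

```python
"""Model of HCP's Console-access decision for AD-authenticated users.

Added example, not HCP code. It implements the two conditions from the
text, including the nested-group caveat: parent groups in another domain
only count if they are universal. All names and roles are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Set, Tuple


@dataclass(frozen=True)
class ADGroup:
    domain: str
    scope: str                       # "global", "domainlocal" or "universal"
    member_of: Tuple[str, ...] = ()  # groups this group is nested under


@dataclass(frozen=True)
class HCPGroupAccount:
    ad_group: str                    # AD group the HCP group account mirrors
    roles: FrozenSet[str]


# Constructed mapping of which roles grant which Console (assumption).
CONSOLE_ROLES: Dict[str, FrozenSet[str]] = {
    "System Management Console": frozenset({"administrator", "monitor"}),
    "Search Console": frozenset({"search"}),
}


def effective_groups(user_domain: str, direct_groups: Iterable[str],
                     directory: Dict[str, ADGroup]) -> Set[str]:
    """Direct memberships plus every group reachable by nesting.

    A parent defined outside the user's domain is neither counted nor
    traversed unless its scope is universal, mirroring the text's caveat.
    """
    seen: Set[str] = set(direct_groups)
    stack = list(direct_groups)
    while stack:
        group = directory[stack.pop()]
        for parent_name in group.member_of:
            parent = directory[parent_name]
            if parent.domain != user_domain and parent.scope != "universal":
                continue  # foreign, non-universal parent: does not count
            if parent_name not in seen:
                seen.add(parent_name)
                stack.append(parent_name)
    return seen


def console_access(console: str, user_domain: str, direct_groups: Iterable[str],
                   directory: Dict[str, ADGroup],
                   hcp_accounts: Iterable[HCPGroupAccount]) -> Tuple[bool, str]:
    """Return (allowed, reason) for an already-authenticated AD user."""
    groups = effective_groups(user_domain, direct_groups, directory)
    matching = [a for a in hcp_accounts if a.ad_group in groups]
    if not matching:
        return False, "no effective AD group has an HCP group account"
    granted = CONSOLE_ROLES[console]
    for account in matching:
        if account.roles & granted:
            return True, f"via {account.ad_group} ({', '.join(sorted(account.roles & granted))})"
    return False, "no HCP group account carries a role for this Console"


# Constructed directory: two domains, 'corp' and 'hq'.
DIRECTORY: Dict[str, ADGroup] = {
    "storage-ops@corp": ADGroup("corp", "global",
                                member_of=("it-admins@corp", "hq-monitors@hq")),
    "it-admins@corp":   ADGroup("corp", "global", member_of=("hcp-sysadmins@hq",)),
    "hcp-sysadmins@hq": ADGroup("hq", "universal"),   # foreign but universal
    "hq-monitors@hq":   ADGroup("hq", "global"),      # foreign and NOT universal
}

# Constructed HCP group accounts and their roles.
HCP_ACCOUNTS = [
    HCPGroupAccount("hcp-sysadmins@hq", frozenset({"administrator"})),
    HCPGroupAccount("hq-monitors@hq", frozenset({"monitor"})),
]


if __name__ == "__main__":
    for console in CONSOLE_ROLES:
        print(console, console_access(console, "corp", ["storage-ops@corp"],
                                      DIRECTORY, HCP_ACCOUNTS))
```

For the constructed user in `corp` who is directly in `storage-ops@corp`, the System Management Console is granted through `it-admins@corp` and then the universal `hcp-sysadmins@hq`, while the path through `hq-monitors@hq` is discarded because that parent is a non-universal group in another domain. The same user gets no Search Console access because no surviving group account carries a role for it. A user whose own domain is `hq` and who is directly in `hq-monitors@hq` is admitted through that group, since the universal rule only constrains parents in a foreign domain.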
All password management for AD-authenticated users is handled by AD. You cannot use the System Management Console to set or change the passwords of AD-authenticated users.