Authentication using domain accounts

To allow users to perform authentication in the KUMA console using their own domain account credentials, perform the following configuration steps.

1. Enable domain authentication if it is disabled.

   Domain authorization is enabled by default, but a connection to the domain is not configured.

2. Configure a connection to the domain controller.

   The following connections are available:

   • Active Directory (AD)
   • Active Directory Federation Services (ADFS)
   • FreeIPA

   The AD and ADFS connection settings can be configured at the same time.

   You can connect to one domain only.

3. Add groups of user roles.

   You can specify a domain group for each KUMA role. After authenticating using their domain accounts, the users from this group get access to the KUMA console in accordance with the specified role.

   The application checks whether the user group matches the specified filter according to the following order of roles in the KUMA console: operator → first line analyst → analyst → tenant administrator → general administrator. Upon the first match, the program assigns a role to the user and does not check any further. If a user matches two groups in the same tenant, the role with the least privileges will be used. If multiple groups are matched for different tenants, the user will be assigned the specified role in each tenant.

Special considerations for logging in after configuring domain authentication

For successful authentication, the following conditions must be met:

• FreeIPA: when logging into the system, the user must capitalize the domain name in the login. Example: user@FREEIPA.COM.
• AD/ADFS: when logging into the system, the user must specify UserPrincipalName in the login. Example: user@domain.ru.

If you complete all the configuration steps but the users are not able to use their domain accounts for authentication in the KUMA console, we recommend checking the configuration for the following problems:

• An email address is not indicated in the properties of the user account in Active Directory. If this is the case, an error message is displayed during the user's first authentication attempt and a KUMA account is not created.
• There is already an existing local KUMA account with the email address indicated in the domain account properties. If this is the case, the error message is displayed when the user attempts to perform authentication with the domain account.
• Domain authorization is disabled in the KUMA settings.
• An error occurred when entering the group of roles.
• The domain user name contains a space.

In this section Enabling and disabling domain authentication Configuring connection between KUMA and FreeIPA Configuring connection between KUMA and Active Directory Configuring connection between KUMA and Active Directory Federation Services

Page top