Authentication Tab

Use this tab to define how Costpoint verifies user login.

Authentication is a process by which Costpoint verifies that the individuals logging into the system are who they claim to be.

Costpoint security supports in-house users, consultants, and remote office users.

  • In-house users are members of the corporate Active Directory and are always logged in to the corporate LAN.
  • Consultants are also members of the corporate Active Directory, but may or may not be logged in to the corporate LAN.
  • Remote office users are not members of the corporate Active Directory and are not logged in to the corporate LAN.

Costpoint has a number of authentication methods available, but all methods ultimately require the use of a password.

Use this screen whenever you need to set up or maintain the authentication method you want your users to use.

Authentication Settings

Use this group box to establish the process by which to authenticate this user.

Field Description
Authentication Method

Use this drop-down list to select the authentication method to use for this user. The following table lists the different authentication methods available.

Authentication Method Description
Kerberos Single Sign-on

This method enables users to log in to a network and access all authorized resources within the enterprise or at different web sites on the internet. A single sign-on program accepts the user's name and password and automatically logs in to all appropriate servers. In this method:

  • The user ID is stored in both the Active Directory and a Costpoint database.
  • The Costpoint user ID can be mapped to a different Active Directory user ID.
  • The password is stored only in the Active Directory.
  • Users should not enter their user ID and password on the login screen.
  • This method can be used only for in-house users.

FIDO

In the Fast Identity Online (FIDO) method:

  • The user ID is stored in the Costpoint database.
  • No password is stored. Authentication is based on private-key/public-key cryptography and is completely passwordless. To log in, a user must have a valid FIDO device such as a FIDO USB key, or use a biometric (typically a fingerprint, face recognition, or a personal PIN).
  • Users must enter their user ID on the login screen.
  • This method can be used for either in-house users or remote consultants or subcontractors.

SAML Single Sign-on

This method enables users to log on to Costpoint in Single Sign-on mode through Security Assertion Markup Language (SAML) tokens. This method is allowed if the user has previously been authenticated by a third-party SAML Identity Provider, such as Microsoft Active Directory Federation Services (AD FS) or Microsoft Azure. The user's credentials are stored and verified by the SAML Identity Provider.

Kerberos Single Sign-on or SAML Single Sign-on

This method enables users to log on to Costpoint in Single Sign-on mode either through Windows AD Kerberos tokens (if the user has been successfully authenticated to the LAN) or through SAML tokens.

Database

In this method:

  • The user ID and password are stored in a Costpoint database.
  • Oracle or SQL Server database user accounts are not used.
  • The password is stored in hashed form: SHA-2 (Secure Hash Algorithm 2) with the user ID used as the 'salt'.
  • A challenge-response algorithm is used for authentication with a server-side generated nonce (a random number generated to protect against replay attacks).
  • The user credentials, combined with the nonce, pass from the client in encrypted form (Advanced Encryption Standard, AES).
  • Users must enter their user ID and password on the login screen.
  • This method can be used for all three security use cases: in-house, consultants, and remote.
  • This is the only method that can be used for remote office users.
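The storage and challenge-response rules listed for the Database method can be pictured with a short Python sketch. This is an added illustration, not Costpoint's code: it stores SHA-256(user ID + password) as one reading of the page's "SHA-2 with the user ID as salt" rule, has the server issue a random single-use nonce, and has the client answer with an HMAC of that nonce keyed by the stored hash. The digest layout, the HMAC construction and the AuthServer/client_response names are assumptions; the AES wrapping of the client message that the page mentions is left out.

```python
import hashlib
import hmac
import secrets


def password_hash(user_id: str, password: str) -> str:
    """SHA-256 of the password salted with the user ID.

    Assumption: the salt is the lower-cased user ID prepended to the password and
    the hex digest is what the user table stores; the page gives the rule, not the layout.
    """
    return hashlib.sha256((user_id.lower() + password).encode("utf-8")).hexdigest()


class AuthServer:
    """User table plus the outstanding login nonce per user (assumed names)."""

    def __init__(self):
        self._users = {}    # user_id -> stored salted hash
        self._nonces = {}   # user_id -> nonce issued for the current login attempt

    def create_user(self, user_id, password):
        self._users[user_id.lower()] = password_hash(user_id, password)

    def challenge(self, user_id):
        """Issue a fresh random nonce; a new challenge replaces any earlier one."""
        nonce = secrets.token_bytes(16)
        self._nonces[user_id.lower()] = nonce
        return nonce

    def verify(self, user_id, response):
        """Check the client's response; the nonce is consumed whether or not it matches."""
        key = user_id.lower()
        nonce = self._nonces.pop(key, None)
        stored = self._users.get(key)
        if nonce is None or stored is None:
            return False
        expected = hmac.new(stored.encode("ascii"), nonce, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def client_response(user_id, password, nonce):
    """What the client sends back: HMAC-SHA256 of the nonce keyed by the salted hash."""
    derived = password_hash(user_id, password)
    return hmac.new(derived.encode("ascii"), nonce, hashlib.sha256).hexdigest()


def demo():
    """One successful login, one replay of the same response, one wrong password."""
    server = AuthServer()
    server.create_user("JSMITH", "Correct-Horse-42")   # constructed credentials
    nonce = server.challenge("JSMITH")
    good = client_response("JSMITH", "Correct-Horse-42", nonce)
    ok = server.verify("JSMITH", good)
    replayed = server.verify("JSMITH", good)           # nonce already consumed
    nonce2 = server.challenge("JSMITH")
    wrong = server.verify("JSMITH", client_response("JSMITH", "not-it", nonce2))
    return {"ok": ok, "replayed": replayed, "wrong": wrong}


if __name__ == "__main__":
    print(demo())
```

Two properties of this sketch are worth keeping in mind when reviewing any scheme of this shape: the nonce is consumed on the first verify call, so a captured response cannot be presented again; and the stored hash is by itself enough to answer a challenge, so the user table needs the same protection as the password it replaces. Using the user ID as the salt also means the same user ID and password hash identically everywhere the rule is applied; a random per-user salt is the stronger general choice.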
Active Directory

Active Directory is an advanced, hierarchical directory service that comes with Windows 2000 servers. In this method:

  • The user ID is stored in both the Active Directory and a Costpoint database.
  • The Costpoint user ID can be mapped to a different Active Directory user ID.
  • The password is stored only in the Active Directory.
  • Users must enter their user ID and password on the login screen.
  • Either the Costpoint or the Active Directory user ID can be used to log in to Costpoint.
  • This method can be used for either in-house users or consultants.

Kerberos Single Sign-on or Active Directory

In this method:

  • The user ID is stored in both the Active Directory and a Costpoint database.
  • The Costpoint user ID can be mapped to a different Active Directory user ID.
  • The password is stored only in the Active Directory.
  • Users are allowed to log in using either the Active Directory or the Single Sign-On method.
  • The Single Sign-On method requires the user to be logged in to the LAN.
  • This method can be used for either in-house users or consultants, but is intended for consultants. Users can take advantage of Single Sign-On while logged in to the LAN, but will still be able to log in using the Active Directory method while traveling or at a customer site.

Kerberos Single Sign-on or Database

In this method, you can use either the Single Sign-on or the Database authentication approach. Single Sign-on works only if the client is already authenticated on the domain, which usually happens when the client is already within the network. If the end user is remote and not logged in to the Windows domain, the user ID and password can be validated against the database (Database authentication).

Windows Domain and Active Directory

In this method:

  • The user ID is stored in both the Active Directory and a Costpoint database.
  • The Costpoint user ID can be mapped to a different Active Directory user ID.
  • The password is stored only in the Active Directory.
  • The following two conditions should be met for a successful login:
    • Users must enter their user ID and password on the login screen.
    • Users must be logged in to the LAN.
  • This method can be used only for in-house users.
  • This method provides extra security. The Active Directory method is used as a starting point, but users must also be logged in to the LAN. Users cannot log in from outside the corporate network.

Windows Domain and Database

In this method:

  • The user ID and password are stored in a Costpoint database.
  • The same rules for password storage and transmission apply as for the Costpoint Database authentication method.
  • The following two conditions should be met for a successful login:
    • Users must enter their user ID and password on the login screen.
    • Users must be logged in to the LAN.
  • This method can be used only for in-house users.
  • This method provides extra security. The Costpoint Database method is used as a starting point, but users must also be logged in to the LAN. Nobody can log in from outside the corporate network.

Certificate Single Sign-on

Select this method if your server is Transport Layer Security (TLS)-enabled and you have a TLS client certificate installed on the workstation.

With this authentication method, you do not need to enter a user ID and password to log in to Costpoint. The system matches the ID in the certificate to the Costpoint user with this authentication ID.

You must also enter the ID in the Active Directory or Certificate ID field. If the ID field is not populated when you insert or update a user record, this error displays: "With the authentication method you've selected, you must also enter an Active Directory or Certificate ID."

FIDO Single Sign-on

Select this check box to let the user log in using a FIDO or biometric device, such as a FIDO USB key or a biometric (a fingerprint, face recognition, or a personal PIN). You can allow such a user to register a new FIDO device by executing the Generate new FIDO Device self-registration link action.

Password

Use this field to enter a password for this user. The format of the password must conform to the password requirements set up in the Corporate Settings block on the Configure System Settings screen. Rights to change or update passwords can be assigned on the Information tab.

Generate Random Password

Select this check box to enable the application to generate a random and temporary password based on your system password policy (minimum length, require number, mixed case, and so on). The password is then captured and communicated to the end user in an email.

A valid email address must be entered on the Workflow tab of this application. If email cannot be sent by the application, the following message displays: "Password generation requires the system to use an email server and either the email server has not been setup in Configure System Settings or the email server is currently not available. Please verify the email server setup or remove the check box to generate random password."

This option is available only if the Costpoint Database option is selected from the Authentication Method drop-down list. When this check box is selected, the Costpoint Password field is disabled (no password is required).

The email message sent to the user(s) is:

To: <Email address for this user>

Subject: Costpoint web account password

Content:

A temporary password has been assigned to your Costpoint web account. Please use this password and other information below for Costpoint web login. You will need to change your password on your initial login since this is only a temporary password.

URL: <http URL from System Settings>

User ID: <Costpoint Web User ID>

Password: <Random password assigned>

System: <System ID>
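One way to generate a temporary password that satisfies a policy of the kind described for this check box (minimum length, required number, mixed case) and to fill in the notification text shown above. This is an added example, not Costpoint's code: the PasswordPolicy fields, the SPECIALS set and the render_notification helper are assumptions; the email wording follows the template on this page.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """Assumed shape of the password policy kept on the Configure System Settings screen."""
    min_length: int = 12
    require_number: bool = True
    require_mixed_case: bool = True
    require_special: bool = False


SPECIALS = "!@#$%^&*-_=+"   # constructed set of allowed special characters


def meets_policy(password: str, policy: PasswordPolicy) -> bool:
    """Return True when the password satisfies every enabled policy rule."""
    if len(password) < policy.min_length:
        return False
    if policy.require_number and not any(c.isdigit() for c in password):
        return False
    if policy.require_mixed_case and not (
        any(c.islower() for c in password) and any(c.isupper() for c in password)
    ):
        return False
    if policy.require_special and not any(c in SPECIALS for c in password):
        return False
    return True


def generate_temporary_password(policy: PasswordPolicy, length: Optional[int] = None) -> str:
    """Build a random password that satisfies the policy, using the OS CSPRNG."""
    length = max(length or policy.min_length, policy.min_length)
    alphabet = string.ascii_letters + string.digits
    if policy.require_special:
        alphabet += SPECIALS
    # Pick one character per mandatory class first, so the policy holds by construction ...
    required = []
    if policy.require_number:
        required.append(secrets.choice(string.digits))
    if policy.require_mixed_case:
        required.append(secrets.choice(string.ascii_lowercase))
        required.append(secrets.choice(string.ascii_uppercase))
    if policy.require_special:
        required.append(secrets.choice(SPECIALS))
    if len(required) > length:
        raise ValueError("policy needs more character classes than the length allows")
    # ... then fill the rest from the whole alphabet and shuffle so position reveals nothing.
    chars = required + [secrets.choice(alphabet) for _ in range(length - len(required))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def render_notification(email: str, user_id: str, url: str, system_id: str, password: str) -> str:
    """The email text from this page's template, filled in for one user."""
    return (
        f"To: {email}\n"
        "Subject: Costpoint web account password\n\n"
        "A temporary password has been assigned to your Costpoint web account. "
        "Please use this password and other information below for Costpoint web login. "
        "You will need to change your password on your initial login since this is "
        "only a temporary password.\n\n"
        f"URL: {url}\nUser ID: {user_id}\nPassword: {password}\nSystem: {system_id}\n"
    )


if __name__ == "__main__":
    policy = PasswordPolicy()
    temp = generate_temporary_password(policy)
    # constructed recipient, URL and system ID
    print(render_notification("jsmith@example.com", "JSMITH", "https://costpoint.example.com", "CP1", temp))
```

The generator draws every character from secrets rather than random, and checks the policy by construction rather than by looping until a random string happens to pass. Because the password travels in plain email and is valid until the first login forces a change, treat it as a one-time credential: keep the rendered message out of application logs and make sure the first-login change is enforced.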

Verify Password

Use this field to re-enter the password for verification purposes. If the password entered on this line does not exactly match the password entered on the previous line, an error message displays when you attempt to save the page.

Active Directory or Certificate ID

Use this field to enter the user's active directory ID or certificate ID. The active directory ID is required for any of the authentication methods that require the Active Directory authentication method. The certificate ID is required when you select the Certificate SSO option from the Authentication Method drop-down list.

Manage User Groups in Active Directory

Select this check box to manage user groups in the Active Directory. This check box is enabled only when you select any of the following options from the Authentication Method drop-down list:

  • Single Sign-on
  • Active Directory
  • Single Sign-on or Active Directory
  • Single Sign-on or Database
  • Windows Domain and Active Directory
  • Windows Domain and Database

When you select this check box for this user, this user is automatically assigned to the user groups mapped to the Active Directory entered in the Active Directory or Certificate ID field. Upon login, the user groups linked to the Active Directory to which this user belongs display on the Assigned User Groups subtask. User groups linked to a user but not mapped to the Active Directory still display on the Assigned User Groups subtask. A user can be a member of Costpoint-only user groups and can also dynamically become a member of other user groups linked to the Active Directory.

Note: If you clear this check box or change the authentication method after the user is assigned to user groups linked to the Active Directory, the user will remain assigned to those user groups.

When you remove the user from the Active Directory, the user will also be removed from the Costpoint user group linked to the Active Directory.
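The group-membership rules in this section can be modelled in a few lines. This is an added example, not Costpoint's code: at login a user keeps their Costpoint-only groups, dynamically gains every Costpoint group linked to an Active Directory group they belong to, loses a linked group once they are no longer in that Active Directory group, and keeps previously gained groups if the check box is later cleared. The group names, the Active Directory group names, the directory lookup table and the assumption that removal is only applied while the check box is selected are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class User:
    user_id: str
    ad_id: Optional[str]              # value of the Active Directory or Certificate ID field
    manage_groups_in_ad: bool         # the Manage User Groups in Active Directory check box
    assigned_groups: Set[str] = field(default_factory=set)


# Costpoint user group -> linked AD group, or None for a Costpoint-only group (constructed)
GROUP_AD_LINKS: Dict[str, Optional[str]] = {
    "CP_FINANCE": "Finance-Users",
    "CP_PROJECTS": "Project-Managers",
    "CP_ADMINS": None,
}


def linked_groups_for(ad_groups: Set[str]) -> Set[str]:
    """Costpoint groups whose linked AD group is among the given AD memberships."""
    return {cp for cp, ad in GROUP_AD_LINKS.items() if ad is not None and ad in ad_groups}


def sync_groups_on_login(user: User, directory: Dict[str, Set[str]]) -> Set[str]:
    """Apply the page's rules and return the groups shown on Assigned User Groups.

    `directory` maps a lower-cased AD ID to the AD groups it is a member of; it stands in
    for the real directory query (constructed).
    """
    if user.manage_groups_in_ad and user.ad_id:
        current = linked_groups_for(directory.get(user.ad_id.lower(), set()))
        # dynamically gain every group linked to an AD group the user now belongs to
        user.assigned_groups |= current
        # no longer in the AD group -> removed from the linked Costpoint group
        # (assumption: this recalculation happens only while the check box is selected)
        stale = {g for g in user.assigned_groups
                 if GROUP_AD_LINKS.get(g) is not None and g not in current}
        user.assigned_groups -= stale
    # check box cleared: nothing is recalculated, so earlier AD-linked groups remain
    return set(user.assigned_groups)


if __name__ == "__main__":
    directory = {"jsmith": {"Finance-Users"}}          # constructed directory contents
    user = User("JSMITH", "jsmith", True, {"CP_ADMINS"})
    print(sorted(sync_groups_on_login(user, directory)))
    directory["jsmith"] = set()                        # user removed from the AD group
    print(sorted(sync_groups_on_login(user, directory)))
```

The check that matters for access reviews is the last branch: once the check box is cleared, the user's AD-linked groups are frozen at their last synchronised state, so clearing the box is not a way to revoke access and the Assigned User Groups subtask should be reviewed explicitly after such a change.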

2FA Settings

Use this group box to establish two-factor authentication (2FA) settings for this user. If 2FA is enabled, Costpoint will ask this user to enter a one-time passcode after entering his/her user name and password on the Costpoint login screen.

This group box is disabled if the selected authentication method is Single Sign-on or Certificate SSO.

Field Description
None

Select this option if you do not want to enforce 2FA for this user.

Mobile Application

Select this option if you want to enforce 2FA for this user and allow this user to generate a one-time passcode through a mobile device.

Additional steps are required for the user to fully enable this authentication method. After installing a 2FA application on a mobile device, the user must go to the Configure User Preferences screen to display the 2FA activation barcode, scan it, and complete 2FA enrollment.
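How a mobile-application passcode of this kind typically works, as an added example that is not Costpoint's code: an RFC 6238 time-based one-time password (TOTP) secret, the otpauth provisioning URI that an activation barcode usually encodes, and a server-side verifier that accepts codes from adjacent 30-second steps while refusing a code that has already been used. The issuer and account names and the TotpVerifier class are assumptions; the secret used in the usage block is the published RFC 6238 test vector.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional

STEP_SECONDS = 30   # time step used by common authenticator apps
DIGITS = 6          # passcode length


def new_totp_secret() -> str:
    """Create a fresh 160-bit secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI an activation barcode encodes (issuer and account are constructed)."""
    label = urllib.parse.quote(f"{issuer}:{account}", safe=":")
    query = urllib.parse.urlencode({
        "secret": secret_b32, "issuer": issuer, "algorithm": "SHA1",
        "digits": DIGITS, "period": STEP_SECONDS,
    })
    return f"otpauth://totp/{label}?{query}"


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def totp(secret_b32: str, at: Optional[float] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // STEP_SECONDS))


class TotpVerifier:
    """Server-side check that tolerates `window` steps of clock skew and blocks reuse."""

    def __init__(self, secret_b32: str, window: int = 1):
        self._secret = secret_b32
        self._window = window
        self._last_counter = -1   # highest step already accepted for this user

    def verify(self, code: str, at: Optional[float] = None) -> bool:
        at = time.time() if at is None else at
        counter = int(at // STEP_SECONDS)
        for step in range(counter - self._window, counter + self._window + 1):
            if step <= self._last_counter:
                continue   # a code for this or an earlier step was already used
            if hmac.compare_digest(hotp(self._secret, step), code):
                self._last_counter = step
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890" in base32)
    rfc_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(provisioning_uri(rfc_secret, "jsmith", "Costpoint"))
    print(totp(rfc_secret, 59))          # RFC 6238 vector: 287082
    verifier = TotpVerifier(rfc_secret)
    print(verifier.verify("287082", at=59), verifier.verify("287082", at=59))
```

Enrollment is the sensitive step: the provisioning URI carries the shared secret in clear, so the barcode should be shown once, over TLS, to the authenticated user only, and the secret stored server-side with the same care as a password hash. The verifier's one-step window covers ordinary phone clock drift; widening it beyond that trades directly against the replay protection the `_last_counter` check provides.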

Email

Select this option if you want to enforce 2FA for the user and have Costpoint generate a one-time passcode that is emailed to this user. The user can also receive the passcode by calling the Help Desk.

FIDO

Select this option if you want to use a FIDO device as the 2FA method for this user.

Effective Date

Enter the date the selected 2FA method becomes effective.

If you select Email, the current system date displays by default, but you can change it to a later date. If you select Mobile Application, the date that displays by default is seven days later than the system date to allow the user to complete the 2FA enrollment. You can still modify this date. If you select None, this field is disabled.

PIN

Enter a four-digit personal identification number (PIN) that this user will use together with the one-time passcode when logging in to Costpoint. You must enter a value in this field if the User Pin Required check box is selected on the Configure System Settings screen.

Allow Access to Integration Console

Select this check box to grant this user access to the Integration Console using his/her Costpoint user name and password.

Allow Access to Extensibility Console

Select this check box to grant this user access to the Extensibility Console using his/her Costpoint user name and password.