Configure authentication authorities

Users gain access to a storage system or component either directly through a role assignment or indirectly through membership in a user group that has a role assignment, or both.

Prerequisites

When configuring authentication to use LDAP, obtain the LDAP-SSL server bind distinguished name (DN) and password from your LDAP Administrator.

When configuring authentication to use YubiKey, create the Yubico API key first. Go to Get API, enter your email address and a YubiKey OTP, and click Get API key. Copy the Client ID and Secret Key; you need them in step 7.

About this task

This procedure explains how to configure Unisphere to authenticate users.

NOTE: YubiKey and RSA MFA are mutually exclusive.

To configure authentication:

Steps

  1. Select Settings icon to open the Settings panel.
  2. Select Users and Groups > Authentication.
  3. Select the Authentication Authority to use during login. Possible values are:
    • Local Directory—You can disable this authority when it is enabled, and enable it when it is disabled. When it is enabled, users can log in as a user from the CST local directory.
    • LDAP-SSL—You can disable this authority when it is enabled, and enable it when it is disabled. When it is enabled, users can log in as a user from the configured LDAP directory.
    • Windows OS/AD—You can disable this authority when it is enabled, and enable it when it is disabled. When it is enabled, users can log in as a user from the Windows local host or from the Active Directory domain, or both. This option applies only to Windows installations.
    • RSA SecurID—When it is enabled, the RSA token must be entered into the password field, immediately followed by the user password.
    • YubiKey—When it is enabled, the OTP (generated by pressing the button on the YubiKey) is entered into the password field, immediately followed by the user password.
    • OIDC SSO—When OIDC SSO is enabled, you can log in using OIDC SSO.
  4. If you select the Windows OS/AD authority and click Modify, you can optionally restrict authentication to members of specific Windows OS/AD groups. To do so, select the Limit authentication to members of a specific Windows OS/AD group(s) checkbox and type the Group Name(s), separated by commas.
  5. If you are configuring LDAP-SSL, click Enable or Modify and do the following:
    1. Specify values for the following parameters.
      • Server (IP or Hostname)—IP address or hostname of the LDAP server to use for authentication. Only alphanumeric characters are allowed.
      • Port—Port number of the LDAP service. Typically, this value is 636 or 3269 for LDAP-SSL. Valid values range from 1 through 65,535.
      • Bind DN—Distinguished name of the privileged account used to perform operations on the LDAP directory, such as searching users and groups. Only alphanumeric characters are allowed.
      • Bind Password—Password of the privileged account. Only alphanumeric characters are allowed.
      • User Search Path—Distinguished name of the node at which to begin user searches. Only alphanumeric characters are allowed.
      • User Object Class—Object class identifying users in the LDAP hierarchy. Only alphanumeric characters are allowed.
      • User ID Attribute—Attribute identifying the user login ID within the user object. Only alphanumeric characters are allowed.
      • Group Search Path—Distinguished name of the node at which to begin group searches. Only alphanumeric characters are allowed.
      • Group Object Class—Object class identifying groups in the LDAP hierarchy. Only alphanumeric characters are allowed.
      • Group Name Attribute—Attribute identifying the group name. Only alphanumeric characters are allowed.
      • Group Member Attribute—Attribute indicating group membership for a user within the group object. Only alphanumeric characters are allowed.
    2. To upload an SSL certificate, click Choose File, locate the certificate, and click Open. To view the contents of the certificate, click View Certificate. To clear the file selection, click Clear.
    3. Optional: To limit authentication to members of specific LDAP groups only, select the Limit Authentication to members of LDAP group(s) option, and then type the Group Name(s), separated by commas.
  6. If you are configuring RSA SecurID, click Enable or Modify and do the following:
    Specify values for the following parameters:
    • Server (IP or Hostname)—IP address or hostname of the RSA SecurID server to use for authentication. Only alphanumeric characters are allowed.
    • Port—Port number of the RSA SecurID service.
    • Client ID—Client identity.
    • Token Length—Length of the RSA token.
    • Access key—Access key value. Click Show to display the access key value and Hide to hide it again.
    • To upload a root CA certificate of the RSA SecurID server, click Choose File, locate the certificate, and click Open. To clear the file selection, click Clear.
    • RSA Username—RSA username.
    • RSA Token—RSA token. Click the eye icon while typing the token to display the value you are entering.
    • REST API user exception—Select to configure a REST API user exception.
    • Username(s)—List the comma-separated usernames to which the exception applies.
  7. If you are configuring YubiKey, click Enable or Modify and do the following:
    Specify values for the following parameters:
    • Server (IP or Hostname)—IP address or hostname of the YubiKey server to use for authentication. Only alphanumeric characters are allowed.
    • Port—Port number of the YubiKey validation service.
    • Client ID—Client identity (see Prerequisites).
    • API key—API key value (see Prerequisites). Click Show to display the API key value and Hide to hide it again.
    • To upload a root CA certificate of the YubiKey server, click Choose File, locate the certificate, and click Open. To clear the file selection, click Clear.
    • YubiKey Username—YubiKey username.
    • YubiKey OTP—YubiKey token. Click the eye icon while typing the OTP to display the value you are entering.
    • YubiKey REST API user exception—Select to configure a REST API user exception.
    • Username(s)—List the comma-separated usernames to which the exception applies.
  8. If you are configuring OIDC SSO, click Enable or Modify and do the following:
    Specify values for the following parameters:
    • Server (IP or Hostname)—IP address or hostname of the OIDC SSO server to use for authentication. Only alphanumeric characters are allowed. Microsoft Entra ID is selected by default.
    • Port—Port number of the OIDC SSO service.
    • OIDC Client ID—Client identity.
    • OIDC Client Secret—Client password.
    • OIDC Metadata URL—Metadata URL of the OIDC provider.
    • To upload a root CA certificate of the OIDC SSO server, click Choose File, locate the certificate, and click Open. To clear the file selection, click Clear.
  9. Click OK.
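The LDAP-SSL parameters in step 5 drive a two-stage lookup on the directory: a search for the login under User Search Path, restricted by User Object Class and User ID Attribute, followed (when the group limit is set) by a search under Group Search Path for groups whose Group Member Attribute names the user's DN. The example below, added here and not Unisphere code, models that lookup against a constructed in-memory directory; the field names of LdapAuthority, the sample entries and the group name are assumptions. It also escapes the login per RFC 4515 before it is placed in a filter, which is why the alphanumeric-only rule on these fields matters as a first line of defence.

```python
import re
from collections import namedtuple

# Step 5 parameters as fields (hypothetical names, not a Unisphere API); allowed_groups is the group limit.
LdapAuthority = namedtuple("LdapAuthority", "user_search_path user_object_class user_id_attribute "
                           "group_search_path group_object_class group_name_attribute "
                           "group_member_attribute allowed_groups", defaults=[()])

def escape_filter(value):
    """RFC 4515 escaping: a login containing filter metacharacters is matched literally, never parsed."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def user_filter(cfg, login):
    return f"(&(objectClass={cfg.user_object_class})({cfg.user_id_attribute}={escape_filter(login)}))"

def group_filter(cfg, user_dn):
    return f"(&(objectClass={cfg.group_object_class})({cfg.group_member_attribute}={escape_filter(user_dn)}))"

def _search(directory, base, filt):
    """Subtree search over an in-memory {dn: {attr: [values]}} directory standing in for the LDAP
    server; evaluates only the conjunction-of-equalities filters built above (case-insensitive)."""
    unesc = lambda v: re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m[1], 16)), v)
    terms = [(a, unesc(v).lower()) for a, v in re.findall(r"\(([^=()]+)=([^()]*)\)", filt)]
    return [(dn, e) for dn, e in directory.items() if dn.lower().endswith(base.lower())
            and all(v in [x.lower() for x in e.get(a, [])] for a, v in terms)]

def resolve_user(cfg, directory, login):
    """DN of the user if the login maps to exactly one entry under the user search path and,
    when a group limit is configured, that entry belongs to an allowed group; otherwise None."""
    users = _search(directory, cfg.user_search_path, user_filter(cfg, login))
    if len(users) != 1:  # zero hits: unknown user; several hits: ambiguous User ID Attribute, refuse
        return None
    user_dn = users[0][0]
    if cfg.allowed_groups:
        groups = _search(directory, cfg.group_search_path, group_filter(cfg, user_dn))
        names = {n for _, g in groups for n in g.get(cfg.group_name_attribute, [])}
        if not names & set(cfg.allowed_groups):
            return None
    return user_dn

# Constructed sample directory and configuration (not taken from any real deployment).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    "cn=storage-admins,ou=groups,dc=example,dc=com": {"objectClass": ["groupOfNames"],
        "cn": ["storage-admins"], "member": ["uid=alice,ou=people,dc=example,dc=com"]},
}
CFG = LdapAuthority("ou=people,dc=example,dc=com", "inetOrgPerson", "uid",
                    "ou=groups,dc=example,dc=com", "groupOfNames", "cn", "member", ("storage-admins",))
```

With the group limit set, alice (a member of storage-admins) resolves and bob does not; clearing allowed_groups lets bob resolve as well, which is the difference the Limit Authentication option makes.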