Summary of Configuration Settings Relating to External Authentication

Use the tables below to determine the database items and configuration settings that you should use to enable log on to ClearSCADA according to the required external authentication criteria.

The Example Configuration section contains several worked examples. Where an example relates to a particular setting that is listed in the table below, the check mark (✓) provides a link to the relevant example.

Key:

✓ indicates the particular properties that you have to configure for a requirement

✘ indicates a check box that should be left clear, or a field that should be left empty (to disable the feature or option)

(Be aware that in some cases, disabling an option might result in other related fields being unavailable for use, or being hidden from display. For example, if the ‘Enabled’ check box is left clear in the External Authentication section of the Server Configuration tool, other external authentication related properties will be unavailable for use in that section of the tool, and will either be unavailable for use or omitted from User Forms and User Group Forms).

O indicates a setting that is optional - you can enable or disable the feature, depending on your external authentication requirements.

The External Authentication feature is only supported on ViewX clients that use a Secure Connection to communicate with the server (see Define Whether the ViewX Client Uses a Secure Connection in the ClearSCADA Guide to Client Administration).

Requirement:

  1. No external authentication required. User account management is handled directly in ClearSCADA and is completely independent of any Windows domain or LDAP user accounts.
  2. Enable external authentication, so that the server verifies any attempts to log on to ClearSCADA against the credentials of a valid Windows domain or LDAP user account.

    Restrict users so that they have to log on to ClearSCADA using a ClearSCADA user name (rather than a Windows domain group or LDAP user name).

  3. Enable external authentication, so that the server verifies any attempts to log on to ClearSCADA against the credentials of a valid Windows domain or LDAP user account.

    Allow users to log on to ClearSCADA using their Windows domain group or LDAP user name, instead of their ClearSCADA user name. A corresponding valid and enabled User account has to exist in ClearSCADA unless the system is configured to Create users automatically from group membership (see below).

  4. Enable external authentication, so that the server verifies any attempts to log on to ClearSCADA against the credentials of a valid Windows domain or LDAP user account.

    In addition to requirement 2 or 3 above, allow ClearSCADA to maintain a User’s User Group membership automatically. Whenever a user logs on to ClearSCADA, their User Group membership is updated automatically, to align with the user group membership of that User account’s corresponding Windows domain or LDAP user account. To enable this, equivalent User Groups have to exist in the database to match the Windows domain groups or LDAP user groups of which the user is a member.

  5. Enable external authentication, so that the server verifies any attempts to log on to ClearSCADA against the credentials of a valid Windows domain or LDAP user account.

    In addition to requirement 4 above, allow ClearSCADA to create a User account automatically if a logon attempt is made for which no User account exists in the database, but the logon credentials match those of a valid Windows domain or LDAP user account.

Property on Server Configuration Tool Requirement
1 2 3 4 5
Select the ‘Enabled’ check box in the External Authentication section of the Server Configuration tool, and populate the relevant fields in that section of the tool
Select the ‘Allow Login to ClearSCADA with Windows/LDAP User Names’ check box in the External Authentication section of the Server Configuration tool   O
Select the ‘Create users automatically from group membership’ check box in the External Authentication section of the Server Configuration tool  
Property on database Configuration Form Requirement
1 2 3 4 5
Select the ‘Use External Authentication’ check box on the User Forms, and suitably populate the ‘Windows/LDAP User Name’ field on the Forms*
Use the ‘Link to Windows/LDAP Group’ section of fields on each User Group Form to associate the User Group with a corresponding Windows domain group or LDAP user group**  
Configure 1 or more User Patterns        
Configure at least 1 User Group to Allow Automatic User Creation, and specify the User Pattern that ClearSCADA is to use for creating new User accounts automatically        

* Clear the ‘User External Authentication’ check box on User Forms of User accounts that are not associated with a Windows domain or LDAP user account. With such user accounts, you can only disable, enable, or change the password settings of, the User account from within ClearSCADA.

If you select the ‘Use External Authentication’ check box on a User Form, but leave the ‘Windows/LDAP User Name’ field empty, ClearSCADA will only be able to authenticate those user credentials against a Windows domain or LDAP user account for which the user name exactly matches that of the ClearSCADA User account. (If your system is configured to Create users automatically from group membership, ClearSCADA will populate these fields automatically on any User accounts that it creates as part of the external authentication process.)

** Clear the ‘Enabled’ check box in the ‘Link to Windows/LDAP Group’ section on the Forms of any User Groups that are not associated with a Windows domain group or LDAP user group. ClearSCADA will not update the membership of such User Groups automatically (you have to manage such User Groups manually, directly in ClearSCADA).


Disclaimer

ClearSCADA 2017 R3