Admin Page - Authentication Tab

Use these settings to configure authentication methods, sign-up restrictions, LDAP settings, and account lockout behavior.

The Authentication tab of the Content Fusion Administration page contains the following options:

Single Sign-On Authentication
Use this section to configure single sign-on authentication settings for solutions such as Microsoft Entra ID or Okta.
Use OIDC single sign-on
Select this option if you want to use your own OIDC configuration instead of the built-in authentication. When you select this checkbox, it will expand and provide options to configure the details of your OIDC authentication. For details about configuring the options, see Configuring Single Sign-On in Content Fusion Enterprise.

Make sure you click Save Configuration when you are finished.

Email and Password Authentication
If the Enable Sign Up option is enabled (default state), users are allowed to sign up using email and password credentials. You can use the Permitted Email Addresses field to restrict the sign-up to specific email addresses or to emails that match a specific pattern (e.g. to permit all email addresses with a specific domain suffix). Here are some example email patterns you can use:
Allow all emails from a specific domain
*@example.com
Allow emails with a specific username
user@example.com
Leaving the Permitted Email Addresses field empty signifies that all emails are permitted.
LDAP Authentication Settings
Use this section to configure LDAP authentication settings.
Use LDAP Authentication
Select this option if you want to use your own LDAP configuration instead of the built-in authentication. When you select this checkbox, it will expand and provide options to configure the details of your LDAP authentication.
Note:
If your LDAP server uses a self-signed SSL certificate, select the Use SSL option and choose your certificate.
Tip:
It is also possible to configure your Oxygen Content Fusion Enterprise Server to accept Google or GitHub authentication.
Allow both LDAP accounts and standard email accounts
If this option is not selected, users will only be able to log in using their LDAP credentials. If you select this option, users will be able to log in using their LDAP credentials or sign up using their email address.
Tip:
For information about testing your configuration, see Testing the LDAP Configuration.
Account Lockout

The account lockout mechanism helps prevent brute-force attacks. After a configurable number of consecutive failed email/password sign-in attempts, the account is locked for a configurable duration. Configuration is done via environment variables (there is no UI for these settings).

The following environment variables control the behavior:

max_failed_auth_attempts (default: 5)
Maximum number of consecutive failed sign-in attempts before the account is locked.
account_lockout_duration_minutes (default: 30)
Duration of the lockout period in minutes.
Attention:
Lockout applies only to email and password authentication. Sign-in with Google, GitHub, or OIDC is not affected.
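
To see how the two variables interact before changing them, the following added example (not Content Fusion code) models the lockout rule described above and replays a constructed sequence of email/password sign-in attempts. The names `load_policy`, `LockoutTracker`, and `replay` are hypothetical. The model assumes that a successful sign-in or an expired lock resets the failure count and that attempts made during a lock are refused, which the page does not specify.

```python
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

def load_policy(env=os.environ):
    """Read the two documented variables, falling back to the documented defaults."""
    attempts = int(env.get("max_failed_auth_attempts", "5"))
    minutes = int(env.get("account_lockout_duration_minutes", "30"))
    if attempts < 1 or minutes < 1:
        raise ValueError("both lockout settings must be positive integers")
    return attempts, timedelta(minutes=minutes)

@dataclass
class LockoutTracker:
    max_attempts: int
    duration: timedelta
    failures: dict = field(default_factory=dict)      # account -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # account -> lock expiry

    def record(self, account, when, success):
        """Return 'ok', 'failed', 'locked' (this attempt set the lock) or 'rejected'."""
        expiry = self.locked_until.get(account)
        if expiry and when < expiry:
            return "rejected"            # assumption: attempts during a lock are refused
        if expiry:                       # assumption: an expired lock resets the count
            del self.locked_until[account]
            self.failures[account] = 0
        if success:
            self.failures[account] = 0   # "consecutive": a success resets the count
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_attempts:
            self.locked_until[account] = when + self.duration
            return "locked"
        return "failed"

def replay(events, env=None):
    """Apply the policy to (account, timestamp, success) tuples in order."""
    tracker = LockoutTracker(*load_policy(env if env is not None else os.environ))
    return [tracker.record(acct, ts, ok) for acct, ts, ok in events]

# Constructed sample: six failures 10 s apart, then a correct password 31 min later.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [("user@example.com", T0 + timedelta(seconds=10 * i), False) for i in range(6)]
SAMPLE.append(("user@example.com", T0 + timedelta(minutes=31), True))

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE, replay(SAMPLE, env={})):
        print(event[1].time(), outcome)
```

Passing a dictionary as `env` lets you compare candidate values without touching the server's environment.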

Make sure you click Save to apply your changes.