Authentication

Alation Cloud Service: Applies to Alation Cloud Service instances of Alation

Customer Managed: Applies to customer-managed instances of Alation

Server Admins can set or change the site authentication mechanism. This is typically done during the initial configuration of your Alation system; however, changes can be applied at any time.

On the Authentication tab of the Admin Settings page, you can configure and test the parameters for LDAP authentication and select and save the authentication type. Starting in 2023.3, for Alation Cloud Service customers on the cloud native architecture, you can also manage OAuth client applications and rotate signing keys. Starting in 2025.1.2, you can configure user impersonation.

Alation supports the following types of authentication for logging into the Alation application:

  • Built-in: this is the default authentication, with a login and password created by a user. Users can sign up for an account on the login screen and log in after confirming their email.

  • LDAP: requires configuration. You can configure LDAP authentication on the Authentication tab, test it, and select LDAP as the active authentication method. For details about LDAP configuration, see User Authentication with LDAP.

  • SAML: requires configuration and cannot be configured in the Alation UI. Selecting and saving this value on the Authentication tab only serves informational purposes. SAML authentication should be configured and applied using the Alation backend. For details about SAML configuration, see Configure Authentication with SAML from Alation Shell.

User Signup Moderation Preference

By default, Server Admins moderate all new user access to an instance. When a new user registers from the login page, Alation automatically generates a sign-up request and places it in the User Signup Requests queue, located under the Users section of Admin Settings. Server Admins receive an email notification whenever a new user requests an account, allowing them to approve or deny the request. Upon approval, a Server Admin can assign a specific role to the new user. Learn more in Manage Signup Requests.

User signup moderation can be disabled; however, it’s not recommended due to security considerations.

Note

It is possible to enable automatic suspension and activation of user accounts based on custom group membership. When this option is turned on, the User Signup Moderation Preference will be deactivated. For details, see Use Custom Groups to Assign User Roles.

To disable user sign-up moderation:

  1. Locate the User Signup Moderation Preference setting at the top of the Authentication tab.

  2. Under User Signup Moderation Preference, click the toggle next to Require Server Admin’s approval before new accounts become active to deactivate it.

To re-enable sign-up moderation:

  • Click the toggle Require Server Admin’s approval before new accounts become active to activate it.

To view all current user sign-up requests:

  • Click the View User Signup Requests link on the right side of the Authentication tab. This will direct you to the Users tab where you can access this information.

User Impersonation

This section allows you to enable, disable, and configure user impersonation. See User Impersonation.

Default User Role for New Accounts

Shows which role is currently the default. The default role is the role that all new users are assigned when they sign up for an account.

From release 2020.3, the default role can be configured. To set a default role, select a role from the role dropdown list and click Save.

The default role applies to all new users and all authentication methods (built-in, LDAP, or SAML):

  • New users who sign up using built-in authentication will be assigned the default role;

  • New users who log in using LDAP authentication will be assigned the default role;

  • New users who sign up using SAML authentication will be assigned the default role.

The default role assignment can be changed for each individual user on the Admin Settings > Server Admin > Users tab. See Manage Users.

Inactive User Suspension Setting

Users who don’t log in to the system for extended periods of time may need to be suspended.

A Server Admin can set an auto-suspension period for inactive users. By default, inactive users are not automatically suspended. Once this period is configured, any user who has not logged into Alation within the specified period will be automatically suspended. See Suspend Users for more details on suspending users.

In addition to all user interface login activities, access to the catalog via API tokens by service accounts is also considered login activity. However, OAuth system users and SCIM-provisioned users will not be automatically suspended due to inactivity.

To configure an auto-suspension period for inactive users:

  1. Locate the Inactive User Suspension Setting section on the Authentication tab.

  2. Enter a value between 30 and 365 days in the Inactive User Suspension (in days) field. The default setting is 0, indicating that auto-suspension is disabled.

  3. Click Save. Users who haven’t logged in for the specified period will be immediately suspended. This applies to all user accounts except for OAuth system users and SCIM-provisioned users.

To disable auto-suspension, reset the field to 0.

Note

The system executes a daily Celery task to identify and suspend users who meet the inactivity criteria. Users who are reactivated but do not log in before the next task execution will be suspended again.
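
The suspension rules above can be modeled to preview which accounts a given period would affect before saving it. This is an added example, not Alation code: the record fields (type, last_ui_login, last_api_token_use, suspended), the exempt-type labels, and the manual-review handling of accounts with no recorded activity are assumptions.

```python
from datetime import datetime, timedelta, timezone

EXEMPT_TYPES = {"oauth_system", "scim"}  # hypothetical labels for the exempt kinds


def validate_period(days):
    """0 disables auto-suspension; otherwise the field takes 30 to 365 days."""
    if days == 0 or 30 <= days <= 365:
        return days
    raise ValueError("period must be 0 (disabled) or 30-365 days")


def preview_suspensions(users, period_days, now):
    """Return (would_suspend, needs_review) name lists for one daily run."""
    if validate_period(period_days) == 0:
        return [], []
    cutoff = now - timedelta(days=period_days)
    would_suspend, needs_review = [], []
    for u in users:
        if u["type"] in EXEMPT_TYPES or u.get("suspended"):
            continue
        # UI logins and API-token access both count as login activity.
        seen = [t for t in (u.get("last_ui_login"), u.get("last_api_token_use")) if t]
        if not seen:
            needs_review.append(u["name"])  # assumption: no activity -> manual review
        elif max(seen) < cutoff:
            would_suspend.append(u["name"])
    return would_suspend, needs_review


NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed "today"

def _ago(days):
    return NOW - timedelta(days=days)

# Constructed sample records; field names are hypothetical.
SAMPLE_USERS = [
    {"name": "analyst", "type": "standard", "last_ui_login": _ago(10)},
    {"name": "dormant", "type": "standard", "last_ui_login": _ago(120)},
    {"name": "etl_service", "type": "standard", "last_ui_login": _ago(400),
     "last_api_token_use": _ago(2)},
    # Reactivated by an admin but has not logged in since: flagged again.
    {"name": "reactivated", "type": "standard", "last_ui_login": _ago(200),
     "suspended": False},
    {"name": "oauth_client", "type": "oauth_system"},
    {"name": "scim_user", "type": "scim", "last_ui_login": _ago(500)},
    {"name": "never_seen", "type": "standard"},
]

if __name__ == "__main__":
    print(preview_suspensions(SAMPLE_USERS, 90, NOW))
```

Running the preview with the intended period before clicking Save shows which accounts would be suspended, including service accounts whose only activity is API-token access.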

Use Custom Groups to Manage User Suspension and Activation

From version 2021.1, it is possible to enable automatic suspension and activation of user accounts based on custom group membership. When this option is turned on, the default role and the User Signup Moderation Preference will be deactivated. For details, see Use Custom Groups to Assign User Roles.

OAuth Client Applications

Applies to 2023.3 and newer

Applies only to Alation Cloud Service on the cloud native architecture

In this section, you can create and edit OAuth client applications for the purpose of authenticating against Alation APIs. See Authenticate API Calls with OAuth 2.0 for more information.

Signing Keys

Applies to 2023.3 and newer

Applies only to Alation Cloud Service on the cloud native architecture

In this section, you can rotate signing keys for your OAuth client applications. See Rotate the Signing Key for more information.