Realms

A security realm defines the mechanism for user authentication and authorization. FlexDeploy provides a default internal realm for users, which is based on FlexDeploy database tables for users and groups. FlexDeploy also supports LDAP and SSO based realms for authentication and authorization using an external directory server. You can define multiple LDAP security realms, or one SSO realm. To configure and view the realms, navigate to Realms from the menu or global search. FlexDeploy’s out-of-the-box realm can be utilized alongside external directory servers.


Realms can be reordered by drag and drop so that authentication checks are done in a particular order. If you define multiple realms, users are authenticated against each realm in the specified order, and authentication stops at the first successful authentication against any realm in the list.

If you re-order the realms, a FlexDeploy server restart is required for the changes to take effect.

FlexDeploy’s internal realm (fdRealm) can be moved within the list of realms. Placing the internal realm earlier in the order (possibly first) allows logging in with local users when external directory servers are having issues. For example, if directory servers are having performance issues, logging in with a local user may take a long time. If you move the internal realm to be first in the list, local users will log in faster.

If group mapping is enabled for an external realm, an external user’s groups are derived from mapping configured for that realm. Groups assigned in the FlexDeploy internal realm are always used as well, so you can provide additional groups to users defined in an external realm from the groups screen or from individual user profiles. If you choose not to enable group mapping, you must assign groups to users manually in FlexDeploy.

External realm users will have their passwords managed in the external realm, not in FlexDeploy.

New User Process

A user account must exist in FlexDeploy even for external realm users. This is necessary so that users can control notification settings and administrators can provide additional security, if necessary. Administrators can create external realm users from the Users page, or external realm users can log in and create their own account.

When users defined in an external realm log in successfully for the first time, they will be redirected to a new user page. There, the user is asked to verify various information like first name, last name, and email for their account. The password for such users is always managed by the external server. Once the user provides the necessary details, their account will be created, an automatic logout will occur, and the user will have to log in one more time. At this point, the user will be granted access based on realm group mapping configured by an administrator, which is explained later in this document. If the new user isn’t mapped to any FlexDeploy groups at this point, they will be assigned the new user role configured on the System Settings page, if one exists.
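The following Python model illustrates the behaviour described above: realms checked in their configured order, mapped groups combined with internal groups, and the new user role fallback. It is an added example, not FlexDeploy code; the Realm class, the login function, the realm name corpLdap, and all users, groups and the ReadOnly role are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Realm:                       # hypothetical model, not a FlexDeploy class
    name: str
    credentials: dict              # username -> password; stand-in for the realm's own check
    mapping_enabled: bool = False
    user_groups: dict = field(default_factory=dict)    # username -> external groups
    group_mapping: dict = field(default_factory=dict)  # external group -> FlexDeploy group

    def authenticate(self, user, password):
        return user in self.credentials and self.credentials[user] == password

def login(realms, internal_groups, new_user_role, user, password):
    """Return (realm, groups, role, tried); realm is None if every realm rejects."""
    tried = []
    for realm in realms:                       # realms are checked in configured order
        tried.append(realm.name)
        if not realm.authenticate(user, password):
            continue                           # try the next realm in the list
        groups = set(internal_groups.get(user, ()))    # internal groups always apply
        if realm.mapping_enabled:
            external = realm.user_groups.get(user, ())
            groups |= {realm.group_mapping[g] for g in external if g in realm.group_mapping}
        # Assumption: "not mapped to any groups" means no groups from either source.
        role = new_user_role if not groups else None
        return realm.name, groups, role, tried  # first success ends the search
    return None, set(), None, tried

# Constructed sample configuration (names, users and passwords are made up).
FD_REALM = Realm("fdRealm", {"localadmin": "pw-local"})
CORP_LDAP = Realm("corpLdap", {"alice": "pw-alice", "bob": "pw-bob"}, mapping_enabled=True,
                  user_groups={"alice": ["cn=deployers"], "bob": ["cn=interns"]},
                  group_mapping={"cn=deployers": "Deployers"})
INTERNAL_GROUPS = {"localadmin": ["Administrators"], "alice": ["Approvers"]}
NEW_USER_ROLE = "ReadOnly"

if __name__ == "__main__":
    for order in ([CORP_LDAP, FD_REALM], [FD_REALM, CORP_LDAP]):
        for user, pw in (("localadmin", "pw-local"), ("alice", "pw-alice"), ("bob", "pw-bob")):
            print([r.name for r in order], user,
                  login(order, INTERNAL_GROUPS, NEW_USER_ROLE, user, pw))
```

The tried list shows which realms were consulted: with fdRealm first, the local user is resolved without the directory realm being contacted at all.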

Login Flow with an External Realm

More information about realms in FlexDeploy
