Authentication methods
Axiom supports several different ways to perform user authentication into Axiom. Axiom can be the sole method of authentication, or you can integrate with other methods of authentication used at your organization. Axiom supports the following authentication options:
- Axiom Financial Institutions Suite Prompt Authentication
- Windows Authentication
- LDAP Authentication
- OpenID Authentication
Axiom Financial Institutions Suite Prompt Authentication is always available and does not need to be explicitly enabled. All other authentication options must be enabled during the Axiom Application Server installation if you want to use them. You can also modify authentication options post-installation using the Axiom Financial Institutions Suite Software Manager: Installation Manager > Configure Authentication Methods.
When you set up users in Axiom security, you specify which method of authentication should be used for each user. If an integrated authentication option is enabled for your system, that method is the default method.
Axiom Prompt Authentication
When using Axiom Prompt Authentication, users are authenticated based on their Axiom credentials. When the Axiom login screen displays, users must type their Axiom user name and password. In Axiom security, users must be assigned to the Axiom Prompt authentication type.
Axiom Prompt Authentication is always available and applies to all components of Axiom. You can use Axiom Prompt Authentication as the primary authentication method for your installation (meaning no other authentication method is enabled), or you can use it in conjunction with another authentication method. If you are also using another authentication method, then the Axiom Prompt behavior is as follows:
- If LDAP Authentication or Windows Authentication is enabled, Axiom Prompt users simply enter their Axiom user name and password at the Axiom login prompt. If the login screen is configured to show the domain selector, Axiom Prompt users must select Axiom Named User.
- If OpenID Authentication is enabled, Axiom Prompt users must go to a special area of the web site in order to log in. For example:
https://ServerName/Axiom/Home/Login
Windows Authentication
When using Windows Authentication, users are authenticated based on their Windows credentials. When the Axiom login screen displays, users must enter their Windows user name, domain, and password. If the current domain is an allowed domain and the Windows user name matches a user name in Axiom, then the credentials are passed to Windows for authentication into Axiom. Windows Authentication applies to all components of Axiom.
Users must be set up in Axiom security using their Windows user names and assigned to the Windows User authentication type. This can be done manually, or you can optionally import and synchronize users from Active Directory using a Scheduler task.
Windows Authentication is enabled during the Axiom Application Server installation. When enabling Windows Authentication, you must specify allowed domains for authentication. You can modify this configuration later as needed using the Axiom Financial Institutions Suite Software Manager, or by using a Save Type 4 utility to the system configuration table.
If the Windows Authentication configuration only allows one domain, then that domain is assumed for authentication and users do not need to specify it when logging in. If multiple domains are allowed, then the domain must be specified in one of the following ways:
- The user must include the domain with their user name, such as: DomainName\UserName.
- The user must specify the appropriate domain using the Domain selection list on the login screen. This is an optional setting that can be enabled for your installation. For more information, see Domain prompt.
Users must enter their credentials each time they log in, unless they select Remember me to store their credentials for future login. For more information, see Remember me.
The Cloud Integration Service is required when using Windows Authentication in Axiom Cloud systems. For more information, see the Cloud Technical Guide.
LDAP Authentication
When using LDAP Authentication, users are authenticated based on their LDAP credentials. When the Axiom login screen displays, users must enter their LDAP user name (with or without the suffix) and their LDAP password. If the LDAP user name matches a user name in Axiom, then the credentials are passed to LDAP for authentication into Axiom. LDAP Authentication applies to all components of Axiom.
Users must be set up in Axiom security using their LDAP user names and assigned to the LDAP Prompt authentication type. The user name can contain the LDAP suffix or not as desired. Note that the user name must include the suffix if there is a user name conflict with another user that is configured with a different authentication type (or with a different LDAP suffix). For example, if you have an Axiom Prompt user jdoe, and you have an LDAP user jdoe, then the LDAP user must include the suffix on their user name to differentiate the two users.
LDAP Authentication is enabled during the Axiom Application Server installation. When enabling LDAP you must specify the connection information to the LDAP server, as well as the allowed LDAP suffixes. You can modify this configuration later as needed using the Axiom Financial Institutions Suite Software Manager, or by using a Save Type 4 utility to the system configuration table.
If only one LDAP suffix is allowed by the configuration, then that suffix will be used for all LDAP authentication. The user can include the suffix or not when logging in, and the Axiom user name can contain the suffix or not. Axiom will automatically append the suffix as needed when sending the credentials to LDAP for authentication. However, if multiple suffixes are allowed, then the suffix must be specified using any of the following approaches:
- The Domain selector must be enabled for login, and the user must select the appropriate suffix.
- The user must include the suffix as part of their user name when logging in.
- The user names in Axiom must include the appropriate suffix for each user.
Users must enter their credentials each time they log in, unless a user chooses to select Remember me to store their credentials for future login. For more information, see Remember me.
OpenID Authentication
When using OpenID Authentication, users are authenticated based on their credentials for the designated OpenID provider (such as Google OpenID Connect). OpenID Authentication is a web-based authentication method. Users access Axiom by going to the Axiom Web Client, where they must enter their user name and password for their OpenID provider. Once a user is authenticated, if the user name matches a user name in Axiom, then the user can access the Web Client and launch the Axiom Excel Client or Windows Client from the web page.
Users must be set up in Axiom using their OpenID user names, and assigned to the OpenID authentication type. This user name must exactly match the OpenID user name, including the @suffix.
Users assigned to OpenID Authentication can only access Axiom from the web. The Excel Client and Windows Client cannot subsequently be launched using a shortcut on the user's computer; the user must continue to log into the Axiom Web Client in order to start the Desktop Client. When using OpenID Authentication, you may want to configure the Axiom Application Server installation so that no shortcuts are placed on user computers during the client installation, since users will not be able to use these shortcuts.
OpenID Authentication is enabled during the Axiom Application Server installation. When enabling OpenID Authentication, you must specify the Client ID and Client Secret for the OpenID provider. You can modify this configuration later as needed by performing a Repair on the installation.
OpenID Authentication may require additional configuration steps for IIS, the Axiom Application Server, and the OpenID provider. These steps may vary depending on your particular environment. At minimum, you must configure the OpenID provider with the redirect URI to the Axiom login page (such as <URLtoAxiom>/openid/login). Please contact Axiom Support for assistance if you are interested in enabling OpenID Authentication.
Logging in as an Axiom Prompt user when OpenID Authentication is enabled
You can set up Axiom Prompt users when OpenID Authentication is enabled, such as to allow Axiom Support to access the system without using OpenID credentials. These users must go to a special area of the web site in order to log in:
https://ServerName/Axiom/Home/Login
Where ServerName is the name of your Axiom Application Server and Axiom is the name of the virtual directory.
Login behavior
This section details some options for the Axiom login behavior. These options apply to all authentication types except OpenID.
Domain prompt
When a user logs in, Axiom looks for a matching user name within Axiom security and applies the specified authentication type for that user. For LDAP Authentication and Windows Authentication, if only one allowed domain or suffix is specified, that information can be assumed and the user does not need to include it when logging in. If multiple domains or suffixes are specified, then the user must include that information as part of their user name. For example: DomainName\UserName for Windows Authentication.
Alternatively, you can configure your system so that all users must specify their authentication type / domain when logging into Axiom, using the Domain selection list. The Domain selection list displays the following:
- Axiom Named User (for Axiom Prompt login)
- Each allowed Windows Authentication domain (if Windows Authentication is enabled for the installation)
- Each allowed LDAP suffix (if LDAP Authentication is enabled for the installation)
When the Domain selection list is enabled, the user must make the appropriate selection in order to log in. For example, a Windows Authentication user must select their Windows domain name. Because it is specified separately, the domain or suffix does not need to be added to the user name, even when there are multiple allowed domains or suffixes.
The following screenshot shows an example of the Domain selection list. In this example, the installation has enabled Windows Authentication with two allowed domains. The two domain names display on the selection list as well as the choice to log in as an Axiom Named User.
The Domain selection list can be enabled or disabled using the AuthenticationDomainSelectionListRequired system configuration setting. By default this is set to False, which means the Domain selection list only displays if your system contains duplicate user names that require the domain to be specified to differentiate those users. If you set this to True, then the Domain selection list displays at all times.
If the Domain selection list is enabled, and if Windows Authentication is enabled for the installation, then by default the user's current domain will be selected in the list (if that domain is one of the allowed domains). Otherwise, the first option in the list is selected by default. Options are ordered as follows: LDAP suffixes, Windows domains, Axiom Named User.
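The user-name resolution rules described in the Windows Authentication and LDAP Authentication sections and in this Domain prompt section, as an added illustrative model (constructed for this page, not Axiom's own code): AxiomUser, resolve_login and selector_options are assumed names, the sample users and domains are constructed, and "selected" stands for the Domain selection list choice (None when the list is hidden).

```python
from dataclasses import dataclass
AXIOM_PROMPT, WINDOWS, LDAP = "Axiom Prompt", "Windows User", "LDAP Prompt"  # auth types on this page
NAMED_USER = "Axiom Named User"  # Domain selection list entry for Axiom Prompt logins

@dataclass(frozen=True)
class AxiomUser:      # hypothetical record standing in for an Axiom security entry
    name: str         # user name exactly as stored in Axiom security
    auth_type: str

def split_suffix(name, suffixes):
    """Return (base, suffix) when name ends in an allowed '@suffix', else (name, None)."""
    base, sep, suf = name.rpartition("@")
    return (base, suf) if sep and suf in suffixes else (name, None)

def resolve_login(entered, selected, users, win_domains, ldap_suffixes):
    """Map a login attempt to (user, backend, principal); None if no unambiguous match."""
    candidates = []
    # Windows: domain from DomainName\UserName, the selector, or the single allowed domain
    domain, _, win_name = entered.rpartition("\\")
    domain = domain or (selected if selected in win_domains else
                        win_domains[0] if len(win_domains) == 1 else None)
    if domain in win_domains:
        candidates += [(u, "windows", f"{domain}\\{u.name}") for u in users
                       if u.auth_type == WINDOWS and u.name.lower() == win_name.lower()]
    # LDAP: suffix from the entered name, the selector, the stored name, or the single allowed suffix
    base, suffix = split_suffix(entered, ldap_suffixes)
    suffix = suffix or (selected if selected in ldap_suffixes else None)
    for u in users:
        ubase, usuf = split_suffix(u.name, ldap_suffixes)
        if u.auth_type != LDAP or ubase.lower() != base.lower(): continue
        if usuf and suffix and usuf != suffix: continue   # stored suffix contradicts the typed one
        final = suffix or usuf or (ldap_suffixes[0] if len(ldap_suffixes) == 1 else None)
        if final:  # with no way to determine the suffix, LDAP cannot be attempted
            candidates.append((u, "ldap", f"{ubase}@{final}"))
    # Axiom Prompt: the plain Axiom user name
    candidates += [(u, "axiom", u.name) for u in users
                   if u.auth_type == AXIOM_PROMPT and u.name.lower() == entered.lower()]
    # An explicit selector choice restricts the match to that authentication type
    if selected is not None:
        wanted = "axiom" if selected == NAMED_USER else "ldap" if selected in ldap_suffixes else "windows"
        candidates = [c for c in candidates if c[1] == wanted]
    # A stored name typed exactly as stored (e.g. 'jdoe' beside 'jdoe@corp.example') wins
    exact = [c for c in candidates if c[0].name.lower() == entered.lower()]
    candidates = exact or candidates
    return candidates[0] if len(candidates) == 1 else None

def selector_options(win_domains, ldap_suffixes, current_domain=None):
    # Domain selection list in the order given above, plus the default entry
    options = list(ldap_suffixes) + list(win_domains) + [NAMED_USER]
    default = current_domain if current_domain in win_domains else options[0]
    return options, default
```

With two users both stored as jdoe (one Axiom Prompt, one LDAP) the model returns None for a bare "jdoe", which is the conflict the LDAP section says must be resolved by storing the LDAP user's name with its suffix.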
Remember me
Users can optionally select Remember me at the login screen to store their Axiom authentication for future use. This information is encrypted and only applies to the current user for the current machine. The next time the user starts Axiom on the current machine, they will not be prompted to log in.
Although all Axiom clients have a Remember Me check box on the login screen, note that the remembered status is stored separately for access to the Web Client versus the Desktop Client. For example, a user can choose Remember Me when logging into the Excel Client, and then that user will not be prompted when subsequently accessing either the Excel Client or the Windows Client. However, if the user attempts to access the Web Client, they will be prompted for credentials (and can then choose to be separately remembered for the Web Client).
NOTE: Logging out of a client will clear the remembered status for that client type. Although the Excel Client and Windows Client do not have an explicit log out feature, logging out of the Word or PowerPoint add-in will clear the remembered status for the Desktop Client (but only if you are not also currently logged into another instance of the Desktop Client).
If you do not want users to have access to the Remember Me option, so that they must log in each time, then you can disable the feature by setting the system configuration setting ShowRememberMe to False. This will hide the option from the various login screens. Keep in mind that if a user has already used the Remember Me option, hiding the setting will not clear the user's stored credentials. The user will continue to be remembered until they log out and cause their credentials to be cleared.
Using SSL
You can set up the Axiom Application Server to use Secure Socket Layer (SSL) security, assuming that you have provided a certificate and configured IIS appropriately to support it.
When installing the application server, specify the URI as HTTPS if you will be using SSL. Additionally, if you want the site to require SSL, you can select the Require SSL option for the application server. Please see Installing the Axiom Application Server for more information, and contact Axiom Support if you need assistance configuring SSL for your Axiom implementation.
NOTE: Syntellis does not support self-signed certificates for on-premises installations. The Axiom code does not explicitly prevent these certificates from working; however, Axiom Support will not provide assistance for any issues arising from self-signed certificates.