User management and authentication

User management

As a directory service, Projektron BCS can work together with other programs that query user data via the LDAP application protocol. Whether credentials for same sign-on or data on groups of people for assignment of rights in the file system - the required data can be easily reused. The reverse path is also possible: Data located in other directory services, for example in Microsoft Active Directory, can be imported into Projektron BCS via the LDAP application protocol (not with BCS.start). Projektron BCS provides various mapping functions for this purpose. Already imported data can be updated automatically.

Authentication

There are several ways in which people can authenticate themselves in Projektron BCS: 

• User account with user name and password securely managed in Projektron BCS.
• LDAP authentication
• Kerberos network protocol - ticket-based authentication without transferring passwords
• Standard protocol OAuth 2.0 / OpenID Connect - modern and token-based authentication against a service such as the Microsoft Cloud or PingFederate
• Two-factor authentication using TOTP

Kerberos in particular and many OAuth 2.0 / OpenID Connect services also support single sign-on.

The method of two-factor authentication using TOTP is based on the fact that the BCS server and smartphone share a secret. Using the current time, both devices can create a hash that results in a 6-digit number. This number is entered by the person next to the password when logging on to BCS. The server compares it with the self-calculated number and can thus ensure that the 2nd factor is present.

Each user can activate the two-factor authentication for himself in his user account. After entering the user name and password, BCS requires scanning a QR code or entering an authentication code using the TOTP method.