Using Office 365 authentication (SSO)


By default, MantisHub has its own authentication system, which lets all users sign in with MantisHub-specific usernames and passwords. This model is useful for the following use cases:

  • Users who don't use a cloud identity provider such as Azure AD, the identity provider behind Office 365.
  • Users that do not authenticate to the company identity provider, e.g. third-party providers or external customers that are not in your directory.

For companies that use both Office 365 and MantisHub, it is recommended to switch to Azure AD authentication.

Benefits for the users:

  • Users don't have to manage yet another username and password.
  • Users get the advantages of single sign-on.
  • User password hashes are not stored on our servers.
  • Users can be auto-provisioned to get instance access when they need it.

Benefits for administrators:

  • Users authenticating via Azure AD will honor policies configured by the administrator, e.g. FIDO authentication, multi-factor authentication, password complexity, regular password change, protection against password spray attacks, etc.
  • Users can't log in to MantisHub once they leave the company and Azure AD access has been revoked.
  • Users can be auto-provisioned into MantisHub if they authenticate successfully with an email address in a whitelisted domain. This reduces the manual work of onboarding your team and reduces human error.

Who can't use this feature (but can use MantisHub standard authentication):

  • Users that are not in your enterprise directory.
  • Users with consumer accounts (e.g. outlook.com or gmail.com addresses).

Implementing Office 365 authentication

To enable MantisHub login via Office 365 (Azure AD), first ensure you are on a qualifying plan. The AuthHub plugin will then be listed on the 'Manage Plugins' page, and administrators can install it at their convenience.

[Screenshot: installing the AuthHub plugin from the Manage Plugins page]

Next, define 'microsoft' as your provider. Head to Manage - Manage Configuration and add the following config option:

Config Option:    plugin_AuthHub_federation_provider

Type:                  string

Value:                 microsoft

You will now see a Microsoft button on your login page, just below the username box. Your users can either click that button to log in with their Office 365 credentials or simply enter their email address and password in the MantisHub login form.

[Screenshot: login page showing the Microsoft login button]

When the plugin is installed, the default allows users to log in using either their Office 365 or MantisHub credentials. It is recommended to keep this default for a test phase to make sure everything works. Once testing is complete, you can secure the system further by requiring a subset or all users to use Office 365 login, by configuring the list of domains that are forced to use Office 365 authentication. See the Configuration Options below.

Configuration Options

Below are the configuration options for your AuthHub setup. An administrator can set them from the web UI: head to the Manage - Manage Configuration - Configuration Report page and create the relevant configuration option.

[Screenshot: creating an AuthHub configuration option on the Configuration Report page]

Authentication Provider

Set the authentication provider to Microsoft:

Config Option:    plugin_AuthHub_federation_provider

Type:                  string

Value:                 microsoft

Authentication Scope

Set the domain for your Azure AD/Office 365 tenant:

Config Option:    plugin_AuthHub_federation_tenant

Type:                  string

Value:                 <tenant, e.g. example.com or example.onmicrosoft.com>

Lock users to Azure AD Authentication

To define users who must ONLY use Azure AD authentication, create the following configuration. You can specify a list of users, domains, or a mix:

Config Option:    plugin_AuthHub_federation_force_list

Type:                  complex

Value:                 array()     <within the brackets, specify a list of usernames, email addresses or domains, e.g. jsmith, jsmith@example.com or @example.com>

Permit users to use both credentials 

To define a list of users who may still use their MantisHub login as well as Azure AD authentication, create this configuration option. Note that this list takes precedence over the force list. It is useful for administrators who may need to disable federation or troubleshoot sign-on federation issues.

Config Option:    plugin_AuthHub_allow_password_login

Type:                  complex

Value:                 array()     <within the brackets, specify a list of usernames, email addresses or domains, e.g. jsmith, jsmith@example.com or @example.com>
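As an added illustration (not AuthHub's own code), the following Python models how the force list and the allow-password-login list above combine for a given user. The matching rules for entries (plain username, full email address, or '@domain' suffix, compared case-insensitively) and the sample lists are assumptions drawn from the descriptions above, not the plugin's implementation.

```python
# Added example, not MantisHub/AuthHub code: models the decision between
# "Azure AD only" and "password login still allowed" for one user.
# Assumptions (from the page's description, not the plugin's source):
#  - an entry is a username, a full email address, or an '@domain' suffix
#  - matching is case-insensitive
#  - the allow list takes precedence over the force list

# Constructed sample values in the shape of the two config options.
FEDERATION_FORCE_LIST = ["@example.com", "contractor1"]
ALLOW_PASSWORD_LOGIN = ["admin@example.com", "helpdesk"]


def matches_entry(entry, username, email):
    """True if a force/allow list entry applies to this user."""
    entry, username, email = entry.strip().lower(), username.lower(), email.lower()
    if entry.startswith("@"):        # domain entry, e.g. '@example.com'
        return email.endswith(entry)
    if "@" in entry:                 # full email address entry
        return email == entry
    return username == entry         # plain username entry


def in_list(entries, username, email):
    return any(matches_entry(e, username, email) for e in entries)


def password_login_allowed(username, email,
                           force_list=FEDERATION_FORCE_LIST,
                           allow_list=ALLOW_PASSWORD_LOGIN):
    """Allow list wins; otherwise a force-list match means Azure AD only.
    With no match in either list the plugin default applies: both credential
    types are accepted."""
    if in_list(allow_list, username, email):
        return True
    if in_list(force_list, username, email):
        return False
    return True


if __name__ == "__main__":
    # Constructed users to show each branch of the decision.
    for user, mail in [("jsmith", "jsmith@example.com"),
                       ("admin", "admin@example.com"),
                       ("contractor1", "c1@partner.net"),
                       ("vendor", "v@partner.net")]:
        mode = "password login allowed" if password_login_allowed(user, mail) else "Azure AD only"
        print(f"{user} ({mail}): {mode}")
```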


Login Session Lifetime

To define the login session lifetime in seconds for users who log in via a federated provider, create this configuration option:

Config Option:    plugin_AuthHub_federation_session_lifetime

Type:                  integer

Value:                 <lifetime in seconds; default is 86400 (24 hours). Enter 0 to expire the session when the browser is closed.>

Auto-provisioning 

To enable auto-provisioning for users not already in MantisHub, create the following configuration option. Auto-provisioning is based on the sign-in information.

Config Option:    plugin_AuthHub_provisioning_enabled

Type:                  integer

Default:              0

Value:                 1

To limit the domains for auto-provisioning:

Config Option:    plugin_AuthHub_provisioning_domains

Type:                  complex

Value:                 array( '@example1.com', '@example2.com' )

To define the global access level for auto-provisioned accounts, which applies to public projects:

Config Option:    plugin_AuthHub_provisioning_global_access_level

Type:                  integer

Value:                 see the access levels article

To define a default access level per project (necessary for private projects, and for cases where the project access level differs from the global access level specified in `provisioning_global_access_level`):

Config Option:    plugin_AuthHub_provisioning_project_access_level

Type:                  complex

Value:                 array( 'project1' => 'REPORTER', 'project2' => 'DEVELOPER' )
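As an added example (not AuthHub's own code), this Python models the auto-provisioning settings above: whether a newly authenticated user is created, based on provisioning_enabled and provisioning_domains, and which access level each project grants, with the per-project entry taking precedence over the global level. The domain matching, the treatment of an empty domain list as no restriction, the None result for a private project without an entry, and the sample values are assumptions drawn from the descriptions above.

```python
# Added example, not MantisHub/AuthHub code: models the auto-provisioning
# decisions described above. Assumptions (from the page's text, not the plugin):
#  - '@domain' entries match the end of the user's email, case-insensitively
#  - an empty provisioning_domains list means no domain restriction
#  - a per-project access level overrides the global one; the global level
#    applies only to public projects, so a private project with no entry
#    grants no access (None)

# Constructed values in the shape of the config options.
PROVISIONING_ENABLED = 1
PROVISIONING_DOMAINS = ["@example1.com", "@example2.com"]
PROVISIONING_GLOBAL_ACCESS_LEVEL = "REPORTER"
PROVISIONING_PROJECT_ACCESS_LEVEL = {"project1": "REPORTER", "project2": "DEVELOPER"}


def should_provision(email, enabled=PROVISIONING_ENABLED, domains=PROVISIONING_DOMAINS):
    """True if an authenticated user who does not yet exist may be created."""
    if not enabled:
        return False
    if not domains:
        return True
    email = email.lower()
    return any(email.endswith(d.strip().lower()) for d in domains)


def access_level_for(project, is_public,
                     global_level=PROVISIONING_GLOBAL_ACCESS_LEVEL,
                     project_levels=PROVISIONING_PROJECT_ACCESS_LEVEL):
    """Access level a freshly provisioned account receives in one project."""
    if project in project_levels:
        return project_levels[project]
    return global_level if is_public else None


def provision_plan(email, projects):
    """Map project name -> access level (or None) for a user, or None if the
    user would not be provisioned at all. `projects` is {name: is_public}."""
    if not should_provision(email):
        return None
    return {name: access_level_for(name, public) for name, public in projects.items()}


if __name__ == "__main__":
    # Constructed project set: two configured projects plus one public and
    # one private project without a per-project entry.
    projects = {"project1": False, "project2": False, "wiki": True, "finance": False}
    for mail in ["alice@example1.com", "eve@example3.com"]:
        print(mail, "->", provision_plan(mail, projects))
```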
