Google & G-Suite Authentication (SSO)

 

By default, MantisHub has its own authentication system, which lets all users sign in with MantisHub-specific usernames and passwords. This model is useful for the following use cases:

  • Users who don't use a cloud identity provider like Google.
  • Users who do not authenticate to the company identity provider, e.g. 3rd party providers or external customers that are not in your directory.

For companies that use both Google Suite and MantisHub, it is recommended to switch over to Google authentication.

Benefits for the users:

  • Users don't have to manage yet another username and password.
  • Users get the advantages of single sign-on.
  • User password hashes are not stored on our servers.
  • Users can be auto-provisioned to get instant access when they need it.

Benefits for administrators:

  • Users authenticating via Google are subject to the policies configured by the administrator, e.g. FIDO authentication, multi-factor authentication, password complexity, regular password change, protection against password spray attacks, etc.
  • Users can be auto-provisioned into MantisHub if they authenticate successfully with an email address in a white-listed domain. This reduces the manual work of onboarding your team and reduces human error.

Implementing Google authentication 

To enable Google authentication for MantisHub logins, ensure you are on a qualifying plan. You will see the AuthHub plugin available in the 'Manage Plugins' page. Administrators can install the plugin at their convenience.

 


 

Next, you need to define Google as your provider. Head to Manage - Manage Configuration and add the following config option:

Config Option:    plugin_AuthHub_federation_provider

Type:                  string

Value:                 google

 

You will now see a Google button on your login page, just below the username box. Your users can click that button to log in. They will be prompted to enter their Google credentials or, if they are already authenticated in the browser, taken straight into MantisHub.

 


The default setting allows users to log in using either their Google account OR their MantisHub credentials. It is recommended to allow this for a test phase to make sure everything works. Once testing is completed, you can secure the system further by requiring a subset of users, or all users, to use Google login by configuring the list of domains that are forced to use AuthHub authentication. See the Configuration Options below.

 

Configuration Options

Below are the configuration options for your AuthHub setup. An administrator can enter them from the web UI: head to the Manage - Manage Configuration - Configuration Report page and create the relevant configuration option.


 

Authentication Provider

Set your authentication provider to Google:

Config Option:    plugin_AuthHub_federation_provider

Type:                  string

Value:                 google

 

Authentication Scope

Set the domain for your Google tenant:

Config Option:    plugin_AuthHub_federation_tenant

Type:                  string

Value:                 <tenant e.g. example.com or gmail.com>

 

Lock users to Google Authentication

To restrict specific users to Google authentication ONLY, create the following configuration. You can specify a list of users, domains, or a mix:

Config Option:    plugin_AuthHub_federation_force_list

Type:                  complex

Value:                 array()     <within brackets specify list of usernames, email addresses or domains. e.g. jsmith, jsmith@example.com or @example.com>

 

Permit users to use both credentials 

To define a list of users who may still use their MantisHub login as well as Google authentication, create this configuration option. Note that this list takes precedence over the force list. It is useful for administrators who may need to disable or troubleshoot sign-on federation issues.

Config Option:    plugin_AuthHub_allow_password_login

Type:                  complex

Value:                 array()     <within brackets specify list of usernames, email addresses or domains. e.g. jsmith, jsmith@example.com or @example.com>

 

Login Session Lifetime

To define the login session lifetime in seconds for users who log in via a federated provider, create this configuration option:

Config Option:    plugin_AuthHub_federation_session_lifetime

Type:                  integer

Value:                 <lifetime in seconds, default is 86400 (24hrs). Enter 0 to expire the session when the browser is closed.>

 

Auto-provisioning 

To enable auto-provisioning for users not already in MantisHub, create the following configuration option. Auto-provisioning will be based on sign-in information. 

Config Option:    plugin_AuthHub_provisioning_enabled

Type:                  integer

Default:              0

Value:                 1

 

To limit the domains for auto-provisioning:

Config Option:    plugin_AuthHub_provisioning_domains

Type:                  complex

Value:                 array( '@example1.com', '@example2.com' )
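
The precedence between the force list and the password-login list, and the domain limit on auto-provisioning, modelled as an added example (not MantisHub or AuthHub code). The matching rules (case-insensitive, exact domain comparison, an empty domain list meaning no limit) and the sample users are assumptions for illustration.

```python
# Illustrative model of the documented rules; not the AuthHub plugin's code.
# Assumptions: case-insensitive comparison; domains are compared exactly.

def entry_matches(entry, username, email):
    """True if a list entry (username, email address or @domain) names this user."""
    entry, username, email = entry.strip().lower(), username.lower(), email.lower()
    if entry.startswith("@"):
        # Compare the whole domain after the last '@', never a substring:
        # '@example.com' must not match 'eve@example.com.other.test'.
        _, sep, domain = email.rpartition("@")
        return bool(sep) and domain == entry[1:]
    if "@" in entry:
        return email == entry
    return username == entry

def in_list(entries, username, email):
    return any(entry_matches(e, username, email) for e in entries)

def password_login_allowed(username, email, force_list, allow_password_login):
    """allow_password_login takes precedence over federation_force_list."""
    if in_list(allow_password_login, username, email):
        return True
    return not in_list(force_list, username, email)

def auto_provisioned(email, provisioning_enabled, provisioning_domains):
    """Would a first Google sign-in from this address create an account?"""
    if not provisioning_enabled:
        return False
    if not provisioning_domains:
        return True  # assumption: no domain list configured means no limit
    return in_list(provisioning_domains, "", email)

# Constructed sample configuration and users (not from a real instance).
FORCE_LIST = ["@example.com", "contractor1"]
ALLOW_PASSWORD_LOGIN = ["admin@example.com"]  # break-glass administrator
PROVISIONING_DOMAINS = ["@example.com"]
USERS = [("admin", "admin@example.com"), ("jsmith", "jsmith@example.com"),
         ("contractor1", "c1@partner.test"), ("customer7", "c7@customer.test")]

def audit(users=USERS):
    """Usernames that can still sign in with a MantisHub password."""
    return [u for u, e in users
            if password_login_allowed(u, e, FORCE_LIST, ALLOW_PASSWORD_LOGIN)]

if __name__ == "__main__":
    print("password login still possible:", audit())
    print("provisioned:", auto_provisioned("new@example.com", 1, PROVISIONING_DOMAINS))
```

Running such an audit before enforcing the force list shows which accounts keep a password path, which should be limited to the intended administrators and external users.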

 

To define the global access level for auto-provisioned accounts, which applies to public projects:

Config Option:    plugin_AuthHub_provisioning_global_access_level

Type:                  integer

Value:               see access levels article   

 

To define a default access level per project (this is necessary for private projects and for cases where the project access level is not equal to the global access level specified in `provisioning_global_access_level`):

Config Option:    plugin_AuthHub_provisioning_project_access_level

Type:                  complex

Value:                 array( 'project1' => 'REPORTER', 'project2' => 'DEVELOPER' )

 

 
