Managing user authentication methods

As a system admin, you must assign at least one authentication method to each user in order for them to log in. A user can have multiple login methods but only one Password.

Invitation workflow

A significant security improvement to the Relativity authentication process is that the system admin no longer knows or can set user passwords. The invitation workflow, called that because you invite users to log in to Relativity, is the new mechanism for them to set and to manage their own passwords. Now, a system admin (when creating a new user), or a user (if they forget their password) initiates an email sent to them at their specified address, and they create or reset their password directly within Relativity.

Note: For help with single sign-on error messages, please see the SSO Troubleshooting console.

The invitation workflow applies to the following methods:

Password

The password option requires the user to enter only a password for authentication. It does not require an additional check or two-factor criterion.

To assign and to configure this option for a user:

  1. After creating a new user, edit their profile (Users tab, and click their full name).
  2. In the Login Method (User) section, click New.
  3. In the Login Method Information pop-up window, select the password provider method from the Provider drop-down list.
    The Default Password Settings section appears.
  4. Disable the Enable Two-factor Authentication toggle. For more information, see Two-factor authentication.
  5. Set the Default Password Settings.
    • Can Change Password - enable to let user change the password at any point.
    • Require Change Password on Next Login - enable to have user change given password.
    • Maximum Password Age - enable to set number of days a password can work. Set the number of days in the text box.
    • Set Password for User - enable to create a password for the user.
  6. Click Save.
  7. Click Send Invitation Email.
    User console

    This sends an invitation email to the user at the email address listed in their profile’s User Information section. By default, the link in the email is valid for one week (10080 minutes).
    Note: You can use the instance setting to increase the default invitation link expiration period.
    If the email can't be sent because your system email SMTP settings are not configured properly, a warning is displayed.

    You can also use the Invite mass action on the Users tab to send invitation email to multiple users. For more information, see Invite users.

Two-factor authentication

The two-factor authentication is a variation of the Password method that requires a passcode in addition to a password.

To assign and configure this option for a user,

  1. Edit their profile (Users tab, and click their full name).
  2. In the Login Method (User) section, click New.
  3. In the Login Method Information pop-up window, select the password provider method from the Provider drop-down list.
    The Default Password Settings section appears.
  4. Enable the Enable Two-factor Authentication toggle.
  5. Select the Mode, "always provide passcode" or "ignore passcode for Trusted IPs."
  6. Select the Method, use an "authenticator app" or "email" address.
  7. Set the preferred Default Password Settings.
  8. Click Save.

For authenticator app, the user will follow the instructions on the app or enter the app's passcode. For email two-factor authentication, the system emails a passcode to the user during logon, and it's different each time. For more information on signing in with an authenticator app, see Two-factor authentication.

Note: The link in the email is valid for 5 minutes, and only the most recently-sent email can be used. The link expiration time is not configurable.

Password Outside Trusted IP

The Outside Trusted IP is a variation of the Password method that requires a passcode only if the user logs in outside of a specified IP range. If the log on is inside the trusted range, then only a password is required.

Note: Password reset emails are not generated for users logging in via 2FA from an untrusted IP address. To initiate a password reset in these cases, an administrator must send a reset link from a trusted IP address.

To assign and to configure this option for a user:

  1. After creating a new user, edit their profile (Users tab, and click their full name).
  2. In the Login Method (User) section, click New.
  3. In the Login Method Information section, select the password provider method from the Provider drop-down list. The Login Method Settings section appears. You can assign only one instance from among Password and RSA methods.
  4. Select Require only for non Trusted IPs in the Two-factor Authentication section.
  5. Enter the user’s email address you want to send the password to in the Email Address field. This address can be different from the email in the user’s profile.
  6. Click Save and then Back.
  7. Click Send User Invitation Email.

To define a Trusted IP range:

You define an IP address or addresses as valid locations from which users can log in from in a combination of two settings.

The second setting specifies a valid IP address or addresses for each user. This can be an individual address, a range of addresses, or combination of either. The specified range is called the Trusted IPs. Users outside of this range or ranges won't be able to login except by using Password authentication with the Two Factor Mode set to Outside Trusted IPs.

To set the user Trusted IP range:

  1. Select the Users tab.
  2. Click the user's name.
  3. Click Edit.
  4. Enter the IP range in the Trusted IPs field. If you have multiple trusted IPs, enter each IP range on a new line.
    Trusted IPs field
  5. Click Save.

By default, no value is empty, which indicates any IP address is valid.

In case of setting the user's Trusted IP range, you can specify an individual address, a range of addresses, or a combination of either, separate each one with a carriage return.

Addresses use the "###.###.###.###" format. The following wildcards are available for both settings:

Description Example

Asterisk (*)

(Asterisk wildcard)

 Matches zero or more characters.

192.168.31.*. You can't use this notation with the match range of digits wildcard.

Hash (#)

(Hash wildcard)

 Matches any single digit 0-9. 192.168.31.##. You can't use this notation with the match range of digits wildcard.

[start-end]

(Match range of digits wildcard)

 Matches a range of digits.

192.168.31. [0-255]. You can't use this notation with the asterisk and/or hash wildcards.
16-bit mask A 16-bit number that masks an IP address. 192.168.0.0/16 is the same as 192.168.0.0/255.255.0.0.
Network address range is 192.168.0.0-192.168.255.255.
24-bit mask A 24-bit number that masks an IP address. 192.168.31.0/24 is the same as 192.168.31.0/255.255.255.0.
Network address range is 192.168.31.0 - 192.168.31.255.
25-bit mask A 25-bit number that masks an IP address. 192.168.31.0/25 is the same as 192.168.31.0/255.255.255.128.
Network address range is 192.168.31.0 - 192.168.31.127.

Password reset

Sometimes it may be necessary to reset a user's password. In Relativity, passwords are reset by sending the user an email with a reset link.

To reset a user's password:

  • Click Send Password Reset Email.
    User console

    The link within the email is valid for 15 minutes, and only the most recently sent email can be used.
    Note: You can use the instance setting to increase the default reset link expiration period.

Manually setting passwords

By default, system admins can't set or see user passwords. Instead, system admins can send a password reset email, and users create and manage their own passwords. However, there are some situations, such as for testing or project development, that may require system admins to explicitly and manually set passwords.

To set this option in your Relativity instance, add the AdminsCanSetPasswords instance setting to the Relativity.Authentication section and set it to True. You must manually enter this setting and value because it is not present from the default Relativity installation.

To set a password, use the following procedure.

  1. After creating a new user, open their profile (Click the Users tab, and then click their full name).
  2. In the Login Method (User) section, click New.
  3. In the Login Method Information section, select the password provider method from the Provider drop-down list.
    The Login Method Settings section appears.You can assign only one instance from among Password and RSA methods.
  4. Select Set Password to True
    The password requirements appear.
  5. Enter the password in the Password field.
  6. Re-enter the password in the Retype Password field.
  7. Click Save and then Back.

The password information doesn't appear except when you're editing it. If a current password exists, it doesn't appear either. Each new password overwrites the existing password.

OpenID Connect

  1. After creating a new user, edit their profile (Users tab, and click their full name).
  2. In the Login Method (User) section, click New.
  3. In the Login Method Information section, select the OpenID Connect provider method from the Provider drop-down list. The Login Method Settings section appears.
  4. Enter the subject identifier for the authentication provider as the OpenID Connect Subject.
  5. Click Save and then Back.

SAML 2.0

  1. After creating a new user, edit their profile (Users tab, and click their full name).
  2. In the Login Method (User) section, click New.
  3. In the Login Method Information section, select the SAML 2.0 provider method from the Provider drop-down list. The Login Method Settings section appears.
  4. Enter the subject identifier for the authentication provider as the SAML2 Subject. For example, if you select Email as the application username in Okta, you must enter the Relativity user's email here.
  5. Click Save and then Back.