Managing user authentication methods

As a system admin, you must assign at least one authentication method to each user in order for them to log in. A user can have multiple login methods but only one Password.

Invitation workflow

A significant security improvement to the Relativity authentication process is that the system admin no longer knows or can set user passwords. The invitation workflow, so called because you invite users to log in to Relativity, is the new mechanism for users to set and manage their own passwords. Now, a system admin (when creating a new user) or a user (if they forget their password) initiates an email that is sent to the user's specified address, and the user creates or resets the password directly within Relativity.

Note: For Relativity 9.4.378.21 and above, you must set the RelativityInstanceURL instance setting if you want to use this feature and don't have OpenID Connect or SAML providers configured in your environment. Ensure that the value for this setting is the URL for your Relativity instance. For example, the URL would have the format: https://example.relativity.com/Relativity. The user receiving the invitation email must have access to this URL.

The invitation workflow applies to the following methods:

Password

The password option requires the user to enter only a password for authentication. It does not require an additional check or two-factor criterion.

To assign and to configure this option for a user:

  1. After creating a new user, edit their profile (Users tab, and click their full name).
  2. In the Login Method (User) section, click New.
  3. In the Login Method Information pop-up window, select the password provider method from the Provider drop-down list.
    The Default Password Settings section appears.
  4. Disable the Enable Two-factor Authentication toggle.
  5. Set the Default Password Settings.
    • Can Change Password - enable to let user change the password at any point.
    • Require Change Password on Next Login - enable to have user change given password.
    • Maximum Password Age - enable to set number of days a password can work. Set the number of days in the text box.
    • Set Password for User - enable to create a password for the user.
  6. Click Save.
  7. Click Send Invitation Email.

    This sends an invitation email to the user at the email address listed in their profile’s User Information section. By default, the link in the email is valid for one week (10080 minutes).

    Note: You can use the instance setting to increase the default invitation link expiration period.

    If the email can't be sent because your system email SMTP settings are not configured properly, a warning is displayed.

    You can also use the Invite mass action on the Users tab to send invitation email to multiple users. For more information, see Invite users.

Two-factor authentication

Two-factor authentication is a variation of the Password method that requires a passcode in addition to a password. The system emails a passcode to the user during logon, and it's different each time.

To assign and configure this option for a user, follow the Password method above, but enable the Enable Two-factor Authentication toggle in the Login Method section.

Select the Mode (always provide a passcode, or ignore the passcode for Trusted IPs) and the Method (use an authentication app or an email address).

Note: The link in the email is valid for 5 minutes, and only the most recently-sent email can be used. The link expiration time is not configurable.

Password Outside Trusted IP

Outside Trusted IP is a variation of the Password method that requires a passcode only if the user logs in from outside a specified IP range. If the logon comes from inside the trusted range, then only a password is required.

To define a Trusted IP range:

  1. After creating a new user, edit their profile (Users tab, and click their full name).
  2. Click Save.

To assign and to configure this option for a user:

  1. After creating a new user, edit their profile (Users tab, and click their full name).
  2. In the Login Method (User) section, click New.
  3. In the Login Method Information section, select the password provider method from the Provider drop-down list. The Login Method Settings section appears. You can assign only one instance from among Password and RSA methods.
  4. Select Outside Trusted IPs from the Two Factor Mode drop-down list.
  5. Enter the user’s email address that the password is emailed to in Two Factor Info. This address can be different from the email in the user’s profile.
  6. Click Save and then Back.
  7. Click Send User Invitation Email.
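
The decision this mode makes at logon, sketched as an added example (this is not Relativity code). The mode labels, function names and sample ranges are assumptions made for illustration.

```python
import ipaddress

# Hypothetical labels for the two Mode choices described on this page.
ALWAYS = "Always"
OUTSIDE_TRUSTED_IPS = "Outside Trusted IPs"


def parse_ranges(cidrs):
    """Parse trusted ranges; strict=True rejects typos such as 10.20.5.1/16."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def passcode_required(mode, client_ip, trusted):
    """True when the logon needs a passcode in addition to the password."""
    if mode == ALWAYS:
        return True
    if mode != OUTSIDE_TRUSTED_IPS:
        raise ValueError(f"unknown two-factor mode: {mode!r}")
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        # Fail closed: an address that cannot be parsed counts as untrusted.
        return True
    # An IPv4 client seen through a dual-stack listener arrives as
    # ::ffff:a.b.c.d; unwrap it so it is compared against the IPv4 ranges.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not any(addr.version == n.version and addr in n for n in trusted)


# Constructed sample ranges (private and documentation space), not from the page.
SAMPLE_TRUSTED = parse_ranges(["10.20.0.0/16", "2001:db8:10::/48"])
```

A trusted-range check is only as reliable as the source of the client address, so the value passed in should be the connection's peer address or one set by a proxy you control.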

Password reset

Sometimes it may be necessary to reset a user's password. In Relativity, passwords are reset by sending the user an email with a reset link.

Note: If using a Relativity version earlier than 9.4.378.21, the Send Password Reset Email is also used to send out invitations for new users.

To reset a user's password:

  • Click Send Password Reset Email.

    The link within the email is valid for 15 minutes, and only the most recently sent email can be used.

    Note: You can use the instance setting to increase the default reset link expiration period.
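
The link rules stated on this page (invitation links valid for 10080 minutes, reset links for 15, two-factor links for 5, and only the most recently sent reset or two-factor email usable), modelled as an added example that is not Relativity code. The LinkStore class, its method names and the single-use behaviour on success are assumptions of this sketch.

```python
import secrets
from datetime import timedelta

# Default lifetimes stated on this page, in minutes.
LIFETIME_MIN = {"invitation": 10080, "reset": 15, "two_factor": 5}
# Kinds for which the page says only the most recently sent email can be used.
LATEST_ONLY = {"reset", "two_factor"}


class LinkStore:
    """Hypothetical in-memory model of emailed links."""

    def __init__(self):
        self._links = {}   # token -> (user, kind, expires_at)
        self._latest = {}  # (user, kind) -> most recently issued token

    def issue(self, user, kind, now):
        """Create an unguessable link token and record it as the latest."""
        token = secrets.token_urlsafe(32)
        expires_at = now + timedelta(minutes=LIFETIME_MIN[kind])
        self._links[token] = (user, kind, expires_at)
        self._latest[(user, kind)] = token
        return token

    def redeem(self, token, now):
        """Return (ok, reason) for a link presented at time `now`."""
        entry = self._links.get(token)
        if entry is None:
            return False, "unknown"
        user, kind, expires_at = entry
        if now >= expires_at:
            return False, "expired"
        if kind in LATEST_ONLY and self._latest[(user, kind)] != token:
            return False, "superseded"
        # Assumption of this sketch: a link is consumed once it succeeds.
        del self._links[token]
        return True, "ok"
```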

Manually setting passwords

By default, system admins can't set or see user passwords. Instead, system admins can send a password reset email, and users create and manage their own passwords. However, there are some situations, such as for testing or project development, that may require system admins to explicitly and manually set passwords.

To set this option in your Relativity instance, add the AdminsCanSetPasswords instance setting to the Relativity.Authentication section and set it to True. You must manually enter this setting and value because it is not present in the default Relativity installation.

To set a password, use the following procedure.

  1. After creating a new user, open their profile (Click the Users tab, and then click their full name).
  2. In the Login Method (User) section, click New.
  3. In the Login Method Information section, select the password provider method from the Provider drop-down list.
    The Login Method Settings section appears. You can assign only one instance from among Password and RSA methods.
  4. Select Set Password to True.
    The password requirements appear.
  5. Enter the password in the Password field.
  6. Re-enter the password in the Retype Password field.
  7. Click Save and then Back.

The password information doesn't appear except when you're editing it. If a current password exists, it doesn't appear either. Each new password overwrites the existing password.

OpenID Connect

  1. After creating a new user, edit their profile (Users tab, and click their full name).
  2. In the Login Method (User) section, click New.
  3. In the Login Method Information section, select the OpenID Connect provider method from the Provider drop-down list. The Login Method Settings section appears.
  4. Enter the subject identifier for the authentication provider as the OpenID Connect Subject.
  5. Click Save and then Back.

SAML 2.0

  1. After creating a new user, edit their profile (Users tab, and click their full name).
  2. In the Login Method (User) section, click New.
  3. In the Login Method Information section, select the SAML 2.0 provider method from the Provider drop-down list. The Login Method Settings section appears.
  4. Enter the subject identifier for the authentication provider as the SAML2 Subject. For example, if you select Email as the application username in Okta, you must enter the Relativity user's email here.
  5. Click Save and then Back.

Client Certificate

This client certificate authentication uses a smart card assigned to a user. Contact your smart card provider for card details.

To assign and to configure this option for a user:

  1. After creating a new user, edit their profile (Users tab, and click their full name).
  2. In the Login Method (User) section, click New.
  3. In the Login Method Information section, select the client certificate provider method from the Provider drop-down list.
    The Login Method Settings section appears.
  4. Enter the subject alternate name in Certificate Subject. The subject alternate name is the value from the certificate's Subject Alternate Name. In the following example, use jsmith@example.com. However, your smart card vendor may provide a different specification and you should use that instead.
  5. Click Save and then Back.