Managing user authentication methods

As a system admin, you must assign at least one authentication method to each user in order for them to log in. A user can have multiple login methods but only one from among Password, RSA, and Active Directory.

This page contains the following sections:

• Invitation workflow
• Manually setting passwords
• Active Directory
• Integrated Authentication
• Client Certificate
• RSA
• OpenID Connect
• SAML 2.0

Invitation workflow

A significant security improvement to the Relativity authentication process is that the system admin no longer knows or can set user passwords. The invitation workflow, called that because you invite users to log in to Relativity, is the new mechanism for them to set and to manage their own passwords. Now, a system admin (when creating a new user), or a user (if they forget their password) initiates an email sent to them at their specified address, and they create or reset their password directly within Relativity.

Note: For Relativity 9.4.378.21 and above, you must set the RelativityInstanceURL instance setting if you want to use this feature and don't have OpenID Connect or SAML providers configured in your environment. Ensure that the value for this setting is the URL for your Relativity instance. For example, the URL would have the format: https://example.relativity.com/Relativity. The user receiving the invitation email must have access to this URL.

The invitation workflow applies to the following methods:

• Password Only
• Password Two-Factor
• Password Outside Trusted IP

Password Only

The password only option requires the user to enter only a password for authentication. It does not require an additional check or two-factor criterion.

To assign and to configure this option for a user:

1. After creating a new user, edit their profile (Users tab, and click their full name).
2. In the Login Method (User) section, click New.
3. In the Login Method Information section, select the password provider method from the Provider drop-down list. The password provider name may vary for each Relativity instance. See Authentication for creating and naming a password method instance. The Login Method Settings section appears. You can assign only one instance from among Password, RSA, and Active Directory methods.
4. Select None from the Two Factor Mode drop-down list.
5. Click Save and then Back.

6. Click Send User Invitation Email.

   

   This sends an invitation email to the user at the email address listed in their profile’s User Information section. By default, the link in the email is valid for one week (10080 minutes).

   Note: You can use the InvitationLinkLifetimeInMin instance setting to increase the default invitation link expiration period.

   If the email can't be sent because your system email SMTP settings are not configured properly, a warning is displayed.

   You can also use the Invite mass action on the Users tab to send invitation email to multiple users. For more information, see Invite users.

   To customize the invitation email, use the following instance settings:

   • InvitationEmailRequestBody (Relativity.Authentication section) - the invitation email message text. The email text must be formatted as HTML.
   • InvitationEmailRequestFrom (Relativity.Authentication section) – the invitation email message sender's email address.
   • InvitationEmailRequestSubject (Relativity.Authentication section) – the invitation email message subject.
   • InvitationLinkLifetimeInMin (Relativity.Authentication section) – the number of minutes the link sent in the invitation email remains valid.

Password Two-Factor

The two-factor password is a variation of the Password method that requires a passcode in addition to a password. The system emails a passcode to the user during logon, and it's different each time.

To assign and to configure this option for a user:

1. After creating a new user, edit their profile (Users tab, and click their full name).
2. In the Login Method (User) section, click New.
3. In the Login Method Information section, select the password provider method from the Provider drop-down list. The password provider name may vary for each Relativity instance. See Authentication for creating for creating and naming a password method instance. The Login Method Settings section appears. You can assign only one instance from among Password, RSA, and Active Directory methods.
4. Select Always from the Two Factor Mode drop-down list.
5. Enter the user’s email address that the password is emailed to in Two Factor Info. This address can be different from the email in the user’s profile.
6. Click Save and then Back.
7. Click Send User Invitation Email.

Note: The link in the email is valid for 5 minutes, and only the most recently-sent email can be used. The link expiration time is not configurable.

Password Outside Trusted IP

The Outside Trusted IP is a variation of the Password method that requires a passcode only if the user logs in outside of a specified IP range. If the log on is inside the trusted range, then only a password is required.

To define a Trusted IP range:

1. After creating a new user, edit their profile (Users tab, and click their full name).
2. In the User Information section enter the IP range in the Trusted IPs field.
   You can specify an individual address, a range of IP addresses, or multiple addresses. Each address must be on a separate line, and you can use wildcards. See Setting IP address range for additional information. The default value of empty defines all IP addresses as untrusted. You can enter *.*.*.* to trust any IP address.
   
   

   Note: Relativity only supports the IPV4 format for Trusted IP addresses. It doesn't support the IPV6 format.

3. Click Save.

To assign and to configure this option for a user:

1. After creating a new user, edit their profile (Users tab, and click their full name).
2. In the Login Method (User) section, click New.
3. In the Login Method Information section, select the password provider method from the Provider drop-down list. The password provider name may vary for each Relativity instance. See Authentication for creating and naming a password method instance. The Login Method Settings section appears.You can assign only one instance from among Password, RSA, and Active Directory methods.
4. Select Outside Trusted IPs from the Two Factor Mode drop-down list.
5. Enter the user’s email address that the password is emailed to in Two Factor Info. This address can be different from the email in the user’s profile.
6. Click Save and then Back.

7. Click Send User Invitation Email.

Password reset

Sometimes it may be necessary to reset a user's password. In Relativity, passwords are reset by sending the user an email with a reset link.

Note: If using a Relativity version earlier than 9.4.378.21, the Send Password Reset Email is also used to send out invitations for new users.

To reset a user's password:

• Click Send Password Reset Email.

  

  The link within the email is valid for 15 minutes, and only the most recently sent email can be used.

  Note: You can use the PasswordResetEmailExpirationInMinutes instance setting to increase the default reset link expiration period.

Manually setting passwords

By default, system admins can't set or see user passwords. Instead, system admins can send a password reset email, and users create and manage their own passwords. However, there are some situations, such as for testing or project development, that may require system admins to explicitly and manually set passwords.

To set this option in your Relativity instance, add the AdminsCanSetPasswords instance setting to the Relativity.Authentication section and set it to True. You must manually enter this setting and value because it is not present from the default Relativity installation.

To set a password, use the following procedure.

1. After creating a new user, open their profile (Click the Users tab, and then click their full name).
2. In the Login Method (User) section, click New.
3. In the Login Method Information section, select the password provider method from the Provider drop-down list.
   The password provider name may vary for each Relativity instance. See Authentication for creating and naming a password method instance. The Login Method Settings section appears.You can assign only one instance from among Password, RSA, and Active Directory methods.
4. Select Set Password to True. 
   The password requirements appear.
5. Enter the password in the Password field.
6. Re-enter the password in the Retype Password field.
7. Click Save and then Back.

The password information doesn't appear except when you're editing it. If a current password exists, it doesn't appear either. Each new password overwrites the existing password.

Active Directory

The Active Directory method uses Windows Active Directory to authenticate the user.

To assign and to configure this option for a user.

1. After creating a new user, edit their profile (Users tab, and click their full name).
2. In the Login Method (User) section, click New.
3. In the Login Method Information section, select the active directory provider method from the Provider drop-down list. The provider name may vary for each Relativity instance. See Authentication for creating and naming a password method instance. The Login Method Settings section appears. You may have only one instance from among Password, Active Directory, or RSA methods.
4. Enter the user’s Windows domain and username in Active Directory Account.
   An example of the domain\username format is if the user's email address is jsmith@example.com, you'd enter example\jsmith. Alternatively, you can use the user's email address without the domain ending, such as jsmith@example. If an LDAP server is installed, you can use the full email address, such as jsmith@example.com.
5. Click Save and then Back.

Integrated Authentication

Integrated Authentication (previously called Windows Authentication or Integrated Windows Authentication) uses Windows supported authentication protocols, such as Kerberos, to automatically log in users. Make sure the following instance settings are configured correctly.

• UseWindowsAuthentication - must be set to True to use Integrated Authentication. If False, Integrated Authentication isn't active.
• WindowsAuthIpRange - set this to the IP address or addresses for a trusted range of computers. If a user logs in within the trusted IP range, they will automatically be logged in with their integrated authentication credentials. If a user logs in outside of the trusted IP range, the user will be prompted with the login page. If the user has another assigned authentication method, they can use that to complete their login. The IP address can use wildcards.

To assign and to configure this option for a user:

1. After creating a new user, edit their profile (Users tab, and click their full name).
2. In the Login Method (User) section, click New.
3. In the Login Method Information section, select the integrated authentication provider method from the Provider drop-down list.
   The provider name may vary for each Relativity instance. See Authentication for creating and naming a password method instance. The Login Method Settings section appears.
4. Enter the user’s Windows domain and username in Windows Account.
   An example of the domain\username format is if someone's email address is jsmith@example.com, you'd enter example\jsmith.
5. Click Save and then Back.

Client Certificate

This client certificate authentication uses a smart card assigned to a user. Contact your smart card provider for card details.

To assign and to configure this option for a user:

1. After creating a new user, edit their profile (Users tab, and click their full name).
2. In the Login Method (User) section, click New.
3. In the Login Method Information section, select the client certificate provider method from the Provider drop-down list.
   The provider name may vary for each Relativity instance. See Authentication for creating and naming a password method instance. The Login Method Settings section appears.
4. Enter the subject alternate name in Certificate Subject in Certificate Subject. The subject alternate name is the value from the certificate's Subject Alternate Name. In the following example, use jsmith@example.com. However, your smart card vendor may provide a different specification and you should use that instead.

5. Click Save and then Back.

RSA

This method requires a user to have an RSA SecurID token that is registered with your RSA Authentication provider.

1. If you need to configure RSA files for the web server, see the RSA configuration
2. After creating a new user, edit their profile (Users tab, and click their full name).
3. In the Login Method (User) section, click New.
4. In the Login Method Information section, select the RSA provider method from the Provider drop-down list.
   The provider name may vary for each Relativity instance. See Authentication for creating and naming a password method instance. The Login Method Settings section appears.
5. Enter the subject identifier for the authentication provider as the RSA Subject.
6. Click Save and then Back.

OpenID Connect

1. After creating a new user, edit their profile (Users tab, and click their full name).
2. In the Login Method (User) section, click New.
3. In the Login Method Information section, select the OpenID Connect provider method from the Provider drop-down list. The provider name may vary for each Relativity instance. See Authentication for creating and naming a password method instance. The Login Method Settings section appears.
4. Enter the subject identifier for the authentication provider as the OpenID Connect Subject.
   
5. Click Save and then Back.

SAML 2.0

1. After creating a new user, edit their profile (Users tab, and click their full name).
2. In the Login Method (User) section, click New.
3. In the Login Method Information section, select the SAML 2.0 provider method from the Provider drop-down list. The provider name may vary for each Relativity instance. See Authentication for creating and naming a password method instance. The Login Method Settings section appears.
4. Enter the subject identifier for the authentication provider as the SAML2 Subject. For example, if you select Email as the application username in Okta, you must enter the Relativity user's email here.
5. Click Save and then Back.