Remote authentication

The Configuration > Account Management > Remote Authentication page specifies the sequence in which Flow Gateway checks authentication sources when a user logs in. It also provides tabs for setting up authentication and authorization using RADIUS, TACACS+ or SAML 2.0.

Types of authentication and authorization

Flow Gateway authenticates and authorizes user logins in three ways:

  • Authenticated and authorized by Flow Gateway - The user has an account on Flow Gateway. This account specifies their login credentials and their user role. If Flow Gateway can authenticate their login credentials in its local user database, it logs the user in and authorizes permissions based on the user role assigned to their account.

  • Authenticated remotely, authorized by Flow Gateway - The user has an account on Flow Gateway. This account specifies their user role, but not their login credentials. It specifies that their credentials are to be authenticated remotely. If Flow Gateway can authenticate their login credentials using a remote authentication server, it logs the user in and authorizes permissions based on the user role assigned to their account.

  • Authenticated and authorized remotely - The user does not have an account on Flow Gateway. When the user attempts to log in, Flow Gateway uses a remote authentication server to both authenticate their login credentials and authorize permissions based on their user role.

Authentication sequence

When Flow Gateway is in the SAML 2.0 authentication mode, it does not log a user on unless the user can be authenticated by a SAML Identity Provider (IdP). Users cannot be authenticated locally or by RADIUS or TACACS+ when SAML authentication is enabled.

When Flow Gateway is not in the SAML 2.0 authentication mode, it logs a user on if the user can be authenticated locally or by RADIUS or TACACS+. In that case the authentication sequence proceeds as follows.

Flow Gateway checks its local database first to authenticate a user's login credentials. If it cannot authenticate the user locally, it attempts to authenticate the credentials using the protocol specified in the Authentication Sequence section of the page. You can specify that Flow Gateway is to check RADIUS servers or TACACS+ servers, or first one and then the other, or neither (that is, use only local authentication).

Flow Gateway attempts to contact the first authentication server in its list of configured servers. If that server is unreachable, it checks the next authentication server in the list. It continues until it succeeds in connecting to an authentication server.

When searching for RADIUS authentication, Flow Gateway contacts RADIUS servers in the order in which they are listed on the RADIUS tab. When searching for TACACS+ authentication, Flow Gateway contacts TACACS+ servers in the order in which they are listed on the TACACS+ tab.

When it succeeds in connecting and receives a valid message back from an authentication server, Flow Gateway stops searching for authentication servers, regardless of whether the message is a pass/success, a "user not found" message, or another failure message. If authentication and authorization succeed, Flow Gateway logs the user in. If either authentication or authorization fails, Flow Gateway displays an error message and records an unsuccessful login attempt in the audit logs.
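The sequence above has one consequence that is easy to miss when planning server order: the first server that answers at all ends the search, so a reachable RADIUS server that does not know the user will deny the login even if a TACACS+ server later in the sequence would have accepted it. The following Python model is an added example written for this page, not Flow Gateway code; the server objects, credential stores, role maps and audit lines are all constructed here to show the walk through local authentication, the configured protocol sequence, the per-tab server order, and the three authorization cases (local account with credentials, local account authenticated remotely, no local account).

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Reply codes a remote server can return. These names are constructed for the
# example; they stand in for RADIUS Access-Accept/Access-Reject and the
# equivalent TACACS+ replies.
PASS = "pass"
USER_NOT_FOUND = "user_not_found"
BAD_PASSWORD = "bad_password"


@dataclass
class LocalAccount:
    role: str
    password: Optional[str] = None   # None: account is authenticated remotely


@dataclass
class RemoteServer:
    name: str
    protocol: str                    # "RADIUS" or "TACACS+"
    reachable: bool
    users: Dict[str, str]            # constructed plaintext store, example only
    roles: Dict[str, str] = field(default_factory=dict)  # remote authorization

    def authenticate(self, username: str, password: str) -> Optional[str]:
        """None models 'no reply' (unreachable); any string is a valid reply."""
        if not self.reachable:
            return None
        if username not in self.users:
            return USER_NOT_FOUND
        if not hmac.compare_digest(self.users[username], password):
            return BAD_PASSWORD
        return PASS


def login(username: str, password: str, local_db: Dict[str, LocalAccount],
          sequence: List[str], servers: List[RemoteServer],
          audit: List[str]) -> Tuple[bool, Optional[str]]:
    """Return (logged_in, role) and append one audit line per decision."""
    account = local_db.get(username)

    # Step 1: the local database, for accounts that hold their own credentials.
    if account is not None and account.password is not None:
        if hmac.compare_digest(account.password, password):
            audit.append(f"{username}: local auth pass, role={account.role}")
            return True, account.role

    # Step 2: walk the configured protocol sequence, e.g. ["RADIUS", "TACACS+"].
    # Within a protocol, servers are tried in the order listed on that tab.
    for protocol in sequence:
        for server in [s for s in servers if s.protocol == protocol]:
            reply = server.authenticate(username, password)
            if reply is None:
                audit.append(f"{username}: {server.name} unreachable, trying next")
                continue
            # The first valid reply ends the search, whether pass or failure.
            if reply != PASS:
                audit.append(f"{username}: {server.name} replied {reply}; login denied")
                return False, None
            # Authentication passed. Authorization comes from the local account
            # if one exists, otherwise from the remote server's role mapping.
            role = account.role if account else server.roles.get(username)
            if role is None:
                audit.append(f"{username}: {server.name} pass but no role; login denied")
                return False, None
            audit.append(f"{username}: {server.name} pass, role={role}")
            return True, role

    audit.append(f"{username}: no authentication source accepted the login")
    return False, None


def demo():
    """Run four constructed scenarios; returns ({name: (logged_in, role)}, audit)."""
    local_db = {
        "carol": LocalAccount(role="operator", password="carol-pw"),
        "alice": LocalAccount(role="admin"),            # authenticated remotely
    }
    servers = [
        RemoteServer("radius-1", "RADIUS", reachable=False, users={}),
        RemoteServer("radius-2", "RADIUS", reachable=True, users={"alice": "alice-pw"}),
        RemoteServer("tacacs-1", "TACACS+", reachable=True,
                     users={"alice": "alice-pw", "bob": "bob-pw"},
                     roles={"bob": "monitor"}),
    ]
    audit: List[str] = []
    both = ["RADIUS", "TACACS+"]
    results = {
        "carol": login("carol", "carol-pw", local_db, both, servers, audit),
        "alice": login("alice", "alice-pw", local_db, both, servers, audit),
        # bob exists only on TACACS+, but radius-2 answers first with
        # "user not found", so the search stops there and bob is denied.
        "bob_radius_first": login("bob", "bob-pw", local_db, both, servers, audit),
        "bob_tacacs_only": login("bob", "bob-pw", local_db, ["TACACS+"], servers, audit),
    }
    return results, audit


if __name__ == "__main__":
    results, audit = demo()
    for name, outcome in results.items():
        print(f"{name}: {outcome}")
    print("\n".join(audit))
```

The `bob_radius_first` case is the one to plan around: if some users exist only on TACACS+, either list TACACS+ first in the sequence or make sure every RADIUS server in the list knows those users, because an unreachable server is skipped but a "user not found" reply is final. The audit list mirrors what the page says about failed logins being recorded, and is the place a reviewer would look to tell "server down" from "server rejected".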

Configuring remote authentication

Accounts

Flow Gateway configuration