UI

The CORE Web UI is intended for authorized users who have SO (Security officer, the UKC partition administrator role) privileges among their roles.

Note
If your browser is set to validate the certificate presented by the CORE server, add the CORE trust certificate (root_ca.p7b file) to the personal trust certificates used by the browser. See Prepare Browser for Server-side Certificate Validation.

UI Sign-In

To access the CORE web UI, point your web browser at:

https://<EP>[:<EP Bootstrap port>]/login.

→ the Login page appears:

User sign-in options

The login procedure

  1. User selects the authentication method and provides the corresponding info:
  2. The credentials are validated and membership in the partition is confirmed. The login session is completed, unless the partition requires the 2nd authentication factor. See UI.
  3. By the end of the validation, the browser presents:

Note
Once logged in, you may interrupt your current session and return to it later, or use the browser's page refresh, if you selected the Remember my login for this session check-box. Otherwise, you will have to log in again.

Login with CORE

Once the Continue with CORE option is selected, the user is asked to provide:

  • Partition name.
  • Credentials of the partition user.

The login is declined if the user doesn't have the SO role or is not a member of a user group that has the SO role among the roles assigned to its members.

Login with SSO Provider

Continue with one of the presented Single Sign-on providers. In this case the specification of the partition is optional:

  • If a partition is specified, the user is (a) authenticated by the SSO (Single Sign-On) provider and (b) confirmed by CORE as a member of the specified partition.
  • If a partition is not specified, the user is signed into one of the partitions where they are registered. Using the partition's UI, the user may roam among all partitions where they are registered without needing to log in to each of them.

For further information, see SSO User.

The 2FA Option

Once the credentials are validated (by CORE or externally), the requirements for the 2nd authentication factor in the accessed partition are considered. CORE UI supports the following 2nd factor options: 

The decision which of these options to apply is based on the following settings:

  • System setting: no-cert.
  • Partition settings: default-client and enforce-2fa.

The following table summarizes the 2FA selection in a partition based on these settings. 2FA (two-factor authentication) is an authentication method that requires both something a user has (for example, a certificate) and something the user knows (for example, a password).

Setting                      Default value   Configurable options
no-cert                      0               0            1     1     1
default-client               1               0            0     1     1
enforce-2fa                  0               *            *     0     1
2FA type in the partition                    Certificate  None  None  TOTP

Note
The enforce-2fa option must not be enabled in inherited (part-inherit == true) partitions.

The following chart outlines the determination of the 2FA type and the corresponding validation.

To enable the 2nd factor validation in a partition, see the corresponding section:

Login with Certificate-based 2FA

This type of 2FA doesn't require user action at each login. Once the certificates of the required partitions' clients are installed in the browser used by the user, the browser presents the available partitions to the user.

To install a client certificate in a web browser, see Prepare Browser for Client-side Certificate Validation.

Login with TOTP-based 2FA

This type of 2FA requires user action at each login.

During the 1st login to a partition that requires a TOTP (Time-based One Time Password) 2nd authentication factor, the user is asked to enroll in the TOTP service and to confirm the enrollment by providing the TOTP code generated by her device. The QR code provided for the enrollment is compatible with Google Authenticator.

During each subsequent login, the user is asked to provide the TOTP code presented by her Google Authenticator.
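
The enroll-then-confirm flow described above, as an added example that is not CORE's own code: it builds the otpauth:// URI that a Google Authenticator-compatible QR code encodes and validates a submitted code per RFC 6238. The function names, the `CORE-demo` issuer, the one-step drift window, the replay check and the 30-second, 6-digit, HMAC-SHA1 parameters (Google Authenticator's defaults) are assumptions, not documented CORE behaviour.

```python
import base64, hashlib, hmac, secrets, struct
from urllib.parse import quote, urlencode

STEP, DIGITS = 30, 6  # assumed: Google Authenticator defaults (HMAC-SHA1)
# Constructed sample: the published RFC 6238 / RFC 4226 test key, Base32-encoded.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()

def new_secret() -> str:
    """Random 160-bit shared secret, Base32-encoded for the Key URI format."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

def enrollment_uri(secret_b32: str, user: str, issuer: str) -> str:
    """otpauth:// URI that the enrollment QR code carries to the authenticator."""
    label = quote(f"{issuer}:{user}")
    query = urlencode({"secret": secret_b32, "issuer": issuer,
                       "algorithm": "SHA1", "digits": DIGITS, "period": STEP})
    return f"otpauth://totp/{label}?{query}"

def totp(secret_b32: str, at: float) -> str:
    """RFC 6238 code for the time step containing `at` (Unix seconds)."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32: str, code: str, at: float, last_step: int = -1, drift: int = 1):
    """Return the matched time step, or None if the code is rejected.

    Accepts +/- `drift` steps of clock skew. Any step <= last_step is refused,
    so a code that was already accepted cannot be replayed. The caller stores
    the returned step as the user's new last_step.
    """
    now = int(at) // STEP
    matched = None
    for step in range(max(0, now - drift), now + drift + 1):
        # Constant-time comparison; no early exit on a match.
        ok = hmac.compare_digest(totp(secret_b32, step * STEP), code)
        if ok and step > last_step:
            matched = step
    return matched
```

Enrollment is confirmed only when `verify` returns a step for the first submitted code, which proves the device holds the same secret before the secret is activated for the user.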