Previously, when a user was registered with multiple external providers and their primary provider became unavailable, login attempts would fail. Beginning with NetWitness Platform version 12.5.1, there is a new configuration parameter that can be enabled to automatically attempt authentication across all configured authentication providers. With this enhancement, administrators can now enable automatic authentication attempts across all configured external authentication providers. To use this feature, the retry-failed-external-authentication-with-all-available-external-providers parameter must be enabled, and the user must log in using the same username that is present on other external authentication providers as well. This improvement ensures uninterrupted access even if the primary authentication method becomes unavailable, providing users with a more robust and flexible authentication experience.

To enable this parameter, perform the following steps

  1. Log in to the NetWitness Platform.

  2. Go to AdminIcon_27x23.png (Admin) > Services.

    The Services view is displayed.

  3. In the Services panel, select the Security Server service and then select Actions_Icon.png> View > Explore.

    The Explore view is displayed.

  4. In the Explore view node list, select security > authentication > policy.

  5. On the right panel, set the parameter retry-failed-external-authentication-with-all-available-external-providers to true.

    1251_Authentication_Users_Retry1.png

Example Use Cases

  • Without Single Sign-On (SSO)

    • When the retry-failed-external-authentication-with-all-available-external-providers parameter is enabled and the user logs into the NetWitness Platform using their UPN, they will be authenticated against their primary provider. If that provider is offline or if authentication fails, authentication will be attempted against every other configured provider. If authentication fails for all providers, the user will be denied access. If authentication succeeds against one of the providers, the user will be granted access.

    • It's important to note that all subsequent authentications will need to use the user's UPN. If they switch to a fully qualified ID, it will be considered a different user.

  • With Single Sign-On (SSO)

    • The flow is identical to the example above. The main difference is that the user's primary provider will be automatically changed if authentication succeeds on a different provider.

    • For example, if a user has their primary authentication type set to Active Directory (AD), and SSO is enabled for the system then the user will be able to log in through SSO, and SSO will be set as their primary authentication provider.