Authentication
Authentication methods can be combined to accommodate the various types of workflows, whether they are web-based interactions for human beings or automated interactions for third-party software, scripting, etc. Please see the individual pages in the Accounts: connecting/authenticating section under deployment for more information.
API Keys: Each account can optionally be associated with an API key. The API key is a long string of characters which does not automatically expire. API keys are typically used for machine-to-machine communication. API key authentication cannot be disabled.
Username/Password: Each account can optionally be associated with a username/password combination. DCT stores passwords in its internal database as a cryptographic hash of the password and salt, computed using the bcrypt algorithm. The password policies feature of DCT can be used to define the minimum requirements of valid passwords (minimum length, special character requirements, etc.) and to temporarily block accounts after failed login attempts. Username/Password authentication can be disabled across the DCT instance via the global properties feature, for instance when the company policy is to prefer delegated authentication (LDAP/Active Directory/SAML/SSO).
LDAP/Active Directory: When using LDAP/Active Directory, API clients authenticate with a username/password combination, but DCT does not store the password locally in its internal database and instead connects over the LDAP protocol to validate passwords. Moreover, additional attributes such as first and last name, email addresses and group membership can be read from the LDAP/Active Directory system, enabling access to DCT to be controlled via enterprise systems like directory services.
SAML/SSO: The SAML 2.0 protocol, implemented by DCT, allows web UI sessions to authenticate via an enterprise identity provider (Active Directory Federation Services, Azure Active Directory, PingFederate, Okta, OneLogin, etc.). When using the SAML/SSO authentication method, DCT does not store any credentials in its internal database, but instead delegates authentication to the identity provider via web browser redirection. The SAML/SSO protocol is only intended for web browser-based interaction.
OpenID Connect: OpenID Connect (an extension of OAuth 2.0) can be used for computer-based systems (scripts, integrations) to log in to DCT, providing additional security over API keys.