User Creation, Management and Authentication

This section covers the available options for creation of Konfuzio Users, password management, and authentication within a Konfuzio self-hosted instance.

Some of these options require the presence of a Single Sign-On (SSO) provider, like Keycloak. SSO can simplify password management, improve user experience, and potentially enhance security: users only need to remember a single set of credentials, which is common for all services within your organization.

User Creation

There are three ways to create Konfuzio Users in a Konfuzio self-hosted instance.

Registration

User registration via email and password is enabled by default on the Konfuzio Server. You can disable it by setting the PASSWORD_LOGIN_ENABLED environment variable to False; this also disables password login, so users must register and log in through SSO.

Emails

The email address is used as the primary identifier for a Konfuzio User. It must be unique and is matched case-insensitively. The email address is also used for password recovery and for sending notifications. A confirmation email is sent to the user upon registration to verify that the user actually controls that address.

By default, Konfuzio blocks registration from free email providers using a blocklist. This behavior can be disabled by setting the ACCOUNT_BLOCK_FREE_EMAIL_PROVIDERS environment variable to False.

Passwords

When a user registers via email and password, the password is hashed and stored in the database. The hashing algorithm used is PBKDF2, which is a widely accepted and secure algorithm for password hashing.

In addition, we enforce a set of reasonable password policies to ensure that users create strong passwords:

  • The password must not be similar to the email address.

  • The password must be at least 9 characters long.

  • The password must not be a common password.

  • The password must not be entirely numeric.

If you have more complex password requirements or expiration policies, we suggest using a Single Sign-On (SSO) provider, which can be seamlessly integrated with Konfuzio.
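The four rules above correspond to the password validators that ship with Django, on which Konfuzio Server is built. The following is an added illustration of how such a policy can be checked, not Konfuzio's own code: the similarity check compares the password against the address and its word-like parts with difflib (the 0.7 threshold is an assumption), and the common-password list is a constructed stand-in for the much longer list a real deployment would load.

```python
import difflib
import re

# Constructed sample of a "common passwords" list; a real deployment would
# load a much longer list (Django ships one with ~20k entries).
COMMON_PASSWORDS = {
    "password", "password1", "123456789", "qwertyuiop", "iloveyou1",
    "welcome123", "letmein123", "administrator",
}

MIN_LENGTH = 9          # the minimum stated on this page
SIMILARITY_MAX = 0.7    # assumption: ratio at or above which a password is "similar"


def _email_parts(email: str) -> list[str]:
    """Fragments the similarity check compares against: the whole address,
    its local part, and every word-like chunk of the local part (>= 3 chars)."""
    lowered = email.strip().lower()
    local = lowered.split("@", 1)[0]
    parts = {lowered, local}
    parts.update(p for p in re.split(r"[\W_]+", local) if len(p) >= 3)
    return sorted(parts)


def is_similar_to_email(password: str, email: str) -> bool:
    """True if the password is close to any fragment of the address.
    quick_ratio() is an upper bound on the edit-based similarity (0.0..1.0)."""
    pw = password.lower()
    for part in _email_parts(email):
        if difflib.SequenceMatcher(a=pw, b=part).quick_ratio() >= SIMILARITY_MAX:
            return True
    return False


def validate_password(password: str, email: str) -> list[str]:
    """Return every policy violation; an empty list means the password is acceptable.
    All four rules are evaluated so the user sees the full set of problems at once."""
    problems = []
    if is_similar_to_email(password, email):
        problems.append("too similar to the email address")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("too common")
    if password.isdigit():
        problems.append("entirely numeric")
    return problems


if __name__ == "__main__":
    for pw, addr in [("alice.smith2024", "alice.smith@example.com"),
                     ("123456789", "bob@example.com"),
                     ("Correct-Horse-Battery", "bob@example.com")]:
        print(repr(pw), "->", validate_password(pw, addr) or "ok")
```

Note that "alice.smith2024" fails only because it contains the local part of the address: length, commonness and the numeric rule all pass, so the similarity rule is the one that stops users from building passwords out of their own identifier.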

Project invitations

Within a Project, a Konfuzio User with the appropriate permission can invite an email address, at which point:

  • If a Konfuzio User with that exact email exists on the instance, it will be matched.

  • If no Konfuzio User with that exact email exists, an inactive Konfuzio User is created with no permissions, no password, a last login date of None, and the current date as the date joined.

Then an Invitation linking to the Konfuzio User and Project is created. An email is sent to the invited email address with a link to accept the invitation. If the invited Konfuzio User did not exist before, clicking the link will redirect the user to the registration page with the “email address” field pre-populated (refer to Registration). Once the user completes the registration process, the Invitation will be accepted automatically.

SSO registration

If the Konfuzio Server is configured to use SSO, registration can be skipped: a Konfuzio User matching the SSO credentials will be created automatically upon first login. (See Authentication for more information.)

Authentication

Requests to the Konfuzio server must always be authenticated. The available authentication methods depend on whether the request is being made to the API or the web interface and whether the Konfuzio Server is configured to use SSO.

With email and password

If the PASSWORD_LOGIN_ENABLED environment variable is True or absent, users can use their credentials from the User registration process to authenticate in the following ways:

Web interface

Users can log in via the web interface by entering their email and password. Then, based on the Konfuzio User’s status:

  • The user does not exist or is not active: The user is redirected to the login page with an error message.

  • The user exists and is active: The last login date of the Konfuzio User is set to the current date and time. A session cookie valid for one day is created, and the user is redirected to the web interface.

API

Users can authenticate API calls via email and password directly in the request headers, or by creating and using an API token. Refer to the API authentication documentation for more information.

After authenticating to the API in either way, based on the Konfuzio User’s status:

  • The user does not exist or is not active: The API returns a 401 Unauthorized response.

  • The user exists and is active: The API processes the request.

With SSO

If the Konfuzio Server is configured to use SSO, it delegates authentication to the SSO provider. Once the provider has validated the user, the Konfuzio server creates a new Konfuzio User with the email address reported by the provider, or matches an existing one. During this process, the Konfuzio server will also update the Konfuzio User's status (active or not) and groups based on the SSO provider's response, if configured to do so (refer to the SSO documentation for more information).

The following authentication methods are available when using SSO:

Web interface

Users can log in via the web interface by clicking the SSO button, which will redirect them to the SSO provider’s login page. Once the user is authenticated on the SSO provider’s side, based on the Konfuzio User’s status:

  • The user does not exist on Konfuzio: The Konfuzio User is created as active, without a password, in the Default group (or other specified groups). The last login date of the Konfuzio User is set to the current date and time. A session cookie valid for one day is created, and the user is redirected to the web interface.

  • The user exists on Konfuzio and is active: The Konfuzio User’s groups are synchronized with the SSO. The last login date of the Konfuzio User is set to the current date and time. A session cookie valid for one day is created, and the user is redirected to the web interface.

  • The user exists on Konfuzio but is not active: The user is redirected to the login page with an error message.

API

Users can authenticate API calls via SSO by using an access token provided directly by the SSO provider. Refer to the SSO documentation for more information.

After authenticating to the API, based on the Konfuzio User’s status:

  • The user does not exist on Konfuzio: The Konfuzio User is created as active, without a password, in the Default group (or other specified groups). The API processes the request.

  • The user exists on Konfuzio and is active: The Konfuzio User’s groups are synchronized with the SSO. The API processes the request.

  • The user exists on Konfuzio but is not active: The API returns a 401 Unauthorized response.
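The two user-creation paths described above (the placeholder user made by a Project invitation, and the active user made on first SSO login) and the three SSO outcomes can be seen side by side in the following added example. It is not Konfuzio's code: the in-memory UserStore, the Invitation record, the claims dictionary shape ("email" plus an optional "groups" list) and the text password-hash format are all assumptions for illustration; email confirmation and the web/API response wrapping (redirect versus 401) are left to the caller.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class User:
    email: str                         # primary identifier, stored lower-cased
    is_active: bool
    password_hash: Optional[str]       # None for invited-only and SSO-provisioned users
    groups: set = field(default_factory=set)
    date_joined: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    last_login: Optional[datetime] = None


@dataclass
class Invitation:
    email: str
    project: str
    accepted: bool = False


def pbkdf2_hash(password: str, iterations: int = 600_000) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt (illustrative text encoding;
    the real stored format is an implementation detail of the server)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time compare


class UserStore:
    """In-memory stand-in for the user table; emails match case-insensitively."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.invitations: list[Invitation] = []

    def find(self, email: str) -> Optional[User]:
        return self.users.get(email.strip().lower())

    # --- Project invitations -------------------------------------------
    def invite(self, email: str, project: str) -> Invitation:
        key = email.strip().lower()
        if self.find(key) is None:
            # Placeholder: inactive, no password, no groups/permissions, last_login None.
            self.users[key] = User(email=key, is_active=False, password_hash=None)
        inv = Invitation(email=key, project=project)
        self.invitations.append(inv)
        return inv

    def register(self, email: str, password: str) -> User:
        """Email/password registration. Activates an invitation placeholder if one
        exists and marks every pending invitation for the address as accepted."""
        key = email.strip().lower()
        user = self.find(key)
        if user is None:
            user = User(email=key, is_active=True, password_hash=None)
            self.users[key] = user
        user.password_hash = pbkdf2_hash(password)
        user.is_active = True
        for inv in self.invitations:
            if inv.email == key:
                inv.accepted = True
        return user

    # --- SSO ------------------------------------------------------------
    def sso_login(self, claims: dict, default_groups=("Default",)) -> tuple[str, Optional[User]]:
        """Apply the provider's verified claims. Returns (outcome, user) where outcome is
        'created', 'matched' or 'inactive'; the caller turns 'inactive' into a login-page
        error (web) or a 401 (API). Groups come from the claims when present (assumption),
        otherwise from the configured default groups."""
        key = claims["email"].strip().lower()
        groups = set(claims.get("groups") or default_groups)
        user = self.find(key)
        if user is None:
            user = User(email=key, is_active=True, password_hash=None, groups=groups)
            self.users[key] = user
            outcome = "created"
        elif not user.is_active:
            return "inactive", user          # never touches last_login or groups
        else:
            user.groups = groups             # synchronised with the SSO response
            outcome = "matched"
        user.last_login = datetime.now(timezone.utc)
        return outcome, user
```

The two paths deliberately differ in the initial state they produce: an invitation yields an inactive, password-less user who cannot log in until registration completes, whereas SSO yields an active, password-less user immediately, because the provider has already authenticated them. Deactivating a user locally is honoured on both the web and API SSO paths, since the inactive branch is checked before any group or last-login update.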