Determining the type of authentication method that is used by Lenovo XClarity Administrator

You can determine the type of authentication method that is used currently from the LDAP Client and SAML Settings tabs on the Security page.

About this task

The authentication server is a user registry that is used to authenticate user credentials. Lenovo XClarity Administrator supports the following types of authentication servers.
  • Local authentication server. By default, XClarity Administrator is configured to use the embedded Lightweight Directory Access Protocol (LDAP) server that resides in the management server.
  • External LDAP server. Currently, only Microsoft Active Directory and OpenLDAP are supported. This server must reside on an outboard Microsoft Windows server that is connected to the management network.

    When an external LDAP server is used, the local authentication server is disabled.

    Attention: To configure the Active Directory binding method to use login credentials, the baseboard management controller for each managed server must be running firmware from September 2016 or later.
  • External identity-management system. Currently only CyberArk is supported.

    If user accounts for a ThinkSystem or ThinkAgile server are onboarded onto CyberArk, you can choose to have XClarity Administrator retrieve credentials from CyberArk to log in to the server when initially setting up the servers for management (with managed or local authentication). Before credentials can be retrieved from CyberArk, the CyberArk paths must be defined in XClarity Administrator and mutual trust must be established between CyberArk and XClarity Administrator using TLS mutual authentication through client certificates.

  • External SAML identity provider. Currently, only Microsoft Active Directory Federation Services (AD FS) is supported. In addition to entering a user name and password, multi-factor authentication can be set up to enable additional security by requiring a PIN code, reading a smart card, and presenting a client certificate.

    When a SAML identity provider is used, the local authentication server is not disabled. Local user accounts are required to log in directly to a managed chassis or server (unless Encapsulation is enabled on that device), for PowerShell and REST API authentication, and for recovery if external authentication is not available.

    You can choose to use both an external LDAP server and an external identity provider. If both are enabled, the external LDAP server is used to log in directly to the managed devices, and the identity provider is used to log in to the management server.

Procedure

To determine the type of authentication server that is being used by the management software, complete the following steps.

  1. From the XClarity Administrator menu bar, click Administration > Security.
  2. Click LDAP Client under the Users and Groups section to display the LDAP Client Settings dialog.
    Verify which user-authentication method is selected:
    • Allow logons from local users. Authentication is performed by the local authentication server. When this option is selected, all user accounts exist in the local authentication server on the management node.
    • Allow logons from LDAP users. Authentication is performed by an external LDAP server. This method enables remote management of user accounts. When this option is selected, all user accounts exist remotely in an external LDAP server.
    • Allow local users first, then LDAP users. The local authentication server performs the authentication first. If that fails, an external LDAP server performs the authentication.
    • Allow LDAP users first, then local users. An external LDAP server performs the authentication first. If that fails, the local authentication server performs the authentication.
  3. Click SAML Settings under the Users and Groups section to display the SAML Settings page.

    If SAML Enabled is selected, then an identity provider is used.
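The following script is an added example, not Lenovo's code and not part of the XClarity Administrator product. It turns the two settings an administrator reads off the LDAP Client Settings dialog and the SAML Settings page (the selected user-authentication option and the SAML Enabled check box) into a short report of which authentication server handles which kind of login and whether local accounts remain usable, following the rules stated above. The option labels are the ones listed in the procedure; the report field names and the helper functions are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Radio-button labels from the LDAP Client Settings dialog, as listed in the procedure.
LOCAL_ONLY = "Allow logons from local users"
LDAP_ONLY = "Allow logons from LDAP users"
LOCAL_THEN_LDAP = "Allow local users first, then LDAP users"
LDAP_THEN_LOCAL = "Allow LDAP users first, then local users"

# Order in which authentication servers are tried for each dialog option.
AUTH_ORDER: Dict[str, List[str]] = {
    LOCAL_ONLY: ["local"],
    LDAP_ONLY: ["ldap"],
    LOCAL_THEN_LDAP: ["local", "ldap"],
    LDAP_THEN_LOCAL: ["ldap", "local"],
}

SERVER_NAMES = {"local": "local authentication server", "ldap": "external LDAP server"}


@dataclass
class AuthReport:
    """Assumed report structure for this example (not a product data type)."""
    management_server_login: str      # what authenticates logins to XClarity Administrator itself
    managed_device_login: List[str]   # server order used for direct logins to managed devices
    local_accounts_active: bool       # whether accounts in the embedded LDAP server remain usable
    notes: List[str] = field(default_factory=list)


def classify_authentication(ldap_option: str, saml_enabled: bool) -> AuthReport:
    """Derive the authentication setup from the two settings tabs."""
    if ldap_option not in AUTH_ORDER:
        raise ValueError(f"unknown LDAP Client option: {ldap_option!r}")
    order = AUTH_ORDER[ldap_option]
    external_ldap = "ldap" in order
    notes: List[str] = []

    # An external-LDAP-only setup disables the local authentication server;
    # a SAML identity provider does not disable it.
    local_active = "local" in order or saml_enabled

    if saml_enabled:
        mgmt_login = "SAML identity provider"
        if external_ldap:
            notes.append("Both LDAP and SAML are enabled: the external LDAP server "
                         "authenticates direct logins to managed devices, and the "
                         "identity provider authenticates logins to the management server.")
        notes.append("PowerShell and REST API authentication, direct device logins "
                     "(unless Encapsulation is enabled) and recovery when the identity "
                     "provider is unavailable rely on local user accounts.")
    else:
        mgmt_login = ", then ".join(SERVER_NAMES[s] for s in order)
        if ldap_option == LDAP_ONLY:
            notes.append("Local authentication server is disabled; all user accounts "
                         "exist in the external LDAP server.")

    return AuthReport(mgmt_login, list(order), local_active, notes)


def format_report(report: AuthReport) -> str:
    """Render the report as plain text for an administrator's change record."""
    lines = [
        f"Management server login: {report.management_server_login}",
        "Managed device login:    " + ", then ".join(SERVER_NAMES[s] for s in report.managed_device_login),
        f"Local accounts active:   {'yes' if report.local_accounts_active else 'no'}",
    ]
    lines.extend(f"Note: {n}" for n in report.notes)
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: mixed LDAP order with SAML enabled on the SAML Settings page.
    print(format_report(classify_authentication(LOCAL_THEN_LDAP, True)))
```

Run the script with the option you see selected in the dialog and the state of the SAML Enabled check box; the `local_accounts_active` flag is the item to watch, since it tells you whether a local account still exists for recovery when the external server is unreachable.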