User authentication can be implemented either through LabKey Server's core authentication system or through an external authentication system such as LDAP, CAS single sign-on protocol, or Duo two-factor authentication.
LabKey allows authentication using any of the configured, enabled authentication providers. If a provider accepts the user credentials, the login is successful. If all providers reject the user's credentials, the login fails. This means that a user can successfully authenticate via multiple methods using different credentials. For example, if a user has both an account on a configured LDAP server and a database password then LabKey will accept either. This behavior allows non-disruptive transitions from database to LDAP authentication and gives users an alternate means in case the LDAP server stops responding or its configuration changes.
Authentication vs. Authorization
by any of the supported methods merely identifies the user to the server; authorization
is handled separately, by an administrator assigning roles to users and groups of users
To open the authentication page:
- Select (Admin) > Site > Admin Console.
- Click the Admin Console Links tab.
- Under Configuration, click Authentication. The options available will vary depending on your configuration.
The available primary authentication providers are described in the topics below:
If enabled, a secondary authentication provider requires additional validation beyond one of the above primary authentication methods:
- Test Secondary Authentication: Adds a trivial, insecure secondary authentication requirement (for test purposes only)
- Configure Duo Two-Factor Authentication: (Premium Feature) Requires users to provide an additional piece of information to be authenticated.
Other authentication options:
You can add logo images that will appear on the standard LabKey sign in page or on the page header "Sign In" link in the upper right. To add logo images, click Pick Logos
, and click Choose File
for the page header and/or login page links.
Self sign-up allows users to register for new accounts themselves when using database authentication. Use caution when enabling this if you have enabled sending email to non-users.
When enabled via the authentication page, users will see a "Register for a new account" link on the login page. Clicking it allows them to enter their email address, verify it, and create a new account.
To help prevent abuse by bots, when self sign-up is enabled, users will need to correctly enter a captcha sequence of characters before registering for an account.
Auto-create Authenticated Users
If one or more of the authentication providers is enabled, auto-creation of new accounts for users who are authenticated is enabled by default. You can disable it, but if you do so, be sure to communicate to your users the process they should follow for creating a LabKey account. For instance, you might require an email request to a central administrator to create accounts.
Self-Service Email Changes
Administrators can configure the server to allow non-administrator users to change their own email address (if their password is managed by LabKey Server). To allow non-administrator users to edit their own email address, click Enable
next to Self-service email changes
When enabled uses can edit their email address by selecting (User) > My Account
. On the user account page, click Change Email