By default, Sensor Management uses its own local user accounts to control access to its web-based user interface.
The Sensor Management web user interface also supports ZITADEL-based user authentication.
This section explains how to log in to Sensor Management as a ZITADEL user.
ZITADEL Configuration Required Before Logging Into Sensor Management
Because the Orchestrator application is always associated with the Analytics project, both the Analytics project and Orchestrator application must be automatically created under the <Tenant_name> organization in your ZITADEL after deploying the Sensor Management replicated system.
Note: Default tenant name is pca.
Configuration Details
- Analytics project must be enabled under Assert Roles on Authentication.
- The Orchestrator application uses the Authorization Code Flow with Proof Key for Code Exchange (PKCE) for secure OpenID Connect (OIDC) configuration. This setup requires specific App, Grant, and Response Types, as well as an Authentication Method.
  - Application Type: Web (PKCE)
  - Response Types: Code
  - Authentication Method: None
  - Grant Types: Authorization Code
- Using the Token with:
  - Auth Token Type: JWT
  - Three settings must be checked:
    - Add user roles to the access token
    - User roles inside ID Token
    - User Info inside ID Token
- The redirect URI is where the ZITADEL authorization server redirects the user after they have been authenticated.
  - Redirect URI: https://<server_IP>/businessweb/login/oauth2/code/zitadel
  - Post logout URL: https://<server_IP>/businessweb
Configure ZITADEL to Add Roles to the Project
After the ZITADEL server authenticates a user, it sends Sensor Management a list of roles for the user. These roles must match those recognized by Sensor Management. See Managing User Accounts.
Your ZITADEL server must be configured to send the list of roles to Sensor Management after authentication.
The key contains the list of user roles as configured in ZITADEL, shown below for the Roles configuration:
- ROLE_USER
- ROLE_ADMIN
- ROLE_OPERATOR
- ROLE_FW_MGMT
- ROLE_VIEWER
- ROLE_WS
Configure ZITADEL to Add Authorizations for the Project
If ZITADEL provides any roles that are not recognized by Sensor Management, the login attempt to Sensor Management will fail. Additionally, if the resulting list of roles is empty, or if ZITADEL sends an empty list, Sensor Management will deny access to the user.
During authentication, the user must be assigned one of the following roles for the Authorizations configuration in ZITADEL:
- ROLE_USER, ROLE_ADMIN
- ROLE_USER, ROLE_OPERATOR
- ROLE_USER, ROLE_FW_MGMT
- ROLE_USER, ROLE_VIEWER
- ROLE_USER, ROLE_WS
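The role rules above can be checked against a token before a user attempts to log in. The following Python check is an added example, not Cisco or ZITADEL code; it assumes the roles arrive in ZITADEL's `urn:zitadel:iam:org:project:roles` claim and decodes the payload for inspection only, without verifying the signature. The sample tokens are constructed.

```python
import base64
import json

# Roles listed on this page as recognized by Sensor Management.
RECOGNIZED = {"ROLE_USER", "ROLE_ADMIN", "ROLE_OPERATOR",
              "ROLE_FW_MGMT", "ROLE_VIEWER", "ROLE_WS"}
# Assumption: roles arrive in ZITADEL's project-roles claim,
# a JSON object whose keys are the role names.
ROLES_CLAIM = "urn:zitadel:iam:org:project:roles"


def decode_payload(jwt_token):
    """Decode the JWT payload for inspection only (no signature check)."""
    parts = jwt_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_roles(payload, claim=ROLES_CLAIM):
    """Return (ok, reason) following the role rules described on this page."""
    raw = payload.get(claim)
    roles = set(raw) if isinstance(raw, (dict, list)) else set()
    if not roles:
        return False, "no roles in token: access is denied"
    unknown = sorted(roles - RECOGNIZED)
    if unknown:
        return False, "unrecognized roles: " + ", ".join(unknown)
    if "ROLE_USER" not in roles or len(roles) != 2:
        return False, "not a listed combination (ROLE_USER plus one other role)"
    return True, "ok"


def make_sample_token(roles):
    """Build a constructed, unsigned token so the check runs offline."""
    def enc(obj):
        data = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
    claims = {"sub": "constructed-user", ROLES_CLAIM: {r: {} for r in roles}}
    return ".".join([enc({"alg": "RS256"}), enc(claims), "constructed-signature"])


if __name__ == "__main__":
    for sample in (["ROLE_USER", "ROLE_ADMIN"], ["ROLE_USER", "ROLE_AUDITOR"], []):
        print(sample, check_roles(decode_payload(make_sample_token(sample))))
```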
Log in to Sensor Management as a ZITADEL User
Administrators define user accounts in the ZITADEL server. When you have your account, you can log in as explained below.
This section provides instructions on how to configure and log in to Sensor Management.
To log in to Sensor Management:
- Open a supported browser.
  See About the User Interface for the list of supported web browsers.
- Enter the following URL in the browser's address bar:
  http://<serverIPaddress>/businessweb
  The login dialog is displayed.
- Enter your ZITADEL username and password.
Automatic ZITADEL User Creation in Sensor Management
When a user logs in to Sensor Management using a ZITADEL account, a corresponding Sensor Management user account (with User Type set to OAUTH_JWT) is automatically created in the Sensor Management data store.
These OAUTH_JWT user accounts cannot be converted to LOCAL or RADIUS users in Sensor Management.
The Admin ▶ Users page displays operational data on ZITADEL authentication.
Note: Sensor Management does not support logging in to the mgr-commands and API directly via the ZITADEL user. However, after successfully logging in to Sensor Management using a ZITADEL user, you can create a local user account. This local user can then be used to log in to the mgr-commands and API.
© 2026 Cisco and/or its affiliates. All rights reserved.