Applies to: OutSystems on-premises installations.
OutSystems Platform allows you to manage IT users (developers, testers, operations). By default, when these users access OutSystems Platform, they are authenticated using the built-in authentication mechanism.
You usually have other systems, and you want your users to have a single account to authenticate in all of them. OutSystems Platform supports this by letting you authenticate IT users with an authentication provider of your choice.
To ensure everything is secure, only IT users with permissions to manage the infrastructure are allowed to make these changes.
When an IT user tries to access the OutSystems Platform, the platform checks which authentication method is configured:
To change the authentication provider:
In this example we'll change OutSystems Platform to authenticate IT users through Active Directory.
Before changing the authentication provider, you need to ensure that each IT user that exists on the external directory service has a corresponding OutSystems Platform user.
You can either create the IT users manually, using the infrastructure management console, or use the LifeTime Services API.
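Notice that when creating new IT users on OutSystems Platform, you'll have to specify the user password. Since you'll be using an external authentication provider, you can simply use a dummy password when creating OutSystems Platform users, because it will not be used in the authentication process. This holds only while built-in authentication is not in play: if you enable 'Fallback to built-in authentication' (described below), the built-in password can be used to log in when external authentication fails, so make the dummy value long and random rather than guessable.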
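A pre-change check for the requirement above, as an added example that is not part of the OutSystems documentation: it compares a directory export with the list of platform IT users, lists the accounts still to be created (each with a random throwaway password), and lists platform users that have no directory account. The input lists are constructed, and the matching rule (domain part dropped, case-insensitive comparison) is an assumption; creating the users is left to the console or the LifeTime Services API.

```python
import secrets


def normalize(account, default_domain="OUTSYSTEMS"):
    """Reduce 'DOMAIN\\user' or 'user@domain' to a lowercase bare username.

    Assumption: platform usernames equal the directory account name without
    the domain part. Accounts from a domain other than the default are skipped.
    """
    name = account.strip()
    if "\\" in name:
        domain, name = name.split("\\", 1)
        if domain.upper() != default_domain.upper():
            return None
    elif "@" in name:
        name = name.split("@", 1)[0]
    return name.lower() or None


def reconcile(directory_accounts, platform_users, default_domain="OUTSYSTEMS"):
    """Return (users_to_create, platform_only_users)."""
    directory = {normalize(a, default_domain) for a in directory_accounts} - {None}
    platform = {u.strip().lower() for u in platform_users}
    # Directory accounts with no platform user: they could not log in
    # after the switch, so they must be created first.
    to_create = [
        # Random placeholder password: never handed out, never guessable.
        {"username": u, "password": secrets.token_urlsafe(32)}
        for u in sorted(directory - platform)
    ]
    # Platform users unknown to the directory: they can only log in
    # if fallback to built-in authentication is enabled.
    platform_only = sorted(platform - directory)
    return to_create, platform_only


# Constructed sample data, standing in for real exports.
DIRECTORY_EXPORT = ["OUTSYSTEMS\\jdoe", "OUTSYSTEMS\\MSilva",
                    "akhan@outsystems.example", "OTHER\\guest"]
PLATFORM_EXPORT = ["admin", "jdoe", "msilva"]

if __name__ == "__main__":
    create, platform_only = reconcile(DIRECTORY_EXPORT, PLATFORM_EXPORT)
    print("Create before switching:", [u["username"] for u in create])
    print("No directory account (review):", platform_only)
```

Review the second list before saving the new settings: each entry is either an account to retire or a reason to keep the built-in fallback enabled.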
To change the authentication method, in the infrastructure management console, under 'Users & Roles', choose 'Authentication'.
Out of the box, the OutSystems Platform provides Active Directory (AD) and LDAP authentication providers, which you can see listed. To choose the AD authentication provider, click on 'ADAuthProvider'.
After setting a new provider, when an IT user connects to a specific environment, the authentication provider is responsible for authenticating the user on that environment. This gives you the flexibility to apply different configurations to the plugin on each environment.
After choosing the AD authentication provider, it's time to configure it. For each environment, perform the necessary configurations. Choose the environment to configure in the drop-down below and click 'Configure'. This opens the configuration screen of the authentication provider in the selected environment.
In this example, the Active Directory domain is OUTSYSTEMS. So in each environment (Development, Quality Assurance, Production, and infrastructure management console environment) we head over to the 'Configuration' page made available by the provider to perform configurations, and set OUTSYSTEMS as the default domain.
Notice that 'Fallback to built-in authentication' (in blue) is checked. In this case, users can log in with the OutSystems Platform built-in authentication when the external authentication fails. Use this feature if you have users that are exclusive to the Platform. However, you should be careful with this option, as it is more secure to have all users managed and authenticated solely in the external system.
Now that all the necessary configurations are done for each environment, before making the changes effective, click the 'Test Authentication Provider' button. This tests if the plugin is properly configured on all environments, and can successfully authenticate IT users.
After testing the plugin successfully, click the 'Save Authentication Settings' button to make the change effective. As a consequence, all IT users logged in to OutSystems Platform will need to log in again, now with their Active Directory credentials.
If the authentication providers that are included by default with the OutSystems Platform don't fit your needs, you can always customize them.
These providers are application modules that are included as part of the System Components application, and can be downloaded in the environment management console. Learn how to develop your authentication provider plugin. You can also check the OutSystems Forge for authentication providers made by the community.
Since the authentication provider can compromise the security of your infrastructure, when downloading one from the Forge you should validate its author and implementation before using it.