Logging In

Stellar Cyber supports local or SSO authentication and, as of v4.3.4, supports overriding the global authentication method for individual tenants. With local authentication, you log in directly to Stellar Cyber and user credentials are managed locally by Stellar Cyber. For SSO, your Stellar Cyber server is integrated with an IdP for authentication purposes. For either authentication model, two-factor authentication (2FA) may have been enabled. Use the sections below to understand how the login behavior may vary with the way your administrator has configured authentication. For setup steps, refer to Configuring Authentication.

  • A Global selection of Authentication and Authorization applies to all users, so the option to change the authentication method for a specific tenant is not applicable when the Global method is set to Authentication and Authorization. You cannot log in to Tenant SSO when Global SSO is set to Authentication and Authorization. If you want to use SSO but also allow local users and tenant override, you must set the Global authentication method either to Local or to use the IdP with Authentication Only.

  • The Root Tenant must be configured to the Default (same method as the Global authentication) or Local. It is not supported for configuration with an independent SSO.

  • For Authentication Only SSO: All users must first be added manually in the data processor (DP). After that manual entry, the user can log in with SSO.

  • For Authentication & Authorization SSO: All users are configured through the IdP.

  • You enable SSO for all users except the root admin user. The root admin user must always use local authentication (https://Stellar Cyber DP address/login).

  • For Local access (bypass) when SSO is enabled: If Stellar Cyber loses connectivity with your IdP, users configured for SSO cannot log in. As a preventive bypass method, manually create a new user in the DP with root scope and with a valid email address that has "+admin" appended to a valid user name, as follows: <user>+admin@yourorganization.com (for example, joe+admin@yourorganization.com). The user you create must be able to receive a password reset email at <user>@yourorganization.com. This process creates an email alias for that valid user that Stellar Cyber uses to permit bypass of SSO for local login. After you create this separate manual user account, that user can log in in two ways:

    • as an SSO user with <user>@yourorganization.com

    • or as a local user at https://Stellar Cyber DP address/login using <user>+admin@yourorganization.com

    If SSO is configured, it is recommended to keep an active administrative account in Stellar Cyber's user management.

  • When the server is configured globally to use SSO and there are no tenant-specific authentication overrides, Stellar Cyber loads automatically without further authentication, provided the tenant/user has already logged in to the global SSO. If not, a login screen similar to the one below is displayed. If the server's IdP setting is set to both Authentication and Authorization, any tenant-specific authorization methods are not applied.

  • When the server is configured globally to use Local authentication, or when at least one tenant is configured to use a different method of login than the global setting:

    1. A login screen prompts for your username/email address.

    2. Then after the user is identified, one of the following occurs:

      • If the user is Local - A password prompt is displayed if the server is configured globally to use Local authentication, or if it is configured for SSO but that tenant's configuration has an override to use Local authentication.

      • If the user has tenant-specific SSO - That tenant's SSO login screen is displayed if the server is configured globally for SSO but the tenant is configured to use a different SSO, or if the server is configured globally for Local but the tenant is using SSO.

If Stellar Cyber loses connectivity with your IdP, users configured for SSO cannot log in. See the note for Local Access above.

Logging in with 2FA Enabled

Two-factor authentication is independent of whether Stellar Cyber is configured for local or SSO authentication. The server's main Authentication settings specify whether 2FA is mandatory, optional, or off at the global level for all users. This can also be configured at the tenant level. If 2FA is required and enabled, use this example to understand how to log in with 2FA for the first time:

  1. On your smartphone or other device, install an authentication application, such as Google Authenticator.

  2. Browse to your Stellar Cyber server and enter your user name. When 2FA is enabled for your account, the following screen displays:

  3. Open the Authenticator app mentioned above.

  4. Scan the QR code that Stellar Cyber has displayed. The Authenticator application displays a 6-digit authenticator code.

  5. Enter that authenticator code in Stellar Cyber.

  6. Click Verify. Backup codes are displayed. These are one-time codes you can use if you do not have access to the authentication app. Copy them, as they will not be displayed again.

  7. Click Continue. Stellar Cyber logs you in.

The next time you log in, enter the two-factor verification code when prompted.

  • After you have done this one time, the Authenticator application associates you with Stellar Cyber, so you do not need to scan the QR code again.

  • You can reset the Authenticator application from your User Profile menu if you want to use a different Authenticator application.

Account Lockouts

For user accounts with Local authentication, Stellar Cyber protects against brute-force login attempts by locking the user account when 5 failed login attempts have occurred in a 5-minute period. This protection applies to both password authentication and 2FA authentication. (Lockout of users authenticated through SSO is managed according to the policies implemented on their corresponding IdP.)

Lockout Rules

  • When a user is locked out, an error message displays. The first time a user is locked out, they may try again in 10 minutes. After a second lockout, the duration is 20 minutes. All future lockout periods for that user are 30 minutes.

    The error message is dynamically updated with a countdown timer so the user knows how much longer the timeout will persist (10 minutes, then 9 minutes, then 8 minutes, and so on).

  • After a user with appropriate privileges (such as security, partner or super admin) unlocks the user account, the lockout duration for that user is reset. Subsequent failed attempts will start at the 10 minute duration.

  • Any user, including those with partner and super admin privilege, can be locked out.
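The rules above describe a small state machine (a 5-failure window, escalating 10/20/30 minute lockouts, reset only by a privileged unlock). The following is an added model of that policy, written for this page and not Stellar Cyber's own code; it assumes that attempts made while an account is locked are rejected without being counted, and that a successful login clears the failure window but not the escalation level.

```python
from collections import deque
from typing import Deque, Optional

# Policy values taken from the page: 5 failures within a 5 minute window lock
# the account; lockouts last 10, then 20, then 30 minutes for every later one.
FAILURE_THRESHOLD = 5
FAILURE_WINDOW_SEC = 5 * 60
LOCKOUT_DURATIONS_SEC = (10 * 60, 20 * 60, 30 * 60)


class LocalAccountLockout:
    """Lockout state for one locally authenticated user (password or 2FA)."""

    def __init__(self) -> None:
        self.failures: Deque[float] = deque()   # timestamps of recent failed attempts
        self.lockout_count = 0                  # lockouts since the last admin unlock
        self.locked_until: Optional[float] = None

    def is_locked(self, now: float) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def remaining(self, now: float) -> int:
        """Seconds left in the current lockout (the countdown the user sees)."""
        return int(self.locked_until - now) if self.is_locked(now) else 0

    def record_failure(self, now: float) -> bool:
        """Register a failed attempt at time `now`; return True if it triggered a lockout."""
        if self.is_locked(now):
            return False  # assumption: attempts during a lockout are rejected, not counted
        self.failures.append(now)
        while now - self.failures[0] > FAILURE_WINDOW_SEC:
            self.failures.popleft()  # drop failures older than the 5 minute window
        if len(self.failures) < FAILURE_THRESHOLD:
            return False
        step = min(self.lockout_count, len(LOCKOUT_DURATIONS_SEC) - 1)
        self.locked_until = now + LOCKOUT_DURATIONS_SEC[step]
        self.lockout_count += 1  # escalation persists until an admin unlocks
        self.failures.clear()
        return True

    def record_success(self) -> None:
        """A successful login clears the failure window but not the escalation level."""
        self.failures.clear()

    def admin_unlock(self) -> None:
        """Privileged unlock: clears the lock and resets the next duration to 10 minutes."""
        self.locked_until = None
        self.lockout_count = 0
        self.failures.clear()
```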

Monitor and Reset Lockout Activity

  • Users with appropriate privileges (such as security, partner or super admin) can access the System | Administration | Users list to review lockout status and unlock users.

  • After a lockout has occurred, a small lock icon appears to the left of a user's table entry and the Account Lockouts button is enabled. Click the lock icon to view the user's activity or to unlock the account. You can also click the Account Lockouts button to view all users who are locked out and manage the lockouts in bulk.

  • From the Account Lockouts button, you can display the activity log for a single user, or select one or more users and unlock them all at the same time.

  • Lockout and Unlock actions are reported in the User Management | Activity Log page.

  • In the unlikely event that all of your administrative accounts are locked out, contact Stellar Cyber Customer Success for assistance.