This section contains settings regarding authentication and authorization that you must consider when deploying the VSPC.
- Portal Users & Administrators
- Multi-Factor Authentication (MFA)
- Single Sign-On Authentication (SSO)
By default, the only user that can access the Administrator Portal on behalf of a Service Provider is the Portal Administrator. VSPC grants this role to members of the Local Administrators user group on the machine where the VSPC Server component is installed. It is highly recommended to change this and instead make use of dedicated Active Directory security groups.
In Active Directory Users and Groups create a new group called VSPC Admins.
Also in Active Directory Users and Groups, create a dedicated user account for each Administrator that requires access to the VSPC and add it to the AD security group we just created.
Login to VSPC using the Windows Local Administrator account and go to Configuration -> Roles and Users.
Under My Company select Windows Users and click New to enter the wizard.
At the Account step look for the VSPC Admins group.
Select the group and Click Next.
At the Role step click in the dropdown list and select Portal Administrator. Click Next.
Click Finish to add the AD group.
To be able to log in to the VSPC Web UI, users or groups must be specified in the Allow log on locally security policy setting on the machine where the VSPC Server component is installed.
Go to Start Menu -> Run -> type secpol.msc to open the Local Security Policy.
Under Local Policies -> User Rights Assignment edit the Allow to log on locally properties and add the AD security group with the Portal Administrators.
Now you can go back to the console url and login using the DOMAIN\USER format.
For additional security of user accounts, it highly recommended to enable MFA. By default it’s up to the user on whether to configure MFA for the account or not, however MFA can also be enforced by the portal administrator. It is a best practice to enforce MFA for all users and groups with the Portal Administrator role.
Note: If you configure MFA for an account that is used for API integration, make sure to first configure an API key or the integration will stop working.
VSPC supports SSO authentication based on the SAML 2.0 protocol. This way service providers and resellers (from within the VSPC) can leverage their existing SSO service in order to not work with local users or yet another user domain. Administrators, resellers and end-users can access the VSPC without the need to provide credentials.
SSO configuration examples: