This section applies only to the authentication of end-users, i.e. the users of your OutSystems applications.
The authentication of IT users, like Developers and IT Administrators, is configured in LifeTime.
When you start developing a new module it has the built-in logic for end-user authentication. OutSystems comes with three distinct authentication modes: Internal, Active Directory, and LDAP (Lightweight Directory Access Protocol).
- The default authentication mode. The end-user information is stored in the OutSystems database. The credentials are not stored, but a cryptographic hash function is computed using the credentials and only its result is stored. When the end-user attempts to logs in, the hash function is computed again and its result is compared with what is in the database.
- Active Directory
- Uses your Active Directory to authenticate the end-users. Available only for the .NET stack and in on-premises installations.
Check how to Configure Active Directory Authentication.
- Authenticates the end-user against your LDAP server.
Check how to Configure LDAP Authentication.
If you use Active Directory or LDAP to authenticate users, you do not need to create the users manually. Instead they will be automatically created on the first login.
Configure the Authentication of End-Users
To configure how end-users are authenticated do the following:
In the Users application, click "Configure Authentication" in the sidebar.
Select one of the authentication methods in the Authentication drop-down list:
If you chose Active Directory or LDAP in the previous step, you will need to fill in other configuration fields specific to the authentication method you selected in step 2. Check the other topics in this section for more information on configuring these authentication methods.
When the end-user uses the application for the first time and the accessed screen allows only authenticated end-users to see it, a security exception is raised. OutSystems will do the following:
If the platform is configured to use Integrated Windows Authentication and the end-user is in the same domain as the platform server, the end-user is authenticated using Integrated Windows Authentication.
Once the end-user makes a request, the server replies with an HTTP 401 status, signaling to the end-user browser that authentication is required. If the browser already has the end-user credentials stored, it automatically sends the credentials to the web server. Otherwise, the browser displays a form for the end-user to input the credentials and sends them to the server. This means that even if you have a custom Login page, the end-user will not see it.
If the platform is not configured to use Integrated Windows Authentication, the end-user is redirected to a Login screen. When the end-user submits the credentials:
The credentials are validated against the OutSystems database.
The platform checks if the authentication is configured to use Active Directory or LDAP authentication and does does one of the following:
A) If the platform is configured to authenticate using Active Directory, the credentials are validated against the configured domain server.
B) If the platform is configured to authenticate using LDAP, the credentials are validated against the configured LDAP server.
If after this process the end-user could not be authenticated, then an "Invalid Login" message is displayed to the end-user.
User Data Synchronization
When end-user authentication is done using Active Directory or LDAP, the user data in the OutSystems database is updated, in one or more occasions, with the most recent data from the external authentication system. The updated attributes for each user are the following:
- Mobile Phone
This synchronization occurs at the following moments, depending on the configured authentication:
- After a successful login
- The data for the logged in user is updated. Occurs when using Active Directory or LDAP authentication.
- On a daily timer
- The data for all existing external users in the OutSystems database is updated. External users are the ones whose username contains a
The timer is named
SynchronizeDomainUsersand is configured in the Users module. This timer-based synchronization only occurs when using Active Directory.
Note that this process does not create any new users in the OutSystems database.