- 12 Sep 2024
Authentication
- Updated on 12 Sep 2024
Overview
ReportWORQ administrators can open the Administration screen from the Administration button on the top right side of the page and edit Authentication settings. The Authentication options allow the administrator to select Native authentication or Advanced options, including Microsoft Entra ID (Azure Active Directory), Custom OIDC, and Google authentication. Changes to authentication settings will require a restart of ReportWORQ.
Note: ReportWORQ uses AES encryption to store passwords and connection strings at rest.
Native Authentication
Within the Native authentication settings, there are options for setting the password complexity for newly created passwords and the lockout settings for failed login attempts. The password settings include rules for numbers, lower and uppercase letters, symbols, and minimum password length. The lockout settings are the number of login attempts a user has before being locked out and the length of time they will be locked out upon a failure to log in.
Advanced Options
In addition to Native authentication, ReportWORQ provides the option to select Microsoft Entra ID (Azure Active Directory), Custom OIDC, or Google Authentication. To configure these authentication options, select Authentication Provider on the Authentication page.
Microsoft Entra ID (Azure Active Directory)
Microsoft Entra ID requires Client ID, Tenant ID, and Secret values. Details for configuring Microsoft Entra ID (Azure Active Directory) can be found on the Microsoft 365 page.
Custom OpenID Connection (OIDC)
Custom OIDC Authentication requires Client ID and Secret values; a Tenant ID is optional. It also needs an Authority, User ID Claim name, Email ID Claim name, Role Claim Name, and Scope.
Google Authentication
Google Authentication requires a Client ID and Client Secret, and optionally a Tenant ID.
User Accounts
In the user account section, OIDC user accounts are added and configured to access ReportWORQ with or without administrative access to the Administration screen. If no accounts exist, the configuration wizard will launch to create the initial administrative user. If only one account with administrative rights exists, it cannot be disabled, deleted, or restricted from accessing the configuration area of the product. The number of enabled accounts may be limited based on the user’s license. Please contact Support if you require additional licensed users.
Creating Accounts
Accounts can be created by clicking the 'Create a new entry' button at the top right of the section. Enter the user's email address to be used for authentication.
Enabled Accounts
Accounts can be enabled on the main Account screen by selecting the Enabled checkbox.
Newly created accounts are not enabled for ReportWORQ use by default. Enabled accounts are not limited by the licensed user count. However, if more accounts are enabled than the number allotted to the license key, an error message will be generated when attempting to run a job until enough users are disabled.
There must be one enabled user with administrative rights at all times. Disabled accounts will not be able to log in.
Administrative Rights
By default, only the Admin account has access to the system settings, integrations, accounts, and version management. Other accounts can also gain access to these sections by checking the 'Administrative Rights' checkbox.
Workspace Assignments
Administrative users have access to all workspaces, whereas all non-administrative users will only have access to the workspaces they are assigned. If a non-administrative user is not assigned any workspaces they will need to be assigned a workspace before they can log in. Users can be assigned to multiple workspaces. Administrative users will have the right to update and change the datasource settings of the workspace environment. More details about workspaces can be found here: https://docs.reportworq.com/docs/workspaces
Switching Authentication Providers
Changing from any of the alternative Authentication providers back to native authentication will require a restart of ReportWORQ. The configuration wizard will then run to create the first native user account, if necessary. This user will be given special EVERYONE permissions to be able to log in with any account. After this is completed, it is recommended that this account be deleted and replaced with the email address of the preferred administrator.
Unlimited License Users
For unlimited license users, a role name can be provided instead of an email address for the user, which allows the Administrator to manage all ReportWORQ users through the authentication provider's group and role support. That role name must appear in the user’s claims after authentication for the user to be authorized for that permission set (e.g. a user, admin, workspace user or workspace admin). In Microsoft Entra, this can be accomplished by creating custom roles in the App Registration with Values matching the claims entered in the ReportWORQ Authentication screen, and then creating an Enterprise Application to associate Users/Groups with the Roles defined in the App Registration.
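To check that a token issued by your provider carries the claims described in the Custom OIDC and Unlimited License Users sections, the following added example (not ReportWORQ code) decodes a constructed ID token and lists missing or mismatched claims. The claim names `sub`, `email` and `roles`, the sample role values, and the exact-match comparison are assumptions for illustration.

```python
import base64
import json

# Assumed claim names, standing in for the values entered in the
# Custom OIDC settings (User ID / Email ID / Role Claim Name).
CLAIM_NAMES = {"user_id": "sub", "email": "email", "role": "roles"}


def decode_claims(id_token):
    """Return the payload of a JWT WITHOUT verifying its signature.

    Troubleshooting aid for a token from your own provider; an
    unverified payload must never drive an access decision."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims, expected_role, names=CLAIM_NAMES):
    """List the problems that would stop a role-based entry from matching."""
    problems = []
    for key in ("user_id", "email"):
        if not claims.get(names[key]):
            problems.append(f"missing claim '{names[key]}'")
    roles = claims.get(names["role"])
    if roles is None:
        problems.append(f"missing claim '{names['role']}'")
    else:
        # Providers emit the role claim as a single string or as a list.
        if isinstance(roles, str):
            roles = [roles]
        if expected_role not in roles:  # assumption: exact, case-sensitive match
            problems.append(f"role '{expected_role}' not in {roles}")
    return problems


def make_sample_token(claims):
    """Build a constructed, unsigned sample token for the demo."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT'})}.{enc(claims)}.constructed"


if __name__ == "__main__":
    token = make_sample_token({"sub": "u-123", "email": "ana@example.com",
                               "roles": ["ReportWORQ.WorkspaceUser"]})
    print(check_claims(decode_claims(token), "ReportWORQ.Admin"))
```

An empty list means the configured claims are all present and the expected role value is among the roles in the token.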
Logon Screen Authentication Settings
With Version 5.0.0.69, there is an “Authentication Settings” button located in the bottom right-hand corner of the login screen. Clicking the button will open the Authentication settings screen. From this screen, a user can enable or disable users, delete users, assign workspaces to users, and change the authentication provider settings. If a user is having difficulty logging in to ReportWORQ, this screen can be opened to reset a password or assign a workspace. Keep in mind that this option is only available on the local machine using this URL format: http(s)://localhost:8300/ (default port setting used).
Password Reset
There are several options available if a user forgets their password:
Option 1: If a user forgets their password, they can choose the Forgot Password link from the login screen to receive a reset password email.
The Forgot Password feature is only available if Email has been configured in the ReportWORQ integration screen.
Option 2: If an administrative user has access to ReportWORQ, they can reset a user’s password by navigating to the Account Management page and choosing the Reset Password option for that user.
Option 3 (Please refer to the previous section for ReportWORQ version 5.0.0.69 or later):
If no user can access ReportWORQ, an administrator will need to delete certain files in the ReportWORQ Data Repository on the server.
Navigate to the ReportWORQ Repository Directory and delete the following folder, which will reset authentication settings to Native and remove all configured user accounts.
{install_dir}\Repository\Authentication
Restart ReportWORQ to launch the configuration wizard, where you can set up a new administrative user account.