
Authentication

Overview

Mythradon provides configurable Authentication Settings to help meet your organisation's security requirements. These settings can be managed by your system administrator.

  • Navigate to Administration → Authentication from the Menu Button
  • Modify the desired fields
  • Click Save to apply the changes.

[Image: Mythradon Authentication Settings]


Authentication Settings

The following settings control how users authenticate to Mythradon, including support for built-in authentication, LDAP, and OpenID Connect (OIDC). System Administrators can configure session limits, password recovery options, 2FA, and integration with external identity providers.

Authentication Configuration

Field | Description
Authentication Method | Select the method of authentication:
  • Mythradon Built-in Authentication
  • LDAP (Lightweight Directory Access Protocol)
  • OIDC (OpenID Connect)
Auth Token Lifetime (hours) | Determines how long authentication tokens remain valid. A value of 0 means tokens never expire.
Only One Auth Token per User | Restricts each user to a single active session. Logging in from a second device will invalidate the first.
Auth Token Max Idle Time (hours) | Defines the maximum time a token can remain idle before expiring. A value of 0 disables the idle timeout.

2-Factor Authentication (2FA)

Field | Description
Enable 2-Factor Authentication | Turns 2FA on or off. Users must authenticate using an external app like Google Authenticator.
Available 2FA Methods | Choose one or more of the following methods:
  • Email
  • SMS
  • TOTP (Time-based One-Time Password)
Force Admin & Regular Users to Set Up 2FA | Enforces mandatory 2FA setup for all admin and standard users.

Password Policy & Recovery

Field | Description
Length of Generated Passwords | Specifies the length of system-generated passwords.
Minimum Password Length | Sets the shortest allowable password length for user-created passwords.
Number of Letters Required in Password | Minimum number of alphabetic characters required.
Password Must Contain Upper and Lower Case Letters | Enforces use of both uppercase and lowercase characters in passwords.
Number of Digits Required in Password | Sets the minimum number of numeric digits in a password.
Disable Password Recovery | Removes the Forgot Password option for all users (internal and portal).
Disable Password Recovery for Admin Users | Disables the password recovery feature specifically for administrators.
Disable Password Recovery for Internal Users | Prevents internal users from resetting passwords; portal users remain unaffected.
Prevent Email Address Exposure on Password Recovery Form | Enhances privacy by suppressing any indication of whether an email exists in the system during password recovery.

LDAP Settings

These fields apply when LDAP (Lightweight Directory Access Protocol) is selected as the authentication method.

Microsoft Active Directory

Select the LDAP Authentication Method if you need to use Microsoft Active Directory.

Field | Description
Host | The LDAP server hostname or IP address.
Port | The network port used to connect to the LDAP server.
Auth | Authentication credentials for binding to the LDAP server.
Security | Connection encryption:
  • SSL
  • TLS
Full User DN | The distinguished name (DN) of the system account used for searching users. Example: CN=LDAP System User,OU=users,OU=mythradon,DC=test,DC=lan
Username Attribute | LDAP attribute used to identify the user (e.g. userPrincipalName, sAMAccountName, or uid).
User ObjectClass | LDAP object class used for users (e.g. person, inetOrgPerson).
Account Canonical Form | Format used to represent usernames. Options:
  • Dn: CN=tester,OU=mythradon,DC=test,DC=lan
  • Username: tester
  • Backslash: COMPANY\tester
  • Principal: tester@company.com
Bind Requires DN | Indicates whether the username must be in DN format for binding.
Base DN | Base DN for user search queries. Example: OU=users,OU=mythradon,DC=test,DC=lan
User Login Filter | LDAP filter used to restrict access to specific users. Example: memberOf=CN=mythradonGroup,OU=groups,OU=mythradon,DC=test,DC=lan
Try Username Split | Attempts to split usernames using a domain delimiter.
Opt Referrals | Specifies whether LDAP referrals should be followed.
Create User in Mythradon | Automatically creates a new user record in Mythradon upon successful LDAP login.
User First Name Attribute | LDAP attribute for user's first name (e.g. givenName).
User Last Name Attribute | LDAP attribute for user's last name (e.g. sn).
User Title Attribute | LDAP attribute for user's job title (e.g. title).
User Email Address Attribute | LDAP attribute for user's email (e.g. mail).
User Phone Number Attribute | LDAP attribute for user's phone number (e.g. telephoneNumber).
User Teams | Teams assigned to newly created users. See user profile settings for more.
User Default Team | Default team assigned to new users. See user profile for configuration.
Use LDAP Authentication for Portal Users | Enables LDAP login for portal users.
Default Portals for a Portal User | Sets default portal access for new portal users.
Default Roles for a Portal User | Sets default role(s) for new portal users.
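
How the Username Attribute, User ObjectClass and User Login Filter fields can combine into a single search filter, with the login name escaped per RFC 4515 so it is always matched literally. This is an added example, not Mythradon's own code: how Mythradon composes its filter internally is an assumption, and the function names and sample logins are constructed for illustration.

```python
import re

# RFC 4515 escapes for characters that carry meaning inside a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_filter_value(value: str) -> str:
    """Escape a login name so it is matched literally, never parsed as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username, username_attr, object_class, login_filter=""):
    """Combine the three settings into one AND filter (assumed composition)."""
    for name in (username_attr, object_class):
        if not _NAME.fullmatch(name):
            raise ValueError(f"invalid attribute or class name: {name!r}")
    if not username:
        raise ValueError("empty username")
    clauses = [
        f"(objectClass={object_class})",
        f"({username_attr}={escape_filter_value(username)})",
    ]
    extra = login_filter.strip()
    if extra:
        # The admin-supplied filter is trusted configuration; only wrap it if needed.
        clauses.append(extra if extra.startswith("(") else f"({extra})")
    return "(&" + "".join(clauses) + ")"


if __name__ == "__main__":
    group = "memberOf=CN=mythradonGroup,OU=groups,OU=mythradon,DC=test,DC=lan"
    for login in ("tester", r"COMPANY\tester", "te*ster"):  # constructed inputs
        print(build_user_filter(login, "sAMAccountName", "person", group))
```

A login in the Backslash canonical form contains a filter metacharacter, so it only matches the intended account once the backslash is escaped as \5c.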

OpenID Connect (OIDC) Settings

These fields apply when OIDC is selected as the authentication method.

Field | Description
Client ID | OIDC Client ID used to identify Mythradon to the identity provider.
Client Secret | OIDC Client Secret used for secure communication with the identity provider.
Authorization Redirect URI | URI where the identity provider redirects after authentication.
Authorization Endpoint | The identity provider's endpoint for user authorization.
Token Endpoint | Endpoint used to retrieve access tokens.
JSON Web Key Set Endpoint | URL to fetch public keys for verifying token signatures.
JWT Allowed Signature Algorithms | Accepted algorithms for verifying JWT tokens.
Scopes | Scopes requested during login (e.g., openid, email, profile).
Username Claim | JWT claim to use as the username for login and user mapping.
Create User | Automatically create a user in Mythradon if none is found during login.
Sync | Sync user details with the identity provider on each login.
Teams | Map identity provider groups/roles to Mythradon teams. If a team has no mapping value, it is always assigned.
Group Claim | JWT claim used for team mapping.
Sync Teams | Updates user teams on every login.
Fallback Login | Allows login using local username/password if OIDC fails.
Allow Fallback Login for Regular Users | Enables fallback login specifically for non-admin users.
Allow OIDC Login for Admin Users | Permits administrative users to authenticate via OIDC.
Logout URL | Redirect URL after logout. Often includes parameters to clear session data and return the user to Mythradon. Available placeholders:
  • {siteUrl}
  • {clientId}

Disabling Password Recovery

Mythradon offers flexible controls for managing how users can recover their passwords. These settings help align system behaviour with your organisation's security policies.

You can configure the following options:

  • Disable Password Recovery
    Completely removes the Forgot Password link from the Mythradon login page and any associated portal login pages. Use this setting when you want to fully restrict self-service password resets across all user types.

  • Disable Password Recovery for Admin Users
    Keeps the Forgot Password link visible, but prevents users with administrative privileges from using it. This ensures that password resets for admin accounts are handled through a more controlled or secure process.

  • Disable Password Recovery for Internal Users
    Hides the Forgot Password link on the main Mythradon login page (used by internal users), while still allowing portal users (e.g., customers or partners) to use self-service password recovery.

Forgot Password Link

Disabling password recovery removes the Forgot Password link from the login interface.
The visual appearance of the login page may differ depending on the settings you choose—see below for a comparison.

[Image: Mythradon Password Recovery Enabled/Disabled]


Setting Up 2FA

Mythradon supports the following 2-factor authentication methods:

  • TOTP
  • Email
  • SMS

There are separate processes for setting up 2FA for Standard Users and Portal Users. The following instructions are specifically for Standard Users. Click here for 2FA setup instructions for Portal Users.

There are a few steps required to set up 2FA within Mythradon.

  1. Your System Administrator needs to Enable 2FA and the supported 2FA Methods within your instance of Mythradon
  2. Individual Users need to Enable 2FA and select their preferred 2FA Method within their profile
  3. Install an authenticator application (Only required if the TOTP 2FA method is selected by the user in their profile)

1. System Administrator 2FA Setup

2FA can only be enabled in your system by a System Administrator.

  • Select Administration → Authentication from the Menu Button
  • As per the following image:
  • Enable the Enable 2-Factor Authentication setting
  • Select the Available 2FA methods that you want your users to be able to use
  • Click the Save button to commit the changes

[Image: 2FA Settings]

2. User Preference 2FA Setup

Each user will need to perform the following:

  • Select Your User Name from the Menu Button
  • Click the Security button
  • Select Enable 2-Factor Authentication
  • Select the preferred 2FA Method
  • Click the Apply button

[Image: User Preference 2FA Settings]

Note

The 2FA Methods that will be available for the user to select from are the 2FA Methods that have been enabled by the System Administrator in the Mythradon Administration → Authentication settings.

The user will then be required to re-enter their current password.

  • Click the Apply button
  • Copy the Secret value as shown below. You will need to create an entry in your 2FA Authenticator application using this secret value.

[Image: 2FA QR Code]
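
What an authenticator application computes from that Secret value, together with a server-side check that tolerates one step of clock drift. This is an added example, not Mythradon's code: HMAC-SHA1, 30-second steps and 6 digits are assumed because they are the common authenticator defaults, and the secret used is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

# Base32 form of the RFC 6238 test key "12345678901234567890" (not a real secret).
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Return the RFC 6238 code for the time step containing unix_time."""
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, submitted, unix_time, window=1, step=30):
    """Accept the current step or `window` steps either side, in constant time."""
    ok = False
    for drift in range(-window, window + 1):
        moment = max(0, unix_time + drift * step)
        candidate = totp(secret_b32, moment, step)
        # Compare every candidate so timing does not reveal which step matched.
        ok |= hmac.compare_digest(candidate.encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, 59))                   # code for the first RFC vector
    print(verify_totp(RFC_TEST_SECRET, "287082", 89))  # one step late, still accepted
```

A wider window tolerates more clock drift but also lengthens the time a captured code stays usable, so keep it at one step unless users report clock problems.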


Logging in as Another User

System Administrators can log in as a Regular user without requiring their password, which is a helpful feature for providing customer service. However, it's important to note that this feature does not allow a System Administrator to log in as another System Administrator.

By default, this feature is not enabled in customer accounts, but you can contact Mythradon Support to have it enabled if needed.

To use this feature (Once Enabled):

  • Select Administration → Users from the Menu Button
  • Filter and select the required User
  • Select Log In from the tool bar button at the top of the User Detail View

[Image: Log In As Another User Button]

This will display the following dialog containing a link to the login as another user page.

[Image: Log In As Another User Dialog]

As the message suggests, it is best practice to open the link in incognito mode. You can quickly achieve this on most browsers using the right mouse button menu as per the following image:

[Image: Log In As Another User Dialog In Incognito Mode]

The user will then be presented with the Mythradon Login Page with the Log In as... displayed. Use your System Administrator password to authenticate.

Note

If you have the setting Only one auth token per user set in Administration → Authentication and you use this feature to log in as another user, you will log the other user out of their current session.


OpenID Connect

Mythradon supports authentication with identity providers that support OpenID Connect (OIDC).

Note

Mythradon cannot serve as an identity provider. This article focuses on configuring Mythradon to utilise a third-party identity provider for authentication purposes.

Features:

  • Optional User creation.
  • With Mythradon's team mapping feature, teams can be synchronised with groups, teams, or roles in the identity provider
  • Mythradon allows for the synchronisation of user profiles and teams, which can be set to occur optionally upon each login
  • Mythradon offers the capability to select a specific claim that will serve as the username for authentication purposes
  • Both regular users and administrators have access to fallback login in Mythradon
  • OpenID Connect can be disabled for System Administrators
  • When a user logs out of Mythradon, a logout redirect is implemented to ensure that the identity provider session is cleared
  • Mythradon provides a backchannel logout feature that enables administrators to forcibly log out a user. Use the api/v1/backchannelLogout endpoint.
  • The following signing algorithms are supported by Mythradon: RS256, RS384, RS512, HS256, HS384, and HS512.
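
How a relying party applies the JWT Allowed Signature Algorithms setting and the algorithm list above when checking an ID token: the allow-list is consulted before any signature work, then the signature, audience (Client ID) and expiry are checked. This is an added example, not Mythradon's code; the function names, claim values and secret are constructed, and only the HS* family is verified here (keyed with the Client Secret, as OIDC specifies) because RS* needs a public key from the JSON Web Key Set Endpoint.

```python
import base64, hashlib, hmac, json, time

HS_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign_hs(header: dict, claims: dict, secret: bytes) -> str:
    """Build a constructed HS-signed token so the example runs offline."""
    signing_input = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    mac = hmac.new(secret, signing_input.encode(), HS_DIGESTS[header["alg"]]).digest()
    return f"{signing_input}.{b64url_encode(mac)}"

def verify_id_token(token, secret, client_id, allowed_algs, now=None):
    """Return the claims if every check passes, otherwise raise ValueError."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        signature = b64url_decode(sig_b64)
        alg, aud, exp = header["alg"], claims["aud"], claims["exp"]
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # The configured allow-list decides the algorithm, never the token header alone.
    if not isinstance(alg, str) or alg not in allowed_algs:
        raise ValueError(f"algorithm {alg!r} not allowed")
    if alg not in HS_DIGESTS:
        raise ValueError("RS* tokens need a key from the JWKS endpoint (not shown)")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), HS_DIGESTS[alg]).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired")
    return claims  # iss and nonce checks are omitted to keep the example short

if __name__ == "__main__":
    secret = b"constructed-client-secret"  # constructed sample values
    claims = {"sub": "42", "aud": "mythradon-client", "exp": int(time.time()) + 300,
              "preferred_username": "tester"}
    token = sign_hs({"alg": "HS256", "typ": "JWT"}, claims, secret)
    print(verify_id_token(token, secret, "mythradon-client", {"HS256"})["preferred_username"])
```

Set the allow-list to the single algorithm your identity provider actually signs with, so a token naming any other supported algorithm is refused before its signature is evaluated.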

Details:

  • Portal Users are not supported.
  • Mythradon's 2FA might not be compatible with certain identity providers that don't allow the reuse of authorisation codes.
  • In certain scenarios, it may be necessary to increase the length of the userName field to up to 255 characters. By default, Mythradon has a limit of 50 characters for this field.


See Also