Is it possible to have multi-factor authentication for access to DataMiner services? Specifically, can it be used when providing access to on-prem DataMiner systems that are cloud connected?
As this question has now been inactive for a long time, I will close it. If you still want more information about this, could you post a new question?
Hi Mark,
I guess it's maybe best to configure the authentication of your DMS to SAML and make sure that everybody connecting to your DMS, internally or externally via dataminer.services, is using e.g. their Microsoft account, which is MFA protected...
More details: Configuring SAML with Microsoft Entra ID as identity provider | DataMiner Docs
Bert
Hi Bert, we currently use internal Active Directory(s) for our DataMiner systems. Are you saying that we would have to change to use the Azure version exclusively for a specific system, or can we use Azure and our internal Active Directory at the same time?
Hi Mark,
It’s indeed one or the other. Either you authenticate against your internal AD, or you authenticate with SAML against Azure AD. You cannot combine both.
I assume that most companies have those two accounts synced anyhow, that’s at least how we work. We have an internal account on our internal AD, but this account is being synced to Azure AD. Therefore our Microsoft work account has the same password and is basically the same account although you use your email address to log in at Microsoft or Azure AD.
So, you have 2 choices:
1. you use those internal domain accounts, then you log in with your username and password and authenticate against a local domain controller.
2. you use SAML and when accessing DataMiner (Cube or webpages), you’ll first get a redirect to the Microsoft login page (or the SAML authentication provider of your choice). There you log in with the email and password of your Microsoft work account (which is typically linked to your local domain account, but that’s irrelevant here). Optionally, you might get an MFA approval depending on the conditional access configured by your IT. Once authenticated, you can log in to DataMiner.
The second option is more secure because you use your well-protected Microsoft work account. This SAML authentication is more modern and is being used more and more. But in essence, it works the same as using authentication against your local AD; it will just authenticate against the Azure AD in a more modern way.
We can always schedule a meeting to discuss this in more detail and this can also be configured as a test on a staging system.
Bert
Hi Bert, I think that it would be too difficult to switch all of our current DataMiner users to SAML with Azure Active Directory due to the complexity of our setup, which already meets our needs for MFA and single sign-on for internal use. Would it be possible to have MFA on the login to DataMiner services rather than on the login to DataMiner systems once authenticated to DataMiner services? I have tried using the Microsoft login on the DataMiner services login page but it doesn’t work, even though it uses the same login ID (my corporate email address) that I use when accessing with the user/password option, and it suggests that I need to get something configured within the user that is associated with my corporate email address to allow dataminer.services to be approved.
Indeed, to allow dataminer.services to use your Microsoft account, your IT must approve this app. More information about this admin approval can be found here: https://dataminer.services/make-an-account/access_dcp.html
Nevertheless, this is a complicated discussion, so we’ll reach out to see if we can organize a meeting to discuss this in more detail.
I see that this question has been inactive for some time. Do you still need help with this? If not, could you select the answer that has been most helpful for you (using the ✓ icon)?