Authentication and authorization

When using XClarity One in the cloud, after your user administrator adds you as a new user in the portal, you will receive an email from XClarity One that lets you know that you have access to an organization in the XClarity One portal. Click the Get started link in the email to configure your user account and sign in to XClarity One.

Note

• The Get started link in the email expires after 72 hours. If you do not click the link within that time, contact your user administrator to resend the invitation.
• When you are on the sign-in page, you have 1 hour to complete the sign-in process before you must start over.

When running XClarity One as a virtual machine, after your user administrator adds you as a new user in the portal, you can sign in to the portal by pointing your browser to the IP address of the XClarity One virtual appliance. If you specified an IPv4 address during installation, use that IPv4 address. If a DHCP server is set up in the same broadcast domain as XClarity One, use the IPv4 address that is displayed in the XClarity One virtual-appliance console.

https://{IPv4_address}

For example, https://192.0.2.10

During the setup, you are prompted to:

1. Read and accept the End User License Agreement.

2. Configure your password.

   It is recommended that you use strong passwords of 16 or more characters. By default, passwords for local user accounts must have 8 – 256 characters, including one or more uppercase and lowercase alphabetic characters, numbers, and special characters. Consider the following recommendations when creating passwords.

   • Do not use known passwords obtained from earlier breaches, leaks, or hacks.
   • Do not use dictionary words.
   • Do not use context-specific words, such as the name of a service, an email address, or derivatives thereof.
   • Do not use more than two repetitive or sequential characters (for example, aaa or 123abc).
   • Do not reuse any of the last five passwords.

3. Configure your account settings, including your first and last name.

4. Set up a two-factor authenticator (2FA) application on a mobile device and connect it to XClarity One to obtain the six-digit passcode that is needed each time you sign in. Lenovo requires all users to enable 2FA as an extra layer of security. You can manage your 2FA settings from your account preferences at any time.

   The following applications are supported.

   • FreeOTP
   • Google Authenticator
   • Microsoft Authenticator

5. Sign in using your new user credentials and one-time passcode.

After logging in to your company’s identity provider, you can access XClarity One portal without providing additional credentials.

The sign-in dialog shows different options according to your authentication settings. When your LDAP server is set up, you can click the Login with LDAP link to sign in with your corporate user account. When your external IDP is set up, you can log in with your corporate user account, or click the Return to local authentication link to sign in with your local user account.

Note

Multi factor authentication (MFA) using a one-time passcode is imposed by XClarity One for every user if your external IDP is not set up with MFA (does not have the “amr” claim with value “mfa” set in the JWT tokens).