Authentication Flashcards

(130 cards)

1
Q

What is the new Feature Permissions system in Relativity as of February 2025?

A

It redefines security management by shifting focus from Object Types and Tab Visibility to feature-based permissions.

2
Q

What does the new interface for managing permissions in Relativity enable administrators to do?

A

Manage permissions at the feature level, ensuring comprehensive control and reducing complexity.

3
Q

What are the authentication methods supported by RelativityOne?

A
  • Password
  • OpenID Connect
  • SAML 2.0
4
Q

What is OpenID Connect?

A

A protocol for authenticating against an external identity provider that uses OpenID Connect.

5
Q

What is SAML 2.0?

A

An older authentication protocol that authenticates against an external identity provider.

6
Q

True or False: PIV/smartcards are directly supported in RelativityOne.

A

False

7
Q

What is Two-factor Authentication in Relativity?

A

A method that requires an additional two-factor check when logging in with the Password method.

8
Q

What does the Trusted IP Range setting do?

A

Limits access to the Relativity application based on the user’s source IP address.

9
Q

What is the Authentication Provider in Relativity?

A

It allows you to configure specific settings for a login protocol.

10
Q

What type of users can view authentication provider permissions?

A

Anyone with the ability to view a user.

11
Q

What must system admins assign to users for them to log in?

A

At least one authentication method.

12
Q

What happens if a new authentication provider of the same type is added?

A

It overwrites the existing ones of the same type.

13
Q

Fill in the blank: Authentication providers may have associated settings, and each provider instance has at least one setting: _______.

A

Enabled

14
Q

What does the maximum password attempts setting control?

A

The maximum number of consecutive unsuccessful login attempts before being locked out.

15
Q

What is the Invitation workflow in Relativity?

A

A mechanism for users to set and manage their own passwords via an invitation email.

16
Q

What happens when a user logs in with the Password Outside Trusted IP method?

A

A passcode is required only if logging in outside of a specified IP range.

17
Q

How can you define a Trusted IP range for a user?

A

By entering valid IP addresses or ranges in the Trusted IPs field.

18
Q

What is the purpose of the Maximum Password History setting?

A

Sets the maximum number of previous passwords that users can’t use for a new password.

19
Q

What does enabling the two-factor authentication toggle require?

A

A passcode in addition to a password.

20
Q

How is the expiration time for the password reset email link configured?

A

The link is valid for one week by default, but this can be increased using the InvitationLinkLifetimeInMin setting.

21
Q

What is the purpose of the Trusted IPs setting for users?

A

To specify valid locations from which users can log in.

22
Q

What is the purpose of entering trusted IPs?

A

To specify valid IP addresses or ranges for accessing the system.

Each IP range should be entered on a new line. By default, the value is empty, which allows any IP address.

23
Q

What format is used for entering IP addresses?

A

This includes individual addresses, ranges, or combinations separated by a carriage return.

24
Q

What does the asterisk (*) wildcard match?

A

Zero or more characters

Example: 192.168.31.*

25
What does the hash (#) wildcard match?
Any single digit 0-9
Example: 192.168.31.##
26
What does the [start-end] wildcard match?
A range of digits
Example: 192.168.31.[0-255]
27
What is a 16-bit mask in IP addressing?
A number that masks an IP address, for example, 192.168.0.0/16
This is equivalent to 192.168.0.0/255.255.0.0.
28
What is the network address range for a 16-bit mask?
192.168.0.0-192.168.255.255
29
What is a 24-bit mask in IP addressing?
A number that masks an IP address, for example, 192.168.31.0/24
This is equivalent to 192.168.31.0/255.255.255.0.
30
What is the network address range for a 24-bit mask?
192.168.31.0 - 192.168.31.255
31
What is a 25-bit mask in IP addressing?
A number that masks an IP address, for example, 192.168.31.0/25
This is equivalent to 192.168.31.0/255.255.255.128.
32
What is the network address range for a 25-bit mask?
192.168.31.0 - 192.168.31.127
33
What is the procedure to reset a user's password in Relativity?
Send a password reset email
The reset link in the email is valid for 15 minutes.
34
What should be done to manually set passwords in Relativity?
Add the AdminsCanSetPasswords instance setting and set it to True
This setting is not present in the default installation.
35
What are the steps to set a password for a user?
1. Open user profile
2. Click New in Login Method section
3. Select password provider
4. Set Password to True
5. Enter and re-enter the password
6. Click Save
Password information is not displayed except during editing.
36
What is OpenID Connect?
An identity layer on top of the OAuth 2.0 protocol
It verifies end-user identity based on authentication performed by an authorization server.
37
What is required to configure an OpenID Connect authentication provider?
Enter user-friendly name, select OpenID Connect, set Site URL, and specify Authority URL
Additional settings include OAuth2 Flow, Client ID, and Scopes.
38
What does the 'Scopes' field determine in OpenID Connect configuration?
Claims associated with the requested scopes
The default value is openid.
39
What is SAML?
An open-standard format for exchanging authentication and authorization data between an identity provider and a service provider
Relativity supports SAML IdP-initiated single sign-on (SSO) but not SP-initiated SSO.
40
What must SAML assertions be for Relativity to verify their authenticity?
Cryptographically signed
Ensure your SAML IdP is configured accordingly.
41
What is required to configure a SAML 2.0 authentication provider?
Enter friendly name, select SAML2, set Site URL, and specify Audience and Issuer URL
Also include the X.509 certificate from the identity provider.
42
What is the default claim type for the Subject Claim Type in OpenID Connect?
sub
This represents a unique identifier for the user within the system.
43
What is the purpose of the Scopes field in OpenID Connect?
To set a property available from the identity provider
Different identity providers have different properties.
44
What does the identity token contain?
Claims for the selected scopes
45
What claim type is used when requesting only the openid scope?
sub
46
What does the sub claim often represent?
A unique identifier for the user within your system
47
Where can you find the full list of token identifiers for Azure AD?
Microsoft identity platform ID tokens
48
What does the Resource field specify in OpenID Connect?
What is being accessed by your OIDC provider
49
What should remain unchanged unless instructed otherwise by the IT department?
Resource value and Response Type
50
What does Trusted IPs specify in OpenID Connect?
A list of trusted IP addresses for a user
51
What happens if a user attempts to log in from an unauthorized IP address?
Authentication fails
52
What is the purpose of Alternative Issuer(s) in OpenID configuration?
To set the issuer if it does not match the authority URL
53
What are the two authentication provider flows used with Relativity?
  • Code flow
  • Implicit flow
54
What does just-in-time provisioning control?
Access to Relativity environments through an external ID provider
55
How are groups created in a JIT provisioning system?
In an external provider like Okta
56
What does JIT provisioning use to set up a User for login to Relativity?
User claims from the access token
57
What automatically creates the objects necessary for login in JIT User Provisioning?
User claims
58
What feature restricts users from using JIT User Provisioning?
Required Claims feature
59
What does Relativity check when a user logs in?
  • If the client exists
  • If the user exists
  • If the user group exists
60
What is checked on every login in Relativity?
Personal group and Group claim mapping assignments
61
Is JIT User Provisioning supported for SAML?
No
62
What does the Implement field specify on the authentication provider page?
Whether JIT Provisioning is enabled or disabled
63
What does the Client field set in JIT Provisioning?
The Relativity Client a user is assigned to
64
What should the Username Claim Type be mapped to?
The claim containing the email address
65
What does the Personal Group toggle do?
Sets if a Personal Group should be created for a user
66
What is the purpose of the Group Claim Type in JIT Provisioning?
To determine group assignments for a user
67
What does the Default Trusted IPs field contain?
Automatically set IP address values for the user’s TrustedIPs setting
68
What is the purpose of Group Claim Mapping in Relativity?
To add users to the specified group on login based on existing groups in Relativity.
69
How does Relativity handle user claims during login?
Relativity checks that the claims are present in the access token provided by the client’s identity provider.
70
True or False: Just-in-time user provisioning can query external endpoints to determine group membership.
False
71
What happens if user claims do not match any Group Claim Mappings?
The user is removed from that group.
72
What are Required Claims in Relativity?
An optional setting that controls what users gain access to a tenant.
73
Fill in the blank: A user must have at least one _______ to be a provisioned user.
required claim
74
When does the Required Claims check take place?
Only on the initial login.
75
What does the Personal Group feature in Relativity allow?
Controlling permissions at the user level.
76
What is Okta used for in the context of Relativity?
As an OpenID Connect authentication provider.
77
What must be set up in Okta to configure it as an OpenID Connect provider for Relativity?
The Relativity app.
78
What OAuth2 Flow must be selected when configuring Okta?
Code
79
What is required in the Authority URL when configuring Okta?
The Okta domain parameter.
80
What does the Scopes field default to in Okta configuration?
openid
81
What is the default Subject Claim Type value in Okta configuration?
sub
82
What is the purpose of the Redirect URL in Relativity OpenID Connect?
To complete the OAuth2 client setup.
83
What is Microsoft Entra ID used for in Relativity?
As an OpenID Connect authentication provider.
84
What must be done before configuring Entra ID in Relativity?
Add Relativity as an application within Entra ID.
85
What is the default setting for the supported account type in Entra ID registration?
Accounts in this organizational directory only.
86
Fill in the blank: The identity provider sends an identity token that contains the claims for your selected _______.
scopes
87
What is the purpose of OAuth2 clients in Relativity?
To enable third-party applications to authenticate against Relativity securely.
88
What happens if a user already exists in the system regarding Required Claims?
Required Claims does not affect login.
89
How can permissions be set for individual users in Relativity?
By creating a personal group for every user.
90
What is the first step in configuring Okta as an OpenID Connect provider?
Set up the Relativity app in Okta.
91
What should be done after configuring the authentication provider in Relativity?
Assign it as a login method to users.
92
What does the 'Enabled' setting do in the authentication provider configuration?
Determines if the provider is enabled by default.
93
What setting must be selected in the Scopes field when configuring Okta?
openid checkbox
94
What is required for the Subject Claim Type when using OpenID and email in the Scopes field?
It must be set to upn.
95
What is the purpose of OAuth2 clients in Relativity?
To configure external services and applications to authenticate against Relativity in a secure manner
OAuth2 clients enable client applications to obtain access tokens to call Relativity APIs.
96
What are the key components needed to set up an OAuth2 client in Relativity?
  • Client ID
  • Redirect URI
  • Client secret key
These details are used to validate the application and authorize API calls.
97
What does the Flow Grant Type indicate in OAuth2 client setup?
The mechanism for acquiring an authentication token, also known as OAuth2 grant type.
98
What is the Client Credential grant type used for?
For applications that need to get an access token for their own account, outside the context of any specific user.
99
True or False: The Implicit grant type supports the issuance of refresh tokens.
False.
100
What is the recommended Access Token Lifetime for Client Credentials and Code Flow?
1 hour (60 minutes).
101
What must be done to obtain a refresh token?
Use an Authorization Code with a Proof Key for Code Exchange (PKCE) flow.
102
What happens if a token request comes from an IP address outside the specified Trusted IPs range?
The system returns a 400 error with the message 'invalid_client. IP address not allowed.'
103
What is the purpose of the OAuth2 client audit history?
To view all actions taken on a record and what the values were prior to a change.
104
What is RelativityOne Connect used for?
To securely connect multiple Relativity instances and allow users to navigate between them with a single login.
105
What must each party's RelativityOne primary contact do to enable RelativityOne Connect?
Complete a RelativityOne Connect Request form.
106
What is the OpenID Connect Subject when connecting users to different instances?
The user email address in the other instance.
107
What is the significance of the User Type in RelativityOne Connect?
It is used to tag a user as someone coming from another instance for organizational purposes.
108
How many recent error messages does the SSO Troubleshooting console display?
The 10 most recent error messages.
109
What should you do after resolving errors in the SSO Troubleshooting console?
Clear the error log.
110
What is a caution when using RelativityOne Connect?
Granting Connect access to internal users could compromise security, allowing unauthorized access.
111
Fill in the blank: The OAuth2 client setup includes a _______ that is a unique identifier for the client.
Client ID.
112
What is the role of the Admin Guide in the context of OAuth2 clients?
To provide instructions on creating, editing, resetting, and deleting OAuth2 clients.
113
What is required if Client Credentials is selected as the OAuth2 flow?
A Context User must be specified.
114
How do you view and manage errors in the SSO Troubleshooting console?
1. Navigate and select your authentication provider
2. Click on the Errors Log button
3. Review the errors and make the necessary updates to resolve the issue
4. Once resolved, clear the error log.
115
What are federated instances in Relativity?
Federated instances provide a way for reviewers to easily switch to other Relativity environments.
116
How can federated instances be used with OAuth2 clients?
They enable single sign-on for multiple environments in your Relativity ecosystem.
117
What is the purpose of the Authentication provider's HRD hint?
It streamlines the connection process by eliminating the need for manual linking when utilizing the same third-party OIDC provider.
118
What is the first step to create a federated instance?
Open the Federated Instances tab.
119
What information must be completed when creating or editing a federated instance?
You must complete the following fields:
  • Name
  • Instance URL
120
What should the 'Name' field for a federated instance reflect?
A name that makes the instance easy for users to recognize, like RelativityOne Reviewer.
121
Can you change the name of an existing federated instance?
No, you can't change the name of an existing federated instance.
122
What is the Home Realm Discovery (HRD) parameter?
It is a redirect URL to a configured authentication provider for the federated instance.
123
What must be set up correctly for single sign-on to work?
The authentication provider must be set up correctly.
124
What happens if authentication by the provider fails?
The user will be presented with the login screen of the Federated Instance.
125
How do you restrict access to a federated instance?
Using the padlock icon and assigning the appropriate groups access to the instance.
126
What is the process to delete a federated instance?
1. Navigate to the Federated Instance tab
2. Locate and open the federated instance
3. Click Delete
4. Click Ok in the confirmation dialog.
127
What can you view in a federated instance's audit history?
All actions taken on a record and what the values were prior to a change.
128
What details can be exported from the federated instance audit history?
You can export the following details in a .CSV file:
  • User Name
  • Action
  • Timestamp
129
Fill in the blank: To create a federated instance, click _______.
New Federated Instance
130
What is the last step after viewing the audit history of a federated instance?
Close the dialog.