Plugin Version: 2.6|Release Notes


Overview

The Enhanced Login plugin provides a higher level of security by creating and managing security policies inside ProcessMaker according to the settings made by an administrator user. The plugin monitors login sessions through the IP address from which they started a session or through the direction of the device (or both). It can block duplicate login sessions from the same user or login sessions from multiple devices.

It also adds a security layer to the user login through a "2 Step Verification" method. Users who are configured to have 2-step verification will receive an email with a verification token or a token matrix generated by the plugin. After logging into ProcessMaker with their user credentials (step 1), they must enter the code (step 2) to enter ProcessMaker.

In addition, the plugin also provides an easy-to-use interface to add password policies which normally must be set inside a configuration file of ProcessMaker.

Requirements

  • ProcessMaker Enterprise version 3.0 or higher with the corresponding license.

Supported Stacks

  • Check this documentation to view the table of ProcessMaker supported stacks.

Browser Requirements

  • To view the browsers supported check the following documentation.

Setup

  • Import the Enhanced Login plugin. See: How to import plugins.
  • Enable the plugin inside the Enterprise Plugin Manager. Go to "ADMIN", then under the "Plugins" tab, enter the "Enterprise Plugin Manager" to access all available plugins. Select the "Enhanced Login" option and enable it.

Glossary

  • Coordinate Matrix. Matrix or printed serial numbers (usually paired data) ordered in rows and columns. Rows are titled with ascending numbers starting from 1 and columns are ordered alphabetically starting from A.
  • Token. 5-digit code that is sent to the user in an email to allow the authentication under security policies set by the user login.
  • PP.Passwords Policies.

Managing the Plugin

To access the plugin, go to the ADMIN section of ProcessMaker. Then, look for the "Enhanced Login" tab using the arrow on the right and click on it to access its options.

The plugin has three options available to work with:

  • 2 Step Verification.
  • Session Control.
  • Password Policy.

Each of the options is explained next:

2 Step Verification

This option is a login method used by the plugin to add an extra layer of security by making the login to ProcessMaker a 2-step process. The first step is the normal login, where users enter their username, their password and, optionally, the workspace they are working on. The second step asks users to enter a verification code generated by the plugin and sent to the user's email before access to ProcessMaker is granted.

To configure this option, log in to ProcessMaker as a user such as "admin" who has the PROCESSMAKER_ADMIN role. Then, go to the Enhanced Login tab inside ADMIN. Click on the "2 Step Verification" option in the left panel to access the list of all users on the right:

There are two tabs available in this section: "Users" and "Token Provider Setup".

Users

This tab shows a list of all the existing users and provides an option to select their login method:

Below find a description of each one of these options:

1. Regenerate Matrix. This option generates a new token matrix and emails it to users that are assigned with the "Verification Matrix" as the login method. Select one user from the list and click on this option, a message like the following figure opens:

Click on "Cancel" to close the message or click on "OK" to generate the new matrix and send it to the user's email. A new message opens:

Click "Ok" to close it.

2. Kill Session. Select a user whose verification type has been set to one of the two-step methods (options 4 or 5 below) and click this option to close any active session of that user. A message like the following opens:

Click on "Cancel" to close the message or click on "OK" to close the sessions and a new message appears:

Click on "Ok" to close it.

3. Search. Enter the user name, first or last name in this field and click on the "Search" button.

Verification type. After configuring and enabling the token provider (token matrix or single token), the verification options are available in this column for each user. Click on the cell to expand a dropdown with the following options.

4. TWOSTEP_VERIFICATION_MATRIX. This option is only available if this method is enabled inside the token provider setup. By selecting this option the user receives an email with the token matrix generated by the plugin, which will allow the user to enter ProcessMaker. The system asks for a specific coordinate of the matrix in the format letterNumber. For a 100-cell matrix there will be 10 rows and 10 columns (matrices are always square); each row is numbered starting from 1, and each column is assigned a letter starting from A. Thus, the first cell will always be A1, the second cell in the first row will be B1, and so on.

5. TWOSTEP_VERIFICATION_EMAIL. This option is only available if this method is enabled inside the token provider setup. By selecting this option the user receives an email with a single token generated by the system which must be entered in order to access ProcessMaker.

6. Sort. The sort option is available for the User Name, Full Name and Status columns. Hover the mouse pointer over the left side of the column name until a black down arrow appears, then click on it to expand a menu. The column will be sorted alphabetically in ascending or descending order.

Token Provider Setup

In order to configure the plugin, the type of token provider must be set. Click on this tab to access the two possible methods of providing users with access tokens. These methods are Matrix and Email, and each of them is explained below.

Matrix

Click on the first tab ("Matrix") inside the "Token Provider Setup" section. Enable this option so that users can be assigned this method to access ProcessMaker. When a user with this method logs in, an email with the generated token matrix is sent so that the session can be started.

The options that need to be configured are explained below:

  1. Enable or disable this method in this section. If it is enabled, it will be available in the column of verification type in the list of users and it will be possible to assign them this method.
  2. Matrix size. Specify the size of the square matrix where the tokens will be generated.
  3. Token size. Number of digits or characters the generated token will have.
  4. Token type. Click on the down arrow to view the types of tokens that will be built, which could be: "Numeric", "Alphabetic" and "Alphanumeric".
  5. Generate matrix. Regenerates the matrix each "N" days and sends the new matrix to the user's email to login again.
  6. Usage Time. Enables or disables the generation of the new matrix.
  7. Save Settings. Click on this button to save all settings made. A message appears at the bottom of the page.

To assign a user with this method go to the "Users" tab, select the user that will have to use a token of the matrix to login to ProcessMaker, and in the "Verification Type" column select this method.

After the user logs into ProcessMaker with the user name and password, an email is sent to the user and a window opens asking for the code at a given column/row coordinate, like the following:

The user must check his or her inbox and find the email with the generated matrix of tokens. In this case, the size of the matrix is 5 and it has alphanumeric tokens.

As the message asked for A3, the code that must be entered in the field is the one in column A, row 3 (IIG5F7). Finally, enter the code and click on the "Submit" button to access ProcessMaker.

Email

Click on the second tab ("Email") inside the "Token Provider Setup" section. Enable this option to send a single login token to the user's email.

The characteristics of this section are:

Where:

  1. Enable or disable this method in this section. If enabled, it will be available in the column of verification type in the list of users and it will be possible to assign them this method.
  2. PP Token Length. Number of digits or characters the generated token will have.
  3. PP Email Type. Types of generated tokens which could be: "Numeric", "Alphabetic" and "Alphanumeric".
  4. Save Settings. Click on this button to save all settings made on this section.

To assign a user with this method go to the "Users" tab, select the user that will have to use a token to login into ProcessMaker, then in the "Verification Type" column select this method.

After the user logs into ProcessMaker with the user name and password, an email is sent to the user and a window opens asking for the code, like the following:

The user must check his or her inbox, where the generated token will be found. For example:

Enter the code (23W131D7) in the field and click on the "Submit" button to enter ProcessMaker.
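The following is an added example, not code from the plugin or from ProcessMaker, showing how the two token providers described above can be modelled: the Email provider's single token, the Matrix provider's square matrix of coordinates (A1, B1, ..., as in the 2 Step Verification section), the challenge for one coordinate such as A3, and the check of the code the user submits. The function names, the use of Python's secrets module, and the reading of "Matrix size" as the side length (so size 5 produces a 5x5, 25-cell matrix) are assumptions of this example.

```python
import hmac
import secrets
import string
from typing import Dict

# Alphabets for the three token types offered under "Token type" / "PP Email Type".
TOKEN_ALPHABETS = {
    "Numeric": string.digits,
    "Alphabetic": string.ascii_uppercase,
    "Alphanumeric": string.ascii_uppercase + string.digits,
}


def generate_token(length: int, token_type: str = "Alphanumeric") -> str:
    """One token of `length` characters from a CSPRNG; this is the Email provider's single token."""
    alphabet = TOKEN_ALPHABETS[token_type]
    return "".join(secrets.choice(alphabet) for _ in range(length))


def column_label(index: int) -> str:
    """Column letters as printed in the matrix header: 0 -> 'A', 25 -> 'Z', 26 -> 'AA'."""
    label = ""
    index += 1
    while index:
        index, rem = divmod(index - 1, 26)
        label = chr(ord("A") + rem) + label
    return label


def generate_matrix(size: int, token_length: int, token_type: str = "Alphanumeric") -> Dict[str, str]:
    """Square token matrix keyed by coordinate ('A1', 'B1', ..., 'E5' for size 5).

    Assumption of this example: `size` is the side length, so 5 gives a 25-cell matrix.
    """
    matrix: Dict[str, str] = {}
    for row in range(1, size + 1):
        for col in range(size):
            matrix[f"{column_label(col)}{row}"] = generate_token(token_length, token_type)
    return matrix


def render_matrix(matrix: Dict[str, str], size: int) -> str:
    """Text layout as it could be emailed: column letters across the top, row numbers down the side."""
    width = max(len(token) for token in matrix.values())
    header = "    " + " ".join(column_label(c).rjust(width) for c in range(size))
    lines = [header]
    for row in range(1, size + 1):
        cells = " ".join(matrix[f"{column_label(c)}{row}"].rjust(width) for c in range(size))
        lines.append(f"{row:>3} {cells}")
    return "\n".join(lines)


def pick_challenge(matrix: Dict[str, str]) -> str:
    """Choose the coordinate the login window will ask for (e.g. 'A3')."""
    coords = sorted(matrix)
    return coords[secrets.randbelow(len(coords))]


def verify_token(expected: str, entered: str) -> bool:
    """Constant-time comparison of the submitted code against the expected token.

    Surrounding whitespace is ignored and case is folded, since the emailed tokens are uppercase.
    """
    return hmac.compare_digest(
        expected.strip().upper().encode("utf-8"),
        entered.strip().upper().encode("utf-8"),
    )


if __name__ == "__main__":
    # The page's example: matrix size 5 with alphanumeric tokens.
    matrix = generate_matrix(5, 6)
    print(render_matrix(matrix, 5))
    coordinate = pick_challenge(matrix)
    print(f"Login window asks for: {coordinate}")
    print("submit accepted:", verify_token(matrix[coordinate], matrix[coordinate].lower()))
```

Both providers share generate_token; the difference is only whether one token is mailed at login or a whole matrix is mailed once and a coordinate is challenged at each login. The comparison goes through hmac.compare_digest so that a wrong code takes the same time to reject regardless of which character differs.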

Session Control

This option allows administrators to restrict open sessions of the same user. It has two ways to restrict the user's login:

  • Restriction by IP. Restricts logins made by the same user from different IP addresses.
  • Device restriction. Restricts logins made by the same user from different devices.

Each restriction can be disabled, set to block another login with the same credentials while a session already exists, or set to kill the existing session so that the new login is allowed.

To use this option access the Enhanced Login tab inside ADMIN, then click on the Session Control option of the left panel.

A window with the following characteristics opens:

  1. IP Restriction. There are three options in the radio group of this option:
    • Disable. Select this option to disable this restriction and allow a user to log in again from the same IP address.
    • Block Duplicate Session. Select this option to block any attempt to start another session of the same user with the same IP address. The following message will be shown if a user is trying to login with credentials of a user that has already a session open:
    • Kill Existing Session. Select this option to kill the existing session of a user. This is very helpful, for example, if a user is trying to login in another browser or in the same browser but the session information has not been deleted. With this option the user will be able to normally enter ProcessMaker with the same IP address but with a new session.
  2. Device Restriction. There are three options in the radio group of this option:
    • Disable. Select this option to disable this restriction and allow a user to login from different devices.
    • Block Duplicate Session. Select this option to block any attempt to start another session of the same user in another device. The following message will be shown if a user is trying to login with credentials of a user that has already a session open:
    • Kill Existing Session. Select this option to kill the existing session of a user. With this option, if a user is trying to login but there is already a session open in another device, the first user that logged into ProcessMaker will lose the session so the other starts a new session in another device.
  3. Save Settings. Click on this button to save all configuration made in this section.

It is also possible to combine both restrictions and use them at the same time. For example, if the following has been set:

It means that the user will be able to log in from the same device, but ProcessMaker will kill the previous session and start a new one each time the user logs in. However, the user will lose the session if the same login credentials are used on another device.
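As an added example (not the plugin's code), the following models the Session Control rules above: each restriction takes one of the three radio-button values, the IP restriction looks at existing sessions of the same user from the same IP address, the device restriction looks at existing sessions of the same user on another device, and the administrator's "Kill Session" action from the Users tab closes all of a user's sessions. The class and function names, the in-memory session table and the way a "device" is identified (here just a string) are assumptions of this example.

```python
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, Iterator, List, Tuple

# The three values each restriction can take on the Session Control page.
DISABLE = "Disable"
BLOCK = "Block Duplicate Session"
KILL = "Kill Existing Session"


@dataclass
class Session:
    session_id: int
    user: str
    ip: str
    device: str


@dataclass
class SessionControl:
    ip_restriction: str = DISABLE
    device_restriction: str = DISABLE
    active: Dict[int, Session] = field(default_factory=dict)
    _ids: Iterator[int] = field(default_factory=count, repr=False)

    def login(self, user: str, ip: str, device: str) -> Tuple[bool, str, List[int]]:
        """Evaluate a login attempt against both restrictions.

        Returns (allowed, reason, ids of the sessions that were killed). A "Block" outcome
        wins over a "Kill" outcome: nothing is killed when the login is refused.
        """
        mine = [s for s in self.active.values() if s.user == user]
        to_kill: List[int] = []
        for s in mine:
            # IP restriction: a second session of the same user from the same IP address.
            if s.ip == ip:
                if self.ip_restriction == BLOCK:
                    return False, "a session of this user is already open from this IP address", []
                if self.ip_restriction == KILL:
                    to_kill.append(s.session_id)
            # Device restriction: a session of the same user open on another device.
            if s.device != device:
                if self.device_restriction == BLOCK:
                    return False, "a session of this user is already open on another device", []
                if self.device_restriction == KILL:
                    to_kill.append(s.session_id)
        for sid in set(to_kill):
            del self.active[sid]
        sid = next(self._ids)
        self.active[sid] = Session(sid, user, ip, device)
        return True, "login accepted", sorted(set(to_kill))

    def kill_sessions(self, user: str) -> List[int]:
        """The administrator's "Kill Session" action: close every active session of one user."""
        ids = sorted(sid for sid, s in self.active.items() if s.user == user)
        for sid in ids:
            del self.active[sid]
        return ids


if __name__ == "__main__":
    # The combination from the page: both restrictions set to "Kill Existing Session".
    sc = SessionControl(ip_restriction=KILL, device_restriction=KILL)
    print(sc.login("alice", "10.0.0.5", "laptop"))    # first session
    print(sc.login("alice", "10.0.0.5", "laptop"))    # same device: previous session killed
    print(sc.login("alice", "192.0.2.7", "phone"))    # other device: the laptop session is lost
    print(sc.kill_sessions("alice"))
```

Blocking before killing matters operationally: with IP restriction set to "Block" and device restriction set to "Kill", a duplicate login from the same address is refused outright, and the existing session survives, which is what a user who simply opened a second browser on the same machine would expect.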

Password Policy

This option enables the different policies a password should comply with. To use this option access the Enhanced Login tab inside ADMIN, then click on the "Password Policy" option of the left panel.

Its options are detailed below:

  • Numeric characters. Enable this option when passwords should have numeric characters. If the next time a user changes his or her password and it does not have numeric characters, the following message will be shown:
  • Uppercase characters. Enable this option so that passwords should contain uppercase characters. If the next time a user changes his or her password and it does not have uppercase characters, the following message will be shown:
  • Special characters. Enable this option so that passwords contain special characters. These characters can be:

    [ ? / < ~ # `! @ $% ^ & * ( ) + = } |: " ; ' , > {

    If the next time a user changes his or her password and it does not have special characters, the following message will be shown:

  • Minimum Length. Set the minimum size of the password. The field is highlighted in red because, if set, the minimum length must be at least four characters. If the next time a user changes his or her password it does not have the minimum length set in this section, the following message will be shown:
  • Maximum Length. Set the maximum size of the password. If the next time a user changes his or her password it exceeds the maximum length set in this section, the following message will be shown:
  • Password Expiration in. Set the expiration of the password, so users must change it after the specified number of days. The field is highlighted in red because, if set, the minimum accepted value is 1.
  • Logins Failed. Number of failed logins before setting the user's status to "Inactive". If the number of attempts exceeds the number set in this section, the following message is shown to the user:

And immediately the user will be set in the "Inactive" status.

Only an administrator user will be able to change the user's status. It is possible to view the log of failed attempts inside the file loginFailed.log. This file contains the date, time, user, IP address, workspace and browser of the last failed attempt. For example:

The loginFailed.log file for the default "workflow" workspace is generally found in Linux/UNIX at:

/opt/processmaker/shared/log/loginFailed.log

In Windows, it is generally located at:

C:\Program Files\ProcessMaker\processmaker\shared\log\loginFailed.log

Note: The time and date won't be shown if the available hotfix ProcessMaker 2.5.2.4 is not installed.

  • Save Settings. Click on this button to save all settings made in this section. The following message will be shown in the bottom of the page:
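The following is an added example, not the plugin's own code, that implements the Password Policy rules described above as a validator: the numeric, uppercase and special-character requirements (using the special-character set listed on this page), the minimum and maximum length, the rule that a set minimum length must be at least 4 and a set expiration at least 1 day, and the "Logins Failed" counter that moves a user to "Inactive" once the configured number of failures is exceeded, with reactivation reserved for an administrator. Class and function names, the in-memory counters and the error messages are assumptions of this example; the plugin's real messages are the ones shown in its own dialogs.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Special characters accepted by the "Special characters" policy, as listed on this page.
SPECIAL_CHARACTERS = set('[?/<~#`!@$%^&*()+=}|:";\',>{')


@dataclass
class PasswordPolicy:
    numeric: bool = False
    uppercase: bool = False
    special: bool = False
    min_length: int = 0        # 0 = not set; when set, the page requires at least 4
    max_length: int = 0        # 0 = not set
    expiration_days: int = 0   # 0 = not set; when set, the page requires at least 1
    logins_failed: int = 0     # 0 = no lockout

    def __post_init__(self) -> None:
        # The same constraints the page marks in red on the settings form.
        if 0 < self.min_length < 4:
            raise ValueError("Minimum Length, if set, must be at least 4")
        if self.max_length and self.max_length < self.min_length:
            raise ValueError("Maximum Length must not be smaller than Minimum Length")
        if self.expiration_days < 0 or self.logins_failed < 0:
            raise ValueError("Password Expiration and Logins Failed cannot be negative")

    def check(self, password: str) -> List[str]:
        """Return every policy the new password violates (empty list means accepted)."""
        errors: List[str] = []
        if self.numeric and not any(c.isdigit() for c in password):
            errors.append("password must contain numeric characters")
        if self.uppercase and not any(c.isupper() for c in password):
            errors.append("password must contain uppercase characters")
        if self.special and not any(c in SPECIAL_CHARACTERS for c in password):
            errors.append("password must contain special characters")
        if self.min_length and len(password) < self.min_length:
            errors.append(f"password must be at least {self.min_length} characters")
        if self.max_length and len(password) > self.max_length:
            errors.append(f"password must be at most {self.max_length} characters")
        return errors


@dataclass
class LoginTracker:
    """Counts failed logins per user and applies the "Logins Failed" lockout."""
    policy: PasswordPolicy
    failures: Dict[str, int] = field(default_factory=dict)
    status: Dict[str, str] = field(default_factory=dict)

    def attempt(self, user: str, credentials_ok: bool) -> str:
        """Record one login attempt and return the user's status afterwards."""
        if self.status.get(user, "Active") == "Inactive":
            return "Inactive"                       # locked out until an administrator acts
        if credentials_ok:
            self.failures[user] = 0
            return "Active"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.policy.logins_failed and self.failures[user] > self.policy.logins_failed:
            self.status[user] = "Inactive"          # exceeded the configured number of failures
        return self.status.get(user, "Active")

    def reactivate(self, user: str) -> str:
        """Only an administrator may do this; the counter starts again from zero."""
        self.status[user] = "Active"
        self.failures[user] = 0
        return "Active"


if __name__ == "__main__":
    policy = PasswordPolicy(numeric=True, uppercase=True, special=True,
                            min_length=8, max_length=16, logins_failed=3)
    for candidate in ("weak", "Str0ng!pass", "A1!" + "x" * 20):
        print(repr(candidate), "->", policy.check(candidate) or "accepted")
    tracker = LoginTracker(policy)
    for _ in range(4):
        print("failed login ->", tracker.attempt("carol", False))
```

Three points a practitioner would want to verify against their own settings: the lockout triggers on the attempt that exceeds the configured count, not on the count itself; a later correct password does not clear an "Inactive" status (the page reserves that for an administrator); and the validator returns all violated rules at once, so the message shown to the user can name every failing policy.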