Operator Authentication Modules

Overview

Integriti’s Operator Authentication Modules allow you to control how Operators authenticate when logging into the Integriti software. Authentication can be managed entirely by Integriti, or delegated to an external authentication service to centralise operator credentials across multiple systems.

Three authentication modules are supported:

Module	Description	Licensing
Built-In Authentication	Credentials stored and managed entirely within the Integriti database.	Included with all editions.
Windows Active Directory	Authenticate operators against a Windows AD domain using their Windows credentials.	Business Edition or higher.
OAuth Authentication	Authenticate against a compatible OAuth/OpenID Connect provider (Okta, Microsoft Entra ID, Google, or Custom).	Business Edition or higher.

Important: Keep Built-In Authentication enabled until external authentication is tested. Disabling it prematurely (or losing connection to the external system) can result in permanent lock-out from Integriti.

Prerequisites

• Integriti System Designer with installer-level access.
• Integriti Business Edition or higher (for AD/OAuth authentication).
• Network connectivity between the Integriti Application Server and the external authentication system.
• For OAuth: an Application registered in the OAuth provider with Client ID, Client Secret, and appropriate user assignments.
• For Active Directory: trust relationship between the Integriti server and the target AD domain.

Step-by-Step

Configure OAuth Authentication System (External Provider)

1. In your OAuth provider (Okta, Entra ID, Google, or Custom), create an Application representing the Integriti integration.
2. Retrieve the Issuer URL (for Custom providers) or note the Tenant ID (Entra ID) / Okta Domain.
3. Note the Client ID (sometimes called Audience) for the Application.
4. Enable Client Secret Authentication and save the generated Client Secret immediately (it may only be visible once).
5. Assign users in the OAuth system to the Application.
6. Optionally configure the Application to provide the groups claim in ID tokens (for automatic Operator Type assignment).

Configure Authentication Modules in Integriti

1. Open Integriti System Designer and go to System → System Settings.
2. Under Configuration, locate the Authentication section.
3. Built-In Authentication: Leave Allow Built-In Authentication enabled (recommended).
4. Active Directory Authentication:
   • Enable Allow Active Directory Authentication.
   • Optionally enable Allow Login With Current Windows User (lets operators log in without typing credentials).
   • Configure Use User Credentials to Connect to Extra Domains as needed.
   • Add additional domains via External Authentication Providers if required.
5. OAuth Authentication:
   • Enable Allow OAuth Authentication.
   • Under External Authentication Providers, add a provider:
     • Label: Display name in the login dialog.
     • OAuth Provider: Select Entra ID, Google, Okta, or Custom.
     • Enter Tenant ID, Okta Domain, or Issuer URL as applicable.
     • Enter Client ID and Client Secret from the OAuth provider.
     • Optionally enable Always Require Password and Automatic Operator Creation.
     • Under Groups, assign OAuth groups to Integriti Operator Types.

Configure Operators

1. Navigate to Administration → Operators.
2. Click Add New to create an operator.
3. Set Name, User Name (must match external username for AD/OAuth), and Operator Type.
4. Set Authentication Mode to the desired module or OAuth provider.
5. If using Built-In, enter and confirm a password.
6. Optionally set Password Expired to force a password change on first login.
7. Click Save.

Configure Operator Type Authentication (Optional)

1. Navigate to Administration → Operator Types.
2. Edit an Operator Type.
3. For AD: set Active Directory Group to the AD group name. All AD users in that group will be automatically assigned this Operator Type.
4. For OAuth: configure group-to-Operator-Type mapping in the External Authentication Providers settings in System Settings.

Verification

1. Log out of Integriti and re-open the login dialog.
2. For Built-In: select Username and password, enter credentials, and verify login.
3. For AD: select Username and password (or Current Windows user if enabled), enter AD credentials, and verify login.
4. For OAuth: select the OAuth provider from the Log in with list, click Login, complete the provider’s web authentication, and verify login.
5. Verify that automatically created operators (via AD group or OAuth group) appear in the Operators list.
6. Check Integriti Review for any authentication failure messages.

Troubleshooting

Symptom	Resolution
Unable to log on: Authentication scheme not licensed	Ensure the system has Business Edition or higher licensing.
Unable to log on using Active Directory: The server is not operational	Check network connectivity to the domain controller.
Unable to log on using Active Directory: Current security context…	The domain user doesn’t exist or doesn’t belong to an AD group assigned to an Operator Type.
Unable to log on using OAuth: Unknown operator or incorrect password	Check Integriti Review for username/subject ID/group info. Ensure the Integriti username matches the external username. Verify Automatic Operator Creation is enabled or the operator was manually created. Verify the user belongs to a group mapped to an Operator Type.
Locked out of Integriti (Built-In disabled)	Contact Inner Range Technical Support. Always keep Built-In Authentication enabled as a fallback.
OAuth Client Secret expired	Update the Client Secret in System Settings immediately. If Built-In is also disabled and the secret is invalid, this can cause permanent lock-out.

Related Pages

• Active Directory Operator Authentication — Detailed Active Directory setup guide.
• Integriti System Configuration — System Settings reference.
• Integriti Software Editions — Licensing tier details.
• Integriti Operator Guide — Day-to-day operator tasks.
• Two Factor Authentication — Additional layer of login security.