Authentication FAQ
This article answers common questions about LifeOmic Platform Authentication. For additional documentation, see Access Control Overview.
What do I do if I lost my password or forgot my password?
Click the Forgot your password? link on the LifeOmic Platform login screen to receive an email with a passcode that will let you reset your password. You can also use the Sign into the LifeOmic Platform without a Password procedure.
What methods are available for authentication?
- User credentials (Traditional username and password)
- Single Sign-on (SSO)
- Passwordless (One-time Passcode (OTP))
- API key (JSON Web Token (JWT))
What is user credential authentication?
A user credential is a username and password pair that allows access into the platform. Sometimes organizations configure a Single Sign-On provider (SSO) that unifies a username and password credential to allow access to many systems.
Complete user credential authentication at the following locations:
Web App: https://apps.us.lifeomic.com/login
LifeOmic CLI - lo auth
LifeOmic Notebook Service - The authentication token and refresh token are automatically made available when a Notebook is launched. Those are available in the environment under:
PHC_REFRESH_TOKEN
PHC_ACCESS_TOKEN
When presented with a valid username and password, the authentication API responds with a JSON Web Token
(JWT) for the user. Use the
HTTP Authorization
header and set the value format as: Authorization=Bearer <token>
.
How do I configure Auth Client and SSO?
Customers with stringent security concerns can set up SSO authentication. Most SSO providers, such as Okta, let you specify two-factor authentication (2FA) or multi-factor authentication (MFA).
For more information and a configuration procedure, see Auth Clients and Single Sign-on.
Are external Identity Providers (IdP) supported?
The LifeOmic Platform supports Single Sign-On (SSO). SSO providers must support either SAML2 or OpenID.
For example, the LifeOmic Platform is validated with Okta and Shibboleth IdP.
Is Passwordless login a secure authentication method?
Yes. When a user selects the Passwordless option at the login screen, the LifeOmic Platform generates a secure, unique token and emails the requestor a link for password-free authentication. In general, passwordless authentication with a One-Time Password (OTP) token is regarded as more secure than traditional password schemes. It prevents the common security breaches that result from stolen or guessed passwords.
The LifeOmic Platform passwordless method requires that you log in with the same device and browser used to initiate the request. The generated link also expires after five minutes. Both of these measures further mitigate security risks.
For more information and a configuration procedure, see Sign in without a Password.
Can I prevent my users from using the Passwordless authentication option?
Once SSO is configured, the LifeOmic Platform admin can invite users with an invitation that requires the user to log in with SSO authentication. A LifeOmic Platform invitation encapsulates both the user-email and required authentication method. If you invite a user with the requirement that they use SSO, they must use SSO for their initial login. If on a subsequent login, the user attempts to use passwordless authentication, the user would not be able to authenticate as the original invited user and would not have the permissions granted to that user by the admin.
What is API key authentication?
Instead of having to do the normal authentication process of entering in user credentials (username and password), you can create an API key unique to a user. For more information and a configuration procedure, see API keys.
What access control does an API key have?
An API key created by a user acts on behalf of that user and provides the same level of access within the account. Secure your API key like you secure your username and password.
How often do API keys expire?
A new API key requires you to set an expiration time, configurable
in days. The minimum expiry is 1 day
and the maximum is 365 days
.
A best practice is to set a cadence of API key rotation throughout the year.
Where can I use an API key?
API keys may be used in scripted environments like Linux based machines with
Bash to interface with the LifeOmic Platform API. Use the
HTTP Authorization
header and set the value format as: Authorization=Bearer <api key>
.
The LifeOmic CLI may be used to further enhance those scripts where the API is abstracted away. The CLI supports Linux, MacOS, and Windows environments.
The SDK for Python also supports API keys for automation and interacting with the LifeOmic Platform API through a Python interface.
What access token methods can a customer use with the LifeOmic Platform API?
- Authorization code - This is a common grant type used in OAuth flows. The
access_token
is usually short-lived. Arefresh_token
allows getting newaccess_token
s for a longer period.
OAuth 2.0 specifies different grant_types
that allow access token grants. For more information, see authorization code request. The authorization grant is also used to log in a LifeOmic Platform user.
- API key - This is a self-encoded access token and has a long life. Each LifeOmic Platform API key represents a user and receives the same ABAC enforcement that the associated user would have. If the user associated with an API key is added or removed from groups (and therefore policies), the API key reflects those changes. For more information, see API keys.