Authentication

Helix TeamHub supports two authentication types: SSH key authentication and password-based authentication.

SSH Key Authentication

SSH key authentication can be used when accessing repositories. This authentication type always uses an SSH key pair to authenticate an account. Helix TeamHub accounts may have multiple SSH keys, but a single SSH key is unique within a Helix TeamHub instance. The same key cannot be shared among accounts, even if they are from different companies.

Password-Based Authentication

Password-based authentication can be used when accessing Helix TeamHub data from repositories, APIs, or the user interface. Helix TeamHub can be configured to use one of the three supported password authentication methods (built in, LDAP, or both). The effects of each method on Helix TeamHub accounts are listed below.

User and Collaborator Accounts

Built in LDAP Both Use case
New accounts can sign up by logging in using LDAP password and email or accountID.
New accounts can be added to Helix TeamHub from LDAP by email or accountID.
New accounts outside of LDAP can be added to Helix TeamHub by email.
New accounts will receive a registration email to set the initial password.
New accounts will receive a welcome email.
Only accounts found from LDAP can be added to Helix TeamHub.
Accounts can login with local password and email or accountID.
Accounts can login with LDAP password and email or accountID.
Accounts can use password recovery unless password is synchronized.

Collaborator Accounts without LDAP Support

When LDAP authentication is also enabled for collaborator accounts, they will behave the same way as normal users regarding authentication (see listing above). When LDAP authentication is disabled for collaborators, the following listing is applicable instead.

Built in LDAP Both Use case
New collaborators can be added to Helix TeamHub by email.
New collaborators will receive a registration email to set the initial password.
Collaborators can login with local password and email or accountID.
Collaborators can use password recovery unless password is synchronized.

Bot Accounts

Bot accounts will always use local password regardless of the authentication method.

Built in LDAP Both Use case
Can access repositories using local password and accountID.

Instance Admin Accounts

Users with admin privileges can always use local password to login to Helix TeamHub Admin.

Built in LDAP Both Use case
Can login to Helix TeamHub Admin using local password and email or accountID.
Can login to Helix TeamHub Admin using LDAP password and email or accountID.
Can use password recovery.

Password expiration

Passwords for built in authentication can be configured to expire after a number of days since the last change. This feature can be turned on by defining password_expire_days via configuration flags. A notification will be shown in the Helix TeamHub UI when the password is close to expiration. The number of days before the notification is shown can be configured with the password_expire_notify flag.

When the feature is enabled for the first time, the last changed timestamp is set for accounts and the expiration period starts. Changing the password will reset the period for the account. If the password is not changed before the expiration period ends, the forgot password feature can be used to request a link to the account's email to reset the password. Password expiration only affects users and collaborators; passwords do not expire for bots.

Company admins can disable password expiration for an account in account details view. This is recommended for service accounts that are used with integrations and whose passwords are managed separately.
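
The expiration rules above can be modelled to review which accounts will be affected before the feature is turned on. The following is an added example, not Helix TeamHub code: the Account record, the function names and the sample data are hypothetical, and it assumes password_expire_notify counts days before expiry and that a password counts as expired at the exact end of the period.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Account:                      # hypothetical record, not a TeamHub API object
    kind: str                       # "user", "collaborator" or "bot"
    last_changed: datetime          # last password change known for the account
    expiration_disabled: bool = False   # per-account switch set by a company admin

def expiry_state(acct, now, enabled_at, expire_days, notify_days):
    """Classify one account as 'exempt', 'expired', 'notify' or 'ok'."""
    # Only users and collaborators expire; bots and accounts with the
    # per-account switch are never affected.
    if acct.kind not in ("user", "collaborator") or acct.expiration_disabled:
        return "exempt"
    # First enable stamps every account, so the period never starts earlier.
    start = max(acct.last_changed, enabled_at)
    expires_at = start + timedelta(days=expire_days)
    if now >= expires_at:           # assumption: the boundary instant counts as expired
        return "expired"
    if now >= expires_at - timedelta(days=notify_days):
        return "notify"
    return "ok"

def audit(accounts, now, enabled_at, expire_days, notify_days):
    """Map account name -> state, for review before anyone is locked out."""
    return {name: expiry_state(a, now, enabled_at, expire_days, notify_days)
            for name, a in accounts.items()}

# Constructed sample data: feature enabled 1 Jan 2024 with
# password_expire_days = 90 and password_expire_notify = 14.
ENABLED_AT = datetime(2024, 1, 1)
ACCOUNTS = {
    "alice": Account("user", datetime(2023, 6, 1)),            # changed before enable
    "bob": Account("user", datetime(2024, 1, 10)),
    "carol": Account("collaborator", datetime(2024, 3, 1)),
    "ci-bot": Account("bot", datetime(2022, 1, 1)),
    "svc-sync": Account("user", datetime(2023, 1, 1), expiration_disabled=True),
}

if __name__ == "__main__":
    for name, state in audit(ACCOUNTS, datetime(2024, 4, 2), ENABLED_AT, 90, 14).items():
        print(f"{name:10} {state}")
```

An integration account that shows up as "notify" or "expired" here, rather than "exempt", is one whose password expiration has not yet been disabled in the account details view.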

Preventing password reuse

Preventing password reuse for built in authentication can be turned on by defining password_expire_count via configuration flags. This setting controls how many old passwords are prevented from being used again when changing the password. This setting only affects users and collaborators.

Updated on: 17 November 2017