Online Help | Web App

Configuring Web App authentication

Introduced in 2024.2

Updated in 2026

Use the Authentication page under Apps and Portals > Web App in the Admin Center to manage how technicians can sign in to the Web App. On this page, you can configure password-based authentication settings and enable protection against brute-force sign-in attempts by limiting repeated failed sign-ins.

The availability of this page depends on the authentication method that was selected for this Web App instance during its server-side configuration. The Authentication page is available only when the Web App is configured for Standard Authentication.

You can choose between these authentication types or combine both:

  • Password authentication

    To allow Web App users to sign in by providing their username and password, select the Alloy password authentication checkbox under Password Authentication. You may also need to allow password authentication in the corresponding user accounts.

    To help protect Web App accounts from brute-force attacks, you can limit how many times a user can try to sign in with an incorrect password within a short period of time.

    This setting applies to failed password sign-in attempts for a specific user from a specific client, such as a browser. After the configured number of failed attempts is reached within the specified time window, the Web App temporarily blocks further sign-in attempts from that client.

    To enable this protection, select Enable failed sign-in attempt limit (brute-force protection) and configure the following values:

    • [number] attempts: The maximum number of failed sign-in attempts allowed before the limit is triggered.

    • within [number] minute(s): The time window during which the failed attempts are counted.

    • then lock for [number] minute(s): The amount of time during which further sign-in attempts are temporarily blocked after the limit is reached.

    For example, if you allow 5 attempts within 1 minute, then lock for 5 minutes, a user can make up to five failed sign-in attempts within one minute. If the fifth attempt also fails, further sign-in attempts from that client are blocked for five minutes.

    When the limit is reached, the user sees a general message explaining that sign-in is temporarily unavailable. The message does not provide technical details or indicate whether the username exists.

    By default, the failed sign-in attempt limit is turned off.

  • Single Sign-On (SSO) authentication

    To enable single sign-on (SSO) authentication for Web App users, select the desired SSO services under Available Single Sign-On services. These services must be previously configured in Alloy Navigator as SSO Provider records. For details, see Managing single sign-on (SSO) providers.

    With SSO enabled, users may still be able to sign in using their username (email) and password. To allow this, enable password authentication in both the API and the user's account.
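The failed sign-in attempt limit described under Password authentication, modeled as an added Python example (not Alloy's code) to show how the three values interact. It assumes a sliding time window, a lock that starts at the attempt reaching the limit, and that attempts made during a lock are rejected without being counted; the class, function, user and client names are hypothetical.

```python
from collections import defaultdict, deque

class FailedSignInLimit:
    """Model of '[N] attempts within [M] minute(s), then lock for [L] minute(s)'."""
    def __init__(self, attempts=5, within_min=1, lock_min=5):
        self.attempts = attempts
        self.window = within_min * 60          # seconds
        self.lock = lock_min * 60              # seconds
        self.failures = defaultdict(deque)     # (user, client) -> failure times
        self.locked_until = {}                 # (user, client) -> unlock time

    def is_blocked(self, user, client, now):
        return now < self.locked_until.get((user, client), 0)

    def record_failure(self, user, client, now):
        """Count one failed password sign-in; return True if it triggers the lock."""
        q = self.failures[(user, client)]
        q.append(now)
        while q and q[0] <= now - self.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.attempts:
            self.locked_until[(user, client)] = now + self.lock
            q.clear()
            return True
        return False

def replay(limit, events):
    """events: (seconds, user, client), each a wrong-password attempt."""
    outcomes = []
    for t, user, client in events:
        if limit.is_blocked(user, client, t):
            outcomes.append("blocked")          # general 'temporarily unavailable' message
        elif limit.record_failure(user, client, t):
            outcomes.append("failed+locked")
        else:
            outcomes.append("failed")
    return outcomes

# Constructed sample events (not real logs), using the page's 5 / 1 min / 5 min values.
LOCKOUT = [(0, "jdoe", "browser-A"), (10, "jdoe", "browser-A"), (20, "jdoe", "browser-A"),
           (30, "jdoe", "browser-A"), (40, "jdoe", "browser-A"),   # fifth failure: lock to t=340
           (50, "jdoe", "browser-A"), (100, "jdoe", "browser-B"),  # counters are per user+client
           (339, "jdoe", "browser-A"), (341, "jdoe", "browser-A")]
# Four mistypes, then one more after the window has passed: the limit is never reached.
MISTYPES = [(t, "asmith", "browser-C") for t in (0, 10, 20, 30, 200)]

if __name__ == "__main__":
    print(replay(FailedSignInLimit(), LOCKOUT))
    print(replay(FailedSignInLimit(), MISTYPES))
```
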

About LDAP authentication

Users can also sign in to the Web App using LDAP authentication, by providing their username (as DOMAIN\username) and password. This method requires that corresponding Domain Credentials records are configured in Alloy Navigator. For details, see Managing Domain Credentials and Administration Guide: Enabling LDAP Authentication.