Local user database


This section explains how local user accounts are managed in AppGate ZTNA.

"Local users" are user identities that have been added to the local (Controller) system database. The "Builtin Administrator" Local User account is pre-configured in the Local Database to enable full system administration and cannot be deleted.

Local users can be added to the Local Database to provide accounts for other administrators or for temporary users not listed in an external Identity Provider.

The local user database is not intended as an IdP for large user groups in a production environment. An external IdP must be configured for this purpose.

Use the Identity Providers UI to configure Local

System administrator account

The "Builtin Administrator" system administrator account is pre-configured in your AppGate ZTNA system. Note that the Builtin Administrator account should not be changed or deleted.

To provision access for other administrators, refer to Admin user access.

Managing accounts and passwords

To create local user accounts, edit account details, or change the user's password for an existing local user account:

  • Use Local Users.

  • Use + Add New or select the name of the user to open the editing window.

Password policy

The local user database has:

  • A minimum password strength setting. The default setting is five characters.

  • A built-in, configurable lockout policy. The default setting will lock out the user for one minute after five consecutive failed attempts within one minute.

This can be configured in Identity Providers > Local.
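The following is an added example, not AppGate's code, that models the two policy defaults described above (a five-character minimum and a lockout of one minute after five consecutive failures within one minute) as a small in-memory user store. The class name `LocalUserDatabase`, the PBKDF2 password hashing, the `authenticate()` return values and the choice to reject attempts made during a lockout without counting them are assumptions made for the example; the sliding failure window and the reset on a successful sign-in are what "consecutive failed attempts within one minute" implies.

```python
"""Model of a local-user password-strength and lockout policy (added example)."""
import hashlib
import hmac
import os
import time
from collections import deque

# Assumed defaults, matching the documented policy: 5-character minimum,
# 5 consecutive failures inside a 60 s window lock the account for 60 s.
DEFAULT_MIN_LENGTH = 5
DEFAULT_MAX_FAILURES = 5
DEFAULT_WINDOW_SECONDS = 60
DEFAULT_LOCKOUT_SECONDS = 60

# Fixed salt used only to equalise hashing cost for unknown usernames.
_DUMMY_SALT = b"\x00" * 16


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 (assumed scheme)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class LocalUserDatabase:
    """In-memory store enforcing minimum length and a sliding-window lockout."""

    def __init__(self, min_length=DEFAULT_MIN_LENGTH,
                 max_failures=DEFAULT_MAX_FAILURES,
                 window_seconds=DEFAULT_WINDOW_SECONDS,
                 lockout_seconds=DEFAULT_LOCKOUT_SECONDS):
        self.min_length = min_length
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._users = {}          # username -> (salt, digest)
        self._failures = {}       # username -> deque of failure timestamps
        self._locked_until = {}   # username -> time the lockout expires

    def add_user(self, username, password):
        """Create or update a local user; reject passwords below the minimum."""
        if len(password) < self.min_length:
            raise ValueError(
                f"password must be at least {self.min_length} characters")
        self._users[username] = hash_password(password)

    def is_locked(self, username, now):
        return self._locked_until.get(username, 0.0) > now

    def _record_failure(self, username, now):
        """Add a failure, drop failures outside the window, lock if at limit."""
        window = self._failures.setdefault(username, deque())
        window.append(now)
        while window and now - window[0] > self.window_seconds:
            window.popleft()
        if len(window) >= self.max_failures:
            self._locked_until[username] = now + self.lockout_seconds
            window.clear()

    def authenticate(self, username, password, now=None):
        """Return "ok", "failed" or "locked".

        A locked account returns "locked" whether or not the password is
        correct, so the lockout does not leak whether a guess was right
        (assumed behaviour for this example).
        """
        now = time.time() if now is None else now
        if self.is_locked(username, now):
            return "locked"
        record = self._users.get(username)
        if record is None:
            # Unknown user: spend the same hashing cost to avoid a timing
            # difference that would reveal which usernames exist.
            hash_password(password, _DUMMY_SALT)
            ok = False
        else:
            salt, digest = record
            ok = hmac.compare_digest(hash_password(password, salt)[1], digest)
        if ok:
            # A successful sign-in ends the run of consecutive failures.
            self._failures.pop(username, None)
            return "ok"
        self._record_failure(username, now)
        return "locked" if self.is_locked(username, now) else "failed"


if __name__ == "__main__":
    db = LocalUserDatabase()
    db.add_user("alice", "correct horse battery")  # constructed sample user
    for t in range(5):
        print(t, db.authenticate("alice", "wrong", now=t))   # 4x failed, then locked
    print(10, db.authenticate("alice", "correct horse battery", now=10))  # locked
    print(65, db.authenticate("alice", "correct horse battery", now=65))  # ok
```

Running the block shows the fifth wrong password inside the window locking the account, the correct password being refused at second 10 while the lockout is active, and the sign-in succeeding once the minute has passed; spreading the same five failures more than a minute apart never reaches the limit.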

Client authentication

Client sign-in. When Local has been selected on the Client sign-in screen, the username and password must be entered and the user can select the Keep me signed in option. This will remember the credentials and use them to auto-start the Client and automatically sign the user in next time. The Controller will map attributes based on the username entered to populate user Claims and issue Claims and Entitlement tokens.

Claims token renewal. When the user's Claims token expires, the Client uses the cached username/password credentials (if available) to handle token renewal automatically. Normally this is transparent to the user. When the user credentials no longer match, the user will be prompted to re-authenticate to renew the token.

Password user interaction. If a password user interaction is triggered, the Client will ask the user to type in a password. This might be from the IdP used for signing in or it could be a different IdP.

Administrator authentication

This method can also be used to authenticate an administrator signing in to the admin UI and for REST API calls.