OpenCms documentation

Login

The login dialog is available under the /system/login URL path, or alternatively, under the /workplace path.

 

Login dialog

Enter your username and password in order to log into the workplace.

Clicking the Show options button reveals additional options, for example a link to the password reset dialog or a selection for logging in to a specific organisational unit.

Login dialog options

The workplace login can additionally be secured by two-factor authentication. Activating it requires a configuration setting in OpenCms, and the workplace users have to install on their personal devices an authenticator app of their choice that supports the TOTP procedure. TOTP stands for time-based one-time password. Suitable apps are, for example, Google Authenticator or Microsoft Authenticator.

Two-factor authentication can be activated in the WEB-INF/config/opencms-system.xml configuration file.

A minimal configuration looks like this:

<two-factor-authentication>
    <enabled>true</enabled>
    <secret>secretpassword123!</secret>
    <issuer>My OpenCms installation</issuer>
</two-factor-authentication>

The configuration must be placed directly after the closing tag of the <loginmanager> element, as its following sibling:

<loginmanager>
...
</loginmanager>
<two-factor-authentication>
...
</two-factor-authentication>

The <issuer> element contains the name of the OpenCms installation as it will appear in the workplace user's authenticator app. Because the <secret> password is used for user data encryption, it should only be changed with caution: if the password is changed, all workplace users have to reinitialize their two-factor login.

A restart of OpenCms is required in order to make the configuration active.

If two-factor authentication is configured as explained above, a QR code appears for each workplace user when they log in for the first time. The user must scan the QR code with their authenticator app. After a successful scan, the user's device is linked to this OpenCms installation.

Two-factor authentication initial dialog

For all subsequent logins, only one input field appears, in which the workplace user must enter a verification code. The workplace user obtains this verification code from their authenticator app.

Two-factor authentication login dialog

To reset a user's two-factor login, a corresponding checkbox is available in the authentication tab of the edit user dialog in the OpenCms accounts app. A reset can only be triggered by an OpenCms user administrator.

Two-factor authentication reset dialog

Two-factor authentication can also be activated for selected users only. Whole organizational units, groups or users can be included or excluded as shown below:

<two-factor-authentication>
    <enabled>true</enabled>
    <secret>secretpassword123!</secret>
    <issuer>My OpenCms installation</issuer>
    <include-users>
        <group>ABC</group>
        <orgunit>DEF</orgunit>
        <pattern>.*ABCDE.*</pattern>
    </include-users>
    <exclude-users>
        <group>GHI</group>
        <orgunit>JKL</orgunit>
        <pattern>.*QRSTU.*</pattern>
    </exclude-users>
</two-factor-authentication>

The <group>, <orgunit>, and <pattern> elements may appear 0 to n times. The <pattern> element matches account names. If no <include-users> element is defined, two-factor authentication is activated for all users except the ones defined in <exclude-users>.
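
To review which accounts a selective configuration actually covers, the include/exclude rule above can be modelled offline. The following Python sketch is an added example, not OpenCms code. It assumes that an exclude match overrides an include match, that groups and organizational units are compared by exact name, and that <pattern> must match the whole account name (Python's re module standing in for Java regular expressions). The function names requires_2fa and audit are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

DOC_SAMPLE_SECRET = "secretpassword123!"  # sample value printed on this page

# Constructed sample: same values as the selective configuration above, compacted.
SAMPLE_CONFIG = """
<two-factor-authentication>
  <enabled>true</enabled>
  <secret>secretpassword123!</secret>
  <issuer>My OpenCms installation</issuer>
  <include-users><group>ABC</group><orgunit>DEF</orgunit><pattern>.*ABCDE.*</pattern></include-users>
  <exclude-users><group>GHI</group><orgunit>JKL</orgunit><pattern>.*QRSTU.*</pattern></exclude-users>
</two-factor-authentication>
"""

def _matches(rules, name, groups, orgunit):
    """True if the account matches any <group>, <orgunit> or <pattern> rule."""
    if rules is None:
        return False
    return (any(g.text in groups for g in rules.findall("group"))
            or any(o.text == orgunit for o in rules.findall("orgunit"))
            or any(re.fullmatch(p.text or "", name) for p in rules.findall("pattern")))

def requires_2fa(config_xml, name, groups=(), orgunit=""):
    """Model of the documented include/exclude rule for one account."""
    cfg = ET.fromstring(config_xml)
    if (cfg.findtext("enabled") or "").strip().lower() != "true":
        return False
    include = cfg.find("include-users")
    # Documented: without <include-users>, every user is in scope unless excluded.
    included = include is None or _matches(include, name, groups, orgunit)
    # Assumption: an exclude match overrides an include match.
    return included and not _matches(cfg.find("exclude-users"), name, groups, orgunit)

def audit(config_xml):
    """Return the findings a reviewer would raise about the configuration block."""
    cfg = ET.fromstring(config_xml)
    findings = []
    if (cfg.findtext("enabled") or "").strip().lower() != "true":
        findings.append("two-factor authentication is disabled")
    if (cfg.findtext("secret") or "").strip() in ("", DOC_SAMPLE_SECRET):
        findings.append("secret is empty or still the documentation sample value")
    if cfg.find("include-users") is not None:
        findings.append("include-users present: accounts outside it log in without 2FA")
    return findings
```

Running requires_2fa over an export of the account list shows which administrators would still log in with a password alone before the configuration is deployed.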