Assisted Login Profiles

Assisted Login Profiles define the rules and participants for approver-based authentication workflows. An approver validates the identity of a requesting user before granting access. Mideye Server supports two profile types: Normal (LDAP-backed) and Federation (identity-provider-backed).

Navigate to Server Settings → Assisted Login Profiles to manage profiles.

The list view displays all configured assisted login profiles in a sortable data grid.

| Column | Description |
|--------|-------------|
| Profile name | Unique name identifying the profile. Default sort column (ascending). |
| Federation | Boolean indicator — checked if the profile is a federation profile. |
| Action | Edit and Delete buttons (visible to administrators only). |

Click the Settings button to choose between:

  • Add a Normal Profile — creates a profile backed by LDAP directory groups.
  • Add a Federation Profile — creates a profile backed by an external identity provider (e.g., Entra ID).

The profile type determines which tabs and fields appear in the editor.

The editor uses a tabbed form. Normal profiles display four tabs; federation profiles display three (the Additional Challenges tab is hidden).

| Field | Description | Default |
|-------|-------------|---------|
| Profile name | Unique identifier. Validated asynchronously against existing names. Max 255 characters. | — |
| Notification attribute | LDAP attribute used to identify the user in notifications. Max 100 characters. | displayName |
| Session timeout | Maximum session duration in seconds. | 120 |
| Idle timeout | Inactivity timeout in seconds before the session expires. | 96 |
| Groups matching part in CN | When enabled, allows partial matching of group common names. | Disabled |

| Field | Description | Default |
|-------|-------------|---------|
| Profile name | Unique identifier. Same validation as normal profiles. | — |
| Resource | Federation resource identifier (e.g., application URI). | — |

Defines who is authorized to approve authentication requests.

  • Approver Id attribute — a multi-tag input specifying which LDAP attributes identify an approver. Default tags: sAMAccountName, mobile, userPrincipalName, mobilePhone, mail, uid. At least one attribute is required.
  • Require Manager — when enabled, the approver must be the requesting user's manager in the directory.
  • Approver Groups — a dynamic list of group names. For federation profiles, specify groups using the full Distinguished Name.
  • Approver Identities — a dynamic list of individual approver identifiers. For federation profiles, use userPrincipalName. The value root is explicitly blocked.

Defines which users may request assisted login through this profile.

  • User Groups — a dynamic list of LDAP group names whose members may request assisted login.
  • User Identities — a dynamic list of individual user identifiers. For federation profiles, specify users with userPrincipalName, domain, or regular expression. The value root is explicitly blocked.
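
The "Groups matching part in CN" option widens which directory groups a configured Approver Group or User Group name selects. The following is an added example, not Mideye code, for previewing that effect before enabling the option. It assumes partial matching means case-insensitive substring containment on the group's CN, which this page does not specify; the group DNs are constructed sample data and the function names are hypothetical.

```python
import re

# Constructed sample directory groups (not from any real deployment).
DIRECTORY_GROUPS = [
    "CN=Helpdesk,OU=Groups,DC=example,DC=com",
    "CN=Helpdesk-Contractors,OU=External,DC=example,DC=com",
    "CN=Former Helpdesk,OU=Archive,DC=example,DC=com",
    "CN=Finance,OU=Groups,DC=example,DC=com",
]

# Leading RDN of a DN; tolerates backslash-escaped characters such as "\,".
_LEADING_CN = re.compile(r"^\s*CN=((?:\\.|[^,\\])*)", re.IGNORECASE)


def common_name(dn):
    """Return the CN of the leading RDN, or None if the DN does not start with CN=."""
    m = _LEADING_CN.match(dn)
    if not m:
        return None
    return re.sub(r"\\(.)", r"\1", m.group(1)).strip()


def matched_groups(configured, group_dns, partial):
    """Group DNs selected by a configured name: exact CN match, or
    substring match when partial is True (assumed semantics)."""
    wanted = configured.casefold()
    hits = []
    for dn in group_dns:
        cn = common_name(dn)
        if cn is None:
            continue
        cn = cn.casefold()
        if cn == wanted or (partial and wanted in cn):
            hits.append(dn)
    return hits


def added_by_partial(configured, group_dns):
    """Groups that match only once partial CN matching is enabled."""
    exact = set(matched_groups(configured, group_dns, partial=False))
    widened = matched_groups(configured, group_dns, partial=True)
    return [dn for dn in widened if dn not in exact]


if __name__ == "__main__":
    for dn in added_by_partial("Helpdesk", DIRECTORY_GROUPS):
        print("extra group under partial matching:", dn)
```

Run it against an export of your own group DNs: under that assumption, every group it lists would gain the profile's approver or user rights once the option is enabled.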

Available for normal profiles only. Adds custom challenge questions that the user must answer during the assisted login flow.

Each challenge entry contains:

| Field | Description |
|-------|-------------|
| Question | The challenge question displayed to the user. Required, max 255 characters. |
| Title | Label for the response field. Required, max 255 characters. |

Click the add button to insert a new challenge. Each challenge includes a delete button for removal. The list is scrollable when many challenges are configured.

| Action | Required Role |
|--------|---------------|
| View profiles | Any authenticated user |
| Create, edit, or delete profiles | Administrator or above |