Login Methods

Universal Controller provides a Login Method option at the user account level that allows you to select the following login methods:

Standard
Single Sign-On
Standard/Authenticator App (TOTP)

You can select multiple Login Methods; however, you can select only one of Standard or Standard/Authenticator App (TOTP).

The default login method for a user depends on the user account type.

Account Type	Login Method
Local User Account	Local user accounts, by default, are designated with the Standard login method. Any user account created prior to Universal Controller 6.4.6.0 is, by default, designated with the Standard login method; for example, after applying maintenance, or after importing users from an earlier release. Any attempt by a user to use the Standard login for an account that is not designated to use Standard login method will receive the following error: Username and/or password invalid.
LDAP-Provisioned User Account	Any user provisioned through LDAP synchronization will be designated, by default, with the login method(s) configured in the LDAP Settings. The designation of the login method only applies at user creation time.
Single Sign-On-Provisioned User Account	Any user provisioned through SAML Single Sign-On will be designated, by default, with the Single Sign-On login method only. The designation of the login method only applies at user creation time.

Note

The local administrator account, ops.admin, is configured to allow only the Standard login method. Modification of the ops.admin account Login Method is not permitted.

For additional details on login method enforcement, see Single Sign-On Troubleshooting.

Standard Login

The Universal Automation Center Login page displays automatically when you bring up the Universal Controller system and browse to its URL.

The Standard login URL is:

http(s)://<server:port>/uc/login.jsp (or simply, http(s)://<server:port>/uc/).

All Local account and AD/LDAP-authenticated accounts authenticate through this standard login URL.

User Name	The default login User name is ops.admin.
Password	For your initial login to the Controller, no password is required; the Controller prompts you to create a password.

Changing Your Password

Note

Changing your password is not applicable to users that log in using LDAP authentication.

To change your password at any time after you have logged in:

Step 1	On the User task bar, click the User Actions drop-down list arrow to display a menu of user actions.
Step 2	Click Change Password. The Change Password dialog pops up.
Step 3	Enter your Current Password and a New Password, and reenter your new password in Confirm New Password.
Step 4	Click the Change Password button.

Note

If any Password Settings have been defined for user passwords, the hint for the New Password and Confirm New Password fields, as well as the information icon pop-up for either field, will display those settings.

For example:

Password Expiration

Note

Password expiration is not applicable to users that log in using LDAP authentication.

If the Password Expiration Enabled field in Password Settings has been enabled, and you reach the maximum number of days that a user password can remain unchanged, as specified by the Password Expiration in Days field in Password Settings, the following dialog displays when you enter your password on the Standard Login page:

Note

Below the Change Password button, the Change Password dialog will displays any characteristics and restrictions defined in Password Settings.

For example:

You must enter a new password, one that is different than your currently expired password. (To maintain a high level of security, you should never use a password that you have used before.)

In Current Password, enter your password that has just expired.
In New Password and Confirm New Password, enter a new, previously unused password.
Click Change Password.

If you try to enter your currently expired password as your new password, the following error message displays on the Password Expired dialog:

Your new password cannot be the same as your current password.

Single Sign-On Login

For information on Single Sign-On Login method and the Single Sign-On Login URL, see Single Sign-On Login on the Single Sign-On Settings page.

Standard/Authenticator App (TOTP)

Universal Controller supports the use of an Authenticator App for standard login accounts.

A user configured for Standard / Authenticator App (TOTP) as a Login Method must setup their Universal Controller account in their authenticator app during their initial login.

During the initial login, an enrollment page will be presented to the user assuming they authenticated successfully using their username and password:

You can switch to setup manually by clicking the Click to setup manually button:

Next, the user will be prompted to enter their Time-based one-time password (TOTP) to login to the controller:

After the initial enrollment, you will only have to enter the Time-based one-time password (TOTP) after authenticated successfully using your username and password.

The Issuer, which the authenticator app uses for identifying the account in the app, will appear as [System Identifier@]uc.stonebranch.com.

Once a user has successfully logged into the application using their Authenticator App two-factor authentication, a TOTP code will not be required to restore an expired session from the Session Expired login prompt.

User Lockout

If the Lock Account After Maximum Login Attempts field in Password Settings has been enabled, and you reach the maximum number of successive login attempts that is allowed, as specified by the Maximum Failed Login Attempts field in Password Settings, your user account in Universal Controller will be locked.

(Whenever Lock Account After Maximum Login Attempts is reset from enabled to disabled, the current number of login attempts for all users is reset to 0.)

If you attempt to log in to a locked account, the following message displays:

User account <Username> is locked. Please check with your administrator."

To unlock a locked account, your Controller system administrator must uncheck the Locked out field ion the User Details for that user account.

User Restriction

You can be restricted from logging in to the Universal Controller user interface either of two ways:

The system level default for web browser access, specified by the System Default Web Browser Access Universal Controller system property, has been set to No, and the Web Browser access field in the User Details for your user account is set to -- System Default --."
The Web Browser access field is set to No, which overrides the System Default Web Browser Access value (Yes or No).

If either restriction is in place, the following error message will display when you enter your user name at the User name prompt:

User <Username> not permitted to login through the web browser. Please check with your administrator.

To remove the restriction, the system administrator must either:

Set the System Default Web Browser Access property to Yes and set the Web Browser access field in the User Details for your user account to -- System Default --.
Set the Web Browser access field in the User Details for your user account to Yes.

License Expiration

If you log in to the Controller and your Controller license is about to expire within one week, the following informational message displays in the Console:

Universal Controller license for node <node_id> will expire in N days. 
 
Please contact Stonebranch customer support to avoid service interruption.

If you log in to the Controller and your Controller license already has expired, the following error message displays in the Console:

Universal Controller license for node <node_id> has expired and the Controller has been suspended.
 
Licensed Number of Days: N
Actual Number of Days: N 
 
Please contact Stonebranch customer support to restore services.

In each case, the Console will remain open until you manually close it.

Additionally, if you have configured the Controller for System Notifications, system notifications are sent when the Controller license will expire in seven days and if the license already has expired.

Note

If your license expires, you will not be able to run any tasks.

Login Disclaimer

The Login Disclaimer Universal Controller system property lets you define multi-lines of free-form text that will display at the bottom of the Universal Automation Center Login page when you attempt to login.

Note

HTML is not permitted and will be escaped accordingly.

For example:

Login Notification

The Login Notification Universal Controller system property lets you define a message that displays in the Console when you login to the Controller.

Show Last Login

If the Show Last Login Universal Controller system property = true, the last login time is shown in the console when logging into the user interface. The format of the message is as follows.

Last login for <user-name> at <login-time> from <login-source> @ <login-ipaddr>.

For example,

Last login for john.doe at 2022-11-23 12:24:18 -0500 from User Interface @ 127.0.0.1.

Last login for john.doe at 2022-11-23 12:24:18 -0500 from Web Service @ 127.0.0.1.

Last login for john.doe at 2022-11-23 12:24:18 -0500 from Command Line.

Logging Out

To log out of your Universal Controller session:

Step 1	On the User Task Bar, click the User Actions drop-down list arrow to display a menu of user actions.
Step 2	Click Logout. You are logged out of this session, and the Universal Automation Center Login page displays.

Exiting without Logging Out

As a best practice, we recommend that you always end your Universal Controller session by logging out before closing the browser or navigating away from the user interface.

If you attempt to close the browser or navigate away from the user interface before logging out, and the Confirm Exit Universal Controller system property is set to true, the following pop-up dialog displays:

Note

This dialog may differ from browser to browser.

SAML Single Logout

For information on SAML Single Logout, see Single Logout in Single Sign-On Settings.

Log File and Audits

All user login and logout activity, whether via the user interface or a Universal Controller remote interface, is logged and audited (as a single audit type: User Login).

Log File Messages

Log file messages for login activity are in the following format:

timestamp (internal) login activity <user=user name, ipaddr=IP address>

For example:

2015-04-16-11:16:26:391 -0400   INFO [http-bio-8080-exec-5] Login OK <user=ops.admin, ipaddr=192.55.44.123>
2015-04-16-11:17:20:208 -0400   INFO [http-bio-8080-exec-10] Login Failed <user=ops.admin, ipaddr=192.55.44.123>
2015-04-16-11:16:57:442 -0400   INFO [http-bio-8080-exec-11] Logout OK <user=ops.admin, ipaddr=192.55.44.123>

Audit Messages

Audit messages for login activity are in the following format:

login activity <user=user name, ipaddr=IP address>

For example:

LOGIN <user=stonebranch-user-01, ipaddr=192.55.44.123>

Note

The IP Address of the user is not logged or audited for login activity via the Command Line Interface (CLI).

User Sessions

Note

This action requires the ops_admin role or the ops_user_admin role.

To display a list of currently authenticated user sessions (logged in users):

Step 1	On the User task bar, click the User Actions drop-down list arrow to display a menu of user actions.
Step 2	Click User Sessions to display the User Sessions list of currently authenticated user sessions.

For each logged in the user, the User Sessions list provides the following columns of information:

Column	Description
User	User Id of the user. (You can click a User Id to display the User Details for that user.)
Remote Address	Address of the machine from where the user logged in.
Creation Time	Date and time that the user initially logged in; in other words, when the user session was created.
Last Accessed Time	Last date and time that the client (browser) sent a request associated with this user session..

Note

If you have configured Tomcat for never timing out sessions or for an exceptionally long session timeout - neither of which is recommended - this can result in a large number of lingering sessions if users are not logging out of the web application prior to closing their browser. As a precaution, if the Universal Controller detects more than 1,000 authenticated sessions, only those sessions with a Last Accessed Time of less than 24 hours ago will be displayed.

To view an up-to-date list of the currently logged in users, click the Refresh button; to close the list, click the Close button.

From the Users Sessions list, you also can:

Send an Email to one or more (or all) logged in users.
Expire the user session of one or more users.

Note

If the following error appears in the Console while you are using the User Sessions feature, you may need to manually configure the opswise.mbean.catalina.manager.name Universal Controller start-up property:

Universal Controller not configured for user session operations.

Send an Email to Logged In Users

From the User Sessions list, you can send an Email to:

All users on the list.
One or more users on the list.

The Controller will auto-generate the email Subject in the following format:

Message from system_identifier Universal Controller Administrator (user_id@cluster_node_id)

The Reply-To address for the email will be the email address of the sender.

An administrator must ensure that an Email Connection exists with the Use for System Notifications option enabled. The Email Address specified in the Email Connection Details will appear as the From email address.

Note

For local user accounts, each user must have assigned a valid email address.

For AD/LDAP synchronized user accounts, each synchronized user must have a valid email address mapped to their user record. (By default, this should be true.)

Send an Email to All Logged In Users

Step 1	Click the Email All button on the User Sessions list. An Email pop-up dialog displays.
Step 2	Enter a Message and click the Send button.

Send an Email to One or More Logged In Users

Step 1	Select one or more users on the User Sessions list and right-click any of the selected users. The User Sessions actions menu displays:
Step 2	Click Email to display an Email pop-up dialog.
Step 3	Enter a Message and click the Send button.

Expire User Sessions

Note

This action requires the ops_admin role or the ops_user_admin role.

To expire (log out) one or more currently authenticated user sessions (logged in users):

Step 1	Click User Sessions in the User Actions drop-down list on the User Task Bar. The User Sessions list then displays a list of currently authenticated user sessions.
Step 2	Select one or more users on the list and right-click any of the selected users. The User Sessions actions menu displays:
Step 3	Click Expire Session to expire the user sessions of the selected users. A confirmation pop-up then displays.
Step 4	Click OK to confirm that you want to expire the selected user sessions.

Browser not supported