Skip to main content

Configure authentication


For hosted users, Contrast Security configures authentication. However, an Organization Administrator may be granted the ability to override these settings, including SSO setup.

To request this change contact Contrast Support.

By default, Contrast stores a user directory that includes user's login name, credentials and other details about application authentication. Database credentials are stored (using a one-way hash) in the internal Contrast database. You can set a password policy and two-step authentication for users in Contrast.

Alternatively, you can use an external directory for authentication, in which case, only the username is stored in the Contrast database. Contrast supports:

Any changes to the authentication settings require that you restart Contrast. To change authentication, select Authentication under system settings.


When you switch between authentication modes, be aware:

  • Any users that were created under the previous authentication mode will no longer work, unless the user's email address is the same between the new and old authentication provider.

  • After you setup your new authentication mode and restart your server, users can't login to Contrast until their accounts are added to a new or existing organization. For on-premises customers, the SuperAdmin can take care of the Organization Administrator accounts, and then each Organization Administrator is responsible for the users within that organization.


When you use an external authentication provider mode (LDAP or AD), the username field when adding a user functions as a live search that shows users in the proper group.


Since roles and permissions are managed by access groups (and not the user directory), it is best practice to create access groups before configuring authentication. You will need at least two unique access groups, one for administrators and one for users.