[comment]: # translation:outdated
[comment]: # ({new-3a0ed9f2})
# 5 Authentication
[comment]: # ({/new-3a0ed9f2})
[comment]: # ({new-9217fb1a})
### Overview
The *Users → Authentication* section allows to specify the
global user authentication method to Zabbix and internal password
requirements. The available methods are internal, HTTP, LDAP, and SAML
authentication.
[comment]: # ({/new-9217fb1a})
[comment]: # ({new-0e754ffa})
### Default authentication
By default, Zabbix uses internal Zabbix authentication for all users. It
is possible to change the default method to [LDAP](#ldap_authentication)
system-wide or enable LDAP authentication only for specific user groups.
To set LDAP as default authentication method for all users, navigate to
the *LDAP* tab and configure authentication parameters, then return to
the *Authentication* tab and switch *Default authentication* selector to
LDAP.
Note that the authentication method can be fine-tuned on the [user
group](/manual/config/users_and_usergroups/usergroup) level. Even if
LDAP authentication is set globally, some user groups can still be
authenticated by Zabbix. These groups must have [frontend
access](/manual/config/users_and_usergroups/usergroup#configuration) set
to Internal. Vice versa, if internal authentication is used globally,
LDAP authentication details can be specified and used for specific user
groups whose [frontend
access](/manual/config/users_and_usergroups/usergroup#configuration) is
set to LDAP. If a user is included into at least one user group with
LDAP authentication, this user will not be able to use internal
authentication method.
[HTTP](#http_authentication) and [SAML 2.0](#saml_authentication)
authentication methods can be used in addition to the default
authentication method.
[comment]: # ({/new-0e754ffa})
[comment]: # ({new-e0540532})
#### Configuration
The *Authentication* tab allows to set the default authentication method, specify a group for
deprovisioned users and set password complexity requirements for Zabbix users.
Configuration parameters:
|Parameter|Description|
|--|--------|
|*Default authentication*|Select the default authentication method for Zabbix - *Internal* or *LDAP*.|
|*Deprovisioned users group*|Specify a user group for deprovisioned users. This setting is required only for JIT provisioning, regarding users that were created in Zabbix from LDAP or SAML systems, but no longer need to be provisioned.
A disabled user group must be specified.|
|*Minimum password length*|By default, the minimum password length is set to 8. Supported range: 1-70. Note that passwords longer than 72 characters will be truncated.|
|*Password must contain*|Mark one or several checkboxes to require usage of specified characters in a password:
- an uppercase and a lowercase Latin letter
- a digit
- a special character
Hover over the question mark to see a hint with the list of characters for each option.|
|*Avoid easy-to-guess passwords*|If marked, a password will be checked against the following requirements:
- must not contain user's name, surname, or username
- must not be one of the common or context-specific passwords.
The list of common and context-specific passwords is generated automatically from the list of NCSC "Top 100k passwords", the list of SecLists "Top 1M passwords" and the list of Zabbix context-specific passwords. Internal users will not be allowed to set passwords included in this list as such passwords are considered weak due to their common use.|
Changes in password complexity requirements will not affect existing
user passwords, but if an existing user chooses to change a password,
the new password will have to meet current requirements. A hint with the
list of requirements will be displayed next to the *Password* field in
the [user profile](/manual/web_interface/user_profile) and in the [user
configuration form](/manual/config/users_and_usergroups/user) accessible
from the *Users → Users* menu.
[comment]: # ({/new-e0540532})