OpenCTI-Platform · aHenryJard · Apr 8, 2026 · Apr 2, 2026 · Apr 2, 2026 · Apr 2, 2026
diff --git a/opencti-platform/opencti-front/lang/front/de.json b/opencti-platform/opencti-front/lang/front/de.json
@@ -2509,6 +2509,7 @@
   "Live trigger": "Live-Trigger",
   "Loading current message count...": "Laden der aktuellen Nachrichtenanzahl...",
   "Local": "Lokal",
+  "Local authentication cannot be changed when authentication is managed by environment configuration": "Die lokale Authentifizierung kann nicht geändert werden, wenn die Authentifizierung über die Umgebungskonfiguration verwaltet wird",
   "Local authentication cannot be disabled when no other authentication provider is enabled": "Die lokale Authentifizierung kann nicht deaktiviert werden, wenn kein anderer Authentifizierungsanbieter aktiviert ist",
   "Local password policies": "Lokale Kennwortrichtlinien",
   "Local settings": "Lokale Einstellungen",

diff --git a/opencti-platform/opencti-front/lang/front/en.json b/opencti-platform/opencti-front/lang/front/en.json
@@ -2509,6 +2509,7 @@
   "Live trigger": "Live trigger",
   "Loading current message count...": "Loading current message count...",
   "Local": "Local",
+  "Local authentication cannot be changed when authentication is managed by environment configuration": "Local authentication cannot be changed when authentication is managed by environment configuration",
   "Local authentication cannot be disabled when no other authentication provider is enabled": "Local authentication cannot be disabled when no other authentication provider is enabled",
   "Local password policies": "Local password policies",
   "Local settings": "Local settings",

diff --git a/opencti-platform/opencti-front/lang/front/es.json b/opencti-platform/opencti-front/lang/front/es.json
@@ -1928,9 +1928,9 @@
   "Force reauthentication": "Forzar reautenticación",
   "Forecast": "Previsión",
   "Form": "Formulario",
+  "FORM": "FORMULARIO",
   "Form intakes": "Formularios de ingesta",
   "Form intakes | Ingestion | Data": "Formularios de ingesta | Ingestión | Datos",
-  "FORM": "FORMULARIO",
   "Form not found": "Formulario no encontrado",
   "Form schema in JSON format": "Esquema del formulario en formato JSON",
   "Form schema is required": "Se requiere esquema de formulario",
@@ -2509,6 +2509,7 @@
   "Live trigger": "Disparador en vivo",
   "Loading current message count...": "Cargando recuento de mensajes actual...",
   "Local": "Local",
+  "Local authentication cannot be changed when authentication is managed by environment configuration": "La autenticación local no puede modificarse cuando la autenticación se gestiona mediante la configuración del entorno",
   "Local authentication cannot be disabled when no other authentication provider is enabled": "La autenticación local no se puede deshabilitar cuando no hay otro proveedor de autenticación habilitado",
   "Local password policies": "Políticas locales de contraseñas",
   "Local settings": "Configuración local",
@@ -4841,8 +4842,8 @@
   "You see only marking definitions that can be shared (defined by the admin)": "Sólo se ven las definiciones de marcado que se pueden compartir (definidas por el administrador)",
   "You should activate EE to use this feature": "Debe activar EE para utilizar esta función",
   "You should provide a variable name": "Debe proporcionar un nombre de variable",
-  "You will be able to revert this change if needed. ": "Podrá revertir este cambio si es necesario.",
   "You were automatically logged out due to session expiration.": "Se ha cerrado automáticamente la sesión debido a la expiración de la misma.",
+  "You will be able to revert this change if needed. ": "Podrá revertir este cambio si es necesario.",
   "You will be automatically logged out at end of the timer.": "Se cerrará la sesión automáticamente al final del temporizador.",
   "You will find here the computed state.": "Aquí encontrará el estado calculado.",
   "You will find here the result in JSON format.": "Aquí encontrará el resultado en formato JSON.",
@@ -4870,4 +4871,4 @@
   "Zoom": "Zoom",
   "Zoom in": "Ampliar",
   "Zoom out": "Alejar"
-}
+}
diff --git a/opencti-platform/opencti-front/lang/front/fr.json b/opencti-platform/opencti-front/lang/front/fr.json
@@ -2509,6 +2509,7 @@
   "Live trigger": "Déclencheur live",
   "Loading current message count...": "Chargement du nombre de messages en cours...",
   "Local": "Local",
+  "Local authentication cannot be changed when authentication is managed by environment configuration": "L'authentification locale ne peut pas être modifiée lorsque l'authentification est gérée par la configuration de l'environnement",
   "Local authentication cannot be disabled when no other authentication provider is enabled": "L'authentification locale ne peut pas être désactivée lorsqu'aucun autre fournisseur d'authentification n'est activé",
   "Local password policies": "Politiques locales en matière de mots de passe",
   "Local settings": "Paramètres locaux",

diff --git a/opencti-platform/opencti-front/lang/front/it.json b/opencti-platform/opencti-front/lang/front/it.json
@@ -2509,6 +2509,7 @@
   "Live trigger": "Trigger live",
   "Loading current message count...": "Caricamento del numero di messaggi attuali...",
   "Local": "Locale",
+  "Local authentication cannot be changed when authentication is managed by environment configuration": "L'autenticazione locale non può essere modificata quando l'autenticazione è gestita dalla configurazione dell'ambiente",
   "Local authentication cannot be disabled when no other authentication provider is enabled": "L'autenticazione locale non può essere disabilitata se nessun altro provider di autenticazione è abilitato",
   "Local password policies": "Politiche locali sulla password",
   "Local settings": "Impostazioni locali",

diff --git a/opencti-platform/opencti-front/lang/front/ja.json b/opencti-platform/opencti-front/lang/front/ja.json
@@ -2144,6 +2144,7 @@
   "If you want to keep the associated information, we recommend deactivating the user instead.": "関連情報を保持したい場合は、代わりにユーザーを非アクティブ化することをお勧めします。",
   "If your email address is found, an email will be sent to you.": "あなたのメールアドレスが見つかった場合、Eメールが送信されます。",
   "if your service account has been created originally as a service account (not transformed), please also change the email of your service account before/after transforming it to a user to ensure that the future user will be able to receive an email in the forgot password workflow.": "サービスアカウントが元々サービスアカウントとして作成されている（変換されていない）場合、パスワード忘れワークフローで将来のユーザーが確実にメールを受信できるように、ユーザーへの変換前/後のサービスアカウントのメールも変更してください。",
+  "Image URL": "画像URL",
   "IMEI values can only include digits, must be 15 to 16 characters": "IMEI値は数字のみで、15文字から16文字でなければなりません。",
   "Impact": "衝撃",
   "Impacted": "影響",
@@ -2508,6 +2509,7 @@
   "Live trigger": "ライブトリガー",
   "Loading current message count...": "現在のメッセージ数をロード中...",
   "Local": "ローカル",
+  "Local authentication cannot be changed when authentication is managed by environment configuration": "認証が環境設定で管理されている場合、ローカル認証は変更できない",
   "Local authentication cannot be disabled when no other authentication provider is enabled": "他の認証プロバイダーが有効になっていない場合、ローカル認証を無効にすることはできません",
   "Local password policies": "ローカルパスワードポリシー",
   "Local settings": "ローカル設定",

diff --git a/opencti-platform/opencti-front/lang/front/ko.json b/opencti-platform/opencti-front/lang/front/ko.json
@@ -2509,6 +2509,7 @@
   "Live trigger": "실시간 트리거",
   "Loading current message count...": "현재 메시지 수 로드 중...",
   "Local": "로컬",
+  "Local authentication cannot be changed when authentication is managed by environment configuration": "환경 구성으로 인증이 관리되는 경우 로컬 인증을 변경할 수 없습니다",
   "Local authentication cannot be disabled when no other authentication provider is enabled": "다른 인증 공급자가 활성화되어 있지 않으면 로컬 인증을 비활성화할 수 없습니다",
   "Local password policies": "로컬 비밀번호 정책",
   "Local settings": "로컬 설정",

diff --git a/opencti-platform/opencti-front/lang/front/ru.json b/opencti-platform/opencti-front/lang/front/ru.json
@@ -2509,6 +2509,7 @@
   "Live trigger": "Живой триггер",
   "Loading current message count...": "Загрузка текущего количества сообщений...",
   "Local": "Локальный",
+  "Local authentication cannot be changed when authentication is managed by environment configuration": "Локальная аутентификация не может быть изменена, если аутентификация управляется конфигурацией среды",
   "Local authentication cannot be disabled when no other authentication provider is enabled": "Локальная аутентификация не может быть отключена, если не включен другой провайдер аутентификации",
   "Local password policies": "Локальные политики паролей",
   "Local settings": "Локальные настройки",

diff --git a/opencti-platform/opencti-front/lang/front/zh.json b/opencti-platform/opencti-front/lang/front/zh.json
@@ -2509,6 +2509,7 @@
   "Live trigger": "实时触发器",
   "Loading current message count...": "正在加载当前信息数...",
   "Local": "本地",
+  "Local authentication cannot be changed when authentication is managed by environment configuration": "当身份验证由环境配置管理时，无法更改本地身份验证",
   "Local authentication cannot be disabled when no other authentication provider is enabled": "当未启用其他身份验证提供程序时，无法禁用本地身份验证",
   "Local password policies": "本地密码策略",
   "Local settings": "本地设置",

diff --git a/...tform/opencti-front/src/private/components/settings/sso_definitions/LocalStrategyForm.tsx b/...tform/opencti-front/src/private/components/settings/sso_definitions/LocalStrategyForm.tsx
@@ -42,6 +42,7 @@ const localStrategyFormQuery = graphql`
         enabled
       }
       platform_https_enabled
+      is_authentication_by_env
     }
   }
 `;
@@ -86,6 +87,7 @@ const LocalStrategyForm = ({ onCancel }: LocalStrategyFormProps) => {
   const theme = useTheme<Theme>();
   const data = useLazyLoadQuery<LocalStrategyFormQuery>(localStrategyFormQuery, {});
   const settings = data.settings;
+  const isConfigurationFromEnv = settings.is_authentication_by_env ?? false;
 
   const [commitMutation] = useApiMutation<LocalStrategyFormMutation>(
     localStrategyFormMutation,
@@ -159,8 +161,13 @@ const LocalStrategyForm = ({ onCancel }: LocalStrategyFormProps) => {
               type="checkbox"
               name="enabled"
               label={t_i18n('Enable local authentication')}
-              disabled={!canDisableLocal && initialValues.enabled}
+              disabled={isConfigurationFromEnv || (!canDisableLocal && initialValues.enabled)}
             />
+            {isConfigurationFromEnv && (
+              <Tooltip title={t_i18n('Local authentication cannot be changed when authentication is managed by environment configuration')}>
+                <InfoOutlined fontSize="small" color="primary" sx={{ ml: 1, cursor: 'default' }} />
+              </Tooltip>
+            )}
             {!canDisableLocal && initialValues.enabled && (
               <Tooltip title={t_i18n('Local authentication cannot be disabled when no other authentication provider is enabled')}>
                 <InfoOutlined fontSize="small" color="primary" sx={{ ml: 1, cursor: 'default' }} />

diff --git a/...platform/opencti-front/src/private/components/settings/sso_definitions/SSODefinitions.tsx b/...platform/opencti-front/src/private/components/settings/sso_definitions/SSODefinitions.tsx
@@ -326,24 +326,28 @@ const SSODefinitions = () => {
         { label: t_i18n('Authentications'), current: true }]}
       />
       {settings.is_authentication_by_env && (
-        <Alert severity="error" variant="outlined" sx={{ mt: 2 }}>
-          <AlertTitle>{t_i18n('Deprecated — Authentication management is disabled by environment configuration')}</AlertTitle>
-          <Typography variant="body1" sx={{ mb: 2 }}>
-            {t_i18n('Your platform is running with the legacy authentication configuration defined through environment variables. This safeguard was enabled in your configuration because the authentication migration to the new v7 model encountered issues that needed to be resolved first.')}
-          </Typography>
-          <Typography variant="body1" sx={{ mb: 2 }}>
-            <strong>{t_i18n('This compatibility mode is deprecated and will be permanently removed in the next major version of OpenCTI.')}</strong>{' '}
-            {t_i18n('Once removed, the platform will no longer be able to start with this configuration, and authentication providers will have to be properly migrated.')}
-          </Typography>
-          <Typography variant="body1" sx={{ mb: 2 }}>
-            {t_i18n('While this safeguard is active, authentication providers cannot be managed from this interface. The platform continues to operate with the previous environment-based implementation.')}
-          </Typography>
-          <Typography variant="body1">
-            {t_i18n('To resolve this situation before the next version, please')}{' '}
-            <a href="https://filigran.io/contact/" target="_blank" rel="noreferrer">{t_i18n('contact the Filigran team')}</a>{' '}
-            {t_i18n('so they can assist you with the migration process.')}
-          </Typography>
-        </Alert>
+        <>
+          <AuthenticationGlobalSettings />
+          <SSOSingletonStrategies />
+          <Alert severity="error" variant="outlined" sx={{ mt: 2 }}>
+            <AlertTitle>{t_i18n('Deprecated — Authentication management is disabled by environment configuration')}</AlertTitle>
+            <Typography variant="body1" sx={{ mb: 2 }}>
+              {t_i18n('Your platform is running with the legacy authentication configuration defined through environment variables. This safeguard was enabled in your configuration because the authentication migration to the new v7 model encountered issues that needed to be resolved first.')}
+            </Typography>
+            <Typography variant="body1" sx={{ mb: 2 }}>
+              <strong>{t_i18n('This compatibility mode is deprecated and will be permanently removed in the next major version of OpenCTI.')}</strong>{' '}
+              {t_i18n('Once removed, the platform will no longer be able to start with this configuration, and authentication providers will have to be properly migrated.')}
+            </Typography>
+            <Typography variant="body1" sx={{ mb: 2 }}>
+              {t_i18n('While this safeguard is active, authentication providers cannot be managed from this interface. The platform continues to operate with the previous environment-based implementation.')}
+            </Typography>
+            <Typography variant="body1">
+              {t_i18n('To resolve this situation before the next version, please')}{' '}
+              <a href="https://filigran.io/contact/" target="_blank" rel="noreferrer">{t_i18n('contact the Filigran team')}</a>{' '}
+              {t_i18n('so they can assist you with the migration process.')}
+            </Typography>
+          </Alert>
+        </>
       )}
       {!settings.is_authentication_by_env && (
         <>

diff --git a/opencti-platform/opencti-graphql/src/domain/setting-auth.ts b/opencti-platform/opencti-graphql/src/domain/setting-auth.ts
@@ -0,0 +1,104 @@
+// -- Built-in authentication strategy settings --
+// These mutations update the Settings entity AND trigger live re-registration
+// of the corresponding authentication provider.
+
+import { patchAttribute } from '../database/middleware';
+import { publishUserAction } from '../listener/UserActionListener';
+import { CERT_PROVIDER } from '../modules/authenticationProvider/provider-cert';
+import { HEADERS_PROVIDER } from '../modules/authenticationProvider/provider-headers';
+import { LOCAL_PROVIDER } from '../modules/authenticationProvider/provider-local';
+import {
+  AuthType,
+  CERT_STRATEGY_IDENTIFIER,
+  EnvStrategyType,
+  HEADERS_STRATEGY_IDENTIFIER,
+  isLocalAuthForcedEnabledFromEnv,
+  LOCAL_STRATEGY_IDENTIFIER,
+  PROVIDERS,
+} from '../modules/authenticationProvider/providers-configuration';
+import { ENTITY_TYPE_SETTINGS } from '../schema/internalObject';
+import type { BasicStoreSettings } from '../types/settings';
+import type { AuthContext, AuthUser } from '../types/user';
+import { notify } from '../database/redis';
+import { BUS_TOPICS } from '../config/conf';
+import type { CertAuthConfigInput, HeadersAuthConfigInput, LocalAuthConfigInput } from '../generated/graphql';
+
+export const buildAvailableProviders = async (platformSettings: BasicStoreSettings) => {
+  const availableProviders = [...PROVIDERS];
+  if (platformSettings.local_auth?.enabled || isLocalAuthForcedEnabledFromEnv()) {
+    availableProviders.push({
+      name: platformSettings.local_auth?.button_label_override || 'local',
+      type: AuthType.AUTH_FORM,
+      strategy: EnvStrategyType.STRATEGY_LOCAL,
+      provider: LOCAL_PROVIDER?.provider ?? LOCAL_STRATEGY_IDENTIFIER,
+    });
+  }
+  if (platformSettings.cert_auth?.enabled) {
+    availableProviders.push({
+      name: platformSettings.cert_auth?.button_label_override || 'cert',
+      type: AuthType.AUTH_SSO,
+      strategy: EnvStrategyType.STRATEGY_CERT,
+      provider: CERT_PROVIDER?.provider ?? CERT_STRATEGY_IDENTIFIER,
+    });
+  }
+  if (platformSettings.headers_auth?.enabled) {
+    availableProviders.push({
+      name: platformSettings.headers_auth?.button_label_override || 'headers',
+      type: AuthType.AUTH_SSO,
+      strategy: EnvStrategyType.STRATEGY_HEADER,
+      provider: HEADERS_PROVIDER?.provider ?? HEADERS_STRATEGY_IDENTIFIER,
+    });
+  }
+  return availableProviders;
+};
+
+export const updateLocalAuth = async (context: AuthContext, user: AuthUser, settingsId: string, input: LocalAuthConfigInput) => {
+  const patch = {
+    local_auth: { enabled: input.enabled },
+    ...(input.password_policy_min_length !== undefined && { password_policy_min_length: input.password_policy_min_length }),
+    ...(input.password_policy_max_length !== undefined && { password_policy_max_length: input.password_policy_max_length }),
+    ...(input.password_policy_min_symbols !== undefined && { password_policy_min_symbols: input.password_policy_min_symbols }),
+    ...(input.password_policy_min_numbers !== undefined && { password_policy_min_numbers: input.password_policy_min_numbers }),
+    ...(input.password_policy_min_words !== undefined && { password_policy_min_words: input.password_policy_min_words }),
+    ...(input.password_policy_min_lowercase !== undefined && { password_policy_min_lowercase: input.password_policy_min_lowercase }),
+    ...(input.password_policy_min_uppercase !== undefined && { password_policy_min_uppercase: input.password_policy_min_uppercase }),
+  };
+  const { element } = await patchAttribute(context, user, settingsId, ENTITY_TYPE_SETTINGS, patch);
+  await publishUserAction({
+    user,
+    event_type: 'mutation',
+    event_scope: 'update',
+    event_access: 'administration',
+    message: 'updates `local authentication settings` for `platform settings`',
+    context_data: { id: settingsId, entity_type: ENTITY_TYPE_SETTINGS, input: patch },
+  });
+  return notify(BUS_TOPICS[ENTITY_TYPE_SETTINGS].EDIT_TOPIC, element, user);
+};
+
+export const updateCertAuth = async (context: AuthContext, user: AuthUser, settingsId: string, input: CertAuthConfigInput) => {
+  const patch = { cert_auth: input };
+  const { element } = await patchAttribute(context, user, settingsId, ENTITY_TYPE_SETTINGS, patch);
+  await publishUserAction({
+    user,
+    event_type: 'mutation',
+    event_scope: 'update',
+    event_access: 'administration',
+    message: 'updates `cert authentication settings` for `platform settings`',
+    context_data: { id: settingsId, entity_type: ENTITY_TYPE_SETTINGS, input: patch },
+  });
+  return notify(BUS_TOPICS[ENTITY_TYPE_SETTINGS].EDIT_TOPIC, element, user);
+};
+
+export const updateHeaderAuth = async (context: AuthContext, user: AuthUser, settingsId: string, input: HeadersAuthConfigInput) => {
+  const patch = { headers_auth: input };
+  const { element } = await patchAttribute(context, user, settingsId, ENTITY_TYPE_SETTINGS, patch);
+  await publishUserAction({
+    user,
+    event_type: 'mutation',
+    event_scope: 'update',
+    event_access: 'administration',
+    message: 'updates `header authentication settings` for `platform settings`',
+    context_data: { id: settingsId, entity_type: ENTITY_TYPE_SETTINGS, input: patch },
+  });
+  return notify(BUS_TOPICS[ENTITY_TYPE_SETTINGS].EDIT_TOPIC, element, user);
+};