Nexterm supports several authentication methods that you can enable and combine to match your organisation’s security requirements. Local username/password accounts are built in and work out of the box. For centralized identity management, you can integrate an OIDC SSO provider or your LDAP/Active Directory server. Any account — whether local or federated — can be further protected with TOTP-based two-factor authentication or passkeys.
Authentication methods
Local accounts
Built-in username and password login. Always available and used for your initial admin account. Managed entirely within Nexterm.
OIDC SSO
Delegate login to an external identity provider using OpenID Connect. Supports Microsoft Entra ID, Google, Keycloak, Authentik, Authelia, and any standards-compliant IdP.
LDAP / Active Directory
Authenticate users against your LDAP server or Active Directory domain. Nexterm searches the directory, validates credentials, and keeps display names in sync.
Two-factor authentication
Add a second factor to any account with a TOTP authenticator app or a hardware/platform passkey using the WebAuthn standard.
Local accounts
When you first launch Nexterm you create a local admin account. Nexterm stores a bcrypt-hashed password for each local user. You can create additional local accounts from Settings → Users. Local accounts are always available — even when OIDC or LDAP is enabled — so you can always fall back to a direct login if your identity provider is unreachable.
Nexterm enforces that at least one authentication provider remains enabled at all times. You cannot disable the internal (local) provider unless another enabled provider exists.
OIDC single sign-on
With OIDC enabled, a Sign in with [provider name] button appears on the login screen. Clicking it redirects users to your identity provider. After a successful login, Nexterm reads the user’s claims (username, first name, last name) and either creates a new local account or updates the existing one. The user’s password is never set — Nexterm issues a random placeholder that is never exposed. You can add multiple OIDC providers simultaneously and have them all active on the login page. See OIDC setup for full instructions.
LDAP / Active Directory
LDAP authentication uses a service account to search your directory for the user, then attempts to bind with the user’s own credentials to verify the password. On success, Nexterm creates or updates the user’s local account with attributes from the directory entry. Enabling an LDAP provider disables the internal (local) provider automatically, so users go through your directory. See LDAP setup for configuration details.
Two-factor authentication
Two-factor authentication adds a second verification step after password entry:
- TOTP — a time-based one-time password generated by an authenticator app such as Google Authenticator, Authy, or 1Password.
- Passkeys (WebAuthn) — a cryptographic credential stored on your device or a hardware security key, verified without a password.
Combining methods
Nexterm’s authentication methods are designed to layer:
| Scenario | Configuration |
|---|---|
| Team using Google Workspace | Enable OIDC with Google as the provider |
| Corporate network with AD | Enable LDAP with sAMAccountName filter |
| High-security accounts | Enable TOTP or passkeys on top of any primary method |
| Multiple identity providers | Add several OIDC providers; each appears as its own login button |
| Fallback for IdP outages | Keep the internal provider enabled alongside OIDC |
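
The following is an added example, not Nexterm's own code, of the search-then-bind flow described in the LDAP section, with two checks such a flow needs: RFC 4515 escaping of the username before it enters the search filter, and refusing an empty password before the bind. `FakeDirectory`, the `{username}` placeholder syntax and the sample entries are constructed for illustration.

```python
# Added example, not Nexterm code. FakeDirectory is a constructed stand-in for an LDAP client.
import hmac
import re

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape user input for use as an LDAP filter assertion value (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(template, username):
    """Fill a template such as '(sAMAccountName={username})' (placeholder syntax is hypothetical)."""
    return template.replace("{username}", escape_filter_value(username))

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

class FakeDirectory:
    """Constructed in-memory directory: one-attribute filters with '*' wildcards, simple bind."""
    def __init__(self, entries):
        self.entries = entries  # dn -> {"sAMAccountName": ..., "password": ...}

    def search(self, filter_str):
        attr, _, pattern = filter_str[1:-1].partition("=")
        rx = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
        return [dn for dn, e in self.entries.items() if re.fullmatch(rx, e.get(attr, ""), re.I)]

    def bind(self, dn, password):
        if password == "":
            return True  # models an RFC 4513 5.1.2 "unauthenticated bind" that the server accepts
        return hmac.compare_digest(self.entries[dn]["password"].encode(), password.encode())

def authenticate(directory, template, username, password):
    """Search for the user, then bind as that entry. Returns the DN on success, else None."""
    if not username or not password:
        return None  # an empty password must never reach bind()
    matches = directory.search(build_user_filter(template, username))
    if len(matches) != 1:
        return None  # no match or an ambiguous match both fail closed
    dn = matches[0]
    return dn if directory.bind(dn, password) else None

DIRECTORY = FakeDirectory({  # constructed sample entries
    "CN=Alice Example,OU=Staff,DC=example,DC=test": {"sAMAccountName": "alice", "password": "correct horse"},
    "CN=Bob Example,OU=Staff,DC=example,DC=test": {"sAMAccountName": "bob", "password": "battery staple"},
})
TEMPLATE = "(sAMAccountName={username})"
```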