|Table of Contents|
What is External Authentication?
External Authentication allows your server's users to log in to WHM, cPanel, or Webmail through OpenID Connect-compliant identity providers.
cPanelID and WHMCS External Authentication identity provider modules are available by default in cPanel & WHM version 54 and later. Additional modules for Facebook, Google, and Amazon are available as sample modules to allow service providers to develop their own.
What is OpenID Connect?
OpenID Connect is a identity standard that overlays the OAuth 2.0 standard that Google, Microsoft, PayPal, and other major online companies and organizations back. cPanelID is based on this standard.
To learn more about OpenID Connect, read OpenID Connect's website.
What can I use External Authentication for?
You can use External Authentication for the following needs:
- Users need to remember fewer username and password combinations. If you link your cPanelID to your server's cPanel, WHM, or Webmail account, you only need to remember your cPanelID username and password to access your server and services.
- External Authentication allows better integration between cPanel & WHM and other systems, such as third-party applications and Customer Relationship Management systems (CRM). For example, as we integrate the systems, purchases and installation of products and licenses through the cPanel Store will be much smoother with a cPanelID.
- Hosting and service providers can create an External Authentication identity provider module that connects their identity provider system to their customers' cPanel & WHM servers. This would allow customers and system administrators to log in to their server through the provider's portal. This also allows service providers to manage their own access credentials to their customer servers. Theoretically, service providers do not need to worry about the security of access hashes, API tokens, or passwords on servers. The provider could reset the credentials in the event of a security incident.
What is cPanelID?
cPanelID uses the same username and password that the cPanel Tickets System, the Manage2 billing system, and the cPanel Store use. It uses OpenID standards to allow cross-platform authentication and logins.
How do I get a cPanelID?
All owners of cPanel & WHM licenses already have a cPanelID. Resellers, cPanel accounts, and cPanel account users who have not used any of those three systems will need to register to obtain a cPanelID.
Use either of the following methods to obtain a cPanelID:
- In the cPanel, WHM, or Webmail login interface, click Log in Via cPanelID and then click the Register link.
- Navigate to the cPanel Tickets System Registration page and enter your email address. The system will email a confirmation link to that address.
How do I link my cPanelID to my cPanel, WHM, or Webmail account?
Use either of the following methods to link your cPanelID to your cPanel, WHM, or Webmail account:
- On the cPanel, WHM, or Webmail login interface, click Log In Via cPanelID and follow the instructions.
- Use cPanel's Password & Security interface (Home >> Preferences >> Password & Security).
How much does a cPanelID cost?
Nothing. In fact, in future versions of cPanel & WHM, cPanelID may to reduce your overall costs because customers will be able to use it to buy discounted SSL certificates, and resellers may earn sales commission credit for those certificate purchases. Also, you can reduce support costs because our goal is to integrate the purchase and installation process to reduce opportunity for error.
Do I need to use SSL to log in to cPanel, WHM, or Webmail with a cPanel ID?
To use an external authentication method, you must access your WHM, cPanel, and Webmail accounts via an SSL connection. If you do not access your accounts via an SSL connection, the Log in via cPanelID option will not display on your accounts' Login interfaces.
For more information, read our How to Configure Your Firewall for cPanel Services documentation.
Is it a security risk to link your root account to a third-party authentication service?
We realize that every time you add an authentication method to your server, you enlarge the surface attack for logins and increase security risks. We strongly encourage you to look through all of your server's services and plan out your security needs and authentication scheme, and that you do not enable and allow authentication methods or features that are not absolutely necessary for you or your customers.
You can enable and disable external authentication identity providers with WHM's Manage External Authentications interface (Home >> Security Center >> Manage External Authentications).
We also encourage you to create wheel users for SSH, reseller accounts, and other necessary accounts to reduce the amount of direct intervention necessary by the root
user to perform routine maintenance, administration, and reseller tasks on your server.
I don't want to link my root account to cPanelID, but I still want to earn revenue from certificates through cPanel Store.
A customer's reseller earns the referral fee for certificates that a customer buys through the cPanel Store. If you do not wish to connect your root user to cPanelID, then you must transfer those customers to a reseller (or root-enabled reseller).
- Use WHM's Create a New Account interface (Home >> Account Functions >> Create a New Account) to create the account (and select the Make the account a reseller option).
- Use WHM's Edit Reseller Nameservers and Privileges interface (Home >> Resellers >> Edit Reseller Nameservers and Privileges) to set the appropriate permissions for the new reseller.
- Use WHM's Reseller Center interface (Home >> Resellers >> Reseller Center) to transfer customers to the reseller account.
- Be aware of reseller resources when you transfer accounts between resellers, such as shared IP addresses, nameservers, packages unique to resellers, etc.
Is cPanelID required to use cPanel & WHM?
Technically, no. In fact, you can disable the cPanelID External Authentication identity provider in WHM's Manage External Authentications interface (Home >> Security Center >> Manage External Authentications).
You can continue to log in to your server, purchase and install SSL certificates, and perform all existing administrative and user tasks through the existing functions. Also, you can purchase SSL certificates through cPanel's SSL TLS Wizard interface (Home >> SSL/TLS >> SSL/TLS Wizard) with the cPanelID's username and password without the need to link it to your server's cPanel account.
We realize that all of our customers do not universally desire this feature. However, it is extremely useful for those customers who have requested it. Server owners who do not need or want this feature can disable it easily, just as you can disable most features in cPanel & WHM that you do not wish to use (for example, you can disable your FTP server and require that your customers use SFTP or the secure Web Disk feature).
We strongly encourage you to consider your security needs before you enable and use any feature in cPanel & WHM.
What if I lose my cPanelID password?
Navigate to the cPanel Tickets System Registration page and enter your email address. The system will email a password reset link to that address.
Does Two-Factor Authentication (2FA) work with External Authentication?
Yes. If your cPanel, WHM, or Webmail account requires 2FA to log in, your server will ask you for your one-time code after you authenticate your External Authentication account.
If you link to an external account through an identity provider that has 2FA enabled, you must also authenticate through that provider in addition to any 2FA that you configure on your server.
For security reasons, we strongly encourage you to consider the use of 2FA with any and all accounts that offer it.
Will cPanel, Inc. protect my privacy when I use cPanelID?
Yes, cPanel, Inc. follows the security guidelines that the webhosting industry generally accepts.
Like the owner of every responsible third-party identity provider, cPanel, Inc. uses a very strong encryption hash and monitors activity on its externally-facing systems.
In the rare event of a security breach, we have processes to investigate the nature of the breach and help re-establish the security of the affected systems.