Local Users Domain | Keyfactor Docs

A Local Users Domain stores user credentials (username and password) directly in Signum, with no external Identity Provider required. It supports all Agent types and the Admin Web Console, making it a practical choice for build servers, service accounts, and environments where IDP integration is not available.

The Local Users Domain supports only one user group. See Domains | User Groups.

Configure the Domain

In the Admin Web Console, navigate to Access > Domains and click New.
Set Domain Type to Local Users and complete the common domain options (Alias, Concurrency, User Limit). See Domains for descriptions of these fields.
Configure the password and lockout policies:

Password Policy Configuration

Setting	Description
Minimum Password Length	The minimum number of characters required for user passwords.
Require Uppercase Characters	When enabled, passwords must contain at least one uppercase letter.
Require Numeric Characters	When enabled, passwords must contain at least one number.
Require Special Characters	When enabled, passwords must contain at least one special character or symbol.
Enforce Password Expiry	When enabled, set the number of months before passwords expire and users are prompted to create a new one.

Account Lockout Policy

Setting	Description
Lockout Mode	Controls what happens after repeated failed login attempts. No lockout: Places no limit on attempts. Temporary lockout: Blocks the account for a configurable duration after a set number of failed attempts. Permanent lockout: Blocks the account indefinitely after a set number of failed attempts. Accounts that have been locked out must be reset by an Admin.
Login Attempt Limit	The number of consecutive failed login attempts before the lockout takes effect.
Temporary Lockout Duration	How long (in seconds) an account remains locked before the user can try again. Applies to Temporary lockout mode only.

Setting

Description

Lockout Mode

Controls what happens after repeated failed login attempts.

No lockout: Places no limit on attempts.
Temporary lockout: Blocks the account for a configurable duration after a set number of failed attempts.
Permanent lockout: Blocks the account indefinitely after a set number of failed attempts.

Accounts that have been locked out must be reset by an Admin.

The number of consecutive failed login attempts before the lockout takes effect.

Temporary Lockout Duration

How long (in seconds) an account remains locked before the user can try again. Applies to Temporary lockout mode only.

Click Submit to create the domain.

Manage Users

After creating the domain:

Navigate to Access > Domains and click on the Local Users domain to open it.
Go to the Users tab and click New to create a user.

Field	Description	Required
Username	The login name for this user. 1–32 characters: letters, numbers, hyphens, periods, and underscores only. Users log in as `username@domain-alias`.
Status	Defaults to Active. Set to Inactive to prevent the user from logging in without deleting the account.
Name	The user's display name.
Email	The user's email address.
Password	The initial password. Enable User is prompted to change password on next login for new accounts.

Click Submit. The user appears in the Users tab and can authenticate immediately.

User Properties

Clicking an existing user in the Users tab shows additional information:

Property	Description
Last certificate usage	The date and time of the user's most recent signing operation.
Locked out	Indicates whether the account is locked. The Signum Administrator can toggle this to unlock an account that was locked by the account lockout policy.