User authentication and authorization can be managed using an LDAP directory or Active Directory. Using a directory service makes it easier to manage large numbers of Signiant users. When an unregistered user logs in for the first time, the Manager presents the logon credentials to the selected directory service, so users are authenticated by a trusted corporate service rather than by the Signiant Manager itself.
Directory authentication uniquely identifies a Signiant user by their corporate User Name and Password. Users do not have to manage a separate User Name and Password for Signiant, and the corporate standard for password management is enforced by the directory rather than by Signiant.
Signiant user authorization rights are determined by Access Control Lists or Permissions on Signiant managed objects (e.g. users, groups, jobs, packages). Although access can be configured for each user, managing access through user group membership is the recommended best practice. Signiant synchronizes user group membership in the directory with user group membership in Signiant, so access to objects in Signiant can be managed through the directory. This feature can be used, for example, to control to whom users can send Media Exchange packages.
Signiant supports multiple directories. When a user logs in to the Manager or to Media Exchange, the directory services are searched in list order for a matching User Name. When a match is found, a login is attempted against that directory using the supplied Password; the search does not continue to later directories. Maintaining unique User Names across directory services is the recommended best practice, but when this is not possible, the Enforce Domain Credentials option can be used. When this option is enabled, users must specify domain-qualified User Names when logging in to Signiant.
The Native Signiant User Directory is always enabled and provides user management without a corporate directory service. It is a best practice to have a minimum of one administrative user defined in the Native Directory for managing basic configuration including directory services.
When a user logs in for the first time using a directory account, their group membership and user attributes (e.g. First Name, Last Name, Phone Number) are copied to a directory account stub created in the Signiant Database. This account can be updated or deleted like a native account, except that the password cannot be set and group membership is synchronized with the directory each time the user logs in. A directory account stub is also created when a Media Exchange package is sent to a directory user who has not previously logged in to Signiant.
Whether directory users are allowed to log in to the Signiant Manager interface or the Media Exchange interface is determined by global and directory-specific settings. For example, a directory service can be set up so that its users are only allowed to log in to the Media Exchange interface, by disabling the Manager login setting for that directory.
When an unregistered user first logs in, and more than one directory service is listed, authentication searches the services in the order in which they appear in the list. It is possible to change the order in which the directory services appear, so that the authentication scans the most common one first. The default method for user authentication is called Native Product Authentication; this is set up during installation.
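The ordered lookup described above has a consequence worth seeing concretely: when the same User Name exists in two directories, only the first directory in the list is ever asked to authenticate it, so the second user is shadowed unless domain-qualified names are enforced. The following model is an added example written for this page, not Signiant code; the directory names, the accounts in them, the `DOMAIN\user` syntax and the in-memory `bind()` stand-in for a real LDAP bind are all constructed, and Native Product Authentication is left out of the list because the page does not describe how it interacts with domain-qualified logins.

```python
"""Ordered lookup across several directory services (added example, not
Signiant code).  Directories, accounts and the bind() stand-in are
constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DirectoryService:
    name: str          # display name in the Directory Services list
    domain: str        # assumed NetBIOS-style domain for DOMAIN\user logins
    enabled: bool      # Disable/Enable state from the dashboard
    accounts: dict     # username -> password; stand-in for a real directory

    def has_user(self, username: str) -> bool:
        return username in self.accounts

    def bind(self, username: str, password: str) -> bool:
        # A real implementation performs an LDAP bind here.
        return self.accounts.get(username) == password


def authenticate(services: List[DirectoryService], login_name: str,
                 password: str, enforce_domain_credentials: bool = False) -> Optional[str]:
    """Return the name of the directory that authenticated the user, or None.

    Services are consulted in list order, disabled services are skipped, and
    the bind is attempted only against the first enabled directory that
    contains the User Name, as the page describes.
    """
    if enforce_domain_credentials:
        # Domain-qualified form DOMAIN\user: go straight to the named directory.
        if "\\" not in login_name:
            return None
        domain, username = login_name.split("\\", 1)
        for svc in services:
            if svc.enabled and svc.domain.lower() == domain.lower():
                return svc.name if svc.bind(username, password) else None
        return None

    for svc in services:
        if not svc.enabled:
            continue
        if svc.has_user(login_name):
            # First match wins; a failed bind here does not fall through.
            return svc.name if svc.bind(login_name, password) else None
    return None


# Constructed directories: "bob" exists in both CORP and PARTNER with
# different passwords, which is the situation the page warns about.
CORP = DirectoryService("Corporate AD", "CORP", True,
                        {"alice": "alice-pw", "bob": "corp-bob-pw"})
PARTNER = DirectoryService("Partner LDAP", "PARTNER", True,
                           {"bob": "partner-bob-pw"})
SERVICES = [CORP, PARTNER]   # list order is the search order


if __name__ == "__main__":
    # Partner bob is shadowed by corporate bob when names are not unique ...
    print(authenticate(SERVICES, "bob", "partner-bob-pw"))                 # None
    # ... but resolves once domain-qualified names are enforced.
    print(authenticate(SERVICES, "PARTNER\\bob", "partner-bob-pw", True))  # Partner LDAP
```

Moving Partner LDAP above Corporate AD would only swap which "bob" is shadowed; the remedy is unique User Names or Enforce Domain Credentials, not reordering. Reordering is for putting the most commonly used directory first.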
When you add a directory service, you need to specify information such as a name for the service, the server name/IP address, and port number. You can edit this information after you have added the directory service. The Native Product Authentication service has no configuration settings, but you can edit its name, test user and test password fields. Blank passwords are not supported for Enterprise LDAP/LDAPS Authentication: if a user has a blank password and tries to authenticate, access is denied.
When an Active Directory or LDAP user belongs to a group that also exists in the Signiant group list (that is, a Signiant group with the same name), the Signiant group membership is synchronized with the directory group membership. All existing group membership that does not match a directory group is removed. This applies to all groups except the default user group defined in the Directory Services settings.
After users login and are identified in the Manager database, you may want to edit their user information (such as telephone number, email address, access control list and so on). Signiant maps and synchronizes the following LDAP and Active Directory fields to these corresponding Signiant fields:
LDAP and Active Directory field | Signiant field
Within the Directory Services dashboard, you can do the following:
Delete directory services
When you delete a network directory service, users whose accounts belong to that directory service can no longer log in to the Manager UI. Any users currently logged on through the deleted service are not affected; once they log out they cannot log back in through it. You also lose all of the configuration associated with the directory service. If you want to stop using a directory service temporarily without deleting it, Disable it instead. While disabled, the directory service is still configured and can be turned back on by clicking Enable, but users of that service cannot log in.
To delete a directory service, select the directory service, click Delete and when prompted, click Yes.
Disable or Enable directory services
Disabling a directory service does not remove it from the authentication configuration; it turns the service off so that it is no longer used for user authentication. Any users currently logged on through that service are not affected. Once they log out they cannot log back in through the disabled directory service. You cannot disable Signiant Native Product Authentication.
To disable a directory service, click Disable.
To reactivate the directory service, click Enable.
Move Up or Move Down directory services
When the Manager Authentication Service authenticates a user, it runs through the list of directory services in the order in which they appear in this list. To change the order, so that the Manager scans the most common directory service in your network first, select the directory service name you want to move and click either Move Up or Move Down.
Configure system-wide Settings
System-wide user settings are default user information that becomes automatically associated with a user the first time the user logs in to the Manager UI. Each time a user who is not already in the Manager database logs in, the default actions specified in the system-wide user settings will occur. Click Settings and configure the following settings in the Directory Services Settings dialog:
Default User Group: from the drop-down list, select the user group to which you want users to be assigned to by default when they first login. When Auto Register New Users is enabled, users are automatically assigned to any groups in the Signiant Manager that match the groups with which the user is associated in their directory service. If no matching groups exist, users are assigned to the default group selected here. To specify that no default user group be assigned, select Do not use a default User Group.
Auto Register New Users: enable this option to automatically register new users. This requires the selected directory service to accept the user's authentication credentials. To ensure that not everyone in your organization has access to the Signiant Manager, we suggest you disable this option once all users have logged in once.
Allow Administrative Login: enable this option to allow users to access the Signiant Manager. If most of your users are Media Exchange users, you may want to disable this option.
Organization for Auto Registered Users: from the drop-down list, select the organization to which users are automatically registered with when they first login. When No Organization is selected, user accounts are created in the Signiant Manager's System organization and are not displayed unless this organization has been granted to the administrator.
Organization for Auto Registered Manager UI Users Based On Group Membership: enable this option to allow all auto-registered Signiant Manager users to be assigned to the organization associated with the Signiant group that matches the group with which the user is associated in their directory service. This option does not apply to auto-registered Media Exchange users. If a user belongs to a group in their directory service that matches a group name in the Signiant Manager, the organization associated with that group is assigned to the user. For example, if you have a Signiant group called "Accountants" whose associated organization is "Accounting", all auto-registered users who belong to the "Accountants" group in their directory service are automatically assigned to the "Accounting" organization upon first login to the Signiant Manager.
Note: Enabling this option overrides Default User Group and Organization for Auto Registered Users. Users who match are NOT assigned to the default user group or organization specified above.
Cache Passwords For Logged In Users: enable this option so that jobs associated with a user keep running after the user's password changes. The Signiant Manager updates the cached password the next time the user logs in to the Manager UI; until then, jobs run with the old password (see the lockout caution at the end of this page).
Enable Active Directory Users Synchronization: this applies only to Active Directory users. Once enabled, you must configure the Synchronization period in days.
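The settings above interact on a user's first login (group matching, default group, organization assignment and the override noted for Organization for Auto Registered Manager UI Users Based On Group Membership) and on every later login (group synchronization as described earlier). The model below is an added example for this page, not Signiant code: group and organization names are constructed, and the tie-break when a user matches several Signiant groups attached to different organizations (first match in list order) is an assumption, because the page does not say how that case is resolved.

```python
"""First-login registration and per-login group synchronization policy
(added model, not Signiant code).  Names are constructed; the tie-break for
several matching groups is an assumption."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class SigniantGroup:
    name: str
    organization: Optional[str] = None   # organization associated with the group


@dataclass
class Settings:
    default_user_group: Optional[str] = None              # None: "Do not use a default User Group"
    auto_register_new_users: bool = True
    allow_administrative_login: bool = True
    organization_for_auto_registered: Optional[str] = None  # None: "No Organization" (System)
    organization_based_on_group_membership: bool = False


@dataclass
class Account:
    username: str
    groups: List[str] = field(default_factory=list)
    organization: str = "System"


def matched_groups(directory_groups, signiant_groups):
    """Signiant groups whose name equals one of the user's directory groups."""
    names = set(directory_groups)
    return [g for g in signiant_groups if g.name in names]


def register_first_login(username, directory_groups, signiant_groups,
                         settings, manager_ui=True):
    """Create the directory account stub for a user not yet in the Manager DB.
    Returns None when the global settings refuse the login."""
    if not settings.auto_register_new_users:
        return None                       # unknown directory users are not registered
    if manager_ui and not settings.allow_administrative_login:
        return None                       # directory users confined to Media Exchange
    acct = Account(username)
    matches = matched_groups(directory_groups, signiant_groups)
    if matches:
        acct.groups = [g.name for g in matches]
        if settings.organization_based_on_group_membership and manager_ui:
            # Override from the page's note: matching users do not get the
            # default group or the default organization.  Fallback to System
            # when no matched group carries an organization is an assumption.
            acct.organization = next(
                (g.organization for g in matches if g.organization), "System")
            return acct
    elif settings.default_user_group:
        acct.groups = [settings.default_user_group]
    acct.organization = settings.organization_for_auto_registered or "System"
    return acct


def synchronize_groups(acct, directory_groups, signiant_groups, settings):
    """Run on every login: membership that no longer matches a directory group
    is removed, except membership of the default user group."""
    names = set(directory_groups)
    kept = [g for g in acct.groups
            if g in names or g == settings.default_user_group]
    for g in matched_groups(directory_groups, signiant_groups):
        if g.name not in kept:
            kept.append(g.name)
    acct.groups = kept
    return acct
```

The useful thing to notice is the asymmetry: a Signiant group that happens to share a name with a broad directory group (for example one every employee belongs to) will pull every auto-registered user into that group's organization, so the Auto Register New Users advice above applies doubly when the option based on group membership is enabled.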
The following section describes how to add a directory service.
To add a network directory service:
From the Manager, select Administration>Users>Directory Services and click Add.
On the Settings tab, complete the following fields:
For example, a distinguished name such as: cn=Users, dc=company, dc=somewhere, dc=com.
If you selected Enterprise LDAP/LDAPS Authentication, select the Advanced LDAP Options tab and complete the following fields:
Group Object Class: type the object class of the group class in the directory schema.
Group Member Attribute: type the attribute of the group that contains the members.
Group Naming Attribute: type the naming attribute associated with the group.
User Object Class: type the user object class used in your schema.
User Username Attribute: type the attribute associated with the username in your schema.
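The five Advanced LDAP Options fields are the schema names a directory client needs to locate a user object by its username and then find the groups that list that user; the value that later gets compared with Signiant group names is the Group Naming Attribute. The following is an added example for this page, not Signiant code, showing how such settings are typically turned into LDAP search filters; the default attribute names for an inetOrgPerson-style directory and for Active Directory are common values assumed for illustration and must be checked against your own schema. It also shows the check a practitioner wants in any code that builds a filter from a login form: RFC 4515 escaping of the username, so a crafted value cannot change the filter's structure.

```python
"""Building LDAP search filters from the Advanced LDAP Options fields (added
example, not Signiant code).  Schema defaults are assumed common values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LdapSchema:
    group_object_class: str
    group_member_attribute: str
    group_naming_attribute: str
    user_object_class: str
    user_username_attribute: str


# Constructed defaults for two common schemas; verify against your directory.
OPENLDAP = LdapSchema("groupOfNames", "member", "cn", "inetOrgPerson", "uid")
ACTIVE_DIRECTORY = LdapSchema("group", "member", "cn", "user", "sAMAccountName")


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 section 3.

    '*', '(', ')', '\\' and NUL become backslash plus two hex digits, so a
    value taken from the login form is matched literally, never interpreted.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_filter(schema: LdapSchema, username: str) -> str:
    """Filter that locates the object to bind as, by User Username Attribute."""
    return "(&(objectClass=%s)(%s=%s))" % (
        escape_filter_value(schema.user_object_class),
        schema.user_username_attribute,
        escape_filter_value(username),
    )


def groups_of_user_filter(schema: LdapSchema, user_dn: str) -> str:
    """Filter that returns the groups whose Group Member Attribute lists the
    user's DN.  Request the Group Naming Attribute on this search; that value
    is what must equal a Signiant group name for synchronization."""
    return "(&(objectClass=%s)(%s=%s))" % (
        escape_filter_value(schema.group_object_class),
        schema.group_member_attribute,
        escape_filter_value(user_dn),
    )


if __name__ == "__main__":
    print(user_filter(ACTIVE_DIRECTORY, "alice"))
    print(groups_of_user_filter(OPENLDAP, "uid=alice,ou=people,dc=example,dc=com"))
    # A crafted login name cannot widen the search: '*' and parentheses are
    # escaped rather than interpreted.
    print(user_filter(OPENLDAP, "*)(uid=*"))
```

Two caveats when mapping these fields. A group search on the member attribute finds direct members only; Active Directory nested membership needs either recursive lookups or the LDAP_MATCHING_RULE_IN_CHAIN matching rule on the member attribute, and the page does not say whether nested groups are followed. And when the Group Naming Attribute is cn, two groups in different containers can share a cn, so a Signiant group name may match more than one directory group.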
On the Media Exchange tab, configure the following options:
Ignore Group Access When Searching: displayed only if you selected Enterprise Active Directory Authentication. Enable this option to allow users to find any directory user regardless of group access. New users found this way are added to the default group specified on the Directory Services Settings page; if no default group is defined and this option is enabled, the default group is automatically set to the system-created Media Exchange User group. When this option is not enabled, search results are limited by the group access of the user performing the search.
Enable Agent Mapping: enable this option to allow new users added to the Signiant Manager to use Media Exchange. This functionality is required to ensure directory services searching functionality for Media Exchange users. After enabling this option, click Add and configure the following:
On the Test Settings tab, complete the following fields and then click Test:
Users of the Media Exchange application can benefit from a manager setup with directory services in two major ways:
Assuming you have Media Exchange enabled on at least one agent, and have enabled agent mapping as detailed in step #4 above, Media Exchange users will see an additional search option when they select the 'Recipients' icon.
The presence of the 'drop-down' list as shown below indicates that a user can search the global directory.
The users that are returned are ones which contain email accounts in the directory.
If your directory does not contain email addresses (e.g. your organization uses an externally hosted email service), users are not displayed in the search list. Regular users can only find users within the user groups they belong to, unless the Ignore Group Access When Searching option is enabled for the directory service. Guest users are restricted from searching the directory. Additional Media Exchange options, for example the ability to assign new users to specific agents, are described later in this section.
If authentication other than native authentication is used, you can lock yourself out of the Active Directory or LDAP/LDAPS account, under the following conditions:
For example, if the directory's lockout threshold is three incorrect logins, and you change your password without logging in to the Manager UI to refresh the cached password, then a job that runs three times with the old password locks you out of both the Manager UI and the Active Directory or LDAP/LDAPS account.
You can also lock yourself out of the network account by logging in to the Manager UI incorrectly the number of times specified in the authentication profile. For example, if the lockout threshold is three incorrect logins and you log in to the Manager UI incorrectly three times, you are locked out of the Active Directory or LDAP/LDAPS account.
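The lockout arithmetic above is easy to underestimate because every scheduled run of a job spends one attempt against the directory's threshold. The model below is an added example for this page, not Signiant code: the threshold, the job schedule and the credential cache are constructed, and the stale-credential guard in the second scenario is a mitigation proposed here, not a documented product setting. It shows why the practical rule is to log in to the Manager UI immediately after a directory password change, and what a job scheduler gains by refusing to reuse a cached password after its first failed bind.

```python
"""Model of the cached-password lockout described above (added example, not
Signiant code).  Threshold, job schedule and the stale guard are constructed."""
from dataclasses import dataclass


@dataclass
class DirectoryAccount:
    """Stand-in for the AD/LDAP side: counts bad binds, locks at the threshold,
    and resets the counter on a good bind."""
    password: str
    lockout_threshold: int
    failed_attempts: int = 0
    locked: bool = False

    def bind(self, password: str) -> bool:
        if self.locked:
            return False
        if password == self.password:
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.lockout_threshold:
            self.locked = True
        return False


@dataclass
class CachedCredential:
    """Password the Manager cached at the user's last interactive login."""
    password: str
    stale: bool = False   # set after the first failed bind with this password


def run_scheduled_jobs(account, cached, runs, stop_on_first_failure=False):
    """Run `runs` job instances with the cached password.
    Returns (successful_runs, failed_runs)."""
    ok = failed = 0
    for _ in range(runs):
        if stop_on_first_failure and cached.stale:
            break                         # proposed guard: do not spend more attempts
        if account.bind(cached.password):
            ok += 1
        else:
            failed += 1
            cached.stale = True
    return ok, failed


def scenario(stop_on_first_failure: bool):
    """The user changes the directory password without logging in to the
    Manager UI again; three scheduled jobs then run with the old cached
    password; finally the user tries the Manager UI with the new password.
    Returns (failed_attempts, locked, ui_login_succeeded)."""
    account = DirectoryAccount(password="old-pw", lockout_threshold=3)
    cached = CachedCredential(password="old-pw")
    account.password = "new-pw"           # changed in the directory, not re-cached
    run_scheduled_jobs(account, cached, runs=3,
                       stop_on_first_failure=stop_on_first_failure)
    ui_login_ok = account.bind("new-pw")
    return account.failed_attempts, account.locked, ui_login_ok


if __name__ == "__main__":
    print(scenario(stop_on_first_failure=False))   # (3, True, False): locked out
    print(scenario(stop_on_first_failure=True))    # (0, False, True): one failure, then recovery
```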