Enabling Single Sign On with Active Directory
12 Aug 2024


Please Read!

The success of an Active Directory (AD) Server Authentication setup with SSO rests heavily on experienced client-side technical resources. Decisions' Support Team can help, but may not be able to answer questions or solve AD/SSO issues specific to the organization.

Active Directory Requirements

AD authentication, in general, requires that the IIS server have the IIS Authentication modules for Basic, Digest, and Integrated Windows authentication installed. (This is only an AD authentication requirement; it is not required for the Decisions Portal to function.) These are found under Control Panel > Programs and Features, by selecting Turn Windows Features on or off. Expand IIS > World Wide Web Services > Security, and select the checkboxes for these three modules:

[Screenshot: IIS Windows Features security settings]

The Decisions Portal supports Mixed Mode authentication; therefore, the complete site has Anonymous Authentication enabled, except for a single page called "WindowsLogin.aspx," which uses Windows Authentication. The installer takes care of setting up the authentication.

[Screenshot: IIS authentication settings for the Decisions site]
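The following PowerShell script is an added example, not part of the Decisions documentation or installer. It enables the three IIS authentication modules named above and then reads back the mixed-mode layout (anonymous everywhere, Windows Authentication only on WindowsLogin.aspx) so an administrator can confirm what the installer configured before troubleshooting SSO. The site name `Default Web Site` and the page path are assumptions; adjust them to the site that hosts the Portal.

```powershell
# Added example (not Decisions' own code). Run elevated on the IIS server.
# Assumption: the Decisions Portal is hosted in the IIS site named below.
$siteName = 'Default Web Site'    # placeholder: IIS site hosting the Decisions Portal
$ssoPage  = 'WindowsLogin.aspx'   # the single page that uses Windows Authentication

# 1. Install the IIS authentication modules (the same items as
#    Turn Windows features on or off > IIS > World Wide Web Services > Security).
$features = 'IIS-BasicAuthentication', 'IIS-DigestAuthentication', 'IIS-WindowsAuthentication'
foreach ($feature in $features) {
    $state = (Get-WindowsOptionalFeature -Online -FeatureName $feature).State
    if ($state -ne 'Enabled') {
        Enable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart | Out-Null
        Write-Host "Enabled $feature"
    } else {
        Write-Host "$feature already enabled"
    }
}

# 2. Read back the effective authentication settings for the site root and for the SSO page.
Import-Module WebAdministration
$sitePath = "IIS:\Sites\$siteName"
$authBase = 'system.webServer/security/authentication'

function Get-AuthState {
    param([string]$Location)   # empty string = site root
    $args = @{ PSPath = $sitePath }
    if ($Location) { $args['Location'] = $Location }
    [PSCustomObject]@{
        Scope     = if ($Location) { $Location } else { '(site root)' }
        Anonymous = (Get-WebConfigurationProperty -Filter "$authBase/anonymousAuthentication" -Name enabled @args).Value
        Windows   = (Get-WebConfigurationProperty -Filter "$authBase/windowsAuthentication"   -Name enabled @args).Value
    }
}

$root = Get-AuthState -Location ''
$sso  = Get-AuthState -Location $ssoPage
$root, $sso | Format-Table -AutoSize

# Mixed mode as the documentation describes it: anonymous on, Windows off at the root;
# the reverse on WindowsLogin.aspx. Flag any deviation rather than silently changing it,
# since the installer owns these settings.
if (-not ($root.Anonymous -and -not $root.Windows)) {
    Write-Warning "Site root is not anonymous-only; SSO mixed mode may be misconfigured."
}
if (-not ($sso.Windows -and -not $sso.Anonymous)) {
    Write-Warning "$ssoPage does not have Windows Authentication enabled (or still allows anonymous)."
}
```

`Get-WebConfigurationProperty -Location` resolves to the `<location path="Default Web Site/WindowsLogin.aspx">` element, which is where the installer's per-page override lives; if the site root shows Windows Authentication enabled everywhere, users will be challenged on every page rather than only on the SSO page.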

Single Sign-On Requirements

If using AD as a source for users, when an AD user logs in to his or her client machine and launches the Decisions Portal, Decisions will not prompt for login as long as the following conditions are met in the environment:

  • The machine the user is logging in to is part of the domain.

  • Windows Authentication has been enabled in IIS.

  • The user is accessing the Portal using Internet Explorer.

  • The pre-Windows 2000 domain name is configured correctly in the Active Directory Settings in the Portal, found under System > Settings > Active Directory. The domain name must match the domain name in Active Directory exactly. If users do not sync, check the Decisions log file for the syntax of the user names attempting to sync to confirm the domain name is correct.

  • The Windows user name matches the User Identifier in the Decisions database. This is found under System > Security > Accounts, in the User Identifier field. Active Directory synced users will have a user identifier in the format [domain name]\[user name].

  • The IP address of the server on which Decisions is hosted must be in the Intranet zone list on the client. (In Internet Explorer, open Tools > Options. From the Security tab, click Local Intranet and select the Sites button. Click Advanced and add the IP to the websites list.) Also, ensure the Automatic Logon Only in Intranet Zone setting is enabled.
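The script below is an added example, not part of the Decisions documentation. It is a read-only check, run on the client machine as the signed-in AD user, of the client-side conditions listed above: domain membership, the user identifier the Portal will expect, whether the server IP is mapped to the Local Intranet zone, and whether the zone's logon setting is "Automatic logon only in Intranet zone". The server IP is a placeholder; the registry locations are the ones Internet Explorer writes when the settings are changed through its Security tab.

```powershell
# Added example (not Decisions' own code). Run as the AD user on the client.
$decisionsServerIp = '10.0.0.25'   # placeholder: IP of the server hosting Decisions

$results = [ordered]@{}

# Condition: the client machine is joined to the domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['Machine is domain-joined'] = [bool]$cs.PartOfDomain
$results['Domain (as seen by client)'] = $cs.Domain

# Condition: the Windows user name must match the Decisions User Identifier,
# which for synced users is [domain name]\[user name]. USERDOMAIN is the
# pre-Windows 2000 (NetBIOS) name that the Portal's AD settings must match.
$results['Expected User Identifier'] = "$env:USERDOMAIN\$env:USERNAME"

# Condition: the server IP is in the Local Intranet zone. IE stores IP/range
# entries under ZoneMap\Ranges\RangeN with ':Range' = address and a DWORD
# named '*' (or a scheme such as 'http') holding the zone id; 1 = Local Intranet.
$rangesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges'
$inIntranet = $false
if (Test-Path $rangesKey) {
    foreach ($range in Get-ChildItem -Path $rangesKey) {
        $props = Get-ItemProperty -Path $range.PSPath
        $zone  = if ($null -ne $props.'*') { $props.'*' } else { $props.http }
        if ($props.':Range' -eq $decisionsServerIp -and $zone -eq 1) { $inIntranet = $true }
    }
}
$results['Server IP in Local Intranet zone'] = $inIntranet

# Condition: "Automatic logon only in Intranet zone" for the Local Intranet zone.
# Zone 1 = Local Intranet; value 1A00 holds the logon option:
#   0x00000 automatic logon, 0x10000 prompt, 0x20000 automatic logon only in
#   Intranet zone, 0x30000 anonymous. An absent value means the built-in default
#   applies. A Group Policy setting lives under the same path in HKLM instead.
$logonValue = $null
foreach ($hive in 'HKCU', 'HKLM') {
    $zone1 = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"
    $v = (Get-ItemProperty -Path $zone1 -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    if ($null -ne $v) { $logonValue = $v; $results['Logon setting source'] = $hive; break }
}
$results['Logon option (1A00)'] = if ($null -eq $logonValue) { '(default)' } else { ('0x{0:X}' -f $logonValue) }
$results['Automatic logon only in Intranet zone'] = ($logonValue -eq 0x20000)

[PSCustomObject]$results | Format-List
```

If the machine is domain-joined and the zone mapping is present but the user is still prompted, compare the "Expected User Identifier" line against the account's User Identifier under System > Security > Accounts; a mismatch there (for example a different domain name in the Portal's AD settings) is the usual cause, and the Decisions log file will show the user name syntax that was attempted.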

Summary of Active Directory Synchronization

  • Active Directory Sync only fetches users & groups from Active Directory. This is a one-way sync where account/user/group information from Active Directory is stored in Decisions.

  • If you select Sync Only Users, groups from Active Directory will not be synced.

  • The Synchronization options allow you to specify what you want to sync from AD. For example, Entire Domain will get all the users and groups on the AD server. Selected Groups will get only users and groups from the selected groups. Selected Org Units will get only users and groups from the selected organization units.

  • Information about organization units is not synced into Decisions.

  • AD sync replicates what is presently on the AD Server. For example, if user John Smith is moved from group Managers to group Supervisors, the AD sync will replicate the change in Decisions by removing John Smith from group Managers and adding him to group Supervisors.

  • For users, Decisions retrieves all the personal information (First Name, Last Name, etc.) and all the contact information (Address, Phone Numbers, Emails, etc.) from Active Directory into Decisions.

  • When permissions are set up in Decisions for a synced user, those permissions are Decisions-specific and are retained across syncs.

  • When a user is deactivated in AD, he/she will be deactivated in Decisions.

  • When a user is deleted from AD, he/she will never be able to log in to Decisions. Users are never deleted from Decisions for data integrity purposes, such as having a history of who completed a task, audited an entity, etc.

  • The domain name entered under System > Settings > Active Directory must match the domain name in Active Directory exactly. If users do not sync, check the Decisions log file for the syntax of the user names attempting to sync to confirm the domain name is correct.

Active Directory Settings

Decisions offers additional configurations for Active Directory. These can be found under System > Settings > Active Directory. Users may enable either of the following settings by marking its checkbox:

  • Auto Sign In: Automatically signs in accounts based on the AD credentials used to log in to the machine.

  • Use Chrome SSO: Enables users of Chromium-based browsers to use SSO; enables the ability to use Windows Authentication with Chromium browsers.
