Enabling Single Sign On with Active Directory
Last Updated: 02/21/2019
Introduced in Version: 2.0
Warning: This will require appropriate technical resources on the client's side to implement. We recommend making sure someone from your organization with Active Directory and IIS experience is available to streamline the process. Our support team is available to help, but may not be able to answer questions or solve problems that are unique to your company.
Active Directory Requirements
The Decisions Portal supports Mixed Mode authentication; therefore, Anonymous Authentication is enabled for the complete site, except for a single page called "WindowsLogin.aspx", which uses Windows Authentication so that the browser can present the user's Windows credentials. The installer takes care of setting up the authentication.
Single Sign-On Requirements
- The machine the user is logging in from is joined to the domain.
- Windows Authentication has been enabled in IIS.
- User is accessing the Portal using Internet Explorer.
- The pre-Windows 2000 (NetBIOS) domain name is configured correctly in the Active Directory Settings in the Portal, found under System > Settings > Active Directory. The domain name must match the domain name in Active Directory exactly. If users do not sync, check the Decisions log file and look at the syntax of the user names attempting to sync to confirm the domain name is correct.
- The Windows user name matches the User Identifier in the Decisions database. This is found under System > Security > Accounts, in the User Identifier field. Active Directory synced users have a user identifier in the format [domain name]\[user name].
- The IP address (or host name) of the server on which Decisions is hosted must be in the Local intranet zone on the client. (In Internet Explorer, open Tools > Internet Options. On the Security tab, click Local intranet, then Sites > Advanced, and add the site to the Websites list.) Also ensure that, for the Local intranet zone, Custom level > User Authentication > Logon is set to Automatic logon only in Intranet zone (or Automatic logon with current user name and password). Add only the Decisions host: every site in the Local intranet zone receives the user's Windows credentials automatically. Note that reaching the server by IP address authenticates with NTLM by default; if Kerberos is required, use a host name that has an HTTP/<hostname> SPN registered for the application pool identity.
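The following PowerShell checklist is an added example, not code from the Decisions documentation or product. It tests the Single Sign-On requirements listed above from both ends: `Test-ClientSso` runs on the workstation as the user who will sign in, and `Test-ServerSso` runs on the IIS server. The site name `Default Web Site`, the Portal application path `decisions`, the server IP `10.0.0.5` and the NetBIOS domain `CONTOSO` are hypothetical assumptions; replace them with your own values.

```powershell
# Added example (not part of the Decisions documentation or product).
# Hypothetical assumptions: site 'Default Web Site', Portal application path
# 'decisions', server IP 10.0.0.5, NetBIOS domain CONTOSO.
$SiteName       = 'Default Web Site'
$AppPath        = 'decisions'
$ServerIp       = '10.0.0.5'
$ExpectedDomain = 'CONTOSO'   # the value entered under System > Settings > Active Directory

# Run on the workstation, as the user who will sign in.
function Test-ClientSso {
    $r = [ordered]@{}

    # 1. The machine must be joined to the domain.
    $r['DomainJoined'] = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    # 2. USERDOMAIN is the NetBIOS domain name, so DOMAIN\user is the identifier
    #    Decisions stores for a synced account; it must match the configured domain.
    $r['UserIdentifier'] = "$env:USERDOMAIN\$env:USERNAME"
    $r['DomainMatches']  = ($env:USERDOMAIN -ieq $ExpectedDomain)

    # 3. The server IP must be mapped to zone 1 (Local intranet). IE stores IP
    #    entries under ZoneMap\Ranges\Range<N> with a ':Range' string and a
    #    per-scheme DWORD ('http', 'https' or '*') whose value is the zone number.
    #    (Zone assignments pushed by Group Policy live under HKCU:\Software\Policies
    #    instead and are not inspected here.)
    $rangesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges'
    $r['ServerIpInIntranetZone'] = $false
    if (Test-Path -Path $rangesKey) {
        foreach ($range in Get-ChildItem -Path $rangesKey) {
            $p = Get-ItemProperty -Path $range.PSPath
            if ($p.':Range' -eq $ServerIp -and (1 -in @($p.http, $p.https, $p.'*'))) {
                $r['ServerIpInIntranetZone'] = $true
            }
        }
    }

    # 4. Logon policy for zone 1 is the DWORD '1A00': 0x00000 = automatic logon with
    #    current credentials, 0x10000 = automatic logon only in Intranet zone,
    #    0x20000 = prompt for user name and password, 0x30000 = anonymous logon.
    #    Only the first two allow SSO.
    $zone1 = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
    $r['IntranetLogonSetting'] = '0x{0:X5}' -f [int]$zone1.'1A00'
    $r['AutomaticLogonOk']     = ([int]$zone1.'1A00' -in 0x00000, 0x10000)

    [pscustomobject]$r
}

# Run on the IIS server hosting Decisions (requires the WebAdministration module).
function Test-ServerSso {
    Import-Module WebAdministration
    $r = [ordered]@{}
    $auth = '/system.webServer/security/authentication'

    # Reads the effective 'enabled' flag of an authentication provider at a location.
    function Get-AuthEnabled([string]$Location, [string]$Provider) {
        (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
            -Filter "$auth/$Provider" -Name enabled).Value
    }

    # Mixed mode: the Portal as a whole allows anonymous requests...
    $r['PortalAnonymous'] = Get-AuthEnabled "$SiteName/$AppPath" 'anonymousAuthentication'

    # ...while WindowsLogin.aspx alone demands Windows Authentication, so the browser
    # is challenged (Negotiate/NTLM) only on that page.
    $loginPage = "$SiteName/$AppPath/WindowsLogin.aspx"
    $r['LoginPageWindowsAuth'] = Get-AuthEnabled $loginPage 'windowsAuthentication'
    $r['LoginPageAnonymous']   = Get-AuthEnabled $loginPage 'anonymousAuthentication'

    $r['SsoLayoutOk'] = $r['PortalAnonymous'] -and $r['LoginPageWindowsAuth'] -and -not $r['LoginPageAnonymous']
    [pscustomobject]$r
}

# Usage: call the function that matches the machine you are on.
Test-ClientSso | Format-List
Test-ServerSso | Format-List
```

`Test-ClientSso` reports the user identifier Decisions expects (`DOMAIN\user`), so its `UserIdentifier` value can be compared directly against the User Identifier field under System > Security > Accounts. `Test-ServerSso` reads the effective configuration from applicationHost.config rather than the application's web.config, which is where IIS normally records per-page authentication overrides when the provider sections are locked at the server level.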
Summary of Active Directory Synchronization
- Active Directory Sync only fetches users and groups from Active Directory. This is a one-way sync: account, user and group information from Active Directory is stored in Decisions, and nothing is written back to Active Directory.
- If you select Sync Only Users, groups from Active Directory will not be synced.
- The Synchronization options let you specify what you want to sync from AD. For example, Entire Domain gets all the users and groups on the AD server. Selected Groups gets only the users and groups in the selection. Selected Org Units gets only the users and groups in the selected organizational units.
- Information about organizational units themselves is not synced into Decisions.
- AD sync replicates what is presently on the AD server. For example, if user John Smith is moved from group Managers to group Supervisors, the AD sync replicates the change in Decisions by removing John Smith from group Managers and adding him to group Supervisors.
- For users, Decisions retrieves all the personal information (First Name, Last Name, etc.) and all the contact information (Address, Phone Numbers, Emails, etc.) from Active Directory.
- When permissions are set up in Decisions for a synced user, those permissions are Decisions-specific and are retained across syncs.
- When a user account is disabled in AD, the user is deactivated in Decisions.
- When a user is deleted from AD, he/she can no longer log in to Decisions. Users are never deleted from Decisions, for data integrity purposes, such as keeping the history of who completed a task, audited an entity, etc.
- The domain name entered under System > Settings > Active Directory must match the pre-Windows 2000 (NetBIOS) domain name in Active Directory exactly. If users do not sync, check the Decisions log file and look at the syntax of the user names attempting to sync to confirm the domain name is correct.
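The following script is an added example, not code from the Decisions documentation or product. It uses the ActiveDirectory PowerShell module to show which domain name value the Portal expects and to preview, for each synchronization scope described above, the users AD would deliver and the identifier form Decisions stores for them. The group name `Managers` and the OU `OU=Sales,DC=contoso,DC=com` are hypothetical assumptions.

```powershell
# Added example (not part of the Decisions documentation or product).
# Hypothetical assumptions: a group 'Managers' and an OU
# 'OU=Sales,DC=contoso,DC=com' exist in the domain being synced.
Import-Module ActiveDirectory

# Decisions stores synced accounts as <pre-Windows 2000 domain name>\<sAMAccountName>,
# so the value entered under System > Settings > Active Directory must be the
# NetBIOS name (for example CONTOSO), not the DNS name (contoso.com).
$domain  = Get-ADDomain
$netbios = $domain.NetBIOSName
"Enter '$netbios' in Decisions (the DNS root '$($domain.DNSRoot)' will not match)"

# Personal and contact attributes the sync fetches, plus state and membership.
$props = 'GivenName','Surname','DisplayName','mail','telephoneNumber','mobile',
         'streetAddress','l','st','postalCode','co','Enabled','MemberOf'

function Get-SyncPreview {
    param(
        [ValidateSet('EntireDomain','SelectedGroups','SelectedOrgUnits')] [string]$Scope,
        [string[]]$Groups   = @(),
        [string[]]$OrgUnits = @()
    )
    $users = switch ($Scope) {
        # Entire Domain: every user object in the domain.
        'EntireDomain'     { Get-ADUser -Filter * -Properties $props }
        # Selected Groups: members (including nested) of the chosen groups, de-duplicated.
        'SelectedGroups'   { $Groups | ForEach-Object {
                                 Get-ADGroupMember -Identity $_ -Recursive |
                                     Where-Object objectClass -eq 'user' |
                                     Get-ADUser -Properties $props
                             } | Sort-Object DistinguishedName -Unique }
        # Selected Org Units: users under the chosen OUs (the OUs themselves are not synced).
        'SelectedOrgUnits' { $OrgUnits | ForEach-Object { Get-ADUser -Filter * -SearchBase $_ -Properties $props } }
    }
    foreach ($u in $users) {
        [pscustomobject]@{
            UserIdentifier = "$netbios\$($u.SamAccountName)"   # what Decisions will store
            Name           = "$($u.GivenName) $($u.Surname)"
            Email          = $u.mail
            # A disabled AD account is deactivated in Decisions on the next sync; a
            # deleted one never appears here and stays in Decisions, unable to log in.
            WillBeActive   = [bool]$u.Enabled
            # Current membership only: a move between groups shows up as the new group.
            Groups         = ($u.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
        }
    }
}

# Usage: compare the three scopes before choosing one in the Portal.
Get-SyncPreview -Scope EntireDomain | Format-Table -AutoSize
Get-SyncPreview -Scope SelectedGroups   -Groups 'Managers' | Format-Table -AutoSize
Get-SyncPreview -Scope SelectedOrgUnits -OrgUnits 'OU=Sales,DC=contoso,DC=com' | Format-Table -AutoSize
```

Comparing the `UserIdentifier` column against the User Identifier field under System > Security > Accounts, and against the user names recorded in the Decisions log file when a sync fails, is the quickest way to confirm that the domain name configured in the Portal is the NetBIOS name rather than the DNS name.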