Domain authentication and SSO

Da itm wiki.

Domain connection(s) can be managed in General\System\LM Settings with superadmin role.

In tab LDAP Properties is possible to manage a list of domain connection(s). Is possile to define connection(s) related to different domain(s) or to same domain but with different BaseDN.

Field Description Comment
Configuration Name The name of current Domain connection
Host Domain server address or host name
BaseDN The domain Distinguished Name It shall contain the domain name parts separated by ",".

Example: itmSUITE.local shall be inserted as DC=itmSUITE,DC=local

Shall be possible define a precise OU of domain to be considered in connection

Example: connection to Organizational Unit "TechUser" belongs to domain itmSUITE.local shall be inserted as OU=TechUsers,DC=itmSUITE,DC=local

Server Type Type of domain controller AD (active Directory) and OpenLDAP are supported
Active If checked: the connection is active

By click on button Add New is possible to add a domain connection by filling the following properties

Field Description Comment
Configuration Name Mandatory. The name of current Domain connection
Host Mandatory. Domain server address or host name
Server Type Mandatory. Type of domain controller AD (active Directory) and OpenLDAP are supported
BaseDN Mandatory. The domain Distinguished Name It shall contain the domain name parts separated by ",".

Example: itmSUITE.local shall be inserted as DC=itmSUITE,DC=local

Shall be possible define a precise OU of domain to be considered in connection

Example: connection to Organizational Unit "TechUser" belongs to domain itmSUITE.local shall be inserted as OU=TechUsers,DC=itmSUITE,DC=local

Bind User Domain user login it will be used for current connection
Bind Password Domain user password it will be used for current connection
Active If checked: the connection is active Current connection can't be active until it is not checked
Sample user's login Domain user login used for check inserted parameters
Sample user's password Domain user password used for check inserted parameters
Checked If checked: the connection has been verified

A domain connection shall be activable only after it was checked: use button Check to verify it.

At click on button Check: itmSUITE will send a request to domain with inserted credentials.

If at least 1 connection is active the user with same login on domain could use domain credentials instead of user credentials.

In this case the authentication follows these steps:

  • 1. itmSUITE checks if login inserted is existing in its DB, otherwise access is not allowed.
  • 2. itmSUITE sends a request with pair login, password to domain controller.
  • 3. The domain controller checks if the login inserted is existing in domain and if password is correct.
  • 4. If domain controller response is positive: itmSUITE allows access.
  • 5. If domain controller response is negative: itmSUITE checks password on its DB and grants access if check is positive, otherwise access is not allowed.

More than one connection to domain(s) can be active at the same time: in this case the above step 2 is executed on each active connection.

Import domain user

Domain user import can be managed in General\System\Import from LDAP with superadmin role.

The connection parameters can be selected by drop list Use authentication configuration or directly inserted.

Field Description Comment
Use authentication configuration Allows to select an existing domain connection
Host Domain server address or host name
BaseDN The domain Distinguished Name It shall contain the domain name parts separated by ",".

Example: itmSUITE.local shall be inserted as DC=itmSUITE,DC=local

Shall be possible define a precise OU of domain to be considered in connection

Example: connection to Organizational Unit "TechUser" belongs to domain itmSUITE.local shall be inserted as OU=TechUsers,DC=itmSUITE,DC=local

Server Type Type of domain controller AD (active Directory) and OpenLDAP are supported
Username Attribute TBC
Bind User Domain user login it will be used for current connection
Bind Password Domain user password it will be used for current connection
Mail Option This section allows to define how to synchronize the existing domain user mail on itmSUITE user Add LDAP Mail to user (if not present):

Overwrite itmSUITE mail with LDAP mail:

Add LDAP Mail to Notification Mail The mail will be activated on synchronized user notification addresses
Add LDAP Mail to Outbound Mail The mail will be activated on synchronized user message addresses

At click on button Next will be executed a search in domain matching user by login. As result will be visualized a table with:

  • 1. itmSUITE user not matched
  • 2. itmSUITE user matched
  • 3. Domain user not matched

The column Login(LDAP) allows to match manually the itmSUITE uesrs not matched automatically on domain user (this operation will overwrite current itmSUITE login with domain login).

By click on left checkbox is possible to select which users shall be imported / updated with data from domain.

At click on button Next a summary table will be visualized.

At click on button Next will be visualized a filter to select company and role for all the selected users.

At click on button Next the synchronization process will start:

  • Domain user selected but not matched will be created as new itmSUITE user
  • itmSUITE user selected and matched will be updated with data from domain

Schedule Import

Import of domain user scheduling can be managed in MB (Message Bus) module and configured in Action Engine.

In MB is possible to schedule a message with type LDAP Synchronization: check in MB dedicated section for details.

In SM Action Engine is possible to create and action dedicated to call the LDAP synchronization process explained above: check in Action Engine dedicated section for details.

Use of SSO (Single Sign On)

SSO (Single Sign On) can be managed in General\System\LM Settings with superadmin role.

SSO can be activated by use or protocols NTLM or NTLM2 and Microsoft AD ( Active Directory ). NTLM and NTLM2 activation is mutually exclusive.

Protocol NTLM can be activated in tab NTLM properties

Field Description Comment
Active Directory Controller Domain server address or host name
Default Domain TBC
Checked If checked: the connection has been verified
Sample user's login Domain user login used for check inserted parameters
Sample user's password Domain user password used for check inserted parameters

Protocol NTLM2 can be activated in tab NTLM2 properties

Field Description Comment
Active Directory Controller Domain server address or host name
SPN user's login TBC
SPN user's password TBC
Checked If checked: the connection has been verified

Enabling NTLM authorization in Internet Explorer (IE)

  • 1. Go to menu Internet Options, tab Security and click on "Local Intranet" option.
  • 2. Click on Sites button. In opened window make sure that the last three boxes are checked and click on the Advanced button.

Add you domain name into the list of Websites (example: "itmSUITE.local"):

  • 3. Back to "Local Intranet" option: click on Custom Level. In opened window activate the next option:

User authentication\Logon\Automatic logon only in Intranet zone

  • 5. Go to menu Settings, tab Advanced and enable option Enable Integrated Windows Authentication.


Enabling NTLM authorization in Mozilla Firefox