Access Control

Overview

Administrators can integrate Login Enterprise with Active Directory so that users in their organization sign in with their own domain accounts. Rather than sharing the Virtual Appliance local administrator credentials, administrators can specify which users need access only to the results and which users need access to the full platform.

There are two permission levels within Login Enterprise:

  • Login Enterprise Administrator: full, unrestricted access to Login Enterprise
  • Login Enterprise Read-Only: restricts access to only results, reporting, and data exports

Users who are members of both groups receive the higher level of access: a user who is a member of both the Administrator and the Read-Only group is authorized as an Administrator.

As of Login Enterprise 5.6, administrators can set the Active Directory LDAP authentication timeout. In larger, more complex domains the fixed 55-second timeout of earlier releases can be too short for authentication to complete; the timeout can now be increased in such scenarios.

Configuring Access Control

In the Login Enterprise sidebar menu > Access Control, you can specify parameters to authenticate with the domain controller. 

[Screenshot: Access Control settings page]

Authenticating with Active Directory requires the following input parameters:

  • AD Domain FQDN: the fully qualified name of the domain to authenticate against (e.g., contoso.com)
  • Domain controller: the DC that handles the LDAP requests (when SSL/TLS is enabled, use the DNS name that appears in the DC certificate rather than an IP address, so that the certificate can be validated against it)
  • Port: port used for LDAP authentication (389 for LDAP, 636 for LDAPS)
  • SSL/TLS Settings: enable SSL communications, or ignore SSL errors during authentication. Ignoring SSL errors skips certificate validation, so the appliance can no longer distinguish the real DC from a host impersonating it; use it only while troubleshooting.
  • AD Timeout: configurable LDAP authentication timeout (default is 60 sec)
  • Login Enterprise Admin Group: name of the group whose members receive administrator access
  • Login Enterprise Read-Only Group: name of the group whose members receive read-only access
  • Username: account used to make the connection (not saved)
  • Password: password of that account (not saved)

Multi-domain Environment configuration

As of Login Enterprise 4.4, multi-domain configurations are also supported. This setup requires a different configuration of the above AD Authentication parameters.

Because a group name is not guaranteed to be unique across multiple domains, the group's distinguished name is required instead, for example CN=LE-Admins,OU=Groups,DC=contoso,DC=com. The configuration therefore looks like the example below:

[Screenshot: multi-domain Access Control settings with group distinguished names]

Login VSI has tested and supports using a single parent domain with two direct subdomains. Resources from any domain can be used in this configuration. Users can reside in a subdomain while the domain controller and groups are used from the top-level domain. 

Accessing the web management console

Once this information is configured, you can log out of the management console, and authenticate with your Active Directory credentials.

In a multi-domain configuration, sign in with the user principal name (UPN) so that the account is resolved in the correct domain, e.g. username@subdomain.contoso.com

[Screenshot: web management console sign-in with a UPN]

Security requirements

Minimum requirements for secure Active Directory authentication over LDAPS (port 636) are:

  • Protocol: TLS 1.2 or later
  • Certificate: key length of at least 2048 bits

In practice this also means the domain controller certificate chains to a CA the appliance trusts and carries the configured domain controller name. If it does not, the connection only succeeds with Ignore SSL errors, which removes the protection LDAPS is meant to provide.
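The following script is an added example and is not part of Login Enterprise or Login VSI's code. It models the settings from Configuring Access Control (domain, DC, port, SSL/TLS mode, AD Timeout, Admin and Read-Only groups), applies the documented rules that Administrator wins over Read-Only and that multi-domain setups must match groups by distinguished name rather than name, builds the UPN used to sign in, and opens an LDAPS connection with the TLS 1.2 minimum and certificate validation from the security requirements so a DC can be checked before the settings are entered in the appliance. All attribute names, group names and the memberOf values are assumptions chosen for the example; only ldaps_preflight() needs network access to a real domain controller.

```python
"""Pre-flight validator for Login Enterprise Active Directory access control.

Added example (not Login Enterprise code): it models the documented settings
so the group-to-role mapping, the distinguished-name rule for multi-domain
setups and the TLS minimums can be checked before they are entered in the
appliance. Needs only the Python 3.8+ standard library; ldaps_preflight()
is the one function that talks to a real domain controller.
"""
import re
import socket
import ssl
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class AccessControlSettings:
    """The fields from the Access Control page; attribute names are assumed."""
    domain_fqdn: str                 # AD Domain FQDN, e.g. contoso.com
    domain_controller: str           # DC that answers the LDAP requests
    port: int = 636                  # 636 = LDAPS, 389 = plain LDAP
    use_tls: bool = True             # "Enable SSL communications"
    ignore_tls_errors: bool = False  # "Ignore SSL errors" (troubleshooting only)
    ad_timeout: float = 60.0         # AD Timeout in seconds
    admin_group: str = "LE-Admins"   # group name, or full DN in multi-domain
    readonly_group: str = "LE-ReadOnly"


_UNESCAPED_COMMA = re.compile(r"(?<!\\),")  # DN separator; "\," is data


def first_rdn_value(dn: str) -> str:
    """'CN=LE-Admins,OU=Groups,DC=contoso,DC=com' -> 'LE-Admins'."""
    first = _UNESCAPED_COMMA.split(dn, maxsplit=1)[0]
    _, sep, value = first.partition("=")
    return (value if sep else first).replace("\\,", ",").strip()


def normalize_dn(dn: str) -> str:
    """Case-fold and strip each RDN so two spellings of one DN compare equal."""
    return ",".join(p.strip().casefold() for p in _UNESCAPED_COMMA.split(dn))


def group_matches(configured: str, member_dn: str) -> bool:
    """A configured value containing '=' is treated as a DN (the multi-domain
    rule); anything else is a plain group name compared with the CN only."""
    if "=" in configured:
        return normalize_dn(configured) == normalize_dn(member_dn)
    return configured.casefold() == first_rdn_value(member_dn).casefold()


def resolve_role(member_of: Iterable[str], settings: AccessControlSettings) -> Optional[str]:
    """Map a user's memberOf DNs to the Login Enterprise role.
    Administrator wins when the user is in both groups; None means no access."""
    role = None
    for dn in member_of:
        if group_matches(settings.admin_group, dn):
            return "Administrator"
        if group_matches(settings.readonly_group, dn):
            role = "Read-Only"
    return role


def sign_in_upn(username: str, settings: AccessControlSettings,
                user_domain: Optional[str] = None) -> str:
    """Build the UPN to sign in with. In a multi-domain setup the user's own
    (sub)domain must be given, e.g. jane@emea.contoso.com, otherwise the
    account is looked up in the wrong domain."""
    if "@" in username:
        return username
    return f"{username}@{user_domain or settings.domain_fqdn}"


def build_tls_context(settings: AccessControlSettings,
                      ca_file: Optional[str] = None) -> ssl.SSLContext:
    """TLS 1.2 minimum with chain and hostname validation (the documented
    secure baseline). 'Ignore SSL errors' turns validation off, so anyone
    on the path can impersonate the DC and collect the bind credentials."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if settings.ignore_tls_errors:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def ldaps_preflight(settings: AccessControlSettings,
                    ca_file: Optional[str] = None) -> dict:
    """Open the connection the appliance would open and report what was
    negotiated. socket.timeout means the DC did not answer within AD Timeout;
    ssl.SSLError means the DC certificate failed validation."""
    if not settings.use_tls:
        raise ValueError("plain LDAP sends the bind password in clear text; enable TLS")
    ctx = build_tls_context(settings, ca_file)
    with socket.create_connection((settings.domain_controller, settings.port),
                                  timeout=settings.ad_timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=settings.domain_controller) as tls:
            cert = tls.getpeercert() or {}   # empty when validation is off
            return {"tls_version": tls.version(),
                    "cipher": tls.cipher()[0],
                    "subject": cert.get("subject", ())}


if __name__ == "__main__":
    import sys
    # Constructed sample settings; pass your DC name as the first argument.
    cfg = AccessControlSettings(domain_fqdn="contoso.com",
                                domain_controller=sys.argv[1] if len(sys.argv) > 1
                                else "dc01.contoso.com")
    print(ldaps_preflight(cfg))
```

Run it with the DC name exactly as it appears in the DC certificate; an IP address or a short hostname makes the hostname check fail even when the chain is valid, which is the usual reason people reach for Ignore SSL errors. A socket.timeout from the preflight is the same symptom the AD Timeout setting addresses, so the value that makes the preflight succeed is a sensible lower bound for that field.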