User Authentication : Active Directory / Azure AD / SAML 2.0 / OAUTH 2.0

Modified on Mon, 9 Dec at 11:02 AM

AGIR supports multiple authentication methods. Together, these resources ensure a range of options so that you can manage your users safely and efficiently. This integration is essentially used to manage the login in the application (username and password).

Permissions are managed internally by AGIR through individual customization or the creation of profiles and user groups.


The available authentication methods are:

  1. LDAP Active Directory
  2. Azure Active Directory
  3. SAML 2.0
  4. OAUTH 2.0
  5. Local Authentication: Local Username and Password


If you do not activate any of the methods defined above, AGIR will assume local authentication as the default option (Method 5).


Additionally, AGIR supports multiple authentication methods in the same organization. For example, you can activate LDAP and Local authentication (methods 1 and 5) and define each user's authentication method.



1. LDAP Active Directory


AGIR enables you to set up an integration with LDAP using Active Directory. Once you're done setting up, you can authenticate users by means of a secure LDAP server.

You can configure the Active Directory integration through the AGIR Config Console.

To configure this integration, proceed as follows:


1. Select your user name and click on AGIR Config.



2. On the Advanced Settings tab, click on Active Directory.



3. Complete the following fields according to your organization's Active Directory settings:




LDAP Connection

Required to connect to Active Directory. 

For example, if your LDAP server is 192.139.1.100 and your domain is yourdomain.org:

  • Secure (recommended): LDAP://192.139.1.100:636/dc=yourdomain,dc=org
  • Unsecure: LDAP://192.139.1.100/dc=yourdomain,dc=org


ATTENTION: A key requirement for a successful AD integration is that the username registered in AGIR exactly matches the AD username.
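As an added illustration (not AGIR's own code), the following script checks an "LDAP Connection" value against the format shown above before it is saved: it parses host, port and base DN, flags the unsecure form (no :636), and verifies that the base DN matches the organization's domain. The function names and the sample values other than those in this article are the example's own.

```python
"""Added example (not AGIR's own code): check an "LDAP Connection" value
before saving it in AGIR Config, using the format the article shows."""
import re

# Format shown in the article: LDAP://<host>[:<port>]/<base DN>
_LDAP_RE = re.compile(r"^LDAP://(?P<host>[A-Za-z0-9.\-]+)(?::(?P<port>\d{1,5}))?/(?P<base>.+)$",
                      re.IGNORECASE)
LDAP_PORT, LDAPS_PORT = 389, 636  # standard plain-LDAP and LDAPS ports


def parse_ldap_connection(value: str) -> dict:
    """Split the connection string into host, port and base DN.
    Raises ValueError when it does not follow the expected format."""
    m = _LDAP_RE.match(value.strip())
    if not m:
        raise ValueError(f"not an LDAP://host[:port]/baseDN string: {value!r}")
    port = int(m["port"]) if m["port"] else LDAP_PORT  # no port: plain LDAP default
    return {"host": m["host"], "port": port, "base_dn": m["base"],
            "secure": port == LDAPS_PORT}  # the article's "Secure (recommended)" form


def base_dn_for_domain(domain: str) -> str:
    """yourdomain.org -> dc=yourdomain,dc=org, as the article builds it."""
    return ",".join(f"dc={label}" for label in domain.lower().strip(".").split("."))


def check_ldap_connection(value: str, domain: str) -> list:
    """Return human-readable findings; an empty list means the value looks right."""
    try:
        conn = parse_ldap_connection(value)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if not conn["secure"]:
        findings.append(f"port {conn['port']} is plain LDAP; use :{LDAPS_PORT} (LDAPS) "
                        "so the bind credentials are not sent in clear text")
    expected = base_dn_for_domain(domain)
    if conn["base_dn"].replace(" ", "").lower() != expected:
        findings.append(f"base DN {conn['base_dn']!r} does not match domain "
                        f"{domain!r} (expected {expected!r})")
    return findings


if __name__ == "__main__":
    for value in ("LDAP://192.139.1.100:636/dc=yourdomain,dc=org",
                  "LDAP://192.139.1.100/dc=yourdomain,dc=org",
                  "ldap://192.139.1.100:636/dc=otherdomain,dc=org"):
        print(value, "->", check_ldap_connection(value, "yourdomain.org") or "OK")
```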











Filter

LDAP syntax filters can be used in many situations for Active Directory queries. To learn more about filters, see the tutorial Active Directory: LDAP Syntax Filters.

You can leave this field blank if you don't need to apply any filters.



Authentication

Select one authentication method from the list below.

If you don't need one of these methods, or if you don't have information regarding this property, use the default option, Secure.

The "Secure" authentication method in Active Directory refers to the use of secure protocols, such as Kerberos, for authentication. It ensures that the communication between clients and domain controllers is secure and protected from interference or any sort of tampering.




Anonymous Authentication:

Anonymous authentication is a method in Active Directory that allows users to access certain resources without providing any credentials. When anonymous authentication is enabled, users can access the specified resources without authenticating themselves. This can be useful for publicly accessible information that does not require user authentication.

 

Delegation:

Delegation is an authentication method in Active Directory that allows a service or process to impersonate a user and access network resources on behalf of that user. With delegation, a user can delegate their credentials to a service, and the service can use those credentials to access resources on other systems within the network. Delegation requires proper configuration and security settings to ensure that only authorized services can use the delegated credentials.

 

Encryption:

Encryption is not an authentication method itself but a security mechanism used to protect data during transmission. Active Directory supports encryption using various protocols, such as Kerberos and Secure Sockets Layer (SSL). Encryption ensures that data is securely transmitted over the network and cannot be intercepted or tampered with by unauthorized parties.

 

Fast Bind:

Fast Bind is an optimization feature in Active Directory that allows for quicker authentication and binding to the directory service. It enables clients to cache their authentication credentials, reducing the time required for subsequent authentication requests. This can improve the overall performance of Active Directory authentication processes.

 

None:

"None" typically refers to the absence of any authentication method. In Active Directory, it means that no authentication is required to access the specified resource or to perform a particular action. This is often used for publicly accessible information or when no authentication is necessary.

 

Read-only Server:

A read-only server is a server in Active Directory that is configured to only allow read operations, such as querying and retrieving information from the directory. It does not allow write or modify operations. Read-only servers can improve performance by offloading read operations from other domain controllers.

 

Sealing:

Sealing is a security feature in Active Directory that ensures the integrity and confidentiality of data transmitted between domain controllers. It encrypts the data to prevent unauthorized access or tampering during transit.

 

Secure:

The "Secure" authentication method in Active Directory refers to the use of secure protocols, such as Kerberos, for authentication. It ensures that the communication between clients and domain controllers is secure and protected from any sort of tampering.

 

Secure Sockets Layer (SSL):

Secure Sockets Layer (SSL) is a cryptographic protocol that provides secure communication over the internet. In the context of Active Directory, SSL can be used to encrypt the communication between clients and domain controllers, ensuring the confidentiality and integrity of the data transmitted.

 

Server Bind:

Server Bind is an authentication method used in Lightweight Directory Access Protocol (LDAP) to establish a connection and authenticate with a directory server. It involves sending authentication credentials to the server and receiving a response to determine the success or failure of the authentication attempt.

 

Signing:

Signing is a security feature in Active Directory that ensures the integrity and authenticity of data transmitted between domain controllers. It adds a digital signature to the data, allowing the recipient to verify that the data has not been tampered with and originated from a trusted source.





AD Domain


Default domain under which users who want to be authenticated against Active Directory reside. When a user logs in with a username, the default domain is added to the username before sending it to the LDAP server. 

You can leave this field blank if you don't need or don't have information about this property.






Self-registration / sign-in

Users are usually created manually or imported via an Excel file. There is also the possibility of self-registration of an AD user.

By activating this property, a user who has access to the AGIR URL can log in for the first time using AD credentials. If successful authentication is achieved, that user will be automatically created in AGIR, and will automatically gain permissions corresponding to a user group created for that purpose.


To activate this option, click on "Allow registered AD users to automatically sign in to AGIR using AD credentials at login" and select in which group these users should be included as default.










Normally these users should have basic permissions, such as the document reader permission.

An AGIR administrator or Staff Manager can then complete the user's profile with more details and fine-tune the permissions to their liking.













2. Azure AD


Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between an identity provider and a service provider. SAML is an XML-based markup language for security assertions, which are statements that service providers use to make access-control decisions. 


In the case of Azure AD, we provide the following link, which exemplifies the configuration with SAML: Quickstart: Add an enterprise application.


If the application you are looking for is not in the gallery, select the link, create your own application and then, under "What are you looking to do with your application?", choose "Integrate any other application you don't find in the gallery".


  • Identifier (Entity ID): https://yourcompanyname.myagir.pt/
  • Reply URL: https://yourcompanyname.myagir.pt/SAML/SAMLAuth.aspx

After following the steps above, we will need the following information:

  • SAMLProviderEndpointURL: Login URL
  • SAMLProviderLogoutURL: Logout URL
  • Certificate
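As an added example (not AGIR's or Microsoft's code), this script cross-checks the values exchanged above before they are sent to the AGIR team: every endpoint must be https, and the Reply URL must point at the SAMLAuth.aspx endpoint on the same AGIR host as the Entity ID, since that is where Azure AD will post the assertion. The function name and the idp.example URLs are the example's own; the real Login and Logout URLs come from Azure AD.

```python
"""Added example (not AGIR's or Microsoft's code): cross-check the SAML values
exchanged with Azure AD before sending them to the AGIR team."""
from urllib.parse import urlsplit

AGIR_REPLY_PATH = "/SAML/SAMLAuth.aspx"  # Reply URL path shown in the article


def check_saml_settings(entity_id: str, reply_url: str,
                        login_url: str, logout_url: str) -> list:
    """entity_id / reply_url are what you enter in Azure AD; login_url / logout_url
    are the SAMLProviderEndpointURL / SAMLProviderLogoutURL that AGIR needs back.
    Returns findings; an empty list means the set is consistent."""
    findings = []
    named = (("Identifier (Entity ID)", entity_id), ("Reply URL", reply_url),
             ("SAMLProviderEndpointURL", login_url), ("SAMLProviderLogoutURL", logout_url))
    # Assertions and sign-in redirects carry identity data: https only.
    for name, url in named:
        if urlsplit(url).scheme.lower() != "https":
            findings.append(f"{name} must use https, got {url!r}")
    ent, rep = urlsplit(entity_id), urlsplit(reply_url)
    # Azure AD posts the assertion to the Reply URL, so it must be the AGIR host
    # named by the Entity ID and the SAMLAuth.aspx endpoint, not another site.
    if rep.netloc.lower() != ent.netloc.lower():
        findings.append(f"Reply URL host {rep.netloc!r} differs from Entity ID host {ent.netloc!r}")
    if rep.path != AGIR_REPLY_PATH:
        findings.append(f"Reply URL path {rep.path!r} should be {AGIR_REPLY_PATH!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample values for the IdP URLs; the real ones come from Azure AD.
    print(check_saml_settings("https://yourcompanyname.myagir.pt/",
                              "https://yourcompanyname.myagir.pt/SAML/SAMLAuth.aspx",
                              "https://idp.example/saml2/login",
                              "https://idp.example/saml2/logout") or "OK")
```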



Once you're done picking which technology you wish to activate, contact our team with the necessary information and, if possible, create an AD test account for us to test on our side.

We are also available for a meeting to clarify this matter further, if necessary :).






ATTENTION: If you are using Azure AD integration via SAML, you don't need to configure any LDAP integration. Under the user file, the AD integration must be turned off, as the integration is carried out by SAML.





How to log in as a user with no Azure AD integration?

If you have Azure AD integration but not all users are AD users, you may still apply a local authentication.


These users will have to use the special URL https://yourcompanyname/login.aspx?SAML=0 and then use the normal local authentication method (username and password).










3. SAML 2.0 and OAUTH 2.0


Special authentication methods based on SAML 2.0 or OAUTH 2.0 are available as advanced settings.

These methods are not part of our standard offer so please contact our support team if you need to implement these authentication methods.




