LDAP Authentication

There are several ways to authenticate users of the service management application. By default, the system uses its internal authentication mechanism, but it can also authenticate against one or more Directory Servers or use OpenID Providers.

Internal Authentication

Using internal authentication requires the Administrator or Supervisor to create accounts for all User types by entering the contact information, access levels and password. This information is then saved to the system database. Internal Authentication is typically used where there are few Users, or in an environment that has no pre-existing directory server. Usually, the Administrator configures the User accounts before announcing that the system is operational and, from that point on, maintains the accounts as necessary. (See: Create Customers or Create Users.)

OpenID Providers

OpenID is a decentralized process to verify a Customer's or User's online identity. It addresses the single sign-on issue by not relying on a centralized website to confirm a User's identity. The system can be enabled to be an OpenID consumer, which provides seamless authentication between third-party authentication utilities and the service management system. OpenID Providers are configured within the Social tab, and Customers or Users that have accounts with the configured OpenID Providers can log into the system by selecting the relevant icon on the Login page.

Directory Server Authentication

The system allows the Administrator to connect to one or more Directory Servers for User authentication purposes. This removes the need to create User accounts, because the application synchronizes User accounts and access levels with the existing Directory Server. It has the added benefit of allowing the Administrator to work with existing infrastructure. (See: AD Authentication or LDAP Authentication.)

Directory Server Groups (External Authentication)

Roles are used to grant access within the application. Users must be assigned to Groups on the directory server that correspond to the Roles within the support system. Group members are assigned Roles and access levels within the service management tool.

 

The default group names the system expects to find on the directory server are:

 

The Group names can be customized in the LDAP/Active Directory Advanced tab. Users can belong to more than one group. For example, a User who holds the Roles of Technician and Manager would belong to the Technicians and Managers groups.

The following fields may or may not be mapped, depending on the options set by the system Administrator:

 

Email Address

All User accounts must include an email address to be successfully imported into the system. If additional fields have been mapped from the authentication server to corresponding fields in the application, a drop-down menu containing all the optional values for the field will be available beside the mapped field. Choose the correct value from each list.
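
A pre-sync audit of the rules above, as an added example that is not part of the product or its documentation: it resolves each account's Roles from its group memberships and flags accounts that lack the email address the import requires. The `uid`, `mail` and `memberOf` attribute names and the sample entries are assumptions; only the Technicians and Managers groups and their Roles come from the text above.

```python
import re

# Group-to-Role map. "Technicians" and "Managers" are the group names the page
# mentions; substitute whatever is set in the LDAP/Active Directory Advanced tab.
GROUP_TO_ROLE = {"Technicians": "Technician", "Managers": "Manager"}

# Leading CN of a group DN, allowing backslash-escaped characters (RFC 4514).
_CN = re.compile(r"^cn=((?:\\.|[^,\\])+)", re.IGNORECASE)

def group_cn(dn):
    """Return the CN of a group DN, or None if the DN does not start with CN=."""
    m = _CN.match(dn.strip())
    return re.sub(r"\\(.)", r"\1", m.group(1)).strip() if m else None

def audit(entries, group_to_role=GROUP_TO_ROLE):
    """Classify directory entries before a sync.

    importable - {uid: sorted Roles} for accounts with an email and a mapped group
    blocked    - uids in a mapped group but with no email (import would fail)
    unassigned - uids in no mapped group (no Role would be granted)
    """
    # cn values are compared case-insensitively, as directories do.
    wanted = {g.lower(): r for g, r in group_to_role.items()}
    importable, blocked, unassigned = {}, [], []
    for e in entries:
        cns = (group_cn(dn) for dn in e.get("memberOf", []))
        roles = sorted({wanted[c.lower()] for c in cns if c and c.lower() in wanted})
        if not roles:
            unassigned.append(e["uid"])
        elif not (e.get("mail") or "").strip():
            blocked.append(e["uid"])
        else:
            importable[e["uid"]] = roles
    return importable, blocked, unassigned

# Constructed sample entries (not from any real directory).
_G = "OU=Groups,DC=example,DC=com"
SAMPLE = [
    {"uid": "asmith", "mail": "asmith@example.com",
     "memberOf": ["CN=Technicians," + _G, "cn=managers," + _G]},
    {"uid": "bjones", "mail": "", "memberOf": ["CN=Technicians," + _G]},
    {"uid": "cwu", "mail": "cwu@example.com", "memberOf": ["CN=Finance\\, EU," + _G]},
    {"uid": "dlee", "mail": "dlee@example.com", "memberOf": ["OU=Technicians,DC=example,DC=com"]},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Matching is by CN only, so a same-named group in another OU would also count; compare full DNs if the directory contains such duplicates.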

 

Mixed Mode Authentication

The application can use a combination of internal and external authentication. This means the service management tool can be synchronized with a Directory Server to import User and Customer details, while also allowing Customer Accounts to be created directly within the system. This is useful if the service and support solution is being used for both internal and external customer support.

To enable Mixed Mode authentication, after the system has connected to the Directory Server, move to the Setup>Privileges>Customer tab and enable the Include Customers option to display the Mixed Mode field. Set the Mixed Mode option to Yes.