Single Sign-on with Active Directory


When using Active Directory the web server hosting the Softadmin® system must be hosted inside the customer's domain.

As long as users are using workstations that are also inside the customer's domain, and their computer trusts the web server, their credentials are automatically forwarded to the Softadmin® system. Otherwise users will be prompted for their domain username and password to log in.

Modes

Simple Single Sign-on

How it behaves

When a user navigates to the login page they are automatically logged onto the Softadmin® system as the Softadmin®-user matching their user name (see username modes). If no Softadmin®-user exists matching their name but the system is configured with a guest account then the guest account is used. Otherwise they are shown the built-in Softadmin® login screen where they may attempt to log in using a username and Softadmin®-password instead.

When to use

Simple single sign-on requires users to have been created in the system beforehand and requires all administration of permissions to be done by the system rather than in the Active Directory. These restrictions mean that it is most useful for systems with few users and systems where a custom integration creates users and administers the permissions.

Configuration

Enable with the SingleSignOn setting and set SingleSignOnDomainName to the correct domain. If a guest account should be used, configure it with the SingleSignOnDefaultUsername setting.

See the IIS configuration page.

Username Modes

Username mode controls which property is used to map accounts to Softadmin® users. You control username mode with the system setting SingleSignOnUsernameMode.

The userPrincipalName mode is recommended if you intend to integrate with Microsoft Graph, because calling the Graph APIs for a user requires knowing their userPrincipalName.

sAMAccountName

The sAMAccountName is a traditional username, restricted to 20 characters in length. For example, the user MyCompany\Sam has the sAMAccountName Sam and would be logged in as the Softadmin® user Sam.

See also https://docs.microsoft.com/windows/desktop/AD/naming-properties#samaccountname.

userPrincipalName

The userPrincipalName looks like an email address, though it can differ from a user's actual email address.

Softadmin® requires users to have an explicit principal name, and for their principal name to be no more than 120 characters long. It is technically possible, though rare, for an Active Directory user to violate either of these requirements.

See also https://docs.microsoft.com/windows/desktop/AD/naming-properties#userprincipalname.
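The following is an added example, not Softadmin® code, that models the rules described on this page: the settings SingleSignOn, SingleSignOnDomainName, SingleSignOnUsernameMode and SingleSignOnDefaultUsername, the two username modes with their length limits, and the fallback order (matching user, then guest account, then the built-in login screen). The shape of the forwarded Windows identity, the plain set used as the Softadmin® user store, case-insensitive name matching and the handling of an identity from a different domain are assumptions made for the example.

```python
"""Added example, not Softadmin code: a model of the account-mapping and
fallback rules for simple single sign-on with Active Directory.

Assumed (not stated on the page): the forwarded Windows identity carries the
domain, the sAMAccountName and an optional userPrincipalName; the Softadmin
user store is a plain set of usernames; and matching is case-insensitive,
as Windows account names are.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

SAM_ACCOUNT_NAME_MAX = 20   # sAMAccountName length limit (from the page)
UPN_MAX = 120               # Softadmin's userPrincipalName length limit (from the page)


@dataclass(frozen=True)
class WindowsIdentity:
    domain: str
    sam_account_name: str
    user_principal_name: Optional[str]  # AD users may, rarely, lack an explicit UPN


@dataclass(frozen=True)
class SsoSettings:
    """Mirrors the system settings named on the page."""
    single_sign_on: bool                    # SingleSignOn
    domain_name: str                        # SingleSignOnDomainName
    username_mode: str                      # SingleSignOnUsernameMode
    default_username: Optional[str] = None  # SingleSignOnDefaultUsername (guest), if any


def mapped_username(identity: WindowsIdentity, settings: SsoSettings) -> Optional[str]:
    """Pick the property that names the Softadmin user in the configured mode.

    Returns None when the identity cannot satisfy that mode's requirements:
    an empty or over-long sAMAccountName, or a missing or over-long UPN.
    """
    if settings.username_mode == "sAMAccountName":
        name = identity.sam_account_name
        return name if 0 < len(name) <= SAM_ACCOUNT_NAME_MAX else None
    if settings.username_mode == "userPrincipalName":
        upn = identity.user_principal_name
        return upn if upn and len(upn) <= UPN_MAX else None
    raise ValueError(f"unknown SingleSignOnUsernameMode: {settings.username_mode!r}")


def resolve_login(identity: WindowsIdentity, settings: SsoSettings,
                  softadmin_users: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Apply the fallback order from the page.

    ("user", name)          a Softadmin user matching the mapped name exists
    ("guest", name)         no match, but a guest account is configured
    ("login_screen", None)  no match and no guest: show the built-in login page
    """
    if not settings.single_sign_on:
        return ("login_screen", None)
    # Assumption: an identity from another domain is not logged on automatically
    # and is prompted for credentials, like a workstation outside the domain.
    if identity.domain.casefold() != settings.domain_name.casefold():
        return ("login_screen", None)

    name = mapped_username(identity, settings)
    known = {u.casefold(): u for u in softadmin_users}
    if name is not None and name.casefold() in known:
        return ("user", known[name.casefold()])
    if settings.default_username:
        return ("guest", settings.default_username)
    return ("login_screen", None)


# Constructed sample data for a stand-alone run.
SAMPLE_USERS = {"Sam", "ann@mycompany.example"}
SAM = WindowsIdentity("MyCompany", "Sam", "sam@mycompany.example")
ANN = WindowsIdentity("MyCompany", "Ann", "ann@mycompany.example")
NO_UPN = WindowsIdentity("MyCompany", "Bob", None)  # rare: no explicit UPN

SAM_MODE = SsoSettings(True, "MyCompany", "sAMAccountName")
UPN_MODE_WITH_GUEST = SsoSettings(True, "MyCompany", "userPrincipalName", "Guest")


if __name__ == "__main__":
    cases = [(SAM, SAM_MODE), (ANN, SAM_MODE), (ANN, UPN_MODE_WITH_GUEST), (NO_UPN, UPN_MODE_WITH_GUEST)]
    for ident, cfg in cases:
        outcome = resolve_login(ident, cfg, SAMPLE_USERS)
        print(f"{ident.domain}\\{ident.sam_account_name} in {cfg.username_mode}: {outcome}")
```

Running the block prints one line per sample case; the mode-specific length checks are the point of `mapped_username`, while `resolve_login` only decides which of the three outcomes from the page applies.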