Difference between revisions of "AD links"
Line 22: | Line 22: | ||
If all Students are to have identical Roles in Insight, enter the name. The alternative is to use * (asterix) to tell Insight to use the first matching Security Group name from the list that the user belongs to is to be used as the Insight Role | If all Students are to have identical Roles in Insight, enter the name. The alternative is to use * (asterix) to tell Insight to use the first matching Security Group name from the list that the user belongs to is to be used as the Insight Role | ||
− | |||
− | |||
− | |||
− | |||
Line 33: | Line 29: | ||
For student users, you will have to tell Insight if the EmployeeID field represents something different than the SIMS database id, either Admission Number or UPN. | For student users, you will have to tell Insight if the EmployeeID field represents something different than the SIMS database id, either Admission Number or UPN. | ||
− | If you intend or need to use a different AD Field than EmployeeID, for example the 'Pager' field or 'extensionAttribute4' in place of the, turn the ''' | + | If you intend or need to use a different AD Field than EmployeeID, for example the 'Pager' field or 'extensionAttribute4' in place of the, turn the '''Use alternative AD field in place of EmployeeID' switch, and enter the name of the alternate field. |
Insight can also check the given name and last name AD fields against the associated SIMS record to check that the AD record correctly links to the SIMS record - turn on the '''Check AD names against student names when logging in''' to perform this check. | Insight can also check the given name and last name AD fields against the associated SIMS record to check that the AD record correctly links to the SIMS record - turn on the '''Check AD names against student names when logging in''' to perform this check. |
Revision as of 08:50, 28 March 2012
Configuration
The AD links page is provided to allow the configuration of Insight to work with your Active Directory.
For student accounts, you can use existing Active Directory principals and create Insight accounts for them on first use. The uniquely identifying field by default is the EmployeeID field, but as an alternative you can user the Pager field, if for example the EmployeeID is already used, or it is not practical to make it visible.
For students the contents of this field can be either the SIMS database id, their Admission Number or their UPN. For parents and staff, Insight accounts must be created beforehand, and the uniquely identifying field must be populated with the SIMS database id.
Additionally, Active Directory Security groups should be created for the purpose of allowing and denying access to Insight.
You will need to have licensed the AD Links option to access the page. You can check for this in Reports –Licences, and re-license from here if necessary.
The AD Links menu allows you to configure the link to your Active Directory database, by providing details of your domain and an account which can read it. The most difficult part of configuring this is in getting the format of the options correct. Firstly, make sure the Check in AD when logging in is turned ON! The domain field should be in the form
mydomain.local
The User Container should be in the form
CN=Users,DC=mydomain,DC=local
The Domain reading user should be in the form
mydomain\user
The ...require membership of this Security Group should be the name of the Security Group alone and is sensitive to capitals. If you want to allow a selection of different Security Groups (year based perhaps) separate them with ; (semi-colon) characters.
If all Students are to have identical Roles in Insight, enter the name. The alternative is to use * (asterix) to tell Insight to use the first matching Security Group name from the list that the user belongs to is to be used as the Insight Role
If you want to allow staff to use Active Directory based login you will need to turn the Allow staff role users to use delegated login on.
For student users, you will have to tell Insight if the EmployeeID field represents something different than the SIMS database id, either Admission Number or UPN.
If you intend or need to use a different AD Field than EmployeeID, for example the 'Pager' field or 'extensionAttribute4' in place of the, turn the Use alternative AD field in place of EmployeeID' switch, and enter the name of the alternate field.
Insight can also check the given name and last name AD fields against the associated SIMS record to check that the AD record correctly links to the SIMS record - turn on the Check AD names against student names when logging in to perform this check.
Important
After updating the AD links details you will also need to set
Manage – Preferences – Login – Trust this host as an authentication provider
to the short name of your domain.
TroubleshootingIf you have problems implementing single sign on using Active Directory, use the Activity report to filter to the date and user, and activity "Login", then switch on the Detailed view. The whole process undertaked for that login will be displayed. |
Seamless login
An additional benefit of using this method to log in is that it supports Integrated Windows Authentication in supported browsers. This means that if the user is logged onto a computer within the domain, their account information can be used to log seamlessly into Insight, without requesting them to enter their account details by hand. To enable this, all of the previous settings must be working correctly.
To implement seamless login, direct those users who you expect to be able to login to the ADSSO.aspx page initially. If the user is not already logged into the domain, they will be redirected the the normal login page, where they can still enter their Active Directory username and password. Otherwise, depending on their Security Group membership, they will be passed straight through to Insight.
If you do not expect a user to be able to log in this way, they should be directed to the normal login URL.