Difference between revisions of "AD links"

From InsightWiki
Line 1: Line 1:
=NEW AD INFORMATION (Version 6.776+)=
+
{{Additional_module|£175}}
  
Please see link : [[NEW AD LINK INFOSHEET]]
+
==Introduction==
<br><br>
 
=Introduction=
 
  
AD links allows you to create accounts for your pupils using your Active Directory. Once accounts are created, pupils can log in to Insight and have all the same [[Role Options]] as a standard parental account - which can be configured to suit your needs.
+
The AD links page is used to link Insight with your Active Directory. This allows students, staff and parents to log in to Insight using the Active Directory login details. This is the only method that allows students to log in. Once accounts are created, pupils can log in to Insight and have all the same [[role options]] as a standard parental account - which can be configured to suit your needs. <br> <br>
  
AD Links is an optional add-on for Insight.
+
AD Links is an optional add-on for Insight and costs £175 p.a. You can check whether or not your school has purchased the AD links module by going to the [[licence details]] page. <br> <br>
  
=The AD Links Page=
+
==Configuring AD links==
  
The AD links page is provided to allow the configuration of Insight to work with your Active Directory.
+
You will first need to enter the details of your Active Directory into the fields on this page. Once this has been done, existing student, staff or parent accounts can be linked to the AD by [[accounts#synch|performing a synchronisation]]. <br> <br>
  
For student accounts, you can use existing Active Directory principals and Insight accounts will automatically be created for them on first use. The account principals in Active Directory will need to have a field set within them uniquely identifying the student in SIMS. The uniquely identifying field used by default is the EmployeeID field, but you can specify an alternate field if, for example, the EmployeeID is already used, or it is not practical to make it visible. 
+
[[Image:adlinks.jpg]] <br> <br>
The contents of this field will need to be either the SIMS database id (MISID), their Admission Number (ADNO) or their UPN. 
 
  
For parents and staff, Insight accounts must be created beforehand using the Synchronisation process, and the uniquely identifying field in the Active Directory principal must be populated with the SIMS database id. 
+
'''Check in AD when logging in''' <br>
 +
If this is switched off, all AD logins will be disabled <br> <br>
  
Additionally, Active Directory Security groups should be created for the purpose of allowing and denying access to Insight.
+
'''Domain''' <br>
 +
Enter the domain to use when checking for AD accounts. The domain should be in the form: mydomain.local <br> <br>
  
You will need to have licensed the AD Links option to access the page. You can check for this in Reports – Licenses, and re-license from here if necessary. 
+
'''User Container''' <br>
 +
Enter the containers of the users that you wish to grant access to. You should enter this in the following form: CN=Users,DC=mydomain,DC=local <br> <br>
  
The AD Links menu allows you to configure the link to your Active Directory database, by providing details of your domain and an account which can read it.  The most difficult part of configuring this is in getting the format of the options correct.
+
'''Domain reading user and domain reading password''' <br>
Firstly, make sure the '''Check in AD when logging in''' is turned ON!
+
Enter the username and password of an account to use to check the Active Directory for logins <br> <br>
The domain field should be in the form
 
    mydomain.local
 
The User Container should be in the form
 
    CN=Users,DC=mydomain,DC=local
 
The Domain reading user should be in the form
 
    mydomain\user
 
  
The '''...require membership of this Security Group''' should be the name of the Security Group alone and is sensitive to capitals.  If you want to allow a selection of different Security Groups (year based perhaps) separate them with ; (semi-colon) characters.
+
'''Parents require membership of this security group and Staff require membership of this security group''' <br>
 +
Parents and staff respectively must belong to the specified group in AD in order for their Insight user to be linked with their AD record <br> <br>
  
If all Students are to have identical Roles in Insight, enter the name.  The alternative is to use * (asterix) to tell Insight to use the first matching Security Group name from the list that the user belongs to is to be used as the Insight Role
+
'''Allow staff role users to use delegated login''' <br>
 +
This must be switched on if you want to allow staff to login using their Active Directory details <br> <br>
  
 +
'''Use alternative AD field in place of EmployeeID''' <br>
 +
By default Insight will check the EmployeeID field for the SIMS database ID number to identify parents. This will also be required for staff if you want them to log in using the Active Directory details, but they do not have trusted login accounts in SIMS. <br> <br>
  
If you want to allow staff to use Active Directory based login you will need to turn the '''Allow staff role users to use delegated login''' on.
+
Switch this option on if you want to use a different field <br> <br>
  
 +
'''Name of alternative field to use''' <br>
 +
When the above option is switched on, you will need to specify the name of the alternative field in AD that contains the SIMS database ID number <br> <br>
  
For student users, you will have to tell Insight if the EmployeeID field represents something different than the SIMS database id, either Admission Number or UPN.
+
'''Use student email addresses from AD''' <br>
 +
The alternative is to use the email addresses in SIMS <br> <br>
  
If you intend or need to use a different AD Field than EmployeeID, for example the 'Pager' field or 'extensionAttribute4' in place of the, turn the '''Use alternative AD field in place of EmployeeID' switch, and enter the name of the alternate field.
+
==Seamless login==
 +
 
 +
An additional benefit of using this method to log in is that it supports Integrated Windows Authentication in supported browsers.  This means that if the user is logged onto a computer within the domain, their account information can be used to log seamlessly into Insight, without requesting them to enter their account details by hand. <br> <br>
 +
 
 +
To enable this, all of the previous settings must be working correctly. <br> <br>
 +
 
 +
To implement seamless login, direct those users who you expect to be able to login to the ADSSO.aspx page initially. If the user is not already logged into the domain, they will be redirected to the normal login page, where they can still enter their Active Directory username and password.  Otherwise, depending on their Security Group membership, they will be passed straight through to Insight.
 +
If you do not expect a user to be able to log in this way, they should be directed to the normal login URL. <br> <br>
 +
 
 +
==Troubleshooting==
  
Insight can also check the given name and last name AD fields against the associated SIMS record to check that the AD record correctly links to the SIMS record - turn on the '''Check AD names against student names when logging in''' to perform this check.
+
If users are not able to log in using their AD details then click on the Activity Report link. This will open a window showing the most recent login attempts from AD linked users. This will provide more information as to why the login failed. <br> <br>
  
===Important===
+
If you want to allow staff to login using their Active Directory details, but have not given them trusted login accounts in SIMS, then the staff records in AD will need a field that hosts the staff members' SIMS database ID number. You can click the Staff Report link to download an XML file that contains all of the SIMS database ID numbers for staff with some other identifying fields (such as name and staff code). <br> <br>
After updating the AD links details you will also need to set
 
  '''Manage – Preferences – Login – Trust this host as an authentication provider'''
 
to the short name of your domain.
 
  
===Troubleshooting===
+
If you have problems implementing single sign on using Active Directory, use the Reports - Activity to filter as follows.
If you have problems implementing single sign on using Active Directory, use the Reports - Activity to filter as follows.
 
  
 
:the Date filtered to the date of the failed login
 
:the Date filtered to the date of the failed login
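Review bot: the per-field rewrite drops format details that the old text carried and the new field descriptions do not replace. "Domain reading user and domain reading password" no longer says the user should be in the form mydomain\user; the "...require membership of this security group" fields lose the note that the group name alone is entered, is sensitive to capitals, and that several groups can be separated with ; (semi-colon); the student identifier explanation (EmployeeID holding the SIMS database id (MISID), Admission Number (ADNO) or UPN) and the '''Check AD names against student names when logging in''' option have no counterpart in the new section; and the '''Manage – Preferences – Login – Trust this host as an authentication provider''' step under ===Important=== is removed although seamless login still depends on it. Carry those lines over into the new field descriptions rather than dropping them.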
Line 65: Line 71:
 
It will make for easier viewing to highlight and copy the contents of the detail field into notepad or similar.
 
It will make for easier viewing to highlight and copy the contents of the detail field into notepad or similar.
  
On the AD Links page, the "Test as" link can be used to test AD Logins. Log into Windows as an AD student and then into Insight as Admin and click this button to test.
+
[[Category:configuration]]
 
 
==Seamless login==
 
An additional benefit of using this method to log in is that it supports Integrated Windows Authentication in supported browsers.  This means that if the user is logged onto a computer within the domain, their account information can be used to log seamlessly into Insight, without requesting them to enter their account details by hand. 
 
To enable this, all of the previous settings must be working correctly. 
 
 
 
 
 
To implement seamless login, direct those users who you expect to be able to login to the ADSSO.aspx page initially. If the user is not already logged into the domain, they will be redirected to the normal login page, where they can still enter their Active Directory username and password.  Otherwise, depending on their Security Group membership, they will be passed straight through to Insight.
 
If you do not expect a user to be able to log in this way, they should be directed to the normal login URL.
 
 
 
[[Category:Admin]]
 
 
[[Category:technical]]
 
[[Category:technical]]
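Review bot: the old ===Troubleshooting=== tip that the "Test as" link on the AD Links page can be used to test AD logins (log into Windows as an AD student, then into Insight as Admin and click it) is removed with no replacement; it is the quickest check that the link works and belongs under the new ==Troubleshooting== heading. Also [[Category:Admin]] is dropped while [[Category:configuration]] is added; confirm the category change is intended.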

Revision as of 15:27, 29 July 2015

Additional Module

Introduction

The AD links page is used to link Insight with your Active Directory. This allows students, staff and parents to log in to Insight using their Active Directory login details, and it is the only method that allows students to log in. Once accounts are created, pupils can log in to Insight and have all the same role options as a standard parental account, which can be configured to suit your needs.

AD Links is an optional add-on for Insight and costs £175 p.a. You can check whether or not your school has purchased the AD links module by going to the licence details page.

Configuring AD links

You will first need to enter the details of your Active Directory into the fields on this page. Once this has been done, existing student, staff or parent accounts can be linked to the AD by performing a synchronisation.

[Screenshot of the AD links page: Adlinks.jpg]

Check in AD when logging in
If this is switched off, all AD logins will be disabled.

Domain
Enter the domain to use when checking for AD accounts. The domain should be in the form: mydomain.local

User Container
Enter the containers of the users that you wish to grant access to. You should enter this in the following form: CN=Users,DC=mydomain,DC=local

Domain reading user and domain reading password
Enter the username and password of an account to use to check the Active Directory for logins.

Parents require membership of this security group and Staff require membership of this security group
Parents and staff respectively must belong to the specified group in AD in order for their Insight user to be linked with their AD record.

Allow staff role users to use delegated login
This must be switched on if you want to allow staff to log in using their Active Directory details.

Use alternative AD field in place of EmployeeID
By default Insight will check the EmployeeID field for the SIMS database ID number to identify parents. This will also be required for staff if you want them to log in using their Active Directory details but they do not have trusted login accounts in SIMS.

Switch this option on if you want to use a different field.

Name of alternative field to use
When the above option is switched on, you will need to specify the name of the alternative field in AD that contains the SIMS database ID number.

Use student email addresses from AD
Switch this on to take students' email addresses from AD; the alternative is to use the email addresses held in SIMS.
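As an added illustration, not Insight's own code, the following Python models how the settings above decide whether an AD principal can be linked to a SIMS record and what reason a failed attempt would report. The group names, attribute values and sample principals are constructed assumptions, and the in-memory directory stands in for the lookup the "Domain reading user" account would perform against the real AD.

```python
from dataclasses import dataclass, field

@dataclass
class ADLinksSettings:
    """Switches and fields from the AD links page; values are constructed."""
    check_in_ad: bool = True             # "Check in AD when logging in"
    user_container: str = "CN=Users,DC=mydomain,DC=local"
    parents_group: str = "InsightParents"    # hypothetical group names
    staff_group: str = "InsightStaff"
    allow_staff_delegated: bool = True   # "Allow staff role users to use delegated login"
    use_alternative_field: bool = False  # "Use alternative AD field in place of EmployeeID"
    alternative_field: str = ""          # "Name of alternative field to use"

@dataclass
class Principal:
    """Constructed AD user object: DN, attributes and memberOf group DNs."""
    dn: str
    attributes: dict = field(default_factory=dict)
    member_of: list = field(default_factory=list)

    def group_names(self):
        # memberOf lists group DNs; the page's settings name a group by its CN
        return {g.split(",")[0].removeprefix("CN=") for g in self.member_of}

def resolve_link(s: ADLinksSettings, p: Principal, role: str):
    """Return (sims_id, None) if the principal can be linked, else (None, reason)
    in the spirit of the Activity report's Detail column (a model, not Insight's code)."""
    if not s.check_in_ad:
        return None, "AD logins disabled: 'Check in AD when logging in' is off"
    if not p.dn.endswith("," + s.user_container):
        return None, f"{p.dn} is outside the user container {s.user_container}"
    if role == "staff" and not s.allow_staff_delegated:
        return None, "staff delegated login is switched off"
    needed = {"parent": s.parents_group, "staff": s.staff_group}.get(role)
    if needed and needed not in p.group_names():
        return None, f"not a member of required security group {needed!r}"
    attr = s.alternative_field if s.use_alternative_field else "employeeID"
    sims_id = str(p.attributes.get(attr, "")).strip()
    if not sims_id:
        return None, f"identifying field {attr!r} is empty, cannot map to SIMS ID"
    return sims_id, None

# Constructed sample principals, not from any real directory.
DIRECTORY = {
    "jsmith": Principal("CN=jsmith,CN=Users,DC=mydomain,DC=local", {"employeeID": "1042"},
                        ["CN=InsightParents,CN=Users,DC=mydomain,DC=local"]),
    "tjones": Principal("CN=tjones,CN=Users,DC=mydomain,DC=local",
                        {"employeeID": "", "extensionAttribute4": "2077"},
                        ["CN=InsightStaff,CN=Users,DC=mydomain,DC=local"]),
    "guest": Principal("CN=guest,OU=Visitors,DC=mydomain,DC=local"),
}
```

Running `resolve_link(ADLinksSettings(), DIRECTORY["tjones"], "staff")` reproduces the most common failure on this page, a staff principal whose EmployeeID is empty, and switching `use_alternative_field` on with `alternative_field="extensionAttribute4"` makes the same principal link.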

Seamless login

An additional benefit of using this method to log in is that it supports Integrated Windows Authentication in supported browsers. This means that if the user is logged onto a computer within the domain, their account information can be used to log seamlessly into Insight, without requesting them to enter their account details by hand.

To enable this, all of the previous settings must be working correctly.

To implement seamless login, direct those users who you expect to be able to log in to the ADSSO.aspx page initially. If the user is not already logged into the domain, they will be redirected to the normal login page, where they can still enter their Active Directory username and password. Otherwise, depending on their Security Group membership, they will be passed straight through to Insight. If you do not expect a user to be able to log in this way, they should be directed to the normal login URL.

Troubleshooting

If users are not able to log in using their AD details then click on the Activity Report link. This will open a window showing the most recent login attempts from AD linked users. This will provide more information as to why the login failed.

If you want to allow staff to log in using their Active Directory details, but have not given them trusted login accounts in SIMS, then the staff records in AD will need a field that holds the staff members' SIMS database ID number. You can click the Staff Report link to download an XML file that contains all of the SIMS database ID numbers for staff along with some other identifying fields (such as name and staff code).

If you have problems implementing single sign on using Active Directory, open Reports - Activity and set the filters as follows:

the Date filtered to the date of the failed login
the Activity filtered to "Login"
the Type set to an exclamation mark (!)

Now switch on the Detailed view using the toggle button on the toolbar; it looks like a cylinder with a cog.

Failed AD logins will have an *empty* username field.

The whole process undertaken for that login will be displayed in the Detail column.

It will make for easier viewing to highlight and copy the contents of the detail field into notepad or similar.