Configuring Authentication

Loftware Enterprise SP has the concept of local and domain users. Local users are assigned a password by the administrator within the Loftware Enterprise SP system. Domain users are configured in Loftware Enterprise SP, but their passwords are stored in an LDAP, Azure, or Federated Single Sign-On system.

If you use an LDAP, Azure, or Single Sign-On system, Loftware Enterprise SP can use that system to authenticate the user.

LDAP or Azure

By integrating Lightweight Directory Access Protocol (LDAP) or Azure Active Directory (AZ) authentication into Loftware Enterprise SP, you can enable users to sign in to Loftware Enterprise SP by using their domain credentials so that they do not have to maintain a separate password for use with Loftware Enterprise SP. To sign in to Loftware Enterprise SP, a user must also have an account configured in Loftware Enterprise SP, or you can enable auto-provisioning to automatically create and maintain users and group assignments in Loftware Enterprise SP using your LDAP or Azure service.

Auto-Provisioning

You can configure auto-provisioning in Loftware Enterprise SP to automatically create and update users and group assignments in Loftware Enterprise SP using data from your existing LDAP or Azure service. This allows a Directory Service Administrator to manage users and their groups via LDAP or Azure and not have to duplicate efforts to add those users into Loftware Enterprise SP.

Best Practice

Loftware recommends configuring only one LDAP or Azure service per Loftware Enterprise SP instance (a Loftware Application Server and a Loftware Database Server that are associated with each other by a Loftware Enterprise SP License).

When auto-provisioning is enabled, users in your LDAP/Azure service who belong to an LDAP/Azure group that is mapped to a Loftware group are automatically created in Loftware Enterprise SP when the user signs in to Loftware Enterprise SP, and the Loftware group memberships are automatically assigned based on the Loftware-to-LDAP or Loftware-to-Azure group mappings. You must still configure permissions for groups within Loftware Enterprise SP for users to have the appropriate access (for more information, see Create or Modify a Group).

If an auto-provisioned user already exists in Loftware Enterprise SP, the user's information and group assignments are automatically updated using the group mappings every time the user signs in to Loftware Enterprise SP.

Tip: If you manually add or remove a mapped group to or from an auto-provisioned user in Access Control, those manual changes will automatically be overwritten when the user signs in to Loftware Enterprise SP again. If you manually add or remove an unmapped group to or from an auto-provisioned user in Access Control, those group assignments will remain and are not affected by the auto-provisioning.

Auto-provisioned users are indicated with an Auto-Provisioned tag in the Properties pane for the user in Access Control, and the auto-provisioned status cannot be changed.
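The following is an added, hypothetical model of the sign-in group-sync rules described above; it is not Loftware's code and does not use any Loftware API. The directory group names, the Loftware group names, the `GROUP_MAPPINGS` table and the user records are constructed sample values. It also assumes (an assumption, not stated on this page) that users who were created manually rather than auto-provisioned are left untouched by the sync.

```python
"""Model of auto-provisioning group sync on sign-in (hypothetical illustration).

Rules modelled:
  * A directory user is created in the application only if they belong to at
    least one directory group that is mapped to an application group.
  * On every sign-in of an auto-provisioned user, memberships in MAPPED
    application groups are recomputed from the mappings (manual changes to
    mapped groups are overwritten).
  * Memberships in UNMAPPED application groups added manually are retained.
  * Permissions are still a separate, manual step per group (not modelled).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed mapping: directory (LDAP/Azure) group -> application group.
GROUP_MAPPINGS: Dict[str, str] = {
    "CN=PrintOperators,OU=Groups,DC=example,DC=com": "Print Operators",
    "CN=LabelDesigners,OU=Groups,DC=example,DC=com": "Label Designers",
}


@dataclass
class AppUser:
    """A user record inside the application (constructed sample type)."""
    name: str
    groups: Set[str] = field(default_factory=set)
    auto_provisioned: bool = False


def sync_on_sign_in(users: Dict[str, AppUser],
                    username: str,
                    directory_groups: Set[str]) -> Optional[AppUser]:
    """Apply the auto-provisioning rules when `username` signs in.

    `directory_groups` is the set of groups the directory service reports for
    the user. Returns the resulting application user, or None when the user
    does not exist and is in no mapped directory group (nothing is created).
    """
    # Application groups the user should hold according to the mappings.
    mapped_targets = {GROUP_MAPPINGS[g] for g in directory_groups if g in GROUP_MAPPINGS}
    # Every application group that is the target of some mapping.
    all_mapped_app_groups = set(GROUP_MAPPINGS.values())

    user = users.get(username)
    if user is None:
        if not mapped_targets:
            return None  # no mapped group membership: the user is not provisioned
        user = AppUser(name=username, auto_provisioned=True)
        users[username] = user

    if user.auto_provisioned:
        # Keep manually assigned unmapped groups; replace the mapped ones
        # with whatever the directory mappings currently say.
        unmapped_kept = user.groups - all_mapped_app_groups
        user.groups = unmapped_kept | mapped_targets
    # Assumption: manually created (non-auto-provisioned) users are not touched.
    return user


if __name__ == "__main__":
    store: Dict[str, AppUser] = {}
    bob = sync_on_sign_in(store, "bob", {"CN=PrintOperators,OU=Groups,DC=example,DC=com"})
    print(bob)
    bob.groups.update({"Local Auditors", "Label Designers"})  # manual edits
    print(sync_on_sign_in(store, "bob", {"CN=PrintOperators,OU=Groups,DC=example,DC=com"}))
```

The point worth checking in a review of such a setup is the last rule: a mapped group removed from a user by hand comes back on the next sign-in, and a mapped group added by hand disappears, so directory group membership, not the Access Control screen, is the authoritative place to control access for auto-provisioned users.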

Single Sign-On

Single Sign-On (SSO) enables users to sign in to Loftware Enterprise SP through a third-party authentication system, thereby bypassing the Loftware Enterprise SP sign-in page when connecting to a Loftware Enterprise SP environment.

Loftware Enterprise SP supports the following SSO protocols:

  • Kerberos version 5
  • Security Assertion Markup Language (SAML) V2.0

Kerberos can be used to provide Integrated Windows authentication.

SAML is an XML-based framework, and it can be used in both Windows and Linux environments. It is designed for online applications like Loftware Enterprise SP to share authentication information.

Users must be configured in Loftware Enterprise SP, and the user name must be the same as their IdP user name.

To configure Loftware Enterprise SP authentication, see the following topics: