Manage authentication servers and SSO

Relevant for: Administrators

This section describes how to manage all abilities related to authentication servers, such as LDAP or RADIUS, and Single Sign-On (SSO).

Note: Since data is imported only upon user login, the data stored for users who log in infrequently may be outdated.

Import LDAP user data (LDAP or RADIUS server)

This section describes how to import LDAP user data, such as phone numbers, when authenticating with an LDAP or RADIUS server.

In addition to importing the data, FireFlow can also automatically assign user roles based on the LDAP group membership. To import data that doesn't exist in FireFlow, create a custom field in FireFlow for this data.

Note: If both automatic creation of requestors upon authentication and importing user data from an LDAP server are enabled, then upon LDAP authentication, a requestor may be automatically created in FireFlow and assigned an AFA role.

In this case, the user will remain a requestor and not a privileged user, regardless of the AFA role assigned. For more details, see Enable or disable automatic user creation.

Note: A requestor cannot be converted to a privileged user, or vice versa, by changing the user's roles via LDAP import. A user's system role is permanent.

Do the following:

  1. In AFA, configure LDAP or RADIUS user authentication. For details, see Configure user authentication.

    You must select the Fetch user data from LDAP check box and complete the fields in the Mapping to LDAP Fields area.

  2. To enable automatically assigning FireFlow roles to all members of an LDAP group, do the following:

    1. Log in to FireFlow for configuration purposes. For details, see Log in for configuration purposes.
    2. In the main menu, click Configuration.

      The FireFlow Configuration page appears.

    3. Click Roles.

      The Select a role page appears.

    4. (Optional) To search for the desired role, type your search in the Type to filter your results field.

      The roles which match your search appear in the Functional roles area.

    5. In the row of the relevant role, click .

      The Users Assignment window for the role you chose appears.

    6. In the Auto-assign from LDAP area, in the Group DN field, type the name of the LDAP group.

    7. Click Save.

    All members of the specified LDAP group will automatically be assigned the role.

  3. To import fields from the server to fields in FireFlow, do the following:

    1. For each field that exists on the server but not in FireFlow, add a custom field in FireFlow. For more details, see Manage custom fields.

      Note: Do not add custom fields that have the same name as an existing field in FireFlow. Doing so will cause the import from the server to fail.

    2. Map the fields on the server to fields in FireFlow by doing the following:

      1. Switch to the AFA Administration area > Advanced Configuration tab.

        The Advanced Configuration page appears.

      2. Click Add.

        The Add New Configuration Parameter dialog is displayed.

      3. In the Name field, type LDAP_AttrCustom.

      4. In the Value field, type a list of custom FireFlow fields and the parallel LDAP fields in the following format:

        FF_Field1,LDAP_Attr1;FF_Field2,LDAP_Attr2;...

        Where:

        • FF_FieldX is the name of a user field in FireFlow into which you want to import data. This can be a built-in FireFlow field or a user-defined custom field.
        • LDAP_AttrX is the name of the user attribute on the LDAP server from which the data is read.

        For example, in order to map a user-defined custom field called "Department" to an LDAP attribute called "department", include the following in the semicolon-delimited list:

        Department,department

      5. Click OK.

      6. Click OK.
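The following is an added illustration, not AlgoSec's code: it parses a value in the LDAP_AttrCustom format described above, projects a sample LDAP entry onto FireFlow user fields, derives auto-assigned roles from a Group DN, and rejects the custom-field name clash the note warns about. The built-in field names, the sample entry, the group DN and the role name are constructed assumptions.

```python
# Assumed set of built-in FireFlow user fields (constructed for this example).
BUILTIN_FIELDS = {"Name", "EmailAddress", "Phone"}


def validate_custom_fields(custom_fields):
    """Reject custom fields that reuse an existing FireFlow field name,
    since that clash makes the LDAP import fail."""
    clash = set(custom_fields) & BUILTIN_FIELDS
    if clash:
        raise ValueError(f"custom fields shadow built-in fields: {sorted(clash)}")


def parse_attr_custom(value):
    """Parse 'FF_Field1,LDAP_Attr1;FF_Field2,LDAP_Attr2;...' into
    {ldap_attr_lowercase: ff_field}. Malformed or duplicate pairs are errors."""
    mapping = {}
    for pair in (p.strip() for p in value.split(";")):
        if not pair:                      # tolerate a trailing ';'
            continue
        parts = [p.strip() for p in pair.split(",")]
        if len(parts) != 2 or not all(parts):
            raise ValueError(f"malformed pair: {pair!r}")
        ff_field, ldap_attr = parts
        key = ldap_attr.lower()           # LDAP attribute names are case-insensitive
        if key in mapping or ff_field in mapping.values():
            raise ValueError(f"duplicate mapping in pair: {pair!r}")
        mapping[key] = ff_field
    return mapping


def import_user_data(entry, mapping):
    """Project one LDAP entry ({attr: [values]}) onto FireFlow fields.
    Attributes missing from the entry are skipped rather than written as empty."""
    attrs = {k.lower(): v for k, v in entry.items()}
    return {ff: attrs[a][0] for a, ff in mapping.items() if attrs.get(a)}


def roles_from_groups(entry, group_roles):
    """Return the roles whose configured Group DN appears in the entry's
    memberOf values (DNs compared case-insensitively)."""
    member_of = {dn.lower() for dn in entry.get("memberOf", [])}
    return sorted(r for dn, r in group_roles.items() if dn.lower() in member_of)


# Constructed sample: one LDAP entry and a parameter value an admin might enter.
SAMPLE_ENTRY = {
    "cn": ["jdoe"], "mail": ["jdoe@example.com"],
    "telephoneNumber": ["+1-555-0100"], "department": ["Network Ops"],
    "memberOf": ["CN=FF-Approvers,OU=Groups,DC=example,DC=com"],
}
SAMPLE_VALUE = "EmailAddress,mail;Phone,telephoneNumber;Department,department;"
```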

Import LDAP or IDP user data (SSO)

When authenticating with SSO, you can configure FireFlow to fetch user data from either the SSO response itself (from the IdP server) or from a separate call to an LDAP server. When fetching data from the IdP or LDAP server, you can retrieve data such as an email address or a phone number. When fetching data from an LDAP server, you can additionally retrieve group membership.

When fetching data from either an LDAP or IdP, you can map the imported data to the relevant field in FireFlow.

In AFA, configure SSO user authentication. For more details, see Configure user authentication.

Select the Fetch User Data checkbox, choose the source of user data: LDAP or IDP, and complete the relevant fields.

Enable or disable automatic user creation

If RADIUS and/or LDAP authentication is configured, and a requestor who does not exist in FireFlow attempts to log in to FireFlow, FireFlow checks the entered user credentials against the RADIUS or LDAP server. If the username and password pair exists in either database, then by default the requestor is automatically added to the FireFlow local user database and logged in.

Note: If both automatic creation of requestors upon authentication and importing user data from an LDAP server are enabled, then upon LDAP authentication, a requestor may be automatically created in FireFlow and assigned a role in AFA or FireFlow. In this case, the user will remain a requestor and not a privileged user, regardless of the role assigned.

If desired, you can disable the automatic creation of requestors. Authenticated requestors will be logged in, without being added to the local user database.

Use the generic procedure for overriding system defaults, and define the following parameter:

Configuration Parameter Name   Value
AutoCreateRequestors           0 - Disable automatic creation of requestors.
                               1 - Enable automatic creation of requestors. (Default)

For more details, see Override FireFlow system defaults.