Single Sign-on (SSO) and Active Directory (AD)

In this blog, we cover the advantages of using Single Sign-on and Active Directory for a web application such as Web Central or the Helpdesk Portal.

1. Overview

• Single Sign-on allows a user to log in with a single ID and password and then gain access to any of several related systems.

• Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks in 1999.

• A server running Active Directory Domain Services (AD DS) is called a domain controller.

• It authenticates and authorises all users and computers in a Windows domain type network, assigning and enforcing security policies for all computers and installing or updating software.

• For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or a normal user.

• LDAP, the Lightweight Directory Access Protocol, is a flexible mechanism for interacting with directory servers. It does, however, have a 1000-record limit per query, so large data sets must be fetched iteratively by narrowing the filter (e.g. username = a%, aa%, ab%…, b%, ba%...).

2. Advantages

Using Single Sign On (SSO) and LDAP connected to AD allows users to log in to any supported application.

The advantages of this are:

• Security – an authenticated and validated user
• No duplication of data
• No additional passwords required
• Quicker access to applications

3. Application Process Examples

Various processes can be used to set up an SSO application.

The database can store the user’s login credentials and validate them directly from the application.

An interface can be set up to transfer the data from Active Directory to the relevant ARCHIBUS database tables.

The application can automatically authenticate users through a direct LDAP link to Active Directory.

An application could check whether a user is locked out and when they last logged on (e.g. to deny access to users who have not logged in for over 15 months).

The application could automatically insert attribute data from AD (e.g. user name, email address, telephone, etc.) into the relevant ARCHIBUS tables (afm_users, em, cf).

4. Active Directory Attributes and Mapping

Active Directory fields are called attributes and can be mapped directly to ARCHIBUS fields:

| Active Directory Attribute                 | Field Heading   | ARCHIBUS Fieldname  | Type & Size | Example Data          |
|--------------------------------------------|-----------------|---------------------|-------------|-----------------------|
| sAMAccountName (25 characters)             | Employee ID     | em_id (Primary Key) | Char(35)    | jsmith                |
| givenName (40 characters)                  | First Name      | name_first          | Char(32)    | John                  |
| sn (40 characters)                         | Last Name       | name_last           | Char(32)    | Smith                 |
| mail (80 characters)                       | Email Address   | email               | Varchar(50) | john.smith@domain.com |
| telephoneNumber (20 characters)            | Telephone       | phone               | Char(20)    | 01234 567890          |
| physicalDeliveryOfficeName (20 characters) | Site            | site_id             | Varchar(12) | MARKET                |
| LastLogon                                  | Last Logon Date | New Field           | Date        | 131929029327298470    |

5. Date format in Active Directory

Active Directory holds date and time values as an 18-digit number. This is also known as 'Windows NT time format', 'Win32 FILETIME or SYSTEMTIME' or NTFS file time.

These are used in Microsoft Active Directory for pwdLastSet, accountExpires, LastLogon, LastLogonTimestamp, and LastPwdSet.

The timestamp is a 64-bit integer giving the number of 100-nanosecond intervals (1 nanosecond = one billionth (10^-9) of a second) since 1st Jan 1601 UTC (Universal Time Coordinated, formerly known as GMT).

The reason for this date is that the Gregorian calendar operates on a 400-year cycle, and 1601 is the first year of the cycle that was active at the time Windows NT was being designed.

lastLogon attribute example: 131929029327298470

To convert to a human-readable format:

• Divide by 10,000,000 to get seconds
• Divide the result by 60 to get minutes
• Divide the result by 60 to get hours
• Divide the result by 24 to get days
• Add that number of days to 1st Jan 1601 to get the actual date!
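The attribute mapping from section 4 and the date conversion just described, worked through as an added Python example (not code from the original post, MASS or ARCHIBUS). It assumes each AD user arrives as a plain dict of attribute name to string, as an LDAP client library would return it; FIELD_MAP, map_ad_user, is_inactive and the sample entry are my own. It also treats 0 and the sentinel 0x7FFFFFFFFFFFFFFF as "no date" (how AD stores an unset or never-expiring value) and reports mail values that would not fit the 50-character email field instead of silently cutting them.

```python
import calendar
from datetime import datetime, timedelta, timezone

# AD attribute -> (ARCHIBUS field, max length), taken from the mapping table above.
FIELD_MAP = {
    "sAMAccountName": ("em_id", 35),
    "givenName": ("name_first", 32),
    "sn": ("name_last", 32),
    "mail": ("email", 50),  # AD allows 80 characters here, so values can overflow
    "telephoneNumber": ("phone", 20),
    "physicalDeliveryOfficeName": ("site_id", 12),
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # AD's "never" sentinel (e.g. an accountExpires that never expires)
# Constructed sample entry (not real data) using the example values from the table.
SAMPLE_ENTRY = {"sAMAccountName": "jsmith", "givenName": "John", "sn": "Smith",
                "mail": "john.smith@domain.com", "telephoneNumber": "01234 567890",
                "physicalDeliveryOfficeName": "MARKET", "lastLogon": "131929029327298470"}

def filetime_to_datetime(value):
    """18-digit AD timestamp (100 ns ticks since 1601-01-01 UTC) -> UTC datetime; 0 or NEVER -> None."""
    value = int(value)
    if value <= 0 or value >= NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)  # ten 100 ns ticks = 1 us

def months_before(dt, months):
    """Calendar-aware 'dt minus N months', clamping the day to the target month's length."""
    years, month0 = divmod(dt.month - 1 - months, 12)
    year, month = dt.year + years, month0 + 1
    return dt.replace(year=year, month=month, day=min(dt.day, calendar.monthrange(year, month)[1]))

def is_inactive(last_logon, now, months=15):
    """True when the account has never logged on or last did so more than `months` months before now."""
    dt = filetime_to_datetime(last_logon)
    return dt is None or dt < months_before(now, months)

def map_ad_user(entry):
    """Build an ARCHIBUS em row from one AD entry; returns (row, problems) with over-long values truncated and reported."""
    row, problems = {}, []
    for attr, (field, size) in FIELD_MAP.items():
        value = (entry.get(attr) or "").strip()
        if len(value) > size:
            problems.append(f"{attr} is {len(value)} chars but {field} holds only {size}")
            value = value[:size]
        row[field] = value
    if not row["em_id"]:
        problems.append("sAMAccountName missing: no primary key value for em_id")
    row["last_logon"] = filetime_to_datetime(entry.get("lastLogon", 0))
    return row, problems
```

The page's example value 131929029327298470 converts to 2019-01-25 15:15:32 UTC. When applying the 15-month rule across a whole domain, read lastLogonTimestamp (which replicates between domain controllers) rather than lastLogon, which each domain controller records only for logons it handled itself.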
That concludes our brief and hopefully very useful summary of the many advantages of using Single Sign-on and Active Directory for a web application such as Web Central or the Helpdesk Portal. Our next blog will be appearing on the MASS website next Wednesday as part of our weekly blog series, so keep your eyes peeled!

If you would like any more information regarding this blog's topic, please don't hesitate to contact either myself or the MASS Technical Services Team. We are available on 0118 977 8560 or email us at news@mass-plc.com.

 

 

 Andrew Taylor 


