There are three authentication modules available in Ubersmith: Active Directory, LDAP, and SAML.
Access the Add Authentication Module Page
- Access the User Authentication page.
- From the Authentication Modules section, click Add New Authentication Module.
The Add Authentication Module page appears.
Complete the Details Tab
- In the Enabled field, select Yes to enable a specific authentication module.
- In the Module field, select the authentication module.
- In the Priority field, enter the priority that determines the order in which servers are used to authenticate users.
- Select the Create User on Login field to create a new user upon their first login attempt.
Complete the Config Tab
Click the Config tab.
Complete the Module Configuration section.
For Active Directory and LDAP:
- In the Server field, enter the IP address or hostname of the Active Directory or LDAP directory.
- In the Port field, enter the port the directory service is listening to. The default is 389.
- In the Use SSL field (for Active Directory) or the SSL/TLS field (for LDAP), select Yes if you want to use SSL with LDAP authentication, or select StartTLS. Note: SSL On is a deprecated feature per the OpenLDAP Foundation.
- In the Base DN field, enter the distinguished name to run queries against.
- In the Group DN field, enter the distinguished name in which groups are loaded and searched. This is prepended to the Base DN to form the complete DN for group queries.
- In the Group Class field, enter the distinguished name for the objectClass of the group. The default name is groups.
- In the Group Filter field, enter the filter to use when searching group objects, for example (&(objectClass=groups)(cn=*)).
- In the Group Member Attribute field, enter the group object attribute to use when loading the group’s members. The default is member.
- In the User DN field, enter the distinguished name the users are loaded and searched from. This is prepended to the Base DN to form the complete DN for user queries.
- In the User Class field, enter the name of the objectClass used for the LDAP user. The default is person.
- In the User Identifier field, enter the attribute of the user object that holds the username, which should be the Ubersmith login. The default for Active Directory is sAMAccountName and for LDAP is uid.
- In the User Membership field, enter the attribute field to use when loading the user’s group. If this field is populated, the Group Member Attribute field is ignored.
- In the User field, enter a username that allows Ubersmith to bind to the directory service to load the groups used when editing role-to-group permissions. This is required if the directory service does not allow anonymous binding.
- In the Password field, enter a password for the LDAP user, if the LDAP service does not allow for anonymous bind.
- In the Network Timeout field, enter the number of seconds before the system times out on binding to the Active Directory server.
- In the LDAP Version field (for Active Directory) or the Version field (for LDAP), enter the LDAP version being used. The default is 3.
- In the Allow password caching field, select Yes if you want to cache users’ hashed passwords upon successful logins, to be used when the LDAP server is unreachable.
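An added example, not part of the Ubersmith documentation or code: a small Python check that composes the group and user search bases the way the Group DN and User DN fields describe, escapes a login name for use in a search filter, and flags transport and bind settings worth reviewing before you save the module. The DirectoryConfig class, the user filter shape, and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class DirectoryConfig:
    # Field names mirror the Config tab; the class itself is hypothetical.
    server: str
    base_dn: str
    port: int = 389
    tls: str = "No"            # "No", "Yes" (SSL) or "StartTLS"
    group_dn: str = ""
    user_dn: str = ""
    user_class: str = "person"
    user_identifier: str = "uid"
    bind_user: str = ""
    allow_password_caching: bool = False

def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside a search filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def search_base(prefix: str, base_dn: str) -> str:
    """Prepend the Group DN or User DN to the Base DN, as the field help describes."""
    return ",".join(part.strip() for part in (prefix, base_dn) if part.strip())

def user_filter(cfg: DirectoryConfig, login: str) -> str:
    # Assumed filter shape, modelled on the page's Group Filter example.
    return "(&(objectClass=%s)(%s=%s))" % (
        cfg.user_class, cfg.user_identifier, escape_filter_value(login))

def review(cfg: DirectoryConfig) -> list:
    """Return transport and bind findings for a proposed configuration."""
    findings = []
    if cfg.tls == "No":
        findings.append("no SSL/StartTLS: bind and login passwords cross the network in cleartext")
    elif cfg.tls == "Yes" and cfg.port == 389:
        findings.append("SSL selected with port 389: LDAPS normally listens on 636")
    if not cfg.bind_user:
        findings.append("no bind user: the directory must permit anonymous bind")
    if cfg.allow_password_caching:
        findings.append("password caching on: cached hashes are used while the directory is unreachable")
    return findings

# Constructed sample values, not taken from any real deployment.
SAMPLE = DirectoryConfig(server="ldap.example.com", base_dn="dc=example,dc=com",
                         group_dn="ou=Groups", user_dn="ou=People",
                         bind_user="cn=svc-ubersmith,ou=Service,dc=example,dc=com")

if __name__ == "__main__":
    print("group base :", search_base(SAMPLE.group_dn, SAMPLE.base_dn))
    print("user base  :", search_base(SAMPLE.user_dn, SAMPLE.base_dn))
    print("user filter:", user_filter(SAMPLE, "o*brien(test)"))
    for finding in review(SAMPLE):
        print("finding    :", finding)
```

The composed search bases and filter can be tried against the directory with any LDAP client before the values are entered in the Config tab.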
For SAML:
In order to use SAML as an authentication method for Ubersmith, you must already have a relationship with a SAML identity provider. Ubersmith, the SAML service provider, will use your identity provider’s certificate to authenticate users.
- In the ID Provider (IdP) field, enter the URL of your SAML identity provider.
- In the IdP Name field, enter the name of your SAML identity provider.
- In the IdP Icon field, enter the URL address of your SAML identity provider’s logo.
- In the IdP Signon URL field, enter the URL address of your unique IdP ID login page.
- In the IdP Logout URL field, enter the URL address of your SAML identity provider’s sign off confirmation page.
- In the IdP x509 Certificate field, paste the IdP certificate provided by your SAML identity provider.
- In the Ubersmith “Login Name” Attribute Name field, enter user.
- In the First Name Attribute Name field, enter first.
- In the Last Name Attribute Name field, enter last.
- In the Email Address Attribute Name field, enter email.
- In the Permission Group Attribute Name field, enter access.
- In the Service Provider (SP) Entity ID field, enter your Ubersmith domain address.
- In the SP x509 Certificate field, paste your saml_sp.crt.
- In the SP x509 Private Key field, paste your saml_sp.pem.
Complete the Password Reset Configuration section.
- In the From Name field, enter the name that the password reset request email will be sent from.
- In the From Email field, enter the email address that the password reset request email will be sent from, or leave the default email address configured in the Company Identity page.
- In the Subject field, enter the subject of the password reset request email.
- In the Body field, enter the body of the password reset request email.
Complete the Brand Access Tab
- Click the Brand Access tab.
- In the Full Brand Access field, select Yes to give users of the selected authentication module access to all brands.
- In the Brand Access section, select each brand that users of the selected authentication module should have access to. If you selected full brand access, all brands are automatically selected.
- Click Save or Save & New.
After adding an authentication module, you will need to configure your user accounts to start logging in using the new authentication module.
Configuring Existing Users
If the user has the same user name in both Ubersmith and the authentication server:
- Access the Users page.
- From the user’s row, click their name or details.
The Preferences page appears.
- In the User Info section, click edit.
The User Info & Brand Access page appears.
- From the Authentication field, select the authentication server to use.
- Click Save.
Configuring New Users
- If the user does not have an Ubersmith account, the user logs in with the user name and password from the authentication server, and an Ubersmith account is automatically created.