Introduction
PhixFlow can be configured to allow external logins, where users are authenticated by external servers: the user's credentials (username/password) are maintained on external servers, and PhixFlow delegates to those servers to check whether the credentials are valid. Currently we support Active Directory and SAML / Single sign-on.
To log in to a PhixFlow instance, an External User must have an external group matching the PhixFlow instance's external login group, which is set in System Configuration.
Once logged in, External Users have access rights based on membership of a number of User Groups. Whereas local users are manually added to User Groups in PhixFlow, the User Groups for an External User are determined by mapping their groups in the external system (e.g. their Active Directory groups) to PhixFlow User Groups.
This document describes how to configure the external login groups in System Configuration and how to map external user groups to PhixFlow's User Groups.
See Active Directory or SAML / Single Sign-on for how to configure external login.
Multiple PhixFlow Instances
Where you have multiple PhixFlow instances (e.g. test v. prod), we recommend using group names that contain the instance name, e.g. phixflow_test_designer and phixflow_prod_designer. This allows you to have users with different access rights in different instances.
Configure the Login Groups
Go to the External Login tab in the System Configuration details.
There are two fields to configure:
...
Code Block |
---|
local |
Code Block |
---|
narnia.local |
...
The list of names of Active Directory groups authorized to use this instance of PhixFlow, separated by semicolons. There must be no spaces between the groups listed, just semicolons.
...
Set the External Login Groups field to a semicolon-separated list of external group names. An external user having any one of the external groups listed will be allowed to log in.
You can use {instance} to include the PhixFlow instance name.
Note that these groups do not have to be mapped to any of the PhixFlow User Groups (see below), although they can be if you wish.
Code Block |
---|
PHIXFLOW_ADMINS;PHIXFLOW_USERS_{instance} |
With the given configuration, assuming the instance name is ‘LIVE’, members of the following Active Directory groups will be authorized to log in to this PhixFlow instance:
- PHIXFLOW_ADMINS
- PHIXFLOW_USERS_LIVE
Examples
Assume the PhixFlow Instance is set to 'TEST'.
External Login Groups | Description |
---|---|
phixflow_login | Any user with the external group phixflow_login will be allowed to log in. |
phixflow_admin;phixflow_{instance}_login | Any user with the external group phixflow_admin or the group phixflow_test_login will be allowed to log in. |
Configure the User Groups
When Active Directory users log into PhixFlow, their Active Directory groups are mapped to PhixFlow User Groups. You can set up this mapping by specifying an Active Directory Group in a PhixFlow User Group. When an AD user in that Active Directory group logs into PhixFlow, they will be put into that PhixFlow User Group.
It is not necessary to map all of a user's External Groups to PhixFlow User Groups. For each user, any External Groups that are not mapped are simply ignored.
The mapping is configured in the User Group's External Login Group field.
You can use {instance} to include the PhixFlow instance name.
Examples
With the given configuration, assuming the instance name is ‘LIVE’, members of the Active Directory group ‘PHIXFLOW_USERS_LIVE’ will be members of the ‘Designers’ PhixFlow User Group.
Active Directory users appear on the Group Members list. There is a new column which indicates whether the user is a local user or an Active Directory user. Only local users can be added or removed from the list.
User Details
While editing an Active Directory user some fields are invisible. Login name cannot be changed. The domain of the User is shown in the header of the editor.
Assume the PhixFlow Instance is set to 'TEST'.
External Login Groups | Description |
---|---|
phixflow_designer | Any user with the external group phixflow_designer will have the access rights conferred by this User Group |
phixflow_admin;phixflow_{instance}_admin | Any user with the external group phixflow_admin or the group phixflow_test_login will have the access rights conferred by this User Group |
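The login-group check and the User Group mapping described in the two sections above can be modelled in a few lines to audit a planned configuration before entering it. This is an added example, not PhixFlow code; the function names, the Admins User Group, the hr_staff group and the case-insensitive matching are assumptions.

```python
# Illustrative model of the rules on this page; not PhixFlow's implementation.
# Assumption: group names are compared case-insensitively.

def expand(field, instance):
    """Split a semicolon-separated group field and substitute {instance}."""
    names = set()
    for raw in field.split(";"):
        if not raw or raw != raw.strip():
            raise ValueError(f"empty entry or stray space in {field!r}")
        names.add(raw.replace("{instance}", instance).casefold())
    return names

def resolve(ext_groups, login_field, user_group_fields, instance):
    """Return (may_log_in, sorted PhixFlow User Groups) for one external user."""
    held = {g.casefold() for g in ext_groups}
    if not held & expand(login_field, instance):
        return False, []          # no login group held: no access at all
    granted = [ug for ug, field in user_group_fields.items()
               if held & expand(field, instance)]
    return True, sorted(granted)  # unmapped external groups are ignored

def shared_across_instances(field):
    """Entries without {instance} match on every instance that uses this value."""
    return [n for n in field.split(";") if "{instance}" not in n]

# Constructed sample configuration (values follow the page's examples).
LOGIN_GROUPS = "phixflow_admin;phixflow_{instance}_login"
USER_GROUPS = {
    "Designers": "phixflow_{instance}_designer",
    "Admins": "phixflow_admin;phixflow_{instance}_admin",  # hypothetical User Group
}
# Constructed external user: test-instance designer plus an unrelated group.
ALICE = ["phixflow_test_login", "phixflow_test_designer", "hr_staff"]

if __name__ == "__main__":
    for inst in ("TEST", "PROD"):
        print(inst, resolve(ALICE, LOGIN_GROUPS, USER_GROUPS, inst))
    print("shared:", shared_across_instances(LOGIN_GROUPS))
```

Entries reported by shared_across_instances are worth reviewing when the same field value is reused on test and production, since membership of such a group matches on both.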