Introduction

You can set up access to PhixFlow either through PhixFlow Users, by integrating with your Active Directory infrastructure, or both. If you integrate with Active Directory, access control is maintained by mapping Active Directory groups to PhixFlow User Groups, as described below. With the Active Directory integration, users log in to PhixFlow using the same username and password as their Microsoft Windows domain login. This page describes how to integrate PhixFlow with Active Directory.

Configuring PhixFlow with Active Directory has a number of steps:

  1. Configure an authentication provider. This defines how to connect to an Active Directory domain.
  2. Add the authentication provider to the authentication manager.
  3. Define the external login group. This is the external group a user must belong to in order to log in.
  4. Map external groups to PhixFlow's User Groups. On login, PhixFlow maps the user's external groups to PhixFlow User Groups to determine what the user is allowed to do in this PhixFlow instance.


Configure the authentication provider in phixflow-login.xml

Connection details to the domain servers are configured in the file phixflow-login.xml, under [tomcat root]/webapps/phixflow/WEB-INF/classes. When you first install PhixFlow, you probably created a copy of this file by simply copying the example file phixflow-login.xml.example (see Install PhixFlow Webapp).

First you must define one or more authentication providers, then add them to the authentication manager.

Create an AuthProvider

To create a reference to a domain, find this part of the example file:

```xml
        <!-- Active Directory AuthProvider -->
        <!--
        You must provide one AuthProvider bean for each domain
        <security:authentication-provider ref="exampleActiveDirectoryAuthProvider" />
        -->
```

For example, if the AuthProvider bean for this domain will be called mydomainAuthProvider, update this to (remembering to remove the surrounding comment, and keeping the ref identical to the bean id you define below):

```xml
        <!-- Active Directory AuthProvider -->
        <security:authentication-provider ref="mydomainAuthProvider" />
```

Add connection details

Each AuthProvider bean holds the connection details for one domain. Find the template bean in the example file:

```xml
    <!-- You must provide one AuthProvider bean for each domain to which you want to connect,
        each based on one of the examples below, and add it to the authenticationManager above
    -->

    <!-- Example bean providing domain and url to authentication-provider -->
    <!--
    <bean id="exampleActiveDirectoryAuthProvider" parent="activeDirectoryAuthProvider">
        <constructor-arg index="0" value="narnia.local" />
        <constructor-arg index="1" value="ldap://192.168.150.81" />
    </bean>
    -->
```

Then uncomment and edit one of the example activeDirectoryAuthProvider beans to reflect your Active Directory configuration.

Simple connection

The simplest configuration references a single domain controller. For the domain mydomain.com, served by the domain controller at 192.168.1.1, it is illustrated below:

```xml
    <!-- Bean providing domain and url to authentication-provider for mydomain.com -->
    <bean id="mydomainAuthProvider" parent="activeDirectoryAuthProvider">
        <constructor-arg index="0" value="mydomain.com" />
        <constructor-arg index="1" value="ldaps://192.168.1.1" />
    </bean>
```

Advanced options

For the connection you can also specify the following options.

Domain servers (constructor-arg 1)

Some domains are served by multiple servers, to provide resilience and load balancing. These are specified in a space-separated list, and PhixFlow will try each of them in turn:

```xml
<constructor-arg index="1" value="ldaps://ad1.example.com ldaps://ad2.example.com" />
```

You can also specify the domain itself. This is equivalent to connecting to the list of domain controllers given in the DNS entry for the domain:

```xml
<constructor-arg index="1" value="ldaps://example.com" />
```

Root DN (constructor-arg 2)

If you have a large AD tree, searches may take some time, which could lead to slow authentication for users. You can therefore specify a root DN (Distinguished Name) at which PhixFlow will begin searching for the user. The Distinguished Name format is standard and further details can be found on the web.

```xml
<constructor-arg index="2" value="ou=User Accounts,ou=Operations,dc=emea,dc=example,dc=com" />
```

Timeout

You can specify a timeout, in milliseconds. For each server specified, if the server does not respond within the timeout, PhixFlow will try the next server. If the last server in the list times out, the authentication fails.

```xml
<property name="timeout" value="5000"/>
```

The following example, from phixflow-login.xml.example, illustrates the application of all the advanced options together:

```xml
    <!-- Template of a bean providing domain, multiple servers, connection timeout and separate rootDn -->
    <!--
    <bean id="exampleActiveDirectoryAuthProvider" parent="activeDirectoryAuthProvider">
        <constructor-arg index="0" value="example.com" />
        <constructor-arg index="1" value="ldap://ad1.example.com ldap://ad2.example.com" />
        <constructor-arg index="2" value="ou=User Accounts,ou=Operations,dc=emea,dc=example,dc=com" />
        <property name="timeout" value="5000"/>
    </bean>
    -->
```

Configure the authentication manager

Now add the AuthProvider you have just defined to the authenticationManager, by referencing its bean id.

The authentication manager should look something like this (omitting comments; here the ref is the example bean, so use the id of the bean you defined):

```xml
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="localAuthProvider" />
        <security:authentication-provider ref="exampleActiveDirectoryAuthProvider" />
    </security:authentication-manager>
```

We recommend that you do not remove the localAuthProvider, and that you retain a local administrator user so that you can still log in in the event of a problem with the Active Directory integration.
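The steps above leave several things that are easy to get wrong and that only show up as a failed login: a ref in the authentication manager that matches no bean, an AD bean that is defined but never listed in the manager, a removed localAuthProvider, a plain ldap:// URL, a malformed root DN, or a missing timeout. The following added example, which is not part of the PhixFlow page or product, is a small lint that reads a phixflow-login.xml fragment and reports those problems. It assumes the file uses the Spring beans and Spring Security namespaces and that AD providers are beans with parent="activeDirectoryAuthProvider", as the page's examples show; the sample fragment, bean names and addresses embedded in it are constructed for illustration.

```python
# Added example, not PhixFlow's own code: lint the AuthProvider beans and the
# authentication manager in a phixflow-login.xml fragment.
# Assumptions: Spring beans / Spring Security namespaces as declared in SAMPLE,
# AD providers are <bean parent="activeDirectoryAuthProvider">, and
# localAuthProvider plus the activeDirectoryAuthProvider parent bean are
# defined elsewhere in the file (so they are never reported as missing).
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "b": "http://www.springframework.org/schema/beans",
    "s": "http://www.springframework.org/schema/security",
}
AD_PARENT = "activeDirectoryAuthProvider"
LOCAL_PROVIDER = "localAuthProvider"
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")  # loose attr=value check per RDN

# Constructed sample fragment modelled on the page's examples (illustrative values).
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="localAuthProvider" />
    <security:authentication-provider ref="mydomainAuthProvider" />
    <security:authentication-provider ref="corporateAuthProvider" />
  </security:authentication-manager>
  <bean id="mydomainAuthProvider" parent="activeDirectoryAuthProvider">
    <constructor-arg index="0" value="mydomain.com" />
    <constructor-arg index="1" value="ldaps://192.168.1.1" />
    <property name="timeout" value="5000"/>
  </bean>
  <bean id="legacyAuthProvider" parent="activeDirectoryAuthProvider">
    <constructor-arg index="0" value="example.com" />
    <constructor-arg index="1" value="ldap://ad1.example.com ldaps://ad2.example.com" />
    <constructor-arg index="2" value="ou=User Accounts,ou=Operations,dc=emea,dc=example,dc=com" />
  </bean>
</beans>
"""


def dn_is_well_formed(dn):
    """Every comma-separated RDN must look like attr=value (escaped commas not handled)."""
    return all(RDN_RE.match(rdn.strip()) for rdn in dn.split(","))


def lint(xml_text):
    """Return a list of human-readable findings; an empty list means nothing to report."""
    root = ET.fromstring(xml_text)
    findings = []
    beans = {b.get("id"): b for b in root.findall("b:bean", NS)}
    ad_beans = {i: b for i, b in beans.items() if b.get("parent") == AD_PARENT}

    for bean_id, bean in ad_beans.items():
        args = {int(a.get("index", -1)): a.get("value", "")
                for a in bean.findall("b:constructor-arg", NS)}
        if not args.get(0):
            findings.append(f"{bean_id}: missing domain (constructor-arg 0)")
        servers = args.get(1, "").split()  # page: space-separated list, tried in turn
        if not servers:
            findings.append(f"{bean_id}: missing server list (constructor-arg 1)")
        for url in servers:
            scheme = urlsplit(url).scheme
            if scheme == "ldap":
                findings.append(f"{bean_id}: {url} uses plain ldap://; the bind password "
                                "is sent unencrypted unless TLS is negotiated, prefer ldaps://")
            elif scheme != "ldaps":
                findings.append(f"{bean_id}: {url} is not an ldap:// or ldaps:// URL")
        if 2 in args and not dn_is_well_formed(args[2]):
            findings.append(f"{bean_id}: root DN '{args[2]}' is not in attr=value,attr=value form")
        timeout = bean.find("b:property[@name='timeout']", NS)
        if timeout is None:
            findings.append(f"{bean_id}: no timeout property; set one so an unresponsive "
                            "server fails over to the next in the list")
        elif not timeout.get("value", "").isdigit():
            findings.append(f"{bean_id}: timeout must be an integer number of milliseconds")

    refs = [p.get("ref") for p in
            root.findall("s:authentication-manager/s:authentication-provider", NS)]
    if LOCAL_PROVIDER not in refs:
        findings.append(f"authentication-manager: {LOCAL_PROVIDER} is missing; keep it so a "
                        "local administrator can still log in")
    for ref in refs:
        if ref != LOCAL_PROVIDER and ref not in beans:
            findings.append(f"authentication-manager: ref '{ref}' has no matching bean")
    for bean_id in ad_beans:
        if bean_id not in refs:
            findings.append(f"{bean_id}: defined but not listed in the authentication-manager, "
                            "so it is never used")
    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE):
        print(line)
```

Run it against your own file with `lint(open("phixflow-login.xml").read())`; the sample above reports the dangling corporateAuthProvider ref, the unreferenced legacyAuthProvider bean, its plain ldap:// server, and its missing timeout, while mydomainAuthProvider passes. The DN check is deliberately loose (it does not handle escaped commas), so treat a DN finding as a prompt to look, not as proof of a fault.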

Configure Group mappings

PhixFlow Active Directory Setup

...