SSO LDAP/LDAPS Behaviors and Troubleshooting
The fields referenced here are found below in the Manage User Information and LDAP Properties Settings windows in the Classic UI.
SSO Logging
Logs for SSO are found in
<drive>:\Enterworks\logs\enable2020\enable-web-server-services\<date-time>-log-enable-web-server-service.log
.
Just In Time (JIT) Provisioning (Automatic Provisioning)
When Just In Time (JIT) provisioning (also know as Automatic provisioning) is enabled, EnterWorks will request that the IDP authenticates users and manages their user group assignments.
The process of authorization is as follows:
- The IDP sends a SAML response to EnterWorks.
-
EnterWorks checks to see if the user exists in the EnterWorks system.
-
If the username exists in EnterWorks, the login will be authorized and EnterWorks will update the list of the user's user groups to match the list of user groups in the IDP response.
-
If the username doesn't exist, EnterWorks will check the IDP's response to see if it contains one or more groups that exist in EnterWorks.
-
If the IDP's response does not contain one or more groups that exist in EnterWorks, the login will be unauthorized.
-
If one or more groups do exist, the login will be authorized and EnterWorks will update the list of the user's user groups to match the list of user groups in the IDP response.
-
-
When an existing EnterWorks user logs into EnterWorks, EnterWorks will verify with the IDP that the user exists in the IDP's directory and it will request a list of the groups the user belongs to. For each group on the returned list that exists in EnterWorks, if the user is not in the group, EnterWorks will add them. EnterWorks will then remove the user from any EnterWorks groups that are not on the list returned from the IDP.
For a user to be authenticated, the user must belong to at least one group in the IDP and that group has to exist in EnterWorks. If the group does not exist in EnterWorks, the user will not be authenticated.
username
When a bind operation is performed:
- If the first character in User Default Domain is
@
, the username used will be<userLogin>@<domain>
. - Else if the domain is not empty, the username used will be
<domain>\<userLogin>
. - Else (there is no domain), the username used will be
<userLogin>
.
Search Filter
- If
<login>
includes the character@
, (for example:jane.austen@enterworks.com
), then the filter used in a search will beuserPrincipalName = <login>
. - Else, if
<login>
does not have an@
in login, the filter used will beAMAccountName=<login>
.
Search Request Attributes
EnterWorks uses the following search request attributes:
-
givenName
-
sn
-
mail
-
uid
-
memberof
Primary Group and Group Sync
When you search for the groups a user belongs to, LDAP/LDAPS servers do not return the primary group.
Sub-groups
EnterWorks does not support sub-groups.
Open the Manage User Information Window
To open the Manage User Information window:
- Log into the Classic UI.
- Open the Feature bar, open the Users and Groups tab, and click Users to open the Users tab.
- Double-click a user's Login to open the user's record for editing. The Manage User Information window will open.
Open the LDAP Properties Settings Window
To open the LDAP Properties Settings configuration window:
- Log into the Classic UI.
- Open the Feature bar, open the Users and Groups tab, and click Users to open the Users tab.
- Open the Utilities dropdown list and select LDAP Configuration. The LDAP Properties Settings window will open.