!!!LDAP/AD Authentication

Table of Contents
OVERVIEW	4
LDAP/AD AUTHENTICATION	5
FEATURES	5
SETUP	5
LOGIN FLOW	5
FORGOTTEN PASSWORDS	6
 Overview
Intent
The purpose of this white paper is to inform Users how the LDAP compliant security servers such as Microsoft Active Directory will be used as the password control for Self-Service users.  
Audience
This white paper is intended for those users with knowledge of the ePersonality & Self-Service systems.   
Prerequisites
Users of this white paper should be familiar with the Windows Operating System user interfaces and able to successfully navigate through the standard windows objects.  The ability to use a mouse effectively is also a requirement.


















LDAP/AD Authentication 
This feature was created to allow LDAP compliant security services such as Microsoft Active Directory to be the password control for the Self-Service users when logging in.
Features
The clients desire to have integration with LDAP servers such as Microsoft Active Directory for login authentication for Self-Service interfaces, to allow user to use their network login user ID and password to login to the application, yet also wants to protect user’s personal data from being viewed by others when user is away from their PC, or in situations where multiple employees may be sharing one PC. 
While the majority of users are on the client’s network utilizing Active Directory, there are several departments on their own networks as well as other groups of users, such as retirees, who do not have Active Directory accounts on the client’s network.  For users with Active Directory accounts, password management (issuing/resetting) needs to be performed through the client’s Help Desk.  For users without Active Directory accounts, password management will be handled through the application’s existing password management functionalities.
Users with Active Directory accounts will use their network login user ID and password for authenticating whether accessing the applications from their work PC (already logged into the client’s network) or when accessing the applications from off-site locations (from PC’s not already logged into the client’s network).
The Candidate Self Service will not use Active Directory validation.

Setup
There are Preferences on the IMST that must be setup in order for this to be activated in the Self-Service system. 
IMST- Preferences: 
•	SS LOGIN TYPE	– must be set to “ACCESSOR”
•	LDAP AUTH ON	– ‘Y’ or ‘N’ to enable or disable, respectively, LDAP authentication. Defaulted to ‘N’.
•	LDAP HOST 	– hostname for the external LDAP server.  As an example, at HLC, our Active Directory hostname is ‘valasca.highlinecorp.com’. Defaulted to ‘’.
•	LDAP ENCRYPTION – Hash algorithm used to encrypt passwords on LDAP server. Defaulted to ‘DIGEST-MD5’.
The Accessor information (Access Key & Password) must be established for each Identity table (IEID).  The password can be cleared out ONLY if the LDAP AUTH ON site preference is set to Y.  
 
LOGIN Flow
	When the user selects the Self-Service interface, the application will display the appropriate login page:
o	The user must enter the ‘Access Key’ 
o	The “PIN” field will be displayed empty and the PIN will be entered by the user.
o	When the user clicks “Continue” the application will verify the Access Key against the Accessor records for the Identities table (IEID) and if it exists then it will authenticate both the user name and password against Active Directory.
-	If Active Directory authentication passes, continue with logging in of user into application.
-	If Active Directory authentication fails, before displaying a failed login message, authenticate using standard ePersonality methods.  IF the password is NULL in ePersonality the User is ONLY allowed to log in via the Active Directory authentication.
Forgotten Passwords
For the Employee/Manager Self-Service interface, clients have the ability to add header/footer pages to the Forgotten Password page so as to be able to indicate the steps the user should take when the user is a member of the client’s Active Directory.  This is done in the IMMS for Message “SS_CHG_PW_EN_10”.  

If the Access Key is entered and found to currently have a NULL password a new password should not be generated and the user should be given a message back to indicate they are “externally authenticated” and need to contact their system administration.
Ex: Server is set to authenticate user against external LDAP server. User sees this screen after clicking on ‘Forgot Password?’ link.