Active Directory and the Lightweight Directory Access Protocol (LDAP) are commonplace in large-scale companies and are critical to keeping information secure and users and computers properly managed. This article describes how Heed interacts with your Active Directory for user authentication and management.
OnPremise Deployments
User Synchronisation
When Heed is installed OnPremise, users are not managed within Heed but are instead synchronised from Active Directory. When users are created, modified or disabled in Active Directory, these changes are automatically synced to Heed by the Heed AD Sync Service.
The AD Sync Service scans for users modified since the last sync and saves the following information about each user:
Username (sAMAccountName)
Name (displayName)
Email Address (mail)
By default the directory is scanned every hour for changes, but this interval can be changed by modifying the sync interval within the system settings.
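An illustrative sketch of the delta scan described above, added here as an example and not code from Heed's AD Sync Service: it builds an LDAP filter for user objects changed since the last sync, formats the timestamp as LDAP GeneralizedTime, and reduces each returned entry to the three attributes the sync stores. It assumes a whenChanged-based filter and the userAccountControl disabled flag, which are common ways to implement such a scan rather than documented Heed behaviour, and the entries are constructed inline in place of a live directory search.

```python
from datetime import datetime, timezone

# Attributes the sync keeps for each user (per the page).
SYNC_ATTRIBUTES = ("sAMAccountName", "displayName", "mail")
ACCOUNTDISABLE = 0x2  # userAccountControl bit set on a disabled account

# Constructed timestamp of the previous sync run.
LAST_SYNC = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)

def generalized_time(ts: datetime) -> str:
    """Format a UTC datetime as LDAP GeneralizedTime, e.g. 20240101120000.0Z."""
    return ts.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.0Z")

def delta_user_filter(last_sync: datetime) -> str:
    """Filter for person/user objects changed since the last sync (assumed delta scan)."""
    return ("(&(objectClass=user)(objectCategory=person)"
            f"(whenChanged>={generalized_time(last_sync)}))")

def to_sync_record(entry: dict) -> dict:
    """Reduce a raw directory entry to the stored fields plus a disabled flag."""
    uac = int(entry.get("userAccountControl", 0))
    record = {attr: entry.get(attr) for attr in SYNC_ATTRIBUTES}
    record["disabled"] = bool(uac & ACCOUNTDISABLE)
    return record

# Constructed sample entries standing in for an LDAP search result.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe", "displayName": "Jane Doe",
     "mail": "jane.doe@example.com", "userAccountControl": 512},
    {"sAMAccountName": "bsmith", "displayName": "Bob Smith",
     "mail": "bob.smith@example.com", "userAccountControl": 514},  # 512 | ACCOUNTDISABLE
]

if __name__ == "__main__":
    print(delta_user_filter(LAST_SYNC))
    for e in SAMPLE_ENTRIES:
        print(to_sync_record(e))
```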
Installation
Installation is straightforward: run the Sync Service installer on the Heed application servers within your environment. Once installed, the system settings automatically become available, where you can select the domains and/or organisational units that you would like to sync and the sync frequency.
As the service runs under the context of a Service Account, the installer will ask for the Service Account credentials. The service will then authenticate with the LDAP Server using integrated authentication.
User Authentication
The desktop client uses Microsoft's Integrated Windows Authentication to authenticate users with Heed when they log in to their office computer. When using the Web Portal, users can log in with their Windows credentials; the web server connects to your LDAP server to authenticate the user.
Cloud Deployments
Customers with Heed deployments in our AWS Cloud can still utilise their Active Directory for user authentication and synchronisation with a hybrid cloud/OnPremise install.
User Synchronisation
To sync your Active Directory users to the AWS Cloud the Heed AD Sync Service will need to be installed on a Windows server within your environment. The service communicates with the AWS Cloud servers via a secure WebSocket, which is initiated by the AD Sync Service.
Configuration is controlled from the Heed servers in the AWS cloud. Once configured the AD Sync Service will periodically synchronise the users.
User Authentication
Authenticating users against Active Directory requires installing the Heed AD Authentication web service on a Windows Server within your environment; this server will need to be publicly accessible. Your AWS Cloud deployment is then configured to direct all authentication requests to this web service. The diagram below illustrates the authentication process flow, with the Authentication Service and the Domain Controller residing inside your corporate network.
Both the Authentication Service and the Web Service hold a copy of a Shared Secret, which they use to encrypt and decrypt the data passed between them.
Installation
The web service is hosted within Internet Information Services (IIS), so communication can be secured using your company's trusted SSL/TLS certificates.
