11 Replies Latest reply: Dec 27, 2011 4:55 AM by dodiy

    Single Sign On and LDAP Integration

    dodiy Apprentice

      I'm using Service Desk 7.4. I would like to ask whether anyone has done an integration that uses both Single Sign On and LDAP Integration.

      What I want to achieve is: when a user/analyst logs in to Windows through the domain and clicks the LANDesk Service Desk, either client console or web access, it will use Integrated Login (Single Sign On) without them keying in the username and password.

      But if the user/analyst wants to work at home/outside the company network, they can access the web access using LDAP integration, which needs the user/analyst to key in the username and password.

      Can anyone give feedback on whether this is possible or not?

      Regards,

      Dodi

        • 1. Re: Single Sign On and LDAP Integration
          Expert

          Hi Dodi

          We have three separate web access virtual directories, so that I can choose to log on using single sign-on (so that users go straight in without typing their username and password in), another where they do get prompted to type in the AD username and password, and a third which logs on using their LANDesk credentials.

          The only site advertised is the main single sign-on one.  The second could be used (as you say) when wanting people to connect from outside your organisation.  The third we only use from a support side of things, so that we can log in as other users simply for trouble-shooting purposes.

          This doc (http://community.landesk.com/support/docs/DOC-11425) talks you through setting up single sign-on with integrated logon, and then you can simply create another virtual directory with explicit logon.

          Hopefully that helps.


          Cheers

          Paul

          • 2. Re: Single Sign On and LDAP Integration
            dodiy Apprentice

            Paul,

            Did you create a new instance of Touchpaper.Framework.Web to achieve what you mentioned above, or only create new virtual directories of web access within one instance?

            Dodi

            • 3. Re: Single Sign On and LDAP Integration
              Expert

              My file structure on the app server looks like:

              • 4. Re: Single Sign On and LDAP Integration
                dodiy Apprentice

                Hi Paul,

                I see in the screenshot there are 2 instances you created. One is used for integration and another for normal access. Can I know how you point to a different URL if, for example, User A is not from Active Directory so uses LANDesk credentials, whereas User B is from Active Directory so uses Integrated login?

                Dodi

                • 5. Re: Single Sign On and LDAP Integration
                  Expert

                  Hi Dodi

                  This directory structure is replicated in the inetpub\wwwroot folder.  In my instance, WebAccess is my automatic logon, WebAccessLDAP is manual AD logon, and WebAccessLogin is the LANDesk username.

                  Sorry, my previous post mentioned it was app server.  I meant to say Web Server.

                  Cheers

                  Paul

                  • 6. Re: Single Sign On and LDAP Integration
                    dodiy Apprentice

                    Hi Paul,

                    I have a problem where the user only types a URL like "helpdesk.company.com", so I had set the "default.htm" file to go directly to the full URL "helpdesk.company.com/webaccess/ss/logon/logon.rails". So I am trying to find a script/command line to check whether the user is accessing from inside the company network, which is domain joined, or from outside the network.

                    The scenarios can be like these:

                    1. Employee accesses the service desk within the company network, which is domain joined. (this will use Single Sign On)

                    2. Employee accesses the service desk at home/outside (this will use LDAP integration)

                    3. Normal user accesses the service desk from outside (use LANDesk credential)

                    4. Normal user accesses the service desk within the company network (use LANDesk credential)

                    Hope you understand and thanks in advance.

                    Dodi

                    • 7. Re: Single Sign On and LDAP Integration
                      karenpeacock Employee

                      Hi

                      This document may be of interest:

                      http://community.landesk.com/support/docs/DOC-23342

                      Best wishes

                      Karen

                      • 8. Re: Single Sign On and LDAP Integration
                        dodiy Apprentice

                        Hi Karen,

                        What about normal users using LANDesk credentials to access the web access? I tried to log in as a normal user but it states "Login Failed", and this is using LDAP integration. But when I try with the "SA" login using LDAP integration, it works.

                        Dodi

                        • 9. Re: Single Sign On and LDAP Integration
                          Stu McNeill Employee

                          Hi Dodi,

                          The SA account will always bypass the LDAP authentication and use regular explicit login.  You can enable more descriptive error messages for the LDAP authentication if the <ShowExceptions> setting in your LDAP auth configuration file is set to true, so you can see what the actual issue is.

                          • 10. Re: Single Sign On and LDAP Integration
                            Expert

                            Hi Dodi,

                            Looking at your scenarios:

                            dodiy wrote:

                            The scenarios can be like these:

                            1. Employee accesses the service desk within the company network, which is domain joined. (this will use Single Sign On)

                            2. Employee accesses the service desk at home/outside (this will use LDAP integration)

                            3. Normal user accesses the service desk from outside (use LANDesk credential)

                            4. Normal user accesses the service desk within the company network (use LANDesk credential)

                            We had a customer with an almost identical request: they wanted integrated (single sign-on) access internally, externally they wanted LDAP authentication, AND they only wanted one web address for WebAccess. Initially we thought this wouldn't be doable; however, their server team came up with a great solution. If you enable Basic Authentication and Windows Authentication for the WebAccess application in IIS, then internally it performs integrated login but externally it will prompt them to log in using their LDAP credentials. You set a default Domain in the Basic Auth configuration in IIS and it works like a charm.

                            If you combine this with Karen's article on setting up a failover to go to explicit if integrated fails, then you should be able to meet all of your scenario requirements without needing to configure LDAP.

                            Note: You should use HTTPS browsing for WebAccess when running this configuration, otherwise Basic Auth sends usernames and passwords unencrypted, but HTTPS will cover this.

                            Cheers,

                            Hadyn
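The IIS configuration Hadyn describes, expressed as an added PowerShell example (this is not code from the thread or from LANDesk): Windows Authentication plus Basic Authentication with a default logon domain on the single WebAccess application, anonymous access off so that IIS actually challenges the browser, and SSL required so that Basic credentials are never sent in clear text. The site name "Default Web Site", the application name "WebAccess" and the domain "CORP" are assumptions to replace with your own values; the cmdlets are the standard WebAdministration module ones and the script must be run elevated on the web server.

```powershell
# Added example, not from the thread: one WebAccess application with
# integrated (Windows) auth for domain-joined browsers and Basic auth with a
# default domain for everyone else, plus HTTPS enforced for the Basic case.
# Assumptions: IIS 7 or later, WebAdministration module, elevated session.
Import-Module WebAdministration

$Site   = 'Default Web Site'   # assumption: the IIS site hosting WebAccess
$App    = 'WebAccess'          # application/virtual directory name used in the thread
$Domain = 'CORP'               # placeholder: your AD NetBIOS domain name

$Location = "$Site/$App"
$AuthBase = 'system.webServer/security/authentication'

function Set-AppSetting {
    param([string]$Filter, [string]$Name, $Value)
    # -PSPath IIS:\ with -Location writes a <location> block in
    # applicationHost.config, so this works even though the authentication
    # sections are locked against overrides from the application's web.config.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter $Filter -Name $Name -Value $Value
}

function Get-AppSetting {
    param([string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter $Filter -Name $Name
    # Boolean attributes come back wrapped in an object with a .Value member,
    # string attributes come back as plain strings; normalise both.
    if ($null -ne $v.Value) { $v.Value } else { $v }
}

# 1. Anonymous access off. While it is on, IIS never sends a 401 challenge,
#    so neither integrated login nor the Basic prompt would ever happen.
Set-AppSetting "$AuthBase/anonymousAuthentication" enabled $false

# 2. Windows Authentication: browsers on domain-joined machines inside the
#    network answer the Negotiate/NTLM challenge silently (the SSO case).
Set-AppSetting "$AuthBase/windowsAuthentication" enabled $true

# 3. Basic Authentication with a default logon domain: a browser that cannot
#    complete integrated auth (home PC, outside the network) gets a
#    username/password prompt, and "jsmith" is treated as "CORP\jsmith".
Set-AppSetting "$AuthBase/basicAuthentication" enabled $true
Set-AppSetting "$AuthBase/basicAuthentication" defaultLogonDomain $Domain

# 4. Require SSL on the application. Basic auth only base64-encodes the
#    password, so without TLS it is readable by anyone on the path.
Set-AppSetting 'system.webServer/security/access' sslFlags 'Ssl'

# Read back the effective settings for the application as a quick check.
function Get-AppAuthState {
    [pscustomobject]@{
        Location    = $Location
        Anonymous   = Get-AppSetting "$AuthBase/anonymousAuthentication" enabled
        Windows     = Get-AppSetting "$AuthBase/windowsAuthentication" enabled
        Basic       = Get-AppSetting "$AuthBase/basicAuthentication" enabled
        BasicDomain = Get-AppSetting "$AuthBase/basicAuthentication" defaultLogonDomain
        SslFlags    = Get-AppSetting 'system.webServer/security/access' sslFlags
    }
}

Get-AppAuthState | Format-List
```

When both schemes are enabled, IIS advertises Negotiate, NTLM and Basic in the same 401 response and the browser picks the strongest one it can complete, which is what gives the silent internal login and the prompted external login from one URL. The SSL requirement applies to the whole application, so an HTTPS binding with a valid certificate needs to exist on the site before the last step, or every request will be refused with a 403.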

                            • 11. Re: Single Sign On and LDAP Integration
                              dodiy Apprentice

                              Sorry for my late response.

                              Been in the 'jungle' for a week, with no internet connection at all.

                              Hadyn,

                              Just checked your feedback, but wow, is it possible at all? And only using 1 web address? Will try your suggestion, add some configuration, and with some luck... I think the magic can be completed.

                              Anyway, thank you for your feedback, guys. Really really appreciate it!!

                              Dodi