The SSO (Single Sign On) profile for Active Directory allows you to set permissions for RecTrac access by Windows user and/or group.
Active Directory is Microsoft's trademarked directory service. It is a centralized and standardized system that automates network management of user data, security and distributed resources, and it enables inter-operation with other directories designed especially for distributed networking environments. Active Directory's main purpose is to provide central authentication and authorization services for Windows-based computers. Active Directory also allows administrators to assign policies, deploy software, and apply critical updates to an organization.
See Also: Topic Doc - Single Sign On.
Making changes to a profile is an Audited Event. Additionally, Linking, Removing, Purging, and Cloning profiles are also Audited Events.
See Also: Topic Doc - RecTrac Profile Assignments Screen, Hierarchy Guide, and Profile Listing.
See Also: Video - Profile Review
SAProfile_SSO_ActiveDirectory_Tab1
Allow only SSO Logins (SAProfileDetails_OnlySsoLogins)
Select this option to limit password use to SSO passwords only. When this option is enabled, users that have a Network Logon in User Management will only be able to log in using their SSO password. Their normal RecTrac password will no longer work for logins, and the Change Password link normally displayed in the User Details sidebar won't be shown.
Leave this option deselected to allow use of RecTrac passwords when logging in.
Bypass RecTrac Login (SAProfileDetails_BypassLogin)
Select this option to use Bypass Logic and allow RecTrac users to skip the RecTrac login dialog and go straight into RecTrac from a shortcut or bookmark upon logging into Windows with their Windows ID.
The Bypass RecTrac Login and Authentication Method fields work independently of each other and dictate how your SSO Active Directory profile works.
- Select the Bypass RecTrac Login option to use Bypass Logic and allow RecTrac users to skip the RecTrac login dialog and go straight into RecTrac from a shortcut or bookmark upon logging into Windows with their Windows ID. When Bypass RecTrac Login is selected, the Authentication Method field is not used.
OR
- Use Authentication Method instead. Authentication Method allows users to log into RecTrac using their Windows login credentials at the RecTrac login dialog. To use Authentication Method, leave the Bypass option deselected and make a selection from the drop-down list.
How Bypass Logic Works
For Bypass RecTrac Login logic to work, the system must find a match between the Windows User ID and the RecTrac User ID. This setting is maintained by the Network Logon field on the User's RecTrac User ID in User Management as illustrated in the image below.
In the example below the RecTrac User ID is "DIR", the Network Logon is "Davidh", and the Bypass RecTrac Login option is enabled.
- When "Davidh" logs into Windows he will log directly into RecTrac upon clicking the RecTrac desktop icon or selecting the RecTrac bookmark in his browser. A second login will not be required. He will log into RecTrac as the "DIR" user because the system will find the match.
- If the Network Logon field for RecTrac User ID "DIR" were blank, then the DIR user would NOT bypass the RecTrac login screen when Davidh logs into Windows, because no match would be found.
If opting NOT to use Bypass Logic, then Authentication Method is used. Upon login to Windows, Davidh could click his RecTrac shortcut and log in to the "DIR" RecTrac User ID with his Windows credentials. This is a good option if your intention is to limit the number of User IDs and passwords a user must memorize.
See Also: Topic Doc - Active Directory for further information if needed.
Note: Vermont Integration Client (VIC) is required on the workstation (Service or .EXE) when using Bypass Logic (when the Bypass RecTrac Login option is enabled). VIC is the only way for RecTrac to obtain the Windows User ID that is logged into the workstation.
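The match described under "How Bypass Logic Works", written out as an added example (this is not RecTrac or Vermont Systems code). It models the User Management records as a small table, takes the Windows User ID that VIC would report, and returns the RecTrac User ID to sign in as, or nothing when the login dialog must be shown. The user records are constructed, and the case-insensitive comparison of logon names is an assumption, not something the page states.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Added example, not RecTrac code: models the match the page describes between the
# Windows User ID reported by VIC and the Network Logon field on a RecTrac User ID.


@dataclass(frozen=True)
class RecTracUser:
    user_id: str        # RecTrac User ID, e.g. "DIR"
    network_logon: str  # Network Logon field from User Management; "" when left blank


# Constructed sample of User Management records (not real accounts).
USERS: Tuple[RecTracUser, ...] = (
    RecTracUser("DIR", "Davidh"),
    RecTracUser("FRONT1", ""),     # blank Network Logon: never eligible for bypass
    RecTracUser("MGR", "marks"),
)


def bypass_user(windows_user_id: Optional[str],
                users: Iterable[RecTracUser] = USERS) -> Optional[str]:
    """Return the RecTrac User ID to sign in as under Bypass Logic, or None when
    the RecTrac login dialog must be shown instead.

    windows_user_id is what VIC reports for the workstation; None (VIC absent)
    or "" (nobody resolved) can never match.  Assumption: logon names are
    compared case-insensitively, as Active Directory account names are.
    """
    if not windows_user_id or not windows_user_id.strip():
        return None
    wanted = windows_user_id.strip().casefold()
    # A blank Network Logon is excluded explicitly so it cannot match anything.
    matches = [u for u in users
               if u.network_logon and u.network_logon.strip().casefold() == wanted]
    if len(matches) != 1:
        # No match, or two RecTrac IDs share one Network Logon: do not guess.
        return None
    return matches[0].user_id


def password_login_allowed(only_sso_logins: bool, user: RecTracUser) -> bool:
    """'Allow only SSO Logins': a user who has a Network Logon may then sign in
    only with the SSO password; users without one keep their RecTrac password."""
    return not (only_sso_logins and bool(user.network_logon.strip()))


if __name__ == "__main__":
    for win_id in ("Davidh", "DAVIDH", "nobody", "", None):
        print(repr(win_id), "->", bypass_user(win_id))
```

The ambiguity check matters operationally: if two RecTrac User IDs carried the same Network Logon, the bypass would otherwise pick one of them silently, so the example falls back to the login dialog instead.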
Authentication Method (SAProfileDetails_DirectoryAuthenticationMethod)
This field is applicable only if the Bypass RecTrac Login option is DISABLED/DESELECTED.
Select your Authentication Method.
- Authenticate User on Backend Server - The system will look to your RecTrac Server and its Domain to authenticate the match between a Windows ID and a RecTrac ID.
- Authenticate User on Local VIC - The system will use VIC (Service or EXE) to authenticate the match between a Windows ID and a RecTrac ID.
The Bypass RecTrac Login and Authentication Method fields work independently of each other and dictate how your SSO Active Directory profile works.
- Select the Bypass RecTrac Login option to use Bypass Logic and allow RecTrac users to skip the RecTrac login dialog and go straight into RecTrac from a shortcut or bookmark upon logging into Windows with their Windows ID. When Bypass RecTrac Login is selected the Authentication Method field is not used.
OR
- Use Authentication Method instead. Authentication Method allows users to log into RecTrac using their Windows login credentials at the RecTrac login dialog. To use Authentication Method, leave the Bypass option deselected and make a selection from the drop-down list.
Refer to "How Bypass Logic Works" in the field Help for Bypass RecTrac Login and/or refer to Topic Doc - Single Sign On for further information if needed.
Notes:
- Vermont Systems Hosted customers cannot use the "Backend Server" Authentication Method because the Hosted Domain is its own domain unrelated to your (the Customer's) domain.
- The Local VIC Authentication Method assumes Vermont Integration Client (VIC) is installed on the Windows workstation being used to access RecTrac.
Distinguished AD Location for Groups (SAProfileDetails_DistinguishedADLocationforGroups)
Enter the domain for which you are granting login rights.
For example, PARKSDEPARTMENT.net
OR
DC=PARKSDEPARTMENT,dc=net
Note: As described above, you can search the entire Domain (e.g. PARKSDEPARTMENT.net) OR you can start the search for the Active Directory Groups used by RecTrac at a selected branch in the Active Directory structure. To do this, enter a starting point in the format DC=PARKSDEPARTMENT,dc=net. Users that want to use this feature need to know their Active Directory structure and Active Directory acronyms as well. Vermont Systems advises you to use one option or the other. Do not mix and match between fields.
Distinguished AD Location for Users (SAProfileDetails_DistinguishedADLocationforUsers)
Enter the starting point within your Active Directory that you would like to begin looking for users.
Note: As described above, you can search the entire Domain (e.g. PARKSDEPARTMENT.net) OR you can start the search for the users RecTrac looks up at a selected branch in the Active Directory structure. To do this, enter a starting point in the format DC=PARKSDEPARTMENT,dc=net. Users that want to use this feature need to know their Active Directory structure and Active Directory acronyms as well. Vermont Systems advises you to use one option or the other. Do not mix and match between fields.
If you leave this field blank all users will be searched.
Distinguished AD Location for Computers (SAProfileDetails_DistinguishedADLocationforComputers)
Enter the starting point within your Active Directory that you would like to begin looking for workstations.
Note: As described above, you can search the entire Domain (e.g. PARKSDEPARTMENT.net) OR you can start the search for the workstations RecTrac looks up at a selected branch in the Active Directory structure. To do this, enter a starting point in the format DC=PARKSDEPARTMENT,dc=net. Users that want to use this feature need to know their Active Directory structure and Active Directory acronyms as well. Vermont Systems advises you to use one option or the other. Do not mix and match between fields.
If you leave this field blank all workstations will be searched.
Groups Allowed (SAProfileDetails_GroupsAllowed)
Enter the name of the group(s) that will be allowed to log into this workstation. To enter multiple groups, separate entries by a comma and no space. For example, quatics,frontdesk.
Leave this field blank to allow access from users in any/all groups.
Users Allowed (SAProfileDetails_UsersAllowed)
Enter the name of the user(s) that will be allowed to log into this workstation. To enter multiple users, separate entries by a comma and no space. For example: marks,michaelp.
Leave this field blank to allow access by any/all user IDs.
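The Distinguished AD Location and the Groups Allowed / Users Allowed fields above, handled as an added example (not RecTrac or Vermont Systems code). It converts either accepted location format into an LDAP search base, parses the comma-separated allow lists with a blank field meaning "no restriction", and makes the resulting access decision. The profile values reuse the page's own samples; the rule that a user must satisfy both lists when both are filled in is an assumption, since the page does not say how the two combine.

```python
from typing import Dict, FrozenSet, Iterable

# Added example, not RecTrac code: parses the allow-list and AD location fields
# the way the field help describes and makes the resulting access decision.


def parse_allowed(field: str) -> FrozenSet[str]:
    """Groups Allowed / Users Allowed: comma-separated names with no spaces.
    A blank field means no restriction, represented here as an empty set."""
    return frozenset(name.strip().casefold()
                     for name in field.split(",") if name.strip())


def search_base(location: str) -> str:
    """Turn a Distinguished AD Location field into an LDAP search base DN.
    Accepts either form the page allows: a DNS domain ("PARKSDEPARTMENT.net")
    or a distinguished name ("DC=PARKSDEPARTMENT,dc=net").  Blank means search
    everything, returned as "" so the caller can substitute the domain root."""
    loc = location.strip()
    if not loc:
        return ""
    if "=" in loc:
        rdns = []
        for part in loc.split(","):
            attr, _, value = part.partition("=")
            if not attr.strip() or not value.strip():
                raise ValueError(f"malformed DN component: {part!r}")
            rdns.append(f"{attr.strip().upper()}={value.strip()}")
        return ",".join(rdns)
    return ",".join(f"DC={label}" for label in loc.split(".") if label)


def login_permitted(windows_user: str, user_groups: Iterable[str],
                    profile: Dict[str, str]) -> bool:
    """Apply Users Allowed and Groups Allowed.  Assumption (not stated on the
    page): when both fields are filled in, the user must satisfy both."""
    users = parse_allowed(profile.get("UsersAllowed", ""))
    groups = parse_allowed(profile.get("GroupsAllowed", ""))
    if users and windows_user.strip().casefold() not in users:
        return False
    member_of = {g.strip().casefold() for g in user_groups}
    if groups and not (groups & member_of):
        return False
    return True


if __name__ == "__main__":
    # Constructed profile using the page's own sample values.
    profile = {"GroupsAllowed": "quatics,frontdesk", "UsersAllowed": "marks,michaelp"}
    print(search_base("PARKSDEPARTMENT.net"))
    print(login_permitted("marks", ["frontdesk"], profile))
```

Because a blank allow list opens the workstation to every account the directory search returns, the search base and the allow lists should be reviewed together: narrowing the Distinguished AD Location is what limits which accounts a blank list can admit.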