LDAP and SSO Behavior Settings

This section of behavior settings covers the settings that control LDAP and Single Sign On (SSO) authentication and the automatic creation and refresh of user records from those sources. The available settings are:

Behavior Setting Value Description
ALLOW_SSO_AT_SIGN NO If set to YES, SSO user IDs are generated from the SSO primary key in its entirety. If set to NO, the User ID within the header is treated as a potential email address, and the characters preceding the @ are taken as the User ID within ExtraView. For example, if the User ID within the header is john_smith@mycompany.com, the resultant User ID is john_smith. Note that with NO the domain part is discarded, so john_smith@mycompany.com and john_smith@anotherdomain.com resolve to the same ExtraView user; only use NO when the SSO layer asserts identities from a single domain, and in either case make sure the header can be set only by the SSO layer and never arrives directly from the client.
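The following is an added example, not ExtraView code, that models how the ALLOW_SSO_AT_SIGN setting maps a header value to a user ID and audits a list of header values for the collisions that the NO setting can produce. The trusted-domains check is an assumption for illustration and is not an ExtraView setting; the header values are constructed sample data.

```python
"""Model of ALLOW_SSO_AT_SIGN user-id derivation (added example, not ExtraView code)."""
from collections import defaultdict


def sso_user_id(header_value: str, allow_at_sign: bool, trusted_domains=None) -> str:
    """Return the ExtraView user id for an SSO header value.

    allow_at_sign=True  models ALLOW_SSO_AT_SIGN=YES: the whole key is the user id.
    allow_at_sign=False models ALLOW_SSO_AT_SIGN=NO: the text before the first '@'
    is the user id and the domain is discarded.
    trusted_domains is an assumption added here (not an ExtraView setting): when given,
    header values from any other domain are rejected instead of being silently merged.
    """
    value = header_value.strip()
    if not value:
        raise ValueError("empty SSO user id header")
    if allow_at_sign:
        return value
    local, sep, domain = value.partition("@")
    if not sep:
        # No '@' present: the header value is already a bare user id.
        return local
    if not local:
        raise ValueError("SSO header has no local part before '@'")
    if trusted_domains is not None:
        allowed = {d.lower() for d in trusted_domains}
        if domain.lower() not in allowed:
            raise ValueError(f"untrusted SSO domain {domain!r}")
    return local


def find_collisions(header_values):
    """Audit helper: which header values would map to the same user id under NO?

    Returns {user_id: [header values]} for every id claimed by more than one header.
    """
    by_id = defaultdict(list)
    for hv in header_values:
        try:
            by_id[sso_user_id(hv, allow_at_sign=False)].append(hv)
        except ValueError:
            continue  # malformed values cannot collide with anything
    return {uid: hvs for uid, hvs in by_id.items() if len(hvs) > 1}


if __name__ == "__main__":
    # Constructed sample header values, not real accounts.
    sample = [
        "john_smith@mycompany.com",
        "john_smith@partner.example",
        "jane_doe@mycompany.com",
    ]
    print(find_collisions(sample))
```

Run find_collisions over the identities your SSO layer can assert before switching ALLOW_SSO_AT_SIGN to NO; any non-empty result means two distinct SSO identities would share one ExtraView account.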
CUSTOM_AUTHENTICATION NO, YES, HYBRID, LDAP or LDAP-HYBRID This setting can have one of five values: NO, YES, HYBRID, LDAP or LDAP-HYBRID. When the value is NO, ExtraView uses its standard inbuilt authentication. If it is set to YES, custom authentication (with user custom code) is used instead of the inbuilt user authentication scheme. If the value HYBRID is selected, ExtraView attempts the custom authentication first; if this is unsuccessful, the standard inbuilt authentication method is called. If it is set to LDAP, LDAP authentication is used instead of the inbuilt user authentication scheme. If the value LDAP-HYBRID is selected, ExtraView attempts LDAP authentication first; if this is unsuccessful, the standard inbuilt authentication method is called. Note that in either hybrid mode a user whose directory or custom credentials fail can still sign on with a valid ExtraView password, so disabling an account in LDAP alone does not lock the user out of ExtraView.

When the CUSTOM_AUTHENTICATION behavior setting is set to YES and a user's account is updated with the Expire password checkbox checked, then if the custom authentication routine returns true, indicating that the authentication was successful, the Change Password form is presented to the user during the login process.

When the CUSTOM_AUTHENTICATION behavior setting is set to HYBRID and the user's account is set to expired (same as above), it does not matter whether the credentials were accepted by the custom authentication routine or by the inbuilt authentication: as long as the credentials are valid, the Change Password form is presented for the user to change their password.

LDAP_ALLOWED_STALE_INTERVAL 240 The minimum number of minutes between LDAP upsert operations on a single user. This prevents ExtraView from contacting the LDAP server on every operation that requires user information, in order to optimize performance. After this interval has elapsed, a fresh check of the LDAP server is made the next time the user's information is needed. Note that changes made in the directory, including disabling a user, can therefore take up to this many minutes to be reflected in ExtraView.
LDAP_DEFAULT_AREA <AREA_ID> The default area_id to be set when adding a new user by retrieving their details from the LDAP server
LDAP_DEFAULT_PROJECT <PROJECT_ID> The default project_id to be set when adding a new user by retrieving their details from the LDAP server
LDAP_HOST ldaps://<hostname>:<port> The URL of the LDAP server, e.g. ldap://blah.com:389 for a plain connection on the default LDAP port, or ldaps://blah.com:636 for LDAP over TLS. Prefer ldaps: with plain ldap, the LDAP_MANAGER bind password and every user attribute retrieved during an upsert cross the network in cleartext.
LDAP_MANAGER <DN_FOR_USER_LOOKUP> The "Security Principal", i.e. the distinguished name of the account ExtraView binds as when it searches the directory. Give this account read-only access to the subtree and attributes ExtraView needs and nothing more.
LDAP_PSWRD <LDAP_MGR_PASSWORD> The password for the LDAP_MANAGER account. Because it is stored as a behavior setting, restrict who can view and edit behavior settings.
LDAP_ROOT <SEARCH_BASE_DN> The root of the directory subtree that ExtraView searches (the search base), e.g. ou=blahWorker, o=blah.com
LDAP_SEARCH_FITLER LDAP filters may be defined in this behavior setting or in the Configuration.properties file. If both are present, the behavior setting takes precedence over the Configuration.properties entry.

LDAP filters are defined in RFC 2254 (since superseded by RFC 4515, which keeps the same string syntax). As an example, if you wanted to add a filter to only retrieve records with mycompany within the email address, you could set this as the filter:

(mail=*mycompany*)

The parentheses are essential.

Bear in mind that a substring match like the one above is not anchored: it also matches addresses such as user@mycompany.evil.example or user@notmycompany.com. If the intent is to restrict upserts to one domain, anchor the filter to the end of the value, e.g. (mail=*@mycompany.com), and remember that any literal *, (, ) or \ inside a value must be escaped as \2a, \28, \29 or \5c.
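The following is an added example, not ExtraView or directory-server code: a small in-memory evaluator for the RFC 4515 filter syntax (equality, substring, presence, and/or/not) plus the value-escaping rule, run over a constructed set of directory entries. It shows concretely why (mail=*mycompany*) over-matches compared with (mail=*@mycompany.com), and why a value that is substituted into a filter must be escaped. The entries and domains are constructed sample data; the evaluator treats attribute values as case-insensitive, which is an assumption that matches how mail attributes are usually defined but is decided by the real directory's schema.

```python
"""Toy RFC 4515 filter evaluator (added example, not ExtraView or LDAP server code)."""
import re

# Constructed sample directory; lower-case attribute names, values as strings.
SAMPLE_DIRECTORY = [
    {"dn": "uid=jsmith,ou=people,o=mycompany.com", "uid": "jsmith", "mail": "jsmith@mycompany.com"},
    {"dn": "uid=alee,ou=people,o=mycompany.com", "uid": "alee", "mail": "alee@MyCompany.com"},
    {"dn": "uid=mallory,ou=partners,o=mycompany.com", "uid": "mallory", "mail": "mallory@mycompany.evil.example"},
    {"dn": "uid=bob,ou=partners,o=mycompany.com", "uid": "bob", "mail": "bob@notmycompany.com"},
    {"dn": "uid=svc,ou=service,o=mycompany.com", "uid": "svc"},  # no mail attribute
]


def ldap_escape(value: str) -> str:
    """Escape the characters RFC 4515 section 3 requires inside an assertion value."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def parse_filter(text: str):
    """Parse a filter string into a tree of ('&', [..]), ('|', [..]), ('!', node) or ('=', attr, value)."""
    def parse(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if i < len(text) and text[i] in "&|":
            op, i, items = text[i], i + 1, []
            while i < len(text) and text[i] == "(":
                node, i = parse(i)
                items.append(node)
            if i >= len(text) or text[i] != ")":
                raise ValueError("unterminated compound filter")
            return (op, items), i + 1
        if i < len(text) and text[i] == "!":
            node, i = parse(i + 1)
            if i >= len(text) or text[i] != ")":
                raise ValueError("unterminated negation")
            return ("!", node), i + 1
        end = text.find(")", i)
        if end < 0:
            raise ValueError("unterminated simple filter")
        attr, sep, value = text[i:end].partition("=")
        if not attr or not sep:
            raise ValueError("simple filter must be attr=value")
        return ("=", attr.lower(), value), end + 1

    node, i = parse(0)
    if i != len(text):
        raise ValueError("trailing data after filter")
    return node


def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _value_matches(pattern: str, actual: str) -> bool:
    if pattern == "*":
        return True  # presence filter: any value matches
    # Split on raw '*' first, so an escaped \2a stays a literal asterisk.
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), actual, re.IGNORECASE) is not None


def matches(node, entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    if isinstance(values, str):
        values = [values]
    return any(_value_matches(pattern, v) for v in values)


def search(entries, filter_text: str):
    """Return the DNs of entries matching filter_text, in directory order."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(node, e)]


if __name__ == "__main__":
    for f in ["(mail=*mycompany*)", "(mail=*@mycompany.com)", "(uid=" + ldap_escape("*") + ")"]:
        print(f, "->", search(SAMPLE_DIRECTORY, f))
```

The unanchored filter from the text returns four entries, including the partner accounts at mycompany.evil.example and notmycompany.com; the anchored form returns only the two mycompany.com accounts. The last line shows the escaping rule: a user-supplied "*" escaped as \2a matches nothing, whereas substituted raw it would turn (uid=...) into a presence filter that matches every entry.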

LDAP_UPSERT YES This setting controls the upserting of LDAP information into ExtraView. The possible values are YES or NO. When this value is NO, LDAP is not used to add or update ExtraView user information, and a valid LDAP user who is not already an ExtraView user will not be able to log in to ExtraView. When this setting is YES, the LDAP Background Task must be configured and running. The interval in LDAP_ALLOWED_STALE_INTERVAL governs how often the cached LDAP information within ExtraView is refreshed. The information within ExtraView for a user is also refreshed when the user signs on.
LDAP_UPSERT_DEFAULT_USER_ROLE <EXTRAVIEW_ROLE> If this setting contains a valid role, then this is the role a user is given when the LDAP upsert takes place. If this setting does not contain a value, then the role defined in the behavior setting named LIMITED_USER_ROLE is used instead.
LDAP_USER_LOOKUP YES or NO When this behavior setting is set to YES, whenever a user performs an operation to look up the details of another user, ExtraView asks the LDAP server for the information. At the same time, the information for that user within ExtraView is synchronized with the information in the LDAP record.
SSO_DEFAULT_AREA 0 This setting identifies the Business Area ID for a new user being created within ExtraView when SSO headers authenticate the user and it is the first time the user has signed on. In this case, the user is created automatically and this Business Area ID is associated with the user.
SSO_DEFAULT_PROJECT 0 This setting identifies the Project ID, within the Business Area specified in SSO_DEFAULT_AREA, for a new user being created within ExtraView when SSO headers authenticate the user and it is the first time the user has signed on. In this case, the user is created automatically and this Project ID is associated with the user. Set this to zero if you have set SSO_DEFAULT_AREA to a value but do not want to associate the user with a specific Project.
SSO_SIGNOFF_REDIRECT_URL The URL to which the user is directed after signing off from ExtraView. Since the browser is sent to this URL after sign-off, it should be a trusted, fixed location such as the SSO provider's own sign-off page.
SSO_STATE NO Enables Single Sign On in this instance (YES or NO). When YES, users are authenticated from the SSO headers, so ExtraView must be reachable only through the SSO layer that sets those headers.