This section provides an overview of Active Directory services as implemented in the Metasys system. For more details, refer to the Security Administrator System Technical Bulletin (LIT-1201528).
The Active Directory service feature used by the Metasys system provides an IT standard integration of the Metasys system into a customer’s existing Active Directory service infrastructure for authentication purposes. This optional component provides the convenience of Single Sign-On (SSO) access, a capability that permits users to log in to multiple, secured application User Interfaces without reentering their user name and password.
The Metasys architecture uses Active Directory service for authentication. The user provides Active Directory service credentials in one of two forms:
- Active Directory service credentials that are cached by Windows when the user logs in to the computer, and then automatically retrieved by the Metasys system during the Windows Integrated Authentication with IIS process on the Metasys server or SCT.
- Active Directory service credentials (user name, password, and domain) that are specified directly on the Site Management Portal UI login screen.
An Active Directory service user name includes the specification of a domain name with the user name. For example, instead of a user name called John, the user name in Active Directory service and the Metasys system could be John@my.corp.com, which includes the domain specifier required by Active Directory service.
For releases prior to Metasys Release 8.1 and System Configuration Tool (SCT) Release 11.1, the Active Directory implementation in the Metasys system accepts two username formats: a hybrid User Principal Name (UPN) format, and the Security Account Manager (SAM) format, which uses a username, password, and domain selection. In the hybrid UPN format, the username carries the full domain name. The Metasys system does not support an exact or alternate match of the UPN name; instead, it validates the prefix portion and the suffix portion of the Active Directory username separately. The prefix is the username (myUser) and the suffix is the domain name (my.corp.com), and the two are separated by the @ symbol. For example, myUser@my.corp.com must be specified instead of myUser@corp.com, where myUser@corp.com is the email-style UPN name.
Metasys Release 8.1 or later, and SCT Release 11.1 or later, support exact or alternate UPN authentication for the Metasys system, in compliance with Microsoft Office 365® authentication. For example, myUser@corp.com can be specified, where myUser@corp.com is the exact or alternate UPN name. To enable login with the exact or alternate UPN format, see Enabling exact or alternate UPN authentication for a Metasys Server and Enabling exact or alternate UPN authentication for SCT.
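The difference between the prefix-and-suffix check used before Release 8.1 / SCT 11.1 and the exact or alternate UPN matching available from those releases can be illustrated with the following Python model. This is an added example, not Metasys product code: the DomainRecord type, the sample domain my.corp.com with alternate suffix corp.com, and the user list are constructed assumptions, and the functions only model the two matching rules the text describes, not the actual Active Directory lookup performed by the product.

```python
# Added example (not Metasys product code): models the two username
# validation modes described in the text. The domain record, user list
# and suffixes below are constructed for illustration only.
from dataclasses import dataclass, field


@dataclass
class DomainRecord:
    """Hypothetical view of one Active Directory domain."""
    dns_name: str                                               # full domain name, e.g. my.corp.com
    alternate_upn_suffixes: list = field(default_factory=list)  # e.g. ["corp.com"]
    users: set = field(default_factory=set)                     # account names (prefixes) in the domain

    def has_user(self, prefix: str) -> bool:
        # Windows account names are matched case-insensitively
        return prefix.lower() in {u.lower() for u in self.users}


def split_upn(login: str):
    """Split 'prefix@suffix' into its parts; return None for a bare
    user name such as 'John' or for a malformed value."""
    if login.count("@") != 1:
        return None
    prefix, suffix = login.split("@", 1)
    if not prefix or not suffix:
        return None
    return prefix, suffix.lower()


def validate_hybrid_upn(login: str, domain: DomainRecord) -> bool:
    """Pre-Release 8.1 / SCT 11.1 rule: the prefix must be a user in the
    domain and the suffix must equal the domain's full DNS name. An
    email-style alternate suffix is rejected even though AD knows it."""
    parts = split_upn(login)
    if parts is None:
        return False
    prefix, suffix = parts
    return domain.has_user(prefix) and suffix == domain.dns_name.lower()


def validate_exact_or_alternate_upn(login: str, domain: DomainRecord) -> bool:
    """Release 8.1+ / SCT 11.1+ rule: the suffix may be the DNS name or any
    alternate UPN suffix registered for the domain (assumed representation)."""
    parts = split_upn(login)
    if parts is None:
        return False
    prefix, suffix = parts
    accepted = {domain.dns_name.lower()} | {s.lower() for s in domain.alternate_upn_suffixes}
    return domain.has_user(prefix) and suffix in accepted


# Constructed sample domain matching the names used in the text
MY_CORP = DomainRecord(
    dns_name="my.corp.com",
    alternate_upn_suffixes=["corp.com"],
    users={"myUser", "John"},
)


def classify_login(login: str, domain: DomainRecord = MY_CORP) -> dict:
    """Summarise how each validation mode treats a login name."""
    return {
        "hybrid": validate_hybrid_upn(login, domain),
        "exact_or_alternate": validate_exact_or_alternate_upn(login, domain),
    }


if __name__ == "__main__":
    for name in ("myUser@my.corp.com", "myUser@corp.com", "myUser@other.com", "John"):
        print(f"{name:22} {classify_login(name)}")
```

Running the block shows that myUser@my.corp.com passes under both rules, myUser@corp.com passes only under exact or alternate matching, and a bare name such as John, which lacks the domain specifier, is accepted by neither. The alternate-suffix list on DomainRecord is the model's own way of expressing "alternate UPN"; in a real domain that information comes from Active Directory, not from a static list.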
SSO allows users to access the Metasys system without having to type in their credentials by using Windows Active Directory authentication in conjunction with the Metasys software. This feature relies on the following:
- The user has an active Windows Active Directory account.
- The user is logged into a domain computer using their Active Directory credentials.
- The user is added to the Active Directory users list in the Security Administrator System menu option.
- The SSO feature is enabled in the Security Administrator System menu option.