Configuring ADSI, LDAP and ADLDS authentication templates to support SSO

This section describes how to configure the Datacap ADSI, LDAP, and ADLDS authentication templates to support SSO, and specifically how each authentication template must be configured for use with Datacap Navigator SSO mode.

ADSI authentication template

Note: For Datacap Navigator, SSO is supported only for IBM WebSphere® Application Server.

The ADSI authentication template must be configured for group authentication and must have the password:enabled flag set.

For example,

WinNT://<%domain%>/<%user%>?password:enabled

Table 1. ADSI configuration properties

Property: <%domain%>/<%user%>

Description: Domain and User parameters.

%domain% is the Windows domain name.

%user% is the Windows user name.

Both values are substituted when a user logs on. For example, if the user logs on as MYDOMAIN\tom, the ADSI authentication template uses MYDOMAIN\tom as the authentication path.

Property: password:enabled

Description: Enables password validation.

The password:enabled flag tells the ADSI authentication template that the user credentials must be validated. Without it, the default behavior of the ADSI authentication template is only to retrieve the groups.

ADSI and SSO (Datacap Navigator SSO)
The Datacap application must be configured for Datacap group authentication, which means that the ADSI authentication template takes the user information and retrieves the groups for that user. Those user groups must therefore be entered into the Datacap application's admin database. Because the Datacap Navigator plug-in does not understand Windows domains, the ADSI authentication template must have the password:enabled option set. When the Datacap Navigator plug-in is configured for SSO, the authentication template receives the validated user information that was extracted when the request was redirected from an SSO page and retrieves the user's groups.

LDAP authentication template

The LDAP authentication template must be configured for group authentication and must have the password:enabled flag set.

For example,

LDAP://<%domain%>?password:enabled

Or, with the domain hard-coded (the most common form):

LDAP://MYDOMAIN?password:enabled

Table 2. LDAP configuration properties

Property: <%domain%>

Description: Domain.

%domain% is the Windows domain name.

This is normally a hard-coded value, for example,

LDAP://MYDOMAIN?password:enabled

This configures the LDAP authentication template to use MYDOMAIN to look up the groups for the user. Because this template uses an LDAP path to find the user's groups, whereas the ADSI authentication template uses the WinNT path, it is recommended that the domain name or the domain controller server name is listed in the template.

Property: password:enabled

Description: Enables password validation.

The password:enabled flag tells the LDAP authentication template that the user credentials must be validated. Without it, the default behavior of the LDAP authentication template is only to retrieve the groups.

LDAP and SSO (Datacap Navigator SSO)
The Datacap application must be configured for Datacap group authentication, which means that the LDAP authentication template takes the user information and retrieves the groups for that user. Those user groups must therefore be entered into the Datacap application's admin database. Because the Datacap Navigator plug-in does not understand Windows domains, the LDAP authentication template must have the password:enabled option set. When the Datacap Navigator plug-in is configured for SSO, it passes the validated user information that was extracted when the request was redirected from an SSO page, and the template retrieves the user's groups.

ADLDS authentication template

The Datacap application must be configured for Datacap user authentication, because the ADLDS authentication template does not support Datacap group authentication. The Datacap ADLDS authentication template must be used when authenticating against a Global Catalog. The Windows machine that hosts TM Server must be a member of the domain and must have access to the Global Catalog.

When configuring for SSO, the template must be:

GC://domain-name

The domain name is the entry point to the Global Catalog.

So in the SSO scenario involving Datacap Navigator, when the user is redirected to the Datacap Navigator page after having already been authenticated, the user name is only validated for existence in the Datacap application's admin database. This is because when GC:// is listed in the authentication template, only Datacap user authentication is supported. Ensure that the user name is listed in the Datacap application admin database and has the appropriate rights to perform Datacap Navigator operations.
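The three template forms above (WinNT://, LDAP://, GC://) differ in which substitution tokens they carry, whether password:enabled is required, and whether the Datacap application must be set to group or user authentication. The following Python script is an added example, not part of the IBM documentation or of Datacap itself: it parses a template string the way an administrator would read it, performs the <%domain%>/<%user%> substitution for a DOMAIN\user logon, and reports whether the template is suitable for Datacap Navigator SSO. The provider prefixes, the password:enabled flag and the GC:// rule come from the text above; the function names, the TemplateCheck structure and the sample templates are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Provider prefixes used by the Datacap authentication templates described above.
PROVIDERS = ("WinNT://", "LDAP://", "GC://")


@dataclass
class TemplateCheck:
    """Result of checking one authentication template (structure assumed for this example)."""
    provider: str
    path: str
    flags: set
    datacap_auth_mode: str          # "group" for WinNT:// and LDAP://, "user" for GC://
    sso_ready: bool
    problems: list = field(default_factory=list)


def parse_template(template):
    """Split e.g. 'WinNT://<%domain%>/<%user%>?password:enabled' into (provider, path, flags)."""
    for provider in PROVIDERS:
        if template.startswith(provider):
            rest = template[len(provider):]
            break
    else:
        raise ValueError(f"unknown provider prefix in {template!r}")
    path, _, query = rest.partition("?")
    # Flags follow '?' in the template; '&' as separator is an assumption for this example.
    flags = {f for f in query.split("&") if f}
    return provider, path, flags


def substitute(path, logon):
    """Replace <%domain%> and <%user%> with the parts of a 'DOMAIN\\user' logon string."""
    domain, sep, user = logon.partition("\\")
    if not sep or not domain or not user:
        raise ValueError("logon must have the form DOMAIN\\user")
    return path.replace("<%domain%>", domain).replace("<%user%>", user)


def check_template(template):
    """Report whether a template can serve Datacap Navigator SSO and which Datacap auth mode it needs."""
    provider, path, flags = parse_template(template)
    problems = []
    if provider == "GC://":
        # GC:// supports Datacap user authentication only; the path is the Global Catalog entry point.
        mode = "user"
        if "<%" in path:
            problems.append("GC:// template should name the domain directly, not a substitution token")
    else:
        # WinNT:// and LDAP:// are used with Datacap group authentication and need password:enabled.
        mode = "group"
        if "password:enabled" not in flags:
            problems.append(f"{provider} template needs ?password:enabled for Navigator SSO")
        if provider == "WinNT://" and "<%user%>" not in path:
            problems.append("WinNT:// template must contain <%user%>")
        if not path:
            problems.append(f"{provider} template must name a domain or domain controller")
    return TemplateCheck(provider, path, flags, mode, not problems, problems)


def main():
    # Constructed sample templates: the first three mirror the forms shown above,
    # the last two are deliberately misconfigured to show what the check reports.
    samples = [
        "WinNT://<%domain%>/<%user%>?password:enabled",
        "LDAP://MYDOMAIN?password:enabled",
        "GC://example.local",              # placeholder domain name
        "LDAP://MYDOMAIN",                 # missing password:enabled
        "GC://<%domain%>",                 # substitution token where a domain is expected
    ]
    for tpl in samples:
        result = check_template(tpl)
        print(f"{tpl:48} mode={result.datacap_auth_mode:5} sso_ready={result.sso_ready}")
        for p in result.problems:
            print(f"    - {p}")
    # Substitution for a constructed logon, as described for MYDOMAIN\tom above.
    _, path, _ = parse_template(samples[0])
    print("resolved path:", substitute(path, "MYDOMAIN\\tom"))


if __name__ == "__main__":
    main()
```

Run it as a script to see the report for each sample; in an environment with real templates, the same check_template call can be pointed at the template strings pulled from the Datacap application settings before enabling Navigator SSO.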