User Authentication module

The User Authentication module integrates with your Active Directory (AD) or LDAP environment to authenticate users by using various workflows within MaaS360®. With this module, your users can reuse corporate credentials without having to generate and manage a new set of credentials.

The Cloud Extender® facilitates AD/LDAP authentication for the following scenarios:

Mobile device self-service enrollment into MaaS360
User portal access to manage devices
When authentication is required before accessing secured applications and documents
When a workplace PIN is reset by the user
MaaS360 administrator authentication for portal access
Signing into shared devices

The Cloud Extender receives the credentials securely from the MaaS360 Cloud (client originated) and validates those credentials against your directory server. The credential information is passed from the client through the MaaS360 Cloud to your Cloud Extender, but the information is not stored locally.

Modes of operation

The Cloud Extender integrates with the corporate directory by using the following modes:

Active Directory Mode: This mode is specific to Microsoft Active Directory environments. The Cloud Extender runs as a service account and runs PowerShell commands to authenticate any user in your directory. If you have multiple trusting forests or domains in your environment, some additional configuration is required. In this mode, the Cloud Extender can authenticate users in the entire scope of your directory.
LDAP Mode: This mode is used for any corporate directory. The Cloud Extender offers standard LDAP templates to integrate with Domino® LDAP, Oracle LDAP, Novell eDirectory, and OpenLDAP. In addition to these standard LDAPs, use this mode to configure against any customized LDAP. The Cloud Extender also provides a template to help you configure Microsoft Active Directory in LDAP mode.

To determine which implementation mode to use for your environment, consider these guidelines:

If you are not using Microsoft Active directory (AD), use LDAP mode.

If you are using Microsoft Active directory (AD), the following table provides LDAP options for your environment:

Table 1. Determining which LDAP implementation mode to use for your environment
Scenario	Active Directory Mode	LDAP Mode
Ability to limit authentication scope to a certain OU, subtree, or group		✓
Requirement that the Cloud Extender needs to be part of your domain	✓
Ability to support trusted forest/domain authentication	✓	✓
Ability to support untrusted forest/domain authentication		✓
Ability to customize attributes that are read from AD during the user authentication process		✓
Support for User Custom Attributes¹		✓
Ability to customize user and group filters for optimized user authentication performance		✓
Support for High Availability (HA)	✓	✓
Ease of configuration	Easy	Medium
Implementation technology	.NET libraries	LDAP libraries
Configured along with User Visibility on the same Cloud Extender²	✓	✓
Time to authenticate	Limited to .NET libraries	Typically faster than AD

In most situations, the LDAP mode of authentication is the implementation of choice even in Microsoft Active Directory environments with consideration to the advantages listed in the table and easy adaptability to future requirements.

Requirements and scaling

The User Authentication module for LDAP or Active Directory does not have scaling limits. However, the following specifications are the minimum requirements that are needed by a server to incorporate scaling. Increase these limits for better server functions and usability.

In large environments, deploy separate instances of the Cloud Extender to service Corporate Directory Integration and to provide predicable performance of all functions. You can deploy as many instances of the Cloud Extender as needed. However, enable at least two User Authentication modules on two instances of the Cloud Extender for redundancy.

Table 2. Scaling requirements for the User Authentication module
Item	Minimum requirement
Scaling (for both Active Directory and LDAP implementations)	CPU: 2 cores
	Memory: 2 GB to 8 GB
	Storage: 50 GB
	Scaling: One Cloud Extender for 10,000 devices and one Cloud Extender for High Availability (HA) Supports installation on multiple instances of theCloud Extender Install on a dedicated Cloud Extender or enabled on Cloud Extender with the User Visibility, Certificate Authority Integration, Exchange Integration, or IBM® Traveler Integration services enabled. For accurate scaling of your environment, see the Cloud Extender scaling document at Setup > Services > Enterprise Email Integration.
	Limits: None known
Network traffic	Authentication request/response = 1 KB per request
Active Directory	Hardware specs meet minimum requirements
	PowerShell 3.0+ installed
	Windows operating system is joined to the domain
	Service Account Domain User Password does not expire Non-interactive account Local Administrator on the Cloud Extender server
LDAP	Hardware specs meet minimum requirements
LDAP	Service Account User name and password to bind to LDAP server Password does not expire Non-interactive account

¹ User Custom Attributes is a feature in MaaS360 where you define your own attribute and use this attribute in various configuration workflows.

For example: You define a User Custom Attribute that is called Employee Serial Number and use this value in MaaS360 policies for device configuration, application configuration, or a part of Identity Certificates. This attribute can be read directly from your directory by using the LDAP configuration.

² Consider whether to configure the User Visibility service along with the User Authentication service for your Cloud Extender. If so, then the mode of configuration for both these services is either Active Directory or LDAP. For example, User Authentication as AD and User Visibility as LDAP on the same Cloud Extender is not possible. If you require this combination, you must use separate instances of the Cloud Extender.