We regularly receive questions about the automatic login (SSO), LDAP and ADFS authentication features. We hope to answer any questions related to these topics on this wiki page. Should any information be missing here, please pass it on to our support desk (support@decos.com).
Single Sign On (also known as SSO) stands for automatic sign-in. If the user is already logged on to the domain of the organization, he does not need to log in again in the application (including JOIN Business & Document and JOIN Customer Contact). SSO is supported by default by Internet Explorer version 11, but is not supported by Google Chrome and Microsoft Edge. SSO is configured directly in the browser, not in the JOIN products.
No LDAP connection is required to use the current SSO. Keep in mind that SSO will no longer be possible from July 1, 2020, when Decos will stop browser support for Internet Explorer 11.
The LDAP link is not a standard function within JOIN Case & Document and JOIN Customer Contact, but an optional link that is offered for both applications.
With the LDAP link (or module) we check the customer's AD (Active Directory) for changes one or more times a day, and these changes are imported into JOIN Case & Document and JOIN Customer Contact. We do this for JOIN Business & Document at the level of users and e-mail addresses (so that we can load the standard email list when sending mail from JOIN) and for JOIN Customer Contact at the level of users and employees (so that we can register callback notes). This can be set per group so that users also end up in the correct user group in JOIN (useful for setting up authorizations and assigning privileges (sets)).
ADFS stands for Active Directory Federation Services and was developed by Microsoft. It enables organizations to centrally organize both the management of users (Active Directory) and the central logging in to all applications (both internal and external). ADFS offers the user a reliable, secure and user-friendly method for logging on once to the business applications. ADFS does not replace the LDAP link in most cases, although it is often presented as the successor to LDAP. The two are complementary rather than alternatives, although ADFS can also take over functions from LDAP. We recommend using ADFS in combination with LDAP, especially if your organization has the JOIN products running locally. For more advice, please discuss this with one of our technical specialists.
When the organization starts using the ADFS integration with JOIN, a number of activities will be performed by the Decos technical consultant. Consider, for example, a possible user conversion (LDAP uses SamAccountName (username), while ADFS uses UserPrincipalName (email address)) and setting up HTTPS (where HTTP is often still used).
ADFS uses the organization’s Active Directory (just like LDAP). In this Active Directory all data of the user is recorded centrally (such as name, telephone number and e-mail address), but application rights can also be assigned. In combination with ADFS, organizations can centrally control both access and authentication (login). It is therefore no longer necessary to regulate per application who is allowed to log in and how; this all takes place within ADFS.
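The user conversion mentioned above changes the identifier an account is matched on, so it is worth checking beforehand that every existing username resolves to exactly one UserPrincipalName. The following is an added example, not Decos code: the AD export rows, the application user list and the function name `build_conversion` are constructed for illustration.

```python
"""Pre-conversion check: sAMAccountName-based usernames -> UserPrincipalName."""
from collections import defaultdict

# Constructed sample data: rows as they might come from an AD export (assumption).
AD_EXPORT = [
    {"sAMAccountName": "jdevries", "userPrincipalName": "j.devries@example.org"},
    {"sAMAccountName": "pjansen", "userPrincipalName": "P.Jansen@example.org"},
    {"sAMAccountName": "svc_scan", "userPrincipalName": ""},
    {"sAMAccountName": "pjansen2", "userPrincipalName": "p.jansen@example.org"},
]
# Constructed list of application usernames currently keyed on sAMAccountName.
APP_USERS = ["JDevries", "pjansen", "pjansen2", "svc_scan", "oldintern"]


def build_conversion(app_users, ad_rows):
    """Return (mapping, problems): mapping is username -> UPN for safe rows,
    problems is username -> reason for every account that needs manual review."""
    # AD compares both attributes case-insensitively, so normalise to lower case.
    by_sam = {r["sAMAccountName"].lower(): r for r in ad_rows}
    owners = defaultdict(list)  # UPN -> accounts in the export that carry it
    for r in ad_rows:
        upn = (r.get("userPrincipalName") or "").strip().lower()
        if upn:
            owners[upn].append(r["sAMAccountName"].lower())

    mapping, problems = {}, {}
    for name in app_users:
        row = by_sam.get(name.lower())
        if row is None:
            problems[name] = "not found in AD"
            continue
        upn = (row.get("userPrincipalName") or "").strip().lower()
        if not upn:
            problems[name] = "no UPN set"
        elif "@" not in upn:
            problems[name] = "UPN is not in user@domain form"
        elif len(owners[upn]) > 1:
            # Two accounts behind one UPN would be merged into one identity.
            others = [s for s in owners[upn] if s != name.lower()]
            problems[name] = "UPN shared with " + ", ".join(others)
        else:
            mapping[name] = upn
    return mapping, problems
```

Accounts that end up in `problems` are the ones that would fail to log in, or log in as someone else, once the application matches on UserPrincipalName.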
With ADFS it is also possible to log in to applications that are active outside the network of the customer. In the case of JOIN, you can think of JOIN Case Types, JOIN Agenderen, JOIN Mobile, JOIN Case & Document (private cloud), JOIN Klantcontact (private cloud) and Fixi. The other way around is of course also possible: when the end user is outside the organizational network, it is possible with ADFS to log in to the applications that are located within the network. When you purchase ADFS, we set this up for all JOIN applications that support ADFS.
An additional advantage for the end user is that the login screens are always the same. The application sends the user directly to the ADFS login screen (which can be completely adapted to the look & feel of the organization) instead of the login screen of the relevant application. The user can log in with his email address and password in all applications that are connected to ADFS. Also think of Outlook, for example.
Finally, with ADFS, Single Sign On is also supported: the user no longer has to log in again once he has already logged on to the company network.
Integration with ADFS is supported for Chrome, Edge and Firefox browsers.
The use of ADFS makes it possible to apply 2-factor authentication in JOIN indirectly. If 2-factor authentication is required by the organization when logging in to ADFS, an additional authentication step will be required after clicking on log in, for example re-entering an SMS code or authentication via the Microsoft Authenticator app (https://www.microsoft.com/en-gb/account/authenticator). 2-factor authentication is possible with both on-premise ADFS and with Azure Active Directory (AAD).
No adjustments on the JOIN side are required to configure 2-factor authentication for both Microsoft ADFS and AAD. We refer you to the Microsoft website. If you want us to support you in setting up 2FA, you can hire a technical consultant for this.