Version: 2.2.3

Scenarios

This section will describe some scenarios that may require variations in the configurations proposed in the step-by-step guide presented previously. It is important to highlight that there is no single configuration that applies to all environments, and prior planning is necessary before implementing integration with a directory service.

Scenario 1: I have more than one directory service running on different servers, and I want to import/authenticate users from all of them.

SoftExpert Suite supports multiple domain configurations. To this end, configure the desired domains in the SoftExpert Configuration component > Authentication (CM008), Directory Integration > Domains section. Synchronization runs for all registered domains and produces a single record in the synchronization history.

Furthermore, the system allows identical logins, but from different domains. This requires a specific configuration in the rules added to the federation service, if single sign-on via SAML 2.0 is being used. Next, see how to configure authentication via SAML 2.0 with multiple domains in AD FS:

  1. Set up single sign-on via SAML 2.0 as usual, following the steps until you reach the "Claim rules" configuration. In this step, select the "Send claims using a custom rule" option and click on "Next".
  2. In the next step, give the rule a name and enter the following custom rule:

```
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"), query = ";objectGUID;{0}", param = c.Value);
```

  3. Once done, click on "Finish".
⚠️ Attention:

  • For this scenario, it is mandatory that the attribute mapped for the "ID # in domain controller" field in the domain configuration, in the Configuration component > Authentication (CM008), Directory integration > Domains section, be the "objectGUID" attribute: once the same login may exist in more than one domain, the login alone no longer identifies a user uniquely, and objectGUID is the value the claim rule above issues.
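The following is an added illustration of why the identifier must be objectGUID when the same login exists in more than one domain; it is not SoftExpert code and does not use the product's API. It assumes that AD FS delivers the objectGUID in the privatepersonalidentifier claim as Base64 of the raw 16-byte value (the usual form for binary attributes queried through the Active Directory attribute store) and that the LDAP objectGUID is read as 16 raw bytes in Windows GUID byte order; the user records, GUIDs and domain names are constructed for the example.

```python
import base64
import uuid

# Constructed sample directory data: the same login "jsmith" exists in two
# domains. Only objectGUID is unique across both, which is why the
# "ID # in domain controller" field must map to objectGUID when logins repeat.
SAMPLE_USERS = [
    {"domain": "corp.example", "sAMAccountName": "jsmith",
     "objectGUID": uuid.UUID("0d3c9a1e-4b6f-4f2a-9a5e-1c2d3e4f5a6b")},
    {"domain": "sub.example", "sAMAccountName": "jsmith",
     "objectGUID": uuid.UUID("7f1a2b3c-4d5e-4f60-8a9b-0c1d2e3f4a5b")},
]


def guid_from_ldap_bytes(raw: bytes) -> uuid.UUID:
    """Convert the 16-byte objectGUID as read over LDAP into a canonical UUID.
    AD stores the first three GUID fields little-endian, which is exactly the
    layout uuid.UUID(bytes_le=...) expects."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be 16 bytes")
    return uuid.UUID(bytes_le=raw)


def guid_from_claim(claim_value: str) -> uuid.UUID:
    """Parse the privatepersonalidentifier claim value.
    Assumption: AD FS emits the binary objectGUID as Base64 of the raw bytes;
    a canonical string GUID is accepted as well."""
    try:
        return uuid.UUID(claim_value)
    except ValueError:
        pass
    raw = base64.b64decode(claim_value, validate=True)
    return guid_from_ldap_bytes(raw)


def index_by_login(users) -> dict:
    """Key users by login only: collisions across domains become visible."""
    idx = {}
    for user in users:
        idx.setdefault(user["sAMAccountName"].lower(), []).append(user)
    return idx


def index_by_guid(users) -> dict:
    """Key users by objectGUID; a duplicate here is a data error, not a feature."""
    idx = {}
    for user in users:
        key = str(user["objectGUID"])
        if key in idx:
            raise ValueError(f"duplicate objectGUID {key}")
        idx[key] = user
    return idx


def resolve_claim(claim_value: str, users=SAMPLE_USERS):
    """Map a SAML privatepersonalidentifier claim to exactly one user, or None."""
    wanted = str(guid_from_claim(claim_value))
    return index_by_guid(users).get(wanted)


def make_claim_value(guid: uuid.UUID) -> str:
    """Constructed helper: the claim value AD FS would send for this GUID."""
    return base64.b64encode(guid.bytes_le).decode("ascii")


if __name__ == "__main__":
    collisions = [k for k, v in index_by_login(SAMPLE_USERS).items() if len(v) > 1]
    print("logins owned by more than one account:", collisions)
    claim = make_claim_value(SAMPLE_USERS[1]["objectGUID"])
    print("claim", claim, "resolves to domain", resolve_claim(claim)["domain"])
```

The point of the two indexes is the check a practitioner should run before enabling multi-domain synchronization: if `index_by_login` reports any collision, a login-based identifier would silently merge or cross-map accounts, while the GUID-based lookup resolves each SAML assertion to exactly one directory object.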

Scenario 2: The company uses directory services in a forest architecture, with several independent servers managed by a centralizer that keeps a read-only copy of their data.

For this scenario, there are two possible solutions:

  1. The best solution is to point to the centralizer address in the domain configuration, as this server must have the most up-to-date data from all points in the structure.
  2. Connect directly to one of the servers that has the best connection to SoftExpert Suite. This alternative should be considered in situations where the system server does not have direct access to the centralizer, or the connection with it is limited.

Scenario 3: I want to import only specific users from the mapped directories, not all those contained in them.

We recommend creating a group for the users who must be imported into SoftExpert Suite. This way, you can include a specific filter that restricts synchronization to only users in that group, regardless of the directory in which they are located. See an example of how to do this:

  1. Create a group named "SESuiteUsers" in the directory service and add to it all users that will be imported into SoftExpert Suite. The field that identifies the group is "distinguishedName".

  2. Once this is done, include the filter in the domain configuration in the SoftExpert Configuration component > Authentication (CM008) > **Directory integration > Domains** section, as in the following example:

```
(memberOf=CN=SESuiteUsers,OU=Groups,DC=contoso,DC=local)
```

Scenario 4: I have users that must have an attribute for a certain field, and others that must have another, within the same domain.

For example, for users in the "Employees" group, the attribute for the "ID" field must be "description", but for those in the "Interns" group, it must be "samAccountName". In this situation, you will need to create two domain configurations, even if both connect to the same domain. The only difference between the two configurations is the attribute mapped to the ID # field, which varies from one group to the other.

To set this configuration:

  1. Create two domain configurations in the SoftExpert Configuration component > Authentication (CM008), Directory integration > Domains section. One configuration will be for the "Employees" group, and the other for the "Interns" group.
  2. In the domain configuration for "Employees", set the filter for the "ID" field to "description". Example: `(description=*)`.
  3. In the domain configuration for "Interns", set the filter for the "ID" field to "samAccountName". Example: `(samAccountName=*)`.

This way, each domain configuration will import the users corresponding to the specific desired attribute, according to the group to which they belong.
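To make Scenarios 3 and 4 concrete, the following added example (not part of the SoftExpert documentation or product code) evaluates LDAP filters of the kind entered in the domain configuration against a small constructed set of directory entries. It implements a subset of RFC 4515 (presence and equality items combined with `&`, `|` and `!`), compares attribute names and DN values case-insensitively as Active Directory does, and runs the group filter from Scenario 3 and the per-group presence filters from Scenario 4, including how the two combine when both scenarios apply at once. The group DNs and logins are constructed for the example.

```python
# Constructed sample entries (not real directory data). memberOf is multi-valued.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "description": ["E-1001"],
     "memberOf": ["CN=SESuiteUsers,OU=Groups,DC=contoso,DC=local",
                  "CN=Employees,OU=Groups,DC=contoso,DC=local"]},
    {"sAMAccountName": "bob",  # interns carry no description attribute
     "memberOf": ["CN=SESuiteUsers,OU=Groups,DC=contoso,DC=local",
                  "CN=Interns,OU=Groups,DC=contoso,DC=local"]},
    {"sAMAccountName": "carol", "description": ["E-1002"],
     "memberOf": ["CN=Employees,OU=Groups,DC=contoso,DC=local"]},
    {"sAMAccountName": "svc-backup"},  # service account, member of nothing
]


def parse_filter(text: str):
    """Parse a subset of RFC 4515: (&...), (|...), (!...), (attr=*), (attr=value).
    Values containing ')' would need RFC 4515 escaping, which is not handled."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos < len(text) and text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            result = (op, children)
        else:
            end = text.index(")", pos)
            attr, sep, value = text[pos:end].partition("=")
            if not attr or sep != "=":
                raise ValueError(f"malformed item {text[pos:end]!r}")
            result = ("=", attr, value)
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return result

    ast = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return ast


def _values(entry: dict, attr: str) -> list:
    """Attribute lookup; attribute names are case-insensitive in LDAP."""
    for name, value in entry.items():
        if name.lower() == attr.lower():
            return value if isinstance(value, list) else [value]
    return []


def matches(ast, entry: dict) -> bool:
    op = ast[0]
    if op == "&":
        return all(matches(child, entry) for child in ast[1])
    if op == "|":
        return any(matches(child, entry) for child in ast[1])
    if op == "!":
        return not matches(ast[1][0], entry)
    _, attr, value = ast
    present = _values(entry, attr)
    if value == "*":  # presence filter: the attribute has at least one value
        return bool(present)
    # AD compares DN-valued and most string attributes case-insensitively,
    # which is why "dc=local" and "DC=local" select the same group.
    return any(v.lower() == value.lower() for v in present)


def search(filter_text: str, entries=SAMPLE_ENTRIES) -> list:
    """Return the logins of the entries the filter selects, in directory order."""
    ast = parse_filter(filter_text)
    return [e["sAMAccountName"] for e in entries if matches(ast, e)]


if __name__ == "__main__":
    # Scenario 3: only members of the SESuiteUsers group are synchronized.
    print(search("(memberOf=CN=SESuiteUsers,OU=Groups,DC=contoso,dc=local)"))
    # Scenario 4: one domain configuration per group, each requiring its own ID attribute.
    print(search("(&(memberOf=CN=Employees,OU=Groups,DC=contoso,DC=local)(description=*))"))
    print(search("(&(memberOf=CN=Interns,OU=Groups,DC=contoso,DC=local)(sAMAccountName=*))"))
```

Running the filters against sample data before entering them in the domain configuration is a cheap way to confirm that the group restriction excludes service and unrelated accounts and that the presence filter for each group's ID attribute does not silently drop users whose attribute is empty.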