
Active Directory with LDAP User synchronization

The following document is still under construction.

This section describes the steps for integrating with Active Directory using LDAP user synchronization. After completing the integration steps below, you can:

  • Synchronize users from Active Directory via LDAP
  • Let users log in to Offision via LDAP

Network Connectivity

Network connection diagram

  1. Connect from User Web App, Outlook Add-in, Management Console to Offision Server

    • For opening the Offision web apps.
    • Port: TCP 443
  2. Connect from Offision Server to Offision Player

    • For room displays, floor displays, etc. The displays connect to the server to receive the signal, and Offision Server pushes real-time data updates over the HTTPS and WSS protocols.
    • Port: TCP 443
  3. Connect from Offision Server to SMTP Server

    • For sending email to the recipient through the SMTP Server.
    • Port: TCP 25, 465, or 587 (depends on the SMTP Server setting)
  4. Connect from Offision Server to LDAP:

    • For synchronizing user data from Active Directory.
    • Port: TCP 389 (plain LDAP) or 636 (LDAPS), depending on the LDAP Server setting
  5. Connect from User Web App, Outlook Add-in, Management Console to the ADFS

    • For user single sign-on with Active Directory Federation Services (ADFS)
    • Port: TCP 443

Integration Steps

Prerequisites
  • Microsoft Active Directory
  • LDAP enabled
  • Service account for accessing LDAP

External Integration Setting

  1. Open Offision Management Console

  2. Navigate to Settings > External Integration

  3. Click New external integration + button, select Active Directory (with LDAP user synchronization)

  4. Fill in the host server address and port

    ⚠️ By default the connection runs in LDAPS. If you do NOT want to use SSL/TLS, uncheck Run in LDAPS (Secure connection). Note that a plain LDAP simple bind sends the service account password unencrypted.

    ⚠️ If your LDAP server has a certificate issue, you can check Ignore server certificate error to skip the error (this option is shown when Run in LDAPS (Secure connection) is checked). Skipping the check also removes protection against a spoofed server, so prefer fixing the certificate or trusting its issuing CA.

  5. Fill in the service account username (normally in the format admin.super@company.hk or CompanyName\admin.super) and password

  6. Fill in the distinguished name (Required) and LDAP filter (Optional)

    💡 The distinguished name should be in a format like "OU=Users,DC=ones,DC=software"; point it to the Organizational Unit that contains the users you want to synchronize.

    💡 The LDAP filter is an advanced filter for selecting specific users, for example by security group or by name; the format will be like "memberOf=CN=Development Teams,DC=ones,DC=software"

  7. The system does not synchronize disabled users by default. If you want to synchronize disabled users, enable Synchronize disabled users.

  8. If you want to sync a specified Active Directory field into the user card number, select the option you need from the list. The default is No synchronize.

  9. For single sign-on, you can select ADFS or LDAP

  • For ADFS
    1. Configure ADFS / Azure Active Directory. Please follow the ADFS setup guide and AzureAD setup guide
    2. Fill in the Metadata address and WtRealM
      • For Exchange server
        • In Metadata address, fill in https://{your active directory address}/FederationMetadata/2007-06/FederationMetadata.xml
        • In WtRealM, fill in the URL of the WS-Federation Passive protocol app configured in Active Directory
      • For Microsoft 365
        • In Metadata address, fill in the WS-Federation middleware's MetadataAddress
        • In WtRealM, fill in the Application ID URI
  • For LDAP, no extra settings are required
  10. (Optional) Fill in the Login button name; it will show Login via Active directory if the field is left empty
  11. Click the Save button.
  12. Now users can single sign on from the login page

You can also set "Default native user groups". This setting automatically assigns users to the selected user groups when the system synchronizes users.
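The following Python script is an added example, not part of the Offision documentation or product, that lets you sanity-check the values from steps 4 to 7 before saving them. It models the LDAPS / Ignore server certificate error switches as a TLS context, validates the distinguished name shape, composes the search filter a synchronization would send (base object filter, your optional LDAP filter, and the Active Directory bitwise rule that excludes disabled accounts unless Synchronize disabled users is on), and dry-runs that logic over constructed sample entries. The function names, the `SAMPLE_ENTRIES` data and the exact filter composition are assumptions for illustration; only the `userAccountControl` ACCOUNTDISABLE bit (0x2) and the `1.2.840.113556.1.4.803` matching rule are standard Active Directory values.

```python
import re
import ssl

ACCOUNT_DISABLE = 0x2  # userAccountControl flag ACCOUNTDISABLE (standard AD value)
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND (standard AD OID)


def make_ldaps_context(ignore_server_cert_errors=False, ca_file=None):
    """Model the console switches as a TLS context (assumed mapping, not product code).
    ignore_server_cert_errors=True turns off chain and hostname checks, which is what
    'Ignore server certificate error' amounts to; passing ca_file with the AD CA's
    certificate is the safer way to make a private CA trusted."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if ignore_server_cert_errors:
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


DN_RDN = re.compile(r"^(?:OU|CN|DC|O|L|ST|C)=[^,]+$", re.IGNORECASE)


def validate_base_dn(dn):
    """Check that the distinguished name looks like 'OU=Users,DC=ones,DC=software':
    comma-separated attr=value components ending in a DC component.
    (Escaped commas inside values are not handled by this simple check.)"""
    parts = [p.strip() for p in dn.split(",")]
    if not parts or not all(DN_RDN.match(p) for p in parts):
        return False
    return parts[-1].upper().startswith("DC=")


def build_sync_filter(user_filter="", include_disabled=False):
    """Compose the search filter: person/user objects, the optional admin filter,
    and (unless disabled users are wanted) the bitwise exclusion of ACCOUNTDISABLE."""
    clauses = ["(objectCategory=person)", "(objectClass=user)"]
    f = user_filter.strip()
    if f:
        if not f.startswith("("):
            f = f"({f})"  # RFC 4515 filters are parenthesised; the console example is not
        clauses.append(f)
    if not include_disabled:
        clauses.append(f"(!(userAccountControl:{BIT_AND_RULE}:=2))")
    return "(&" + "".join(clauses) + ")"


def would_sync(entry, base_dn, user_filter="", include_disabled=False):
    """Local dry run of one entry against the same rules as build_sync_filter.
    Only a single 'attr=value' equality filter (the shape shown in the console) is evaluated."""
    if not entry["dn"].lower().endswith("," + base_dn.lower()):
        return False  # outside the OU subtree selected by the distinguished name
    if entry.get("userAccountControl", 0) & ACCOUNT_DISABLE and not include_disabled:
        return False  # disabled account and 'Synchronize disabled users' is off
    f = user_filter.strip().strip("()")
    if f:
        attr, _, value = f.partition("=")
        have = entry.get(attr, [])
        if isinstance(have, str):
            have = [have]
        if value.lower() not in [v.lower() for v in have]:
            return False
    return True


def dry_run(entries, base_dn, user_filter="", include_disabled=False):
    """Return the sAMAccountNames that the synchronization would pick up."""
    return [e["sAMAccountName"] for e in entries
            if would_sync(e, base_dn, user_filter, include_disabled)]


# Constructed sample entries, not data from any real directory.
DEV_GROUP = "CN=Development Teams,DC=ones,DC=software"
SAMPLE_ENTRIES = [
    {"dn": "CN=Alice,OU=Users,DC=ones,DC=software", "sAMAccountName": "alice",
     "userAccountControl": 512, "memberOf": [DEV_GROUP]},
    {"dn": "CN=Bob,OU=Users,DC=ones,DC=software", "sAMAccountName": "bob",
     "userAccountControl": 514, "memberOf": [DEV_GROUP]},          # 514 = 512 | ACCOUNTDISABLE
    {"dn": "CN=Carol,OU=Users,DC=ones,DC=software", "sAMAccountName": "carol",
     "userAccountControl": 512, "memberOf": []},
    {"dn": "CN=svc-sync,OU=Service,DC=ones,DC=software", "sAMAccountName": "svc-sync",
     "userAccountControl": 512, "memberOf": [DEV_GROUP]},            # outside the base OU
]

if __name__ == "__main__":
    base = "OU=Users,DC=ones,DC=software"
    print("base DN valid:", validate_base_dn(base))
    print("filter:", build_sync_filter("memberOf=" + DEV_GROUP))
    print("default sync:", dry_run(SAMPLE_ENTRIES, base))
    print("group only:", dry_run(SAMPLE_ENTRIES, base, "memberOf=" + DEV_GROUP))
    print("group incl. disabled:", dry_run(SAMPLE_ENTRIES, base, "memberOf=" + DEV_GROUP, True))
    print("LDAPS verify mode:", make_ldaps_context().verify_mode.name)
```

Run it with no arguments to see which of the sample accounts each combination of distinguished name, LDAP filter and Synchronize disabled users would select; swap in your own OU and group DN to reason about a real configuration before enabling it. The TLS helper exists to make the trade-off of Ignore server certificate error visible: the resulting context accepts any certificate, so the remedy for a certificate error is to trust the issuing CA, not to keep that option enabled.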

Login via Active directory

❓ What is the difference between single sign-on by ADFS and by LDAP?

For ADFS, if the user is already signed in to their Active Directory account in the browser, they are not required to enter the username and password again.
For LDAP, the user always needs to enter the username and password to log in to the system.

How to hide the default login fields and buttons in login page

The default login fields and buttons are for users to log in via system local accounts. If you are using the system without any local user accounts, or you do not want users to log in via local accounts, you can hide these fields with the following steps in the Management Console:

  1. Navigate to Settings > General
  2. Select Hidden local login in User App
  3. Click the Update button