On-premise authentication
Overview
To deliver authentication, Data Hub supports various authentication providers. By default, the Windows authentication provider is used. The product ships with two other providers: ADFS and AzureAD, both of which use claims-based authentication.
Providers:
Active Directory (Windows) - By default, Data Hub is configured to use Windows authentication; no additional configuration is required. Windows authentication recognizes local system users and groups configured on the webserver computer, as well as Active Directory users and groups configured for the web server's domain.
Azure Active Directory (Azure AD) – Azure AD allows claims-based user and group management for Data Hub and other on-premises and cloud applications, such as Office 365 and Dynamics CRM Online. Once configured, users logging into Data Hub will be redirected to Azure AD to authenticate.
Active Directory Federation Services (ADFS) – ADFS implements claims-based federated identity for Windows for Data Hub installations. ADFS enables single sign-on to authenticate users across security and enterprise boundaries.
Active directory
Configure application authentication settings
Select your application authentication method using the Authentication area of the Settings tab.
Authentication tab features:
Windows (Active Directory) authentication – allows you to authenticate users within an Active Directory domain.
Azure Active Directory (OpenId Connect) authentication – allows claims-based authentication using Microsoft Azure AD.
Active Directory Federation Services (ADFS / WSFederation) authentication – allows claims-based authentication using Microsoft ADFS.
Allow Anonymous Viewers check box – When selected, allows any unauthenticated users to view links that have been shared with them.
Note
The Allow Anonymous Viewers feature may require a specific license permission to use. Without permission, the check box may not be visible.
Only resources in the Public folder (and its subfolders) may be shared with this feature.
To share a resource or folder with anonymous viewers, its viewer access setting must be enabled, by displaying the resource's security screen, and then clicking the Viewer Access on the HOME screen.
You may also need to override the inheritance of security permissions for the resource (Override on the security screen's HOME screen) before you can enable Viewer Access.
Azure Active Directory (AzureAD) authentication
Azure AD allows claims-based user and group management for Data Hub and other on-premises and cloud applications, such as Office 365 and Dynamics CRM Online. Once configured, users logging into Data Hub will be redirected to Azure AD to authenticate.
To use Data Hub with Azure AD:
Select Azure Active Directory (AzureAD) from the Configure Security Settings screen.
Complete an application registration for Data Hub in the Azure portal.
The configuration values for Tenant, Client ID, Application Key obtained during the registration process must be pasted into the corresponding boxes in the Configure Security Settings screen.
Click Save.
For details on registering the Data Hub application and obtaining the Tenant, Client ID, and Application Key values, refer to the following Knowledge Base article: https://zendesk.zaptechnology.com/hc/en-us/articles/207150197.
Windows (Active Directory) authentication
Selecting the Windows (Active Directory) option on the Configure Security Settings screen option requires no further configuration. Data Hub uses the application pool identity of the webserver it is installed on to access Active Directory to authenticate users. Local system users and groups configured on the webserver computer, as well as Active Directory users and groups configured for the web server's domain may be used.
The best practice for Active Directory authentication is to use the AGDLP nested group model to minimize administration.
Note
Users from other domains may also authenticate if the appropriate trusts and group structures are set up.
The optional Active Directory Search Filter box lets you type an LDIF string to specify the distinguished name (DN) of the organization unit (OU) to use for Active Directory searches.
For example, to specify the US\Washington OU for the contoso.com domain, type: OU=Washington, OU=US, DC=contoso, DC=com.
Specifying a search filter may be useful if you have many users in your Active Directory, or your Active Directory is distributed across multiple sites connected by WAN links, in order to improve performance. Any filter specified here will be applied when you search for users and groups to add to a Data Hub policy in the Users and Groups screen.
Use Active Directory Federation Services (ADFS) authentication
ADFS implements claims-based federated identity for Windows for your Data Hub installation. ADFS enables single sign-on to authenticate users across security and enterprise boundaries.
To use Data Hub with ADFS:
Configure a relying party trust in the ADFS Management console, and the Federation Metadata URL and enter Realm URI (the Data Hub application's web address) into the appropriate boxes in the Configure Security Settings screen.
Click Save to finish.
For details on configuring a relying party trust and obtaining the Federation Metadata URL and Realm URI values, values, refer to the following Knowledge Base article:
Refresh user and group Information
If you are using Active Directory or Active Directory Federation Services (ADFS), you can manually force Data Hub to update the information displayed on the Users and Groups tab by clicking Clear Membership Cache on the HOME screen.
This action allows you to guarantee that you are viewing the most up-to-date user and group information.
If you do not want to wait for the database to automatically update new users or groups in Active Directory, you can force Data Hub to contact Active Directory and perform an IIS refresh to retrieve the new user or group information.