Identity provider - Integrated Windows Authentication
Overview
The web application can authenticate users using Microsoft Windows domain authentication information. If a user is logged into the Windows Domain on a PC, the same user can access the web application without authenticating again.
When a domain user opens the web interface, the system automatically authenticates the Windows user against Active Directory (AD) and logs the user in to the recording system seamlessly. However, this still requires a user created in the Verba Recording System, because some configuration settings are not available in Active Directory.
Do not confuse this SSO functionality with the separate Single Sign-On API, which allows single sign-on integration with any system or portal using a simple web protocol.
This SSO function helps you stop managing user passwords and user deletions in the Verba Recording System. You will still need to create the users in Verba, configure access rights and assign phone numbers to them.
Configuring Integrated Windows Authentication
Follow three steps to enable/configure SSO.
Step 1 - Make sure your Verba web app server is in the same domain as your users.
Step 2 - Configure the web app for SSO. With System Administrator rights, you will find these settings under Administration menu / Verba Servers / (select your server) / Change Configuration Settings / Web Application Configuration / Single sign on settings. See the parameters in the Web application settings topic.
Configuration Parameter Name | Description |
---|---|
Strip Domain Information from Login ID | If enabled, the system will not use the Windows domain information during the single sign-on process. In practice, this means that the login IDs of the users configured in the Verba system do not contain the domain information. |
Domain User Account Format | If the Windows domain information is used during the single sign-on process (the Strip Domain Information from Login ID setting is disabled), then the users - configured in the Verba system - have to contain the domain information. This setting allows users to select the way the domain information is stored in the login ID in the Verba system. |
Allow Single Sign-On for System Administrators | Enables or disables the single sign-on feature for system administrators. If disabled, the users with system administrator privileges are not allowed to authenticate using the single sign-on functionality. |
Step 3 - Configure the users in the Verba Recording System with the same login name as in Active Directory.
If you have problems with SSO, verify the following:
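As an added illustration of Steps 2 and 3 (not code from Verba or from the original page), the following Python example computes the login ID each Windows account would need under the Strip Domain Information from Login ID setting and flags login IDs that more than one account would map to. The two account formats, the case-insensitive comparison and the sample accounts are assumptions; the page does not list the product's actual format options.

```python
from collections import defaultdict

# Assumed layouts for "Domain User Account Format" (the page does not list
# the product's actual options).
FORMATS = {
    "down_level": "{domain}\\{user}",  # DOMAIN\user
    "upn_style": "{user}@{domain}",    # user@domain
}


def parse_principal(principal):
    """Split 'DOMAIN\\user' or 'user@domain' into (domain, user), lower-cased."""
    p = principal.strip()
    if "\\" in p:
        domain, user = p.split("\\", 1)
    elif "@" in p:
        user, domain = p.rsplit("@", 1)
    else:
        domain, user = "", p
    if not user:
        raise ValueError(f"no user name in {principal!r}")
    return domain.lower(), user.lower()


def login_id(principal, strip_domain, account_format="down_level"):
    """Login ID the Verba user record would need for this Windows account."""
    domain, user = parse_principal(principal)
    if strip_domain or not domain:
        return user
    return FORMATS[account_format].format(domain=domain, user=user)


def find_collisions(principals, strip_domain, account_format="down_level"):
    """Map each login ID claimed by more than one distinct account to those accounts."""
    claimed = defaultdict(set)
    for p in principals:
        claimed[login_id(p, strip_domain, account_format)].add(parse_principal(p))
    return {lid: sorted(a) for lid, a in claimed.items() if len(a) > 1}


# Constructed sample accounts, not taken from any real directory.
SAMPLE = ["CORP\\jsmith", "PARTNER\\jsmith", "CORP\\adavis", "corp\\ADavis"]

if __name__ == "__main__":
    for strip in (True, False):
        print(f"strip_domain={strip}: {find_collisions(SAMPLE, strip)}")
```

With the constructed sample, stripping the domain maps CORP\jsmith and PARTNER\jsmith to the single login ID jsmith, while keeping the domain yields no collisions.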
- Integrated Windows Authentication browser requirements
- Integrated Windows Authentication server requirements
Accessing the web interface with IWA
In order to access the web interface using SSO, use the following URL:
When Verba is configured to use the secured SSL (HTTPS) protocol, to access the web interface, the following must be in the address bar:
If a user is already logged in to the domain of the web application, they can access the system directly. If they are not logged in, the browser will automatically ask for the Windows user credentials.
You can use Active Directory / Windows Domain based authentication and standard Verba authentication at the same time on one system. Your users need to access the web interface using the above links to use SSO. Other web links do not provide this capability.
Forcing non-IWA login when IWA is enabled
It is possible to force a non-SSO login by visiting the following URL:
Changing the default login procedure to single sign-on
You can change the above behaviour, where SSO requires a separate link, so that single sign-on becomes the default login procedure.
Step 1 - If you have not already done so, follow the steps above to enable SSO
Step 2 - Access the Verba server using Remote Desktop
Step 3 - Open the <PROGRAM FILES>\Verba\tomcat\webapps\ROOT\index.html file where <PROGRAM FILES> is e.g. "C:\Program Files (x86)"
Step 4 - Change the META line from
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=/verba">
to
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=/verba/sso">
Step 5 - This change goes live without any restart. Point your browser to http://ServerNameorIPAddress