The section includes settings for controlling and tracking user logins and the complexity of the passwords they use, as well as authorization options to improve security. To start working with this section, access to it must first be granted to the user group in the "Groups access rights" section.
The section contains three tabs with settings:
1. Authentication settings: a number of restrictions on user login to the system. Some of them are also implemented for user groups in the "Groups access rights" section:
   - Remember me - allows you not to enter your password every time.
   - Check IP - a user who logs in from a different IP address must enter a password.
   - For how many days it remembers - the number of days the system remembers your login information and does not ask for a password.
   - Number of login attempts - a convenient function: when someone attempts to gain access to the system by systematically guessing passwords and usernames, the system blocks the user who has exceeded the specified number of attempts.
2. Password policy: a set of rules that improve security by checking the reliability of user passwords and requesting that they be changed. Such a policy may be part of the official requirements and rules of the company. More details about each setting can be found in the article "Configuring the password policy for users of the HelpDeskEddy system".
3. Single Sign-On (SSO): a technology that combines several different login screens on different platforms into one. With SSO, the user only needs to enter their credentials (username, password, etc.) once on one page to access all of their SaaS applications. SSO is not only much easier and more user-friendly, but it is also considered more secure.
More information about the options, with examples of connections that are already implemented, can be found in the article "Single sign-on - SSO SAML integration with HelpDeskEddy (OneLogin, Okta)".
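How the four options on the Authentication settings tab interact can be seen in a small model. This is an added example, not HelpDeskEddy code: the class, field and function names are hypothetical, the IP addresses are constructed, and "exceeded" is assumed to mean strictly more failed attempts than the configured number.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class AuthSettings:  # hypothetical names for the four options on the tab
    remember_me: bool = True
    check_ip: bool = True
    remember_days: int = 14
    max_login_attempts: int = 5

@dataclass
class Account:  # per-user state needed to enforce the settings
    failed_attempts: int = 0
    blocked: bool = False
    remembered_at: Optional[datetime] = None
    remembered_ip: Optional[str] = None

def needs_password(s: AuthSettings, acct: Account, ip: str, now: datetime) -> bool:
    """Return True when a remembered login must not be reused."""
    if acct.blocked or not s.remember_me or acct.remembered_at is None:
        return True
    if now - acct.remembered_at > timedelta(days=s.remember_days):
        return True  # "For how many days it remembers" has elapsed
    return s.check_ip and ip != acct.remembered_ip  # "Check IP"

def submit_password(s: AuthSettings, acct: Account, password_ok: bool,
                    ip: str, now: datetime) -> str:
    """Process one password attempt; returns 'ok', 'failed' or 'blocked'."""
    if acct.blocked:
        return "blocked"
    if not password_ok:
        acct.failed_attempts += 1
        # Assumption: "exceeded" means strictly more than the configured number.
        if acct.failed_attempts > s.max_login_attempts:
            acct.blocked = True
            return "blocked"
        return "failed"
    acct.failed_attempts = 0  # a successful login clears the counter
    if s.remember_me:
        acct.remembered_at, acct.remembered_ip = now, ip
    return "ok"

if __name__ == "__main__":
    s, a, t0 = AuthSettings(remember_days=7), Account(), datetime(2024, 1, 1)
    print(submit_password(s, a, True, "203.0.113.5", t0))
    print(needs_password(s, a, "198.51.100.9", t0 + timedelta(days=1)))
```

With "Check IP" disabled, the remembered login is accepted from any address until the remember period runs out, so the two options are best reviewed together.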
LDAP / AD authentication.
How to set up integration with LDAP / Active Directory:
- Check the box "Use LDAP for authentication";
- Next, configure the system in accordance with the settings of your server;
After saving the settings, users are synchronized.
Let's consider the features of LDAP operation in the HelpDeskEddy system:
- In the "Dispatcher" section you can use tags; they have also been added to the API.
- The email from LDAP must match the email in the system; if the mail doesn't match, authorization will be canceled. For example, if you register an e-mail for users, they will not be able to log into the Active Directory account. Next, you will need to use one of the options:
  - Remove the mail from LDAP; an email of this type will then be created - email@example.com;
  - Return the mailbox from LDAP to the user under the appropriate login.
- The "Account suffix" field is optional when connecting. You can specify only one suffix in this field, for example @hde.com, which will work as a restriction and will allow users with such a domain to log in by name only. If you have several domains in Active Directory, the field is left empty and users will be able to log in under any domain by specifying it together with their name, for example firstname.lastname@example.org.
- Synchronization and addition of contacts from AD occurs by pulling information from the samaccountname field; if a full email is registered there, its value will be displayed in the system. Contacts are synchronized one at a time, automatically, after successful authorization. There are two options for working with synchronization in the system:
  - If synchronization is used only for authorization, it can be disabled; accounts will be created when a user tries to log in and will be updated in the same way at every subsequent authorization.
  - If you leave synchronization enabled, accounts will have to be created. The expected LDAP username in the card may not coincide with what the user enters, but the user can log in to this account without any problems by specifying in the login the suffix (email@example.com) that matches the system mail.
If these options don't work for you for any reason, please don't hesitate to contact us at firstname.lastname@example.org; our colleagues will help you adjust the synchronization and make changes to refuse suffixes, as well as advise you on any other issues.