A realm defines a protection space. Realms allow the protected resources on the server to be partitioned into a set of protection spaces, each with its own authentication and authorization settings.
By default, all protected resources on the server are configured in the config.xml file. This is the (Home) realm. Specific folders may be manually configured to have their own set of permissions and authentication groups. For more information about folder permissions, read this post.
Server permissions may be configured for anonymous users and for authentication groups.
A group may have a list of authentication mechanisms and server permissions.
For instance, the server may be configured to have a group named 'Data Analysts' with permissions to:
- List directory
- View in mobile
- Export view data
and authenticate users through LDAP Query and List Of Users.
The List Of Users mechanism lets you define custom Omniscope users that are stored and managed by the Omniscope Mobile server itself. No third-party servers or services are involved. Users are manually added, edited and removed by an administrator of the server.
A user name and a password have to be added for each individual user. Read this post for more information about configuring the List Of Users mechanism.
The LDAP Query authentication mechanism lets you configure the Omniscope Mobile server to query an LDAP server to validate user credentials.
To learn how to configure Omniscope server to use LDAP Query read this post.
The SPNEGO (Single-Sign-On) mechanism allows users to authenticate automatically with their LDAP/AD account without being asked for credentials. With a proper setup, authorized users never type their credentials into any dialog or form. Unauthorized users, however, are either prompted for credentials or denied server access.
How does SPNEGO work?
The browser negotiates with the LDAP/AD server and obtains a temporary ticket, which is then used to generate temporary, unique tokens that are included in every client/browser request sent to the Omniscope Mobile server. The tokens contain no information about the client's user name, password or any other sensitive data; they are simple strings that can be verified only by the LDAP/AD server. Whenever Omniscope Mobile receives a request carrying a SPNEGO token, it asks the LDAP/AD server to validate the token; if the token is valid, LDAP/AD returns only the user name associated with it. The Omniscope server then checks whether that user is authorized to be served the requested resource and proceeds accordingly.
To learn how to configure Omniscope server to use SPNEGO mechanism read this post.
A group may have multiple authentication mechanisms. Each mechanism is tried in turn until the user authenticates successfully. If no group authorizes the action requested by the user, access is denied.
You may want to temporarily disable groups instead of deleting them and then adding them back later when needed. Disabled groups are disregarded during authentication.
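The evaluation rules described above (anonymous permissions, groups that try their mechanisms in order until one succeeds, denial when no group grants the action, disabled groups ignored) as an added Python example. This is not Omniscope's own code; the mechanism implementations, users, passwords and the 'Admins' group are constructed for illustration.

```python
import hmac
from dataclasses import dataclass

# Hypothetical model of the realm/group evaluation the post describes; not Omniscope's code.

@dataclass
class Group:
    name: str
    permissions: frozenset
    mechanisms: list          # callables (username, password) -> bool, tried in order
    enabled: bool = True      # disabled groups are disregarded during authentication

@dataclass
class Realm:
    anonymous_permissions: frozenset
    groups: list

def list_of_users(users):
    """Constructed 'List Of Users' mechanism: accounts held by the server itself."""
    def check(username, password):
        stored = users.get(username)
        # constant-time compare so a wrong password does not leak match length
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())
    return check

def ldap_query(directory):
    """Constructed stand-in for an LDAP credential check: the directory decides."""
    def check(username, password):
        return directory.get(username) == password
    return check

def groups_for(realm, username, password):
    """Enabled groups whose mechanism chain authenticated the user (first success wins)."""
    return [g for g in realm.groups
            if g.enabled and any(m(username, password) for m in g.mechanisms)]

def is_authorized(realm, action, username=None, password=None):
    """Anonymous permissions apply to everyone; otherwise an authenticated group must grant it."""
    if action in realm.anonymous_permissions:
        return True
    if username is None or password is None:
        return False
    return any(action in g.permissions for g in groups_for(realm, username, password))

# Constructed sample configuration mirroring the post's 'Data Analysts' group.
LOCAL_USERS = {"ann": "s3cret"}    # constructed List Of Users entries
DIRECTORY = {"bob": "hunter2"}     # constructed LDAP directory entries
REALM = Realm(
    anonymous_permissions=frozenset({"List directory"}),
    groups=[
        Group("Data Analysts",
              frozenset({"List directory", "View in mobile", "Export view data"}),
              [ldap_query(DIRECTORY), list_of_users(LOCAL_USERS)]),
        Group("Admins", frozenset({"Edit files"}), [list_of_users(LOCAL_USERS)], enabled=False),
    ],
)
```

Because the 'Admins' group is disabled, 'ann' is denied 'Edit files' even though her credentials are valid, while anonymous callers can still list the directory.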