Difference between revisions of "Template:Directory Services Authentication"

[unchecked revision][unchecked revision]
Line 1: Line 1:
 
=== Authentication ===
 
=== Authentication ===
  
*'''Method'''<br/>Here you can choose how users that have been synchronized from {{{1|directory service}}} will be authenticated.<br /> When choosing the option ''{{#ifeq: {{{1|Active Directory}}}|Active Directory|Kerberos / NTLM|LDAP}}'', users log in using the MailStore Client, respectively the Outlook Add-In or Web Access, and the credentials are passed to MailStore Server that verifies them against the configured directory service. When choosing the option ''AD FS (Open ID Connect)'' the users will be redirected to the AD FS login page and authenticate themselves there. The policies configured in AD FS are taking affect for the MailStore Server login as well.<br /> When using Open ID Connect to authenticate users, accessing the archive via IMAP is not possible for technical reasons.
+
*'''Method'''<br/>Here you can choose how users that have been synchronized from {{{1|directory service}}} will be authenticated.
::When selecting ''AD FS (Open ID Connect)'', you have to configure your AD FS [[Setup_Active_Directory_Federation_Services|according to our setup guide]]. Afterwards you have to configure the following settings in MailStore Server:
+
** ''{{#ifeq: {{{1|Active Directory}}}|Active Directory|Kerberos / NTLM|LDAP}}''<br/>With this option, users can log on directly to MailStore Server with their {{{1|directory service}}} credentials. The provided credentials are relayed to {{{1|the directory service}}} for verification.
:*'''Discovery URI:''' The Discovery URI is the URI where the AD FS are reachable. Typically this is the host name of the AD FS server followed by the path ''/adfs'', e.g. ''<nowiki>https://adfs.example.com/adfs</nowiki>''. The certificate used by the AD FS must be trusted.
+
** ''AD FS (OpenID Connect)''<br/>If your company employs Active Directory Federation Services (AD&nbsp;FS), users can also log on to MailStore Server using OpenID Connect through AD&nbsp;FS. For this, you have to configure your AD&nbsp;FS [[Setup_Active_Directory_Federation_Services|according to our setup guide]] and enter the following parameters in MailStore Server afterwards.
:*'''Client ID:''' The ''Client Identifier'' of the ''Application Group'' that has been created for MailStore Server in AD FS.
+
*** '''Discovery URI'''<br/>The URI by which the AD&nbsp;FS are reachable. Typically, this is the fully qualified domain name of the AD&nbsp;FS server followed by the path ''/adfs'', e.g. ''<nowiki>https://adfs.example.com/adfs</nowiki>''. The certificate used by the AD&nbsp;FS must be trusted.
:*'''Redirect-URI:''' The ''Redirect-URI'' must match the ''Redirect-URI'' that has been configured in the ''Application Group''.
+
*** '''Client ID'''<br/>The ''Client Identifier'' of the ''Application Group'' that has been created for MailStore Server in AD&nbsp;FS.
 +
*** '''Redirect-URI'''<br/>The ''Redirect-URI'' that has been configured in the ''Application Group''.
 +
*** '''Always require credentials for login'''<br/>If this option is enabled, users must authenticate against AD&nbsp;FS everytime they log on to MailStore Server.
 +
*; <div class="msnote">'''Please note:''' When using OpenID Connect to authenticate users, [[Accessing_the_Archive_via_Integrated_IMAP_Server|accessing the archive via IMAP]] is not possible for technical reasons.</div>
 
<noinclude>
 
<noinclude>
 
[[de:Vorlage:Verzeichnisdienste_Authentifizierung]]
 
[[de:Vorlage:Verzeichnisdienste_Authentifizierung]]
 
[[en:Template:Directory_Services_Authentication]]
 
[[en:Template:Directory_Services_Authentication]]
 
</noinclude>
 
</noinclude>

Revision as of 13:25, 23 April 2021

Authentication

  • Method
    Here you can choose how users that have been synchronized from directory service will be authenticated.
    • Kerberos / NTLM
      With this option, users can log on directly to MailStore Server with their directory service credentials. The provided credentials are relayed to the directory service for verification.
    • AD FS (OpenID Connect)
      If your company employs Active Directory Federation Services (AD FS), users can also log on to MailStore Server using OpenID Connect through AD FS. For this, you have to configure your AD FS according to our setup guide and enter the following parameters in MailStore Server afterwards.
      • Discovery URI
        The URI by which the AD FS are reachable. Typically, this is the fully qualified domain name of the AD FS server followed by the path /adfs, e.g. https://adfs.example.com/adfs. The certificate used by the AD FS must be trusted.
      • Client ID
        The Client Identifier of the Application Group that has been created for MailStore Server in AD FS.
      • Redirect-URI
        The Redirect-URI that has been configured in the Application Group.
      • Always require credentials for login
        If this option is enabled, users must authenticate against AD FS everytime they log on to MailStore Server.
    Please note: When using OpenID Connect to authenticate users, accessing the archive via IMAP is not possible for technical reasons.