User Administration Tips and Best Practices
Tuesday, December 13th, 2011 at 11:00am -- Joel Baxter
User administration always seems to be a popular topic amongst our clients, and I can certainly see why. Universities and large organizations alike are notorious for having large, sometimes unorganized LDAP servers and authentication systems within their environments. Some clients want to simply import a select few of their LDAP users from a specific Container (typically an Organizational Unit, but not exclusively) and have those users authenticate against their LDAP server via Cascade Server. Other clients have more elaborate scenarios that need to be addressed, like tying their Single Sign-On service in with Cascade Server, which also authenticates via LDAP. Regardless of your current or desired authentication method, Cascade Server can accommodate it.
Authentication Methods
1. Normal Authentication
In this method, users are authenticated via their stored credentials within the Cascade database. This would work well for you if you are looking to do one of the following:
- Create your users manually within the CMS and let Cascade Server handle authentication.
- Automate this user creation process with a custom script that uses Cascade Server’s web services API.
- Import your users via LDAP sync, but have them authenticate via normal authentication handled by the CMS.
2. LDAP
You can authenticate your users via your LDAP server if you have one currently within your environment. This method would work well for you if you are looking to accomplish the following:
- Create and import your users into default groups and roles within the CMS.
- Have LDAP manage the synchronization schedule for those associated Containers (which will most likely be Organization Units) or Groups (Active Directory only) with their default groups and roles within the CMS.
Here are some of the key considerations about using LDAP authentication that clients often ask about:
- If your users exist within other groups defined within the CMS but not the LDAP configuration, would you want to remove them from those other groups and roles?
- How would you like to handle orphaned users, which are users that were imported via LDAP into the CMS at one time but no longer exist within the LDAP server?
Both of these issues are documented and described in greater detail within our Knowledge Base.
3. Custom Authentication
This refers to any third-party authentication system or single-sign on framework that your organization may be using. This method is a good option for you if you are looking to do one or more of the following:
- Use the Cascade Server API to provide a way for developers to authenticate your users via a third-party authentication system or single sign-on framework, such as Shibboleth.
- Tie LDAP authentication into your custom authentication system so that the two work together with Cascade Server.
Typical New Client Scenarios
1. You have just a handful of users (20-100)
- Best Solution: Import the users via LDAP with the <authentication-mode> element in the configuration set to "normal". If this route is taken, you will still need to provide each user with a password, as Cascade will not use the LDAP password nor authenticate via LDAP.
- Good Solution: Create the users manually via Cascade Server’s interface.
2. You have one large LDAP server with an unorganized Organizational Unit ("OU") and need to import 1k-2k users
- Best Solution: Move all users that you're wanting to import into their own OU and sync against that OU.
- Good Solution: Create a free-form filter based on a unique attribute that all of the soon-to-be-imported LDAP users possess to sync from, and place them into individual user-policies for their specified default group and role.
3. You have a large and well-organized LDAP server with smaller OUs
- Best Solution: Create individual user-policies for each OU that you want to import.
- Good Solution: Create a free-form filter based on a unique attribute that all of the soon-to-be-imported LDAP users possess to sync from, and place them into individual user-policies for their specified default group and role.
4. You have a Custom Authentication System and Single-Sign On Service already in place
- Best Solution: Import and create the users via LDAP, then authenticate all users through the Single Sign-On system for uniformity, while keeping the LDAP sync in place for aggregate control over users.
- Good Solution: Manually create users via the interface, then authenticate all users through a third-party authentication system.
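As an added example (not Cascade Server's own sync code or API), the following Python shows two of the checks discussed above: building a free-form filter on a unique attribute with the value escaped so it cannot alter the filter's logic, and reconciling previously imported users against a fresh sync result to surface orphaned users and group memberships that fall outside the user-policy's groups. The sample users, groups and attribute names are constructed.

```python
"""Reconcile LDAP-imported CMS users against a fresh LDAP sync result.

Constructed example; the data structures are assumptions, not Cascade's.
"""
from dataclasses import dataclass

# RFC 4515 escaping: a value containing '*', '(' or ')' must not be able to
# widen or restructure the filter that selects which users get imported.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(attribute: str, value: str) -> str:
    """Free-form filter selecting entries by one unique attribute value."""
    return f"({attribute}={escape_filter_value(value)})"


@dataclass
class Reconciliation:
    orphaned: set       # imported via LDAP but no longer returned by LDAP
    extra_groups: dict  # user -> CMS groups not granted by the user-policy


def reconcile(cms_users: dict, ldap_users: set, policy_groups: set) -> Reconciliation:
    """cms_users: {username: {"source": "ldap" | "normal", "groups": set}}
    ldap_users: usernames currently matched by the sync filter
    policy_groups: groups the user-policy assigns to synced users"""
    orphaned = {u for u, info in cms_users.items()
                if info["source"] == "ldap" and u not in ldap_users}
    extra = {}
    for user, info in cms_users.items():
        if info["source"] != "ldap" or user in orphaned:
            continue  # manually created users are outside the LDAP policy
        outside = info["groups"] - policy_groups
        if outside:
            extra[user] = outside
    return Reconciliation(orphaned, extra)


# Constructed sample data: one user has left the directory, one has been
# added to a CMS group that the LDAP user-policy never granted.
CMS_USERS = {
    "jdoe": {"source": "ldap", "groups": {"Editors"}},
    "asmith": {"source": "ldap", "groups": {"Editors", "SiteAdmins"}},
    "bleft": {"source": "ldap", "groups": {"Editors"}},
    "localadmin": {"source": "normal", "groups": {"Administrators"}},
}
LDAP_USERS = {"jdoe", "asmith"}
POLICY_GROUPS = {"Editors"}
```

Running `reconcile(CMS_USERS, LDAP_USERS, POLICY_GROUPS)` reports `bleft` as orphaned and `asmith` as holding `SiteAdmins` outside the policy; both are the cases you decide how to handle in the LDAP configuration.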