Configure EMS Web App to Use LDAP Authentication

Lightweight Directory Access Protocol (LDAP) is an application protocol for querying directory information.

The LDAP Authentication method provides single-sign-on capability using your organization’s LDAP environment. You can use it in intranet and internet deployments of EMS Everyday applications like EMS Web App and EMS Mobile App.

When a user logs into EMS Web App or EMS Mobile App with their User ID and Password, their credentials are authenticated against LDAP and compared against corresponding user information recorded in the Network ID and/or External Reference fields of your EMS Everyday User records. If a match exists, the Everyday User will be logged in to the application, inheriting any Everyday User Process Template rights to which their LDAP Group has been assigned.

The EMS Web App LDAP-to-Process Template assignment process requires that your LDAP implementation stores group information (e.g., staff, student, department, etc.) as a Directory Service object with a property (e.g., member) that lists the users belonging to each group.

The Field Used to Authenticate Everyday User parameter (within System Administration > Settings > Parameters > Everyday User Applications tab) is used by the applications to determine which value should be used for authentication.

Configure EMS Web App for LDAP Authentication

To configure EMS Web App for LDAP authentication:

  1. Log into EMS Web App with a User that belongs to an Everyday User Security Template containing the Web Administrator role (controlled in the EMS Desktop Client under Configuration > Everyday User Applications > Everyday User Security Templates).
  2. From the User Options, select Admin Functions.
  3. Click the LDAP Configuration tab. 

    The LDAP Configuration window opens. 

Configure EMS Web App Security

To configure EMS Web App Security:

  1. On the Security tab, select Authenticate users via LDAP to enable LDAP authentication.
  2. To use LDAP to assign Everyday User Process Templates to Web Users, select Use LDAP to assign Process Templates.
  3. Select Use advanced communication options to enable them for Active Directory and non-Active Directory environments. Enabling this checkbox requires that you complete the settings on the Communication Options tab.
  4. In Path for LDAP Query, specify a valid LDAP path (for example, ip:port, LDAP://domain or LDAP://domain:port).
  5. In the List of Domains field, provide a comma separated list of your domains.

    Skip this step if your organization uses a single domain.

  6. In Network UserId Without Domain Name, enter a directory admin user name (for example, YourDomain\User or LDAP_FullUserId).
  7. In Password, enter a valid password for the user account entered in the previous step.
  8. Specify the appropriate LDAP Authentication Type for your environment.

Configure Communication Options

The Communication Options tab includes fields that define how to fetch a Group or a User when sending communications from the EMS Desktop Client. You can also set the SSL configurations, including the Security Certificate Path. Checking the Use SSL box will force communication to use SSL. 

  • Certificate Path – The path to a specific certificate to use when validating the LDAP server during authentication, if you want one.
  • Authentication Type – The type of authentication that your LDAP server will use during the bind. Basic is the default because it is the most common.
  • Search Root – The DN (Distinguished Name) to search under. In simple configurations it is the root domain component.
  • User Search Filter – The filter to use when performing the user search; {0} is replaced by the login name.

    Example: (&(objectClass=Person)(SAMAccountName={0})) or (&(objectClass=Person)(uid={0}))

  • Group Search Filter – The filter to use when performing the group search.

    Example: (&(objectClass=Person)(objectClass=user))

  • Protocol Version – The LDAP protocol version to use. The default is 3, which is the current version.

Configure Core Properties

Indicate whether your LDAP implementation is Active Directory. These properties are set to the common defaults, but can be changed here if the LDAP properties differ from the defaults displayed.

  • LDAP Name Property – The property on the LDAP user record whose value is displayed as the user's name. Display name is the default, as it is the most common.
  • LDAP Phone Property – The property on the LDAP user record whose value is displayed as the phone number. Telephone number is the default, as it is the most common.
  • Domain to append to users – Leave this blank unless the domain of your users differs from the domain returned by the query.
  • Field for LDAP Group Lookup – The EMS property to use when performing the group search. For example, if you use LDAP solely to assign templates and you want EMS Web App to look up group membership using a field other than the login name, enter that field's name here. Assigning Process Templates using LDAP is currently supported with all authentication methods (i.e., SAML 2.0 and Native Auth), so you do not have to use LDAP Authentication to use this feature.

Configure without Active Directory

If your LDAP implementation is not Active Directory, use these fields to redefine the LDAP property names used when searching directory information.

  • LDAP Account/User ID Property – The property in your LDAP store that contains the user name. 

    Example: If the user name is stored as sAMAccountName=xxxx, enter sAMAccountName

  • Full LDAP User ID Format – Leave blank unless authentication requires a full path. 

    Example:  cn={0},ou=staff,o=yourdomain

  • LDAP Group Category – The property in your LDAP store that contains the group category. 

    Example: If the filter should be objectClass=groupOfNames, then the property should be groupOfNames

  • LDAP Group Name – The property in your LDAP store that contains the group name. 
  • LDAP Group Member Name – The property in your LDAP store that contains the name of a single member in the group. 

    Example: If the member property is stored as member=jdoe, then the property should be member

  • LDAP Group Member User Name Attribute – The property of the user record that is compared with the group's member property to determine group membership.

    This must be an attribute whose value is unique to the user. For example, if you use the attribute cn for two users, Alice of Copper and Alice of Iron, both have cn=Alice, so Alice of Copper will be considered a member of the same groups as Alice of Iron:

    cn=Alice, ou=Copper, ou=People, dc=Accruent, dc=Fortive

    cn=Alice, ou=Iron, ou=People, dc=Accruent, dc=Fortive
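The following is an added example, not part of the EMS product or this documentation. It models two settings described above: substituting the login name into the User Search Filter's {0} placeholder (with RFC 4515 escaping so a name containing `*`, `(` or `)` cannot change the filter's structure), and resolving group membership by comparing a group's member values with the user attribute named in LDAP Group Member User Name Attribute, which shows why the two Alices collide when that attribute is cn. The directory entries are constructed sample data and the matching logic is a simplified, assumed model of how an application would do this.

```python
# RFC 4515 escaping for a value substituted into an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape the characters that have structural meaning inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, user_id: str) -> str:
    """Fill the {0} placeholder of a User Search Filter template with a login name.
    Escaping first keeps the entered name a single attribute value."""
    return template.replace("{0}", escape_filter_value(user_id))


# Constructed sample directory: two users who share cn=Alice but have distinct uids.
USERS = [
    {"dn": "cn=Alice,ou=Copper,ou=People,dc=Accruent,dc=Fortive", "cn": "Alice", "uid": "alice.c"},
    {"dn": "cn=Alice,ou=Iron,ou=People,dc=Accruent,dc=Fortive", "cn": "Alice", "uid": "alice.i"},
]

# Constructed sample groups. "staff" lists members by cn (not unique);
# "staff-copper" lists members by uid (unique per user).
GROUPS = [
    {"cn": "staff", "objectClass": "groupOfNames", "member": ["Alice"]},
    {"cn": "staff-copper", "objectClass": "groupOfNames", "member": ["alice.c"]},
]


def groups_for_user(user: dict, groups: list, member_attr: str, user_member_attr: str) -> list:
    """Return the names of groups whose member_attr (LDAP Group Member Name) contains the
    user's user_member_attr (LDAP Group Member User Name Attribute) value.
    Comparison is case-insensitive, like the usual LDAP string matching rule."""
    key = user[user_member_attr].lower()
    return [g["cn"] for g in groups if key in {m.lower() for m in g.get(member_attr, [])}]


if __name__ == "__main__":
    print(build_user_filter("(&(objectClass=Person)(uid={0}))", "jdoe"))
    for u in USERS:
        # With cn, both Alices land in "staff"; with uid, only Alice of Copper matches a group.
        print(u["dn"], groups_for_user(u, GROUPS, "member", "cn"), groups_for_user(u, GROUPS, "member", "uid"))
```

Running the block shows both Alices assigned to "staff" when the lookup attribute is cn, and only Alice of Copper assigned to "staff-copper" when it is uid.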

Configure LDAP Queries

These are LDAP query overrides used to fetch Groups and Users from the domain. They rarely need to be overridden, but can be used to customize the queries.

  • LDAP query for security groups – Query used to search for security groups in your LDAP store. Required to assign templates in the Desktop Client.
  • LDAP query to find users – Query used to search for users in your LDAP store.
  • LDAP query to find users with spaces – Query used to search for users whose user names contain surrounding spaces in your LDAP store.

Save Your Configuration

To save your configuration:

  1. Click Save.

    If you want Everyday Users to inherit Everyday User Process Templates based on the LDAP Group(s) to which they belong, continue with the steps below (the LDAP Groups tab). Otherwise, you have completed the configuration process.

  2. Within EMS Desktop Client, go to the Everyday User Process Templates area (Configuration > Web Everyday User Process Templates).
  3. Within an Everyday User Process Template, locate the LDAP Groups tab and select the appropriate LDAP Group(s) to map to that Everyday User Process Template.
  4. Click OK.

Test Your Configuration

To test your configuration:

  1. Navigate to EMS Web App > LDAP Configuration > Test Configuration tab.
  2. Enter your Network UserId Without Domain Name.
  3. Enter your Password.
  4. Click Test.
    • If your configuration was successful, you will receive a message in a green box at the top that includes domain information and the words "Authentication successful" (please see example below).
    • If the configuration was unsuccessful, you will receive a prompt stating that LDAP could not be accessed. Check your logs to determine the reason for the failure.

Configure Authentication for EMS Mobile App

To configure authentication for EMS Mobile App:

  1. If your organization uses the EMS Mobile App and you want to use LDAP to authenticate, configure LDAP within EMS Web App first.

    To use LDAP successfully for EMS Mobile App authentication, enable LDAP's Advanced Communication Options within EMS Web App. For more information, refer to Configure Communication Options.

  2. In the Mobile App Integration within the Platform services, enable LDAP Authentication for the Everyday User Authentication Method.