Integrated Authentication Considerations

When you purchase the Integrated Authentication Service, you can use LDAP Integration, Integrated Authentication (IA), or Portal Authentication. Integrated and Portal Authentications are true Single Sign-On (SSO) solutions but LDAP is not. These methods are not typically used together. This section explains how each one works, along with pros and cons for each method.

When you implement Integrated Authentication, your consultant will assist you with creating templates and web users. If you add this module separately and need assistance with virtual configuration contact your account manager about purchasing training. This document is intended to explain the different authentication options available, so you can anticipate any configuration needs.

If you choose LDAP Integration, you'll need to create an administrator account and admin web template to access the configuration page. See the EMS Configuration Guide for questions with creating that template. Using LDAP with IA or Portal Authentication requires each user be responsible for creating/verifying their account on the first visit. SSO isn’t immediate. Portal authentication can be used with LDAP, but this is atypical in most portal environments since other credentialing is available.

LDAP Integration

With LDAP integration you can bypass creating individual web users for your organization. By configuring EMS to query your LDAP groups, you can use LDAP groups to assign web template permissions. Your users would just use their windows credentials to login to the site. After creating a web user account (most data is pre-populated from their LDAP account), they receive the template permissions granted to their LDAP group.


  • No need to create/maintain individual accounts for web users. Mass assign process templates.


  • Requires LDAP groups to be precisely defined and maintained to ensure proper access. EMS does not create or update LDAP groups, so product may require assistance from LDAP/Exchange administrators.

  • NOT Single Sign-on – users must enter windows credentials on each visit.

Integrated Authentication

IA is SSO. For this to work, every user must have a web user account created (manually through client/virtual piece or using our HRToolkit module). In each web account, a network ID is added. When a user visits VEMS or EMS Web App, a call is made to the machine to retrieve the windows account signed in. It compares that value to the network ID field in existing accounts, logging in users automatically. Permissions are assigned to the individual web user accounts.


  • Can be true SSO – the account creation and maintenance can be completely invisible to the end user. Not reliant on Exchange/LDAP administrators.


  • Requires active web user creation and maintenance: manually on the client side, manually through end-user input, or automatically through an HR feed.

Portal Authentication

With Portal Authentication, user information is passed from your existing portal to records in EMS by cookie, session string or similar. Portal Authentication is true SSO when used with our supported methods.