SSO Client authentication with Groups

See the KB article on how to configure Single Sign On (SSO) with PassagePoint Client AD Authentication.

To configure Single Sign On (SSO) with Groups, PassagePoint must be on build version 6438 or higher.

To find your build version:

1) Log in to PassagePoint as admin
2) Navigate to Home > Configure System > Product Licenses; the build version is the last 4 numbers shown there

New User Accounts created using the “AD LDAP Login” feature, instead of being assigned a fixed User Role, are assigned a User Role depending on the AD Group the person belongs to. For example, if the user is in the Admin Group, then when PassagePoint creates the User Account for that user it assigns the Admin User Role; likewise, if the user is in the Reception Group, PassagePoint assigns the Reception User Role.

In Authentication rules, click "Add" at the bottom, then enter the group name and the User Role you want to assign to it.



- Group Name (text field): the Group Name must be identical to the group name shown under "member of" in AD.

After running through the KB article, exit PassagePoint, log back in as admin, navigate to Home > Configure System > Global Settings, check "Enable AD LDAP" and click "Save".



A restart of the PassagePoint services is required after configuring.


If an Active Directory Authentication rule is configured (with the “Map AD Group with User Role” setting configured) and the “AD LDAP Login” setting is enabled, then when a user logs in to a Windows machine and clicks the PassagePoint icon:

1) PassagePoint verifies the Active Directory username of the logged-in Windows user against the configured Active Directory.
2) If the username is found in Active Directory, PassagePoint looks up the AD Group ("member of" in AD) of that logged-in user.
3) If the user's AD Group matches an AD Group defined in an Authentication Rule and the logged-in user does not yet exist in the PassagePoint system, PassagePoint creates the User Account for the logged-in user with the User Role defined for that particular AD Group.
4) If the User Account already exists, PassagePoint makes no change to the User Account and keeps using the existing User Role for that account.
5) If the user's AD Group does not match any AD Group defined in the Authentication Rules, PassagePoint creates the User Account for the logged-in user, if it does not exist already, with the User Role defined in the “AD LDAP Login” Global Setting.
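The decision sequence above, written out as a small model so the branches can be checked against sample data. This is an added illustration, not PassagePoint's code: the rule and account structures are assumed, the directory and account entries are constructed, and where a user is in more than one mapped group the model takes the first Authentication rule in list order (the article does not say how that case is resolved).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuthRule:
    """One Authentication rule row: AD group name -> PassagePoint User Role (assumed shape)."""
    group_name: str   # must equal the AD "member of" group name exactly
    user_role: str


@dataclass
class Decision:
    outcome: str                      # "denied", "created" or "existing"
    user_role: Optional[str] = None   # role the session ends up with
    reason: str = ""


def resolve_login(username, directory, rules, accounts, default_role):
    """Model of what happens when a Windows-logged-in user opens the client.

    directory:    AD username -> list of "member of" group names (constructed sample)
    rules:        ordered Authentication rules; first matching group wins (assumption)
    accounts:     existing PassagePoint accounts, username -> current User Role;
                  updated in place when an account is created
    default_role: the User Role set in the "AD LDAP Login" Global Setting
    """
    # Step 1: verify the Windows username against the configured Active Directory.
    if username not in directory:
        return Decision("denied", reason="username not found in Active Directory")

    # Step 2: look up the user's AD groups and try to match an Authentication rule.
    groups = set(directory[username])
    matched = next((r for r in rules if r.group_name in groups), None)

    # Step 4: an existing account is never modified; its current role is reused,
    # whether or not a rule matched.
    if username in accounts:
        return Decision("existing", accounts[username],
                        "account exists; User Role left unchanged")

    # Steps 3 and 5: create the account with the mapped role, or with the
    # global default when no rule matched.
    if matched is not None:
        role = matched.user_role
        reason = f"created via rule for AD group {matched.group_name!r}"
    else:
        role = default_role
        reason = "no rule matched; used the 'AD LDAP Login' default User Role"
    accounts[username] = role
    return Decision("created", role, reason)


def demo():
    """Run the four cases from the article over constructed sample data."""
    directory = {                      # constructed AD sample, not a real domain
        "alice": ["PP-Admins", "Domain Users"],
        "bob": ["PP-Reception", "Domain Users"],
        "carol": ["Domain Users"],
    }
    rules = [AuthRule("PP-Admins", "Admin"), AuthRule("PP-Reception", "Reception")]
    accounts = {"bob": "Admin"}        # bob's account already exists with another role
    results = {
        user: resolve_login(user, directory, rules, accounts, default_role="Reception")
        for user in ["alice", "bob", "carol", "mallory"]
    }
    return results, accounts


if __name__ == "__main__":
    for user, decision in demo()[0].items():
        print(f"{user}: {decision.outcome} role={decision.user_role} ({decision.reason})")
```

Note what step 4 implies for the model: because an existing account is never touched, the role is not re-evaluated on later logins, so moving a user out of the Admin AD group does not lower a User Role that PassagePoint has already assigned.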


