SSO Client authentication with Groups

First see the KB article on how to configure Single Sign On (SSO) with PassagePoint Client AD Authentication; the steps below build on that configuration.

To configure Single Sign On (SSO) with Groups, PassagePoint must be on build version 6438 or higher.

To find your build version:

1) Log in to PassagePoint as admin
2) Navigate to Home > Configure System > Product Licenses; the build version is the last 4 digits shown

User Accounts created through the "AD LDAP Login" feature are not given a fixed User Role; instead the User Role is assigned according to the AD Group the person belongs to. For example, if the user belongs to the Admin Group, PassagePoint assigns the Admin User Role when it creates that user's account; likewise, a user from the Reception Group is assigned the Reception User Role.

In the Authentication rules, click "Add" at the bottom, then enter the group name and the User Role you want to assign to it.

- Group Name (text field): the Group Name must be the same as the name of the group shown under "Member of" in AD.

See the sample below:

To see a user's groups, run the following command; the groups are listed under "Local Group Memberships" and "Global Group memberships":

net user username /domain

After completing the steps in that KB, exit PassagePoint, log back in as admin, navigate to Home > Configure System > Global Settings, check "Enable AD LDAP", and click "Save".

Restarting the PassagePoint services is required after configuring.


If an Active Directory Authentication rule is configured (with the "Map AD Group with User Role" setting configured) and the "AD LDAP Login" setting is enabled, then when a user logs in to the Windows machine and clicks the PassagePoint icon:

1) PassagePoint verifies the Active Directory username of the logged-in Windows user against the configured Active Directory.
2) If the username is found in Active Directory, PassagePoint looks up the AD Groups ("Member of" in AD) of that logged-in user.
3) If one of the user's AD Groups matches an AD Group defined in the Authentication Rule and the logged-in user does not yet exist in PassagePoint, PassagePoint creates the User Account for the logged-in user with the User Role defined for that AD Group.
4) If the User Account already exists, PassagePoint makes no change to it and keeps the existing User Role for that account.
5) If none of the user's AD Groups match any AD Group defined in the Authentication Rule, PassagePoint creates the User Account (if it does not already exist) with the User Role defined in the "AD LDAP Login" Global Setting.
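As an added illustration (not PassagePoint code), the following Python walks through both parts of this article: it parses the group section of a constructed `net user <username> /domain` output, the command given above for finding a user's groups, and then applies the Authentication Rules the way the login steps describe: an existing account is left untouched, a matching group assigns its mapped User Role, and no match falls back to the role from the "AD LDAP Login" Global Setting. The group names, role names and sample output are constructed; first-match-wins ordering and case-insensitive group comparison are assumptions, since the article does not say how several matching groups are resolved.

```python
"""Added illustration of the AD Group -> User Role decision described in the
article.  This is not PassagePoint code; group names, role names and the
`net user` output below are constructed for the example."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One Authentication Rule row: AD group name -> PassagePoint User Role."""
    group_name: str
    user_role: str


# Constructed sample of `net user jdoe /domain` output (not real output).
SAMPLE_NET_USER_OUTPUT = """\
User name                    jdoe
Full Name                    Jane Doe
Account active               Yes
Local Group Memberships      *Users
Global Group memberships     *Domain Users         *PP-Reception
                             *Front Desk Staff
The command completed successfully.
"""

_GROUP_HEADER = re.compile(r"^(Local|Global) Group [Mm]emberships")


def parse_net_user_groups(output: str) -> list[str]:
    """Return the group names listed by `net user <name> /domain`.

    Groups follow the "Local Group Memberships" / "Global Group memberships"
    headers, each prefixed with '*', laid out in columns and continued on
    indented lines, so a name may contain spaces but never a '*'.
    """
    groups: list[str] = []
    collecting = False
    for line in output.splitlines():
        if _GROUP_HEADER.match(line):
            collecting = True
        elif not line.startswith(" "):
            collecting = False  # any other non-indented field ends the section
        if collecting:
            for name in line.split("*")[1:]:
                name = name.strip()
                if name:
                    groups.append(name)
    return groups


def resolve_login(
    username: str,
    ad_groups: list[str],
    rules: list[Rule],
    default_role: str,
    accounts: dict[str, str],
) -> tuple[str, str]:
    """Apply the article's login rules and return (action, user_role).

    accounts maps existing PassagePoint usernames to their User Role and is
    updated when an account is created.  Assumptions not stated in the
    article: rules are tried in configured order (first match wins) and
    group names are compared case-insensitively.
    """
    if username in accounts:
        # Existing account: no change, the existing role is kept.
        return "unchanged", accounts[username]
    member_of = {g.casefold() for g in ad_groups}
    for rule in rules:
        if rule.group_name.casefold() in member_of:
            accounts[username] = rule.user_role
            return "created", rule.user_role
    # No rule matched: fall back to the "AD LDAP Login" Global Setting role.
    accounts[username] = default_role
    return "created", default_role


def demo() -> tuple[tuple[str, str], ...]:
    """Walk four logins through the rules; values are returned for checking."""
    rules = [Rule("PP-Admin", "Admin"), Rule("PP-Reception", "Reception")]
    default_role = "DEFAULT_ROLE_FROM_GLOBAL_SETTING"  # placeholder role name
    accounts = {"bsmith": "Admin"}  # pre-existing PassagePoint account

    jdoe_groups = parse_net_user_groups(SAMPLE_NET_USER_OUTPUT)
    first = resolve_login("jdoe", jdoe_groups, rules, default_role, accounts)
    second = resolve_login("jdoe", jdoe_groups, rules, default_role, accounts)
    # bsmith already exists, so the Admin role stays even though no rule matches.
    existing = resolve_login("bsmith", ["Domain Users"], rules, default_role, accounts)
    # kwong matches no rule and receives the Global Setting role.
    unmatched = resolve_login("kwong", ["Domain Users"], rules, default_role, accounts)
    return first, second, existing, unmatched


if __name__ == "__main__":
    for action, role in demo():
        print(f"{action:9} -> {role}")
```

Running the file prints one line per login; the second jdoe login shows "unchanged", which is the point of step 4: once an account exists, changing the AD group mapping does not change that account's User Role.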

Related Articles

- Single Sign On (SSO) with PassagePoint Client AD Authentication
- SSO setup with IIS
- IIS/PassagePoint SSO integration troubleshooting steps
- IIS SSO is prompting for username/password realm challenge
- How to repoint a PassagePoint client to an entirely different PassagePoint server