Enhanced Active Directory integration

You can use Xtraction Active Directory (AD) integration to manage Xtraction users from AD, rather than managing Xtraction user accounts from within Xtraction itself. Some examples of how this can be used include:

Only authenticating users who are a member of a particular AD group.

Mapping users of a particular AD group to Xtraction user attributes. For example, members of AD group X-NetworkOps should have the Xtraction designer role, have access to Xtraction dashboards and documents, be placed in the Network Operations Xtraction group, and have the Network Operations Xtraction data policy.

AD integration is handled via the WinAuth application, located by default under the Xtraction\Web\WinAuth folder. When you enable Windows authentication within Xtraction, all authentication requests are sent to this application where authentication will occur. After a user has been authenticated, the user’s details are queried from the directory (if enabled, see below) and returned to Xtraction. The user’s Xtraction account is then updated with these details.

Once settings have been configured, a page is available to test the configuration. For a default installation, this page can be accessed at: http://[SERVER]/XtractionWinAuth/UserInfo.aspx.

Settings

All settings for this authentication provider are set up via its Web.config file located at Xtraction\Web\WinAuth\Web.config. A configuration element is available (xtractionAuth) that’s used to configure all parameters. See samples of the settings below, along with these definitions:

xtractionAuth

secretKey: The key to use for secure communication between Xtraction and the authentication providers. This must match the token key on the Authentication tab in the Xtraction Settings utility.

userAttributeSource: The source where the user attributes will be queried from:

DIRECTORY – User attributes should be queried from a directory based on the directory location’s setup.

queryAdditionalUserAttributes: Whether additional user attributes (full name, email) are queried from the user attribute source. Valid values are true or false.

updateXtraction: Whether Xtraction is updated based on the values queried from the user attribute source and the defined group mappings. Valid values are true or false.

Note that if this value is set to true, Xtraction user accounts will be updated based on the user’s AD groups and the associated group mapping. Any manual changes to the roles, features, groups, or data policy of an Xtraction user account will be replaced.

authenticatedGroups: The list of group names (‘|’ delimited) that a user must be a member of to be able to access Xtraction. No check on group membership will be made if this value is empty.

directoryLocations

The directoryLocations define the user repositories to query. At least one directoryLocation is required.

name: A unique name for the directory location.

contextType: The type of directory:

MACHINE – Search the local machine to find users accessing Xtraction.

DOMAIN – Search a domain to find users accessing Xtraction.

connectionConfig: Additional configuration information required to query the directory. For MACHINE, this can be left empty. For DOMAIN, this needs to be a ‘|’ delimited list of configuration information. Some example configurations:

HOST/DOMAIN

HOST/DOMAIN|CONTAINER

HOST/DOMAIN|CONTAINER|USERID|PASSWORD

groupMap

The groupMap is used to map Windows group members to Xtraction user attributes. This enables you to manage Xtraction users from AD and have user attributes pushed into Xtraction. If multiple group mappings apply based on the user’s AD group membership, the effective group mapping is the combination of all matching mappings.

Note that if multiple group mappings are matched based on the AD group membership, and multiple security policies are in use across those mappings, Xtraction will not authenticate the user.

name: A unique name for this group mapping.

windowsGroupName: The AD group that this group mapping relates to.

roleIds: The Xtraction roles that members of this group should be assigned:

1 – Administrator

2 – Enterprise Designer

3 – Private Designer

4 – Designer

5 – Schedule Administrator

6 – Scheduler

7 – Alert Administrator

8 – Alert User

featureIds: The Xtraction designer features that members of this AD group should be assigned:

1 – Dashboards

2 – Documents

3 – SQL Reports

xtractionGroupNames: The Xtraction group names that members of this AD group should be assigned. This is a ‘|’ delimited list.

securityPolicyName: The Xtraction data policy that members of this AD group should be assigned. This can be left blank for users who don’t need a data policy assigned.

Examples

This section contains samples of the settings from above.

xtractionAuth

<xtractionAuth
    secretKey="abc123"
    userAttributeSource="DIRECTORY"
    queryAdditionalUserAttributes="true"
    updateXtraction="true"
    authenticatedGroups="X-Administrators|X-PrivateDesigners|X-Viewers"
    >
    <directoryLocations>
      <add name="domain" contextType="DOMAIN" connectionConfig="corp.domain.com" />
    </directoryLocations>
    <groupMap>
      <add
        name="administrators"
        windowsGroupName="X-Administrators"
        roleIds="1,2"
        featureIds="1,2,3"
        xtractionGroupNames=""
        securityPolicyName="" />
      <add
        name="private-designers"
        windowsGroupName="X-PrivateDesigners"
        roleIds="3"
        featureIds="1,2"
        xtractionGroupNames="Network Operations"
        securityPolicyName="Network Operations" />
      <add
        name="viewers"
        windowsGroupName="X-Viewers"
        roleIds=""
        featureIds=""
        xtractionGroupNames="Service Desk"
        securityPolicyName="Service Desk" />
    </groupMap>
</xtractionAuth>
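To make the authenticatedGroups gate and the groupMap combination rules concrete, here is an added illustration (not Xtraction's own code) that reads an xtractionAuth block like the sample above and resolves what one user would receive. It assumes exact, case-sensitive matching of AD group names, and it refuses the user when matched mappings name more than one data policy, as the groupMap section states.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the xtractionAuth block on this page.
CONFIG_XML = """
<xtractionAuth secretKey="abc123" userAttributeSource="DIRECTORY"
    queryAdditionalUserAttributes="true" updateXtraction="true"
    authenticatedGroups="X-Administrators|X-PrivateDesigners|X-Viewers">
  <groupMap>
    <add name="administrators" windowsGroupName="X-Administrators"
         roleIds="1,2" featureIds="1,2,3" xtractionGroupNames=""
         securityPolicyName="" />
    <add name="private-designers" windowsGroupName="X-PrivateDesigners"
         roleIds="3" featureIds="1,2" xtractionGroupNames="Network Operations"
         securityPolicyName="Network Operations" />
    <add name="viewers" windowsGroupName="X-Viewers"
         roleIds="" featureIds="" xtractionGroupNames="Service Desk"
         securityPolicyName="Service Desk" />
  </groupMap>
</xtractionAuth>
"""

def _split(value, sep):
    # Empty attribute values yield an empty list, not [""].
    return [v.strip() for v in value.split(sep) if v.strip()]

def resolve_user(config_xml, ad_groups):
    """Apply the documented rules to one user's AD group list.
    Returns None when the user must not be authenticated (not in any
    authenticatedGroups entry, or matched mappings disagree on the data
    policy); otherwise the combined roles, features, groups and policy.
    Group-name matching is exact and case-sensitive here (an assumption)."""
    root = ET.fromstring(config_xml.strip())
    ad_groups = set(ad_groups)
    allowed = _split(root.get("authenticatedGroups", ""), "|")
    if allowed and not ad_groups.intersection(allowed):
        return None  # empty authenticatedGroups means no membership check
    roles, features, xgroups, policies = set(), set(), set(), set()
    for m in root.find("groupMap").findall("add"):
        if m.get("windowsGroupName") not in ad_groups:
            continue
        roles.update(int(r) for r in _split(m.get("roleIds", ""), ","))
        features.update(int(f) for f in _split(m.get("featureIds", ""), ","))
        xgroups.update(_split(m.get("xtractionGroupNames", ""), "|"))
        if m.get("securityPolicyName", "").strip():
            policies.add(m.get("securityPolicyName").strip())
    if len(policies) > 1:
        return None  # conflicting data policies: Xtraction refuses the user
    return {"roles": sorted(roles), "features": sorted(features),
            "groups": sorted(xgroups), "policy": next(iter(policies), "")}
```

With updateXtraction="true", the returned attributes overwrite whatever was set manually on the Xtraction account, so a user in both X-PrivateDesigners and X-Viewers is rejected outright rather than silently given one of the two policies.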

Directory

Connect to the corporate Active Directory using the identity of the currently executing user (the XtractionWinAuth application pool identity).

<add
    name="domain"
    contextType="DOMAIN"
    connectionConfig="corp.domain.com"
    />

Connect to a container within the corporate Active Directory using the currently executing user.

<add
    name="domain"
    contextType="DOMAIN"
    connectionConfig="corp.domain.com|CN=mydirectory,O=corp,C=au"
    />

Connect to the corporate Active Directory using a specified user.

<add
    name="domain"
    contextType="DOMAIN"
    connectionConfig="corp.domain.com|USERNAME|PASSWORD"
    />

Group mapping

Users who are members of the Xtraction-Administrators AD group need to be Xtraction administrators and Xtraction enterprise designers with access to dashboards, documents, and SQL reports.

<add name="administrators"
    windowsGroupName="Xtraction-Administrators"
    roleIds="1,2"
    featureIds="1,2,3"
    xtractionGroupNames=""
    securityPolicyName="" />

Users who are members of the Xtraction-Enterprise-Designers AD group need to be Xtraction enterprise designers with access to dashboards and documents and assigned the Xtraction Standard User data policy.

<add name="enterprise-designers"
    windowsGroupName="Xtraction-Enterprise-Designers"
    roleIds="2"
    featureIds="1,2"
    xtractionGroupNames=""
    securityPolicyName="Standard User" />

Users who are members of the Service Desk AD group need to be Xtraction private designers with access to dashboards, be placed into the Xtraction Service Desk 1 group, and assigned the Xtraction Standard User data policy.

<add name="service-desk"
    windowsGroupName="Service Desk"
    roleIds="3"
    featureIds="1"
    xtractionGroupNames="Service Desk 1"
    securityPolicyName="Standard User" />

Users who are members of the Xtraction-Read-Only AD group need to be assigned the Xtraction Restricted User data policy.

<add name="viewers"
    windowsGroupName="Xtraction-Read-Only"
    roleIds=""
    featureIds=""
    xtractionGroupNames=""
    securityPolicyName="Restricted User" />