AD Planning

Differences from previous versions

Version 10.24 has a completely rewritten Active Directory implementation that uses OpenID/OAuth2 and ADFS instead of LDAP. The principles are similar to previous versions, but there are some important changes that you will need to adjust for if you are migrating from the older implementation. Also note that HTTPS is a requirement.

Basic principles

To sign in using Active Directory (AD), at least two different AD groups are required.

  • The first group determines the right to log in and which site the user belongs to.
  • The second group determines the user profile to use.

To be able to log in, an AD user must meet the following requirements:

  • The user must be explicitly linked to one or more sites in Smartsign
  • The user must match only a single user profile in each of the matched sites in Smartsign

There is no need to import users to Smartsign. Users will be automatically provisioned at sign-in if the AD authenticates them.

Additional groups can be used to differentiate between different sites, different user profiles and groups within Smartsign that determine access to resources such as screens, layers and media folders.

See the section Differences from previous versions for important notes on changes compared to previous versions.

Suggested Active Directory groups

For clarity and readability, we suggest naming your AD groups along the lines of the examples below.

One AD group for each site (minimum one)

Example:
Smartsign_Site_MySiteName

The site group should be linked to only a single site in Smartsign. It should not be linked to any user profile.

One AD group for each user profile (minimum one, at least two normally)

Example:
Smartsign_Userprofile_Publisher 
Smartsign_Userprofile_SiteAdmin
Smartsign_Userprofile_Admin 

Each user profile group must be linked to a single user profile in each site.
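The sign-in requirements and group linking described above can be checked against a planned group design before rollout. The following is an added example, not Smartsign code: the mapping dictionaries, the function names `evaluate_sign_in` and `audit`, the site names and the sample users are all constructed assumptions, and treating zero matching profiles as a failure is an interpretation of the rule.

```python
from collections import defaultdict

# Constructed sample mapping (hypothetical), using the naming suggested on this page.
SITE_GROUPS = {  # AD group -> the single site it is linked to
    "Smartsign_Site_Stockholm": "Stockholm",
    "Smartsign_Site_Berlin": "Berlin",
}
PROFILE_GROUPS = {  # AD group -> {site: user profile linked in that site}
    "Smartsign_Userprofile_Publisher": {"Stockholm": "Publisher", "Berlin": "Publisher"},
    "Smartsign_Userprofile_SiteAdmin": {"Stockholm": "SiteAdmin", "Berlin": "SiteAdmin"},
}

def evaluate_sign_in(member_of, site_groups=SITE_GROUPS, profile_groups=PROFILE_GROUPS):
    """Return (allowed, details); details maps each matched site to a profile or a reason."""
    groups = set(member_of)
    sites = {site_groups[g] for g in groups if g in site_groups}
    if not sites:
        return False, {"*": "not linked to any site"}
    matched = defaultdict(set)  # site -> profiles matched through profile groups
    for g in groups:
        for site, profile in profile_groups.get(g, {}).items():
            if site in sites:
                matched[site].add(profile)
    allowed, details = True, {}
    for site in sorted(sites):
        profiles = sorted(matched[site])
        if len(profiles) == 1:
            details[site] = profiles[0]
        else:  # assumption: zero matching profiles is rejected just like several
            allowed = False
            details[site] = "ambiguous: " + ", ".join(profiles) if profiles else "no user profile"
    return allowed, details

def audit(directory):
    """Return {user: details} for every user whose memberships would fail sign-in."""
    results = {user: evaluate_sign_in(groups) for user, groups in directory.items()}
    return {user: details for user, (allowed, details) in results.items() if not allowed}

# Constructed sample users and their AD group memberships.
SAMPLE_DIRECTORY = {
    "alice": ["Smartsign_Site_Stockholm", "Smartsign_Userprofile_Publisher"],
    "bob": ["Smartsign_Site_Berlin", "Smartsign_Userprofile_Publisher",
            "Smartsign_Userprofile_SiteAdmin"],
    "carol": ["Smartsign_Userprofile_SiteAdmin"],
    "dave": ["Smartsign_Site_Stockholm", "Smartsign_Resources_Finance"],
}

if __name__ == "__main__":
    print(audit(SAMPLE_DIRECTORY))
```

Running the audit over an export of real group memberships surfaces users who hold two profile groups at once, which is the most common way an otherwise valid account ends up unable to sign in.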

Optional

If you wish to manage access to resources, such as screens, folders and layers, from the AD, additional groups can be created for that purpose.

Example:
Smartsign_Resources_Finance
Smartsign_Resources_Marketing 

tip

The site-linked AD group can be reused to provide default access rights to resources within the site.

Known limitations

It's not possible to sign out from an ADFS login without closing the browser.