AD Planning [Legacy]
This page refers to the older LDAP integration and is only valid for v10 servers before 10.24.
Basic principles
To sign in using Active Directory (AD), at least two different AD groups are required.
- The first group determines the right to log in and which site the user belongs to.
- The second group determines the user profile to use.
To be able to log in, an AD user must meet the following requirements:
- The user must be explicitly linked to a single site in Smartsign
- The user must be explicitly linked to a single user profile in Smartsign
There is no need to import users to Smartsign. Users will be automatically created at sign in if the AD authenticates them.
As an option, the first AD group can be reused within Smartsign to provide default access rights to resources in the site.
Additional groups can be used to differentiate between different sites, different user profiles and groups within Smartsign that determine access to resources such as screens, layers and media folders.
Please have a look at the section Differences from previous versions below for important notes on changes compared to previous versions.
Suggested Active Directory groups
For clarity and readability, we suggest naming your AD groups similar to the examples below.
One AD group for each site (minimum one)
The site group should only be linked to a single site in Smartsign. It should not be linked to any user profile.
One AD group for each user profile (minimum one, at least two normally)
Each user profile group must be linked to a single user profile.
If you wish to manage access to resources, such as screens, folders and layers, from the AD, additional groups should be created for that purpose.
It's possible to reuse the site group for this purpose.
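The two sign-in requirements and the site-group rule above can be checked against exported group memberships before rollout. The following is an added example, not Smartsign code: the group DNs, site names and the "Administrator" profile are constructed, and it assumes the memberships passed in are the ones Smartsign will see for each user.

```python
# Added example. Group DNs, site names and the "Administrator" profile are
# constructed; "Pro Publisher" is the profile name used on this page.
BASE = "OU=Groups,DC=example,DC=com"
SITE_GROUPS = {  # AD group DN -> Smartsign site it is configured on
    f"CN=Smartsign-Site-HQ,{BASE}": "HQ",
    f"CN=Smartsign-Site-Branch,{BASE}": "Branch",
}
PROFILE_GROUPS = {  # AD group DN -> Smartsign user profile it is configured on
    f"CN=Smartsign-Profile-Publisher,{BASE}": "Pro Publisher",
    f"CN=Smartsign-Profile-Admin,{BASE}": "Administrator",
}


def overlapping_groups(site_groups, profile_groups):
    """Groups linked to both a site and a user profile (a site group should not be)."""
    profile_dns = {dn.lower() for dn in profile_groups}
    return sorted(dn for dn in site_groups if dn.lower() in profile_dns)


def _matches(member_of, mapping):
    held = {dn.lower() for dn in member_of}  # AD compares DNs case-insensitively
    return sorted({name for dn, name in mapping.items() if dn.lower() in held})


def audit_user(member_of, site_groups=SITE_GROUPS, profile_groups=PROFILE_GROUPS):
    """Return (sites, profiles, problems); no problems means both requirements are met."""
    sites = _matches(member_of, site_groups)
    profiles = _matches(member_of, profile_groups)
    problems = []
    for kind, found in (("site", sites), ("user profile", profiles)):
        if not found:
            problems.append(f"no {kind} group")
        elif len(found) > 1:
            problems.append(f"multiple {kind} groups: {', '.join(found)}")
    return sites, profiles, problems


if __name__ == "__main__":
    users = {  # constructed memberOf lists
        "alice": [f"CN=Smartsign-Site-HQ,{BASE}", f"cn=smartsign-profile-publisher,{BASE}"],
        "bob": [f"CN=Smartsign-Site-HQ,{BASE}"],  # v9-style: login group only
        "carol": [f"CN=Smartsign-Site-HQ,{BASE}", f"CN=Smartsign-Site-Branch,{BASE}",
                  f"CN=Smartsign-Profile-Admin,{BASE}"],
    }
    for name, groups in users.items():
        print(name, audit_user(groups))
    print("overlap:", overlapping_groups(SITE_GROUPS, PROFILE_GROUPS))
```

Users reported with a problem either cannot sign in or match more than one site or profile, and should be corrected in the AD before they first sign in.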
Differences from previous versions
Version 10 has a new and improved Active Directory implementation. The function is very similar to previous versions, but there are some important changes which you will need to adjust for in your Active Directory if you are migrating from a previous version.
All installations
In v9 it was assumed that you were a Publisher if there was no other user profile specified. In v10 a user profile must always be specified. This means you must create an AD group for the Publisher user profile and add it to the users that only had the Publisher login group previously. In addition, the LDAP path for that group must be configured on the Pro Publisher user profile in Smartsign.
Single-Site installations
Your Publisher login group should be configured on the site in Smartsign. This is equivalent to configuring the Publisher login group in the old AD settings.
Multi-Site installations
In this case you should have a group for each site in the AD already. Configure these on each site in Smartsign. The Publisher login group is no longer needed and can be removed if desired.
Known limitations
If you want to move a user to another site, you must first change the user's site AD group in the AD and delete the user in Smartsign. When the user signs in again, a new user will be automatically created in the correct site.