Single sign-on allows iCM to authenticate users against an external source like Active Directory. This is most commonly used so that users can log into iCM using their domain username and password.
iCM SSO can be set up to use the LDAP or LDAPS protocols and will work with directory services like Active Directory and Azure AD.
As well as user authentication, iCM SSO also performs user and user group synchronisation.
Single Sign On Overview
In this scenario, a user goes to the iCM URL and is greeted with the iCM login page. They enter their domain username and password (the same as they use for logging on to the network). iCM uses a custom script and configuration to authenticate them against Active Directory and if successful, logs them in.
The privileges users receive within iCM are set by the groups they belong to. iCM groups sharing the same name as Active Directory groups are synchronised, and the required iCM privileges are set on those groups.
Seamless Single Sign On Overview
Here, a user goes to the iCM URL and their correctly configured browser uses Windows Integrated Authentication to pass that user's identity to IIS. iCM then queries Active Directory to verify these credentials. If successful, the user is logged in to iCM. iCM privileges are assigned in the same way as for Single Sign On.
In order for Seamless Single Sign On to work, the user's browser must have NTLM authentication (Windows Integrated Authentication) enabled. This is most commonly used with Internet Explorer, but is also supported in some form by Chrome and Firefox. Our detailed instructions here deal with Internet Explorer, which is the most common implementation and has the longest history of compatibility with this approach.
Configuration
The PDF document iCM Single Sign On, in the download section of this page, covers the configuration and implementation of SSO and SSSO in more detail.
Authentication and user group synchronisation are handled by a set of custom scripts and an iCM scheduled task, and need to be enabled in iCM's autoconfig.
LDAP or LDAPS
The configuration for either protocol is the same. The ldapConfig.cfm script is where you set the details of the remote server. If the
iCM Authentication
When network authentication is enabled in iCM's autoconfig, a new "Allow iCM authentication" checkbox appears when you are editing iCM users. Enabling this setting allows a user to log into iCM with a username and password set in iCM, rather than via LDAP. At least one user must have this setting enabled.
Synchronising Groups
Groups are synchronised by the iCM scheduled task "AuthenticateGroups". To synchronise a group, the name set in iCM must match the name in the external directory and the "Allow network synchronisation" setting (when editing a user group) should be ticked. See the PDF in the downloads area for more information about how synchronisation works.
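The following is an added illustration, not iCM's own code (the real scripts are ColdFusion, e.g. ldapConfig.cfm). It models the two rules described above: a group is only updated when "Allow network synchronisation" is ticked and its iCM name exactly matches a directory group name, and at least one user must keep "Allow iCM authentication" enabled so iCM stays administrable if the directory is unreachable. The directory data, group names and the handling of a synced group with no directory counterpart (left unchanged and reported) are constructed assumptions.

```python
"""Added example: a model of iCM-style group synchronisation and the
local-login safeguard. All names and memberships are constructed."""
from dataclasses import dataclass, field


@dataclass
class ICMGroup:
    name: str
    allow_network_sync: bool          # the "Allow network synchronisation" tick box
    members: set = field(default_factory=set)


@dataclass
class ICMUser:
    username: str
    allow_icm_authentication: bool    # the "Allow iCM authentication" tick box


# Constructed sample of what a directory group-membership query might return.
DIRECTORY_GROUPS = {
    "iCM Editors": {"alice", "bob"},
    "iCM Administrators": {"alice"},
    "Finance": {"carol"},             # no iCM group of this name, so never imported
}


def sync_groups(icm_groups, directory_groups):
    """Return (memberships, unmatched).

    memberships: {iCM group name: set of usernames} after synchronisation.
    unmatched:   synced groups whose name has no exact match in the directory;
                 these are left unchanged here (an assumption, not documented
                 iCM behaviour) so an operator can spot the naming mismatch.
    """
    memberships = {}
    unmatched = []
    for group in icm_groups:
        if not group.allow_network_sync:
            # Locally managed group: the directory is not consulted.
            memberships[group.name] = set(group.members)
            continue
        if group.name in directory_groups:       # exact, case-sensitive match
            memberships[group.name] = set(directory_groups[group.name])
        else:
            memberships[group.name] = set(group.members)
            unmatched.append(group.name)
    return memberships, unmatched


def local_login_fallback_ok(users):
    """True when at least one user can still authenticate with an iCM-held
    password, i.e. a directory outage cannot lock everyone out."""
    return any(u.allow_icm_authentication for u in users)


def demo():
    groups = [
        ICMGroup("iCM Editors", True, {"dave"}),   # stale local member replaced
        ICMGroup("iCM Administrators", True),
        ICMGroup("Local Only", False, {"erin"}),   # not synced, kept as-is
        ICMGroup("Web Publishers", True),          # synced but no directory match
    ]
    users = [ICMUser("alice", False), ICMUser("breakglass", True)]
    memberships, unmatched = sync_groups(groups, DIRECTORY_GROUPS)
    return memberships, unmatched, local_login_fallback_ok(users)


if __name__ == "__main__":
    memberships, unmatched, ok = demo()
    for name, members in memberships.items():
        print(f"{name}: {sorted(members)}")
    print("unmatched synced groups:", unmatched)
    print("local login fallback present:", ok)
```

Running it shows "iCM Editors" taking its membership from the directory (the stale local member is dropped), "Local Only" untouched, "Web Publishers" reported as unmatched, and "Finance" never appearing because no iCM group carries that name.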