Toggle menu

iCM Single Sign-On

Single sign-on allows iCM to authenticate users against an external source like Active Directory. This is most commonly used so that users can log into iCM using their domain username and password.

iCM SSO can be set up to use the LDAP or LDAPS protocols and will work with directory services like Active Directory and Azure AD.

As well as user authentication, iCM SSO also performs user and user group synchronisation.

Single Sign On Overview

In this scenario, a user goes to the iCM URL and is greeted with the iCM login page. They enter their domain username and password (the same as they use for logging on to the network). iCM uses a custom script and configuration to authenticate them against Active Directory and if successful, logs them in.

The iCM privileges users receive within iCM are set by the groups that the users belong to. iCM groups sharing the same name as Active Directory groups are synchronised, and the required iCM privileges set on those groups. 

Configuration

The PDF document iCM Single Sign On, in the download section of this page, covers the configuration and implementation of SSO in more detail.

Authentication and user group synchronisation are handled by a set of custom scripts, an iCM scheduled task, and needs to be enabled in iCM's autoconfig.

LDAP or LDAPS

The configuration for either protocol is the same. The ldapConfig.cfm script is where you set the details of the remote server. If the ldapServer property is set to use an LDAPS address, the connection will be made over LDAPS.

iCM Authentication

When network authentication is enabled in iCM's autoconfig, a new checkbox for "Allow iCM authentication" appears when you are editing iCM users. Enabling this setting allows a user to log into iCM via a username and password set in iCM, rather than authentication via LDAP. At least one user must have this setting enabled.

Synchronising Groups

Groups are synchronised by the iCM scheduled task "AuthenticateGroups". To synchronise a group, the name set in iCM must match the name in the external directory and the "Allow network synchronisation" setting (when editing a user group) should be ticked. See the PDF in the downloads area for more information about how synchronisation works.

Last modified on 6 March 2024

Share this page

Facebook icon Twitter icon email icon

Print

print icon