Single Sign-On with Active Directory integration


1) Enable Active Directory integration in the Bulksign configuration.

The config settings are :

    "ActiveDirectorySettings" : {
        "Enabled" : false,
        "TimeoutSeconds" : 0,
        "PageSize" : 0,

        "Entries" :[{
            "OrganizationName":"FirstOrganization",
            "LDAPConnectionString":"LDAP://MyOrganization.Local",
            "UserName":"test",
            "Password":"test",
            "FilterQuery":"",
            "UserGroups":["Group1","Group2"],
            "AdministratorGroups":["Admin1","Admin2"],
            "CustomGroups" : [
                {"Key" : "RoleName", "Value" : "ADGroupName"}
            ]
        },
        {
            "OrganizationName":"SecondOrganization",
            "LDAPConnectionString":"LDAP://MyOrganization.Local",
            "UserName":"test2",
            "Password":"test2",
            "FilterQuery":"",
            "UserGroups":["Group1","Group2"],
            "AdministratorGroups":["Admin1","Admin2"],
            "CustomGroups" : []
        }]
    }

Enabled : set to true to enable Active Directory synchronization in Bulksign.

PageSize : the number of items returned per page. Increase this value for a very large number of users.

TimeoutSeconds : the timeout used when querying AD. Increase this value if needed.

Entries : for each Bulksign organization, the following information needs to be configured :

OrganizationName : the name of Bulksign organization

LDAPConnectionString : configure the LDAP protocol connection to your Active Directory domain controller

UserName : the user name which will be used to connect to the domain controller

Password : the password

FilterQuery : the LDAP search filter (example : "OU=Groups,DC=MyOrganization,DC=Local")

UserGroups : set the names of the AD user groups which will be queried and imported by Bulksign. Users imported from these groups will NOT have administrator privileges in Bulksign.

AdministratorGroups : set the names of the AD user groups which will be queried and imported by Bulksign. Users imported from these groups WILL have administrator privileges in Bulksign.

CustomGroups : this allows you to synchronize users for custom roles (it's possible to define multiple roles). The configuration looks like this :

    "CustomGroups" : [
        {"Key" : "RoleName", "Value" : "ADGroupName"},
        {"Key" : "AnotherCustomRole", "Value" : "MyGroup"}
    ]

where "Key" is the name of the Bulksign custom role (please note this is case insensitive) and "Value" is the name of the AD group from which the users will be synchronized.

2) In IIS enable "Windows Authentication" for the Bulksign website

Important!

Note : Make sure ONLY Windows authentication is enabled. All other authentication modes must be disabled.


3) In web.config enable Windows authentication

    <system.web>
        <authentication mode="Windows" />
    </system.web>

Troubleshooting Integration problems

Bulksign comes with the ActiveDirectorySynchronizer tool, which helps troubleshoot the AD integration. Run the tool from :

c:\Program Files\Bulksign\Tools\ActiveDirectorySynchronizer.exe

Running the tool will list the problems with the configuration. If there are no configuration problems, it will list all the found users.

To force a user import into Bulksign run the tool with an extra parameter :

ActiveDirectorySynchronizer.exe import

FAQ

What user data is required, and why are some users not imported ?

The following user attributes are read from Active Directory :

  • objectSid
  • sn
  • mail
  • name
  • givenName
  • sAMAccountName

Important!

Users which do not have valid values for all those attributes CANNOT be imported by Bulksign.
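
A pre-flight check for the attribute requirement above, as an added example that is not part of Bulksign or its documentation: it lists members of the configured groups that are missing any of the six attributes. It assumes the RSAT ActiveDirectory PowerShell module, the placeholder group names from the sample configuration, nested-group expansion, and that "valid" means present and non-blank.

```powershell
# Added example, not Bulksign code. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumption: replace with the group names from UserGroups, AdministratorGroups
# and CustomGroups in your Bulksign configuration (placeholders shown here).
$Groups = @('Group1', 'Group2', 'Admin1', 'Admin2')

# The six attributes the documentation lists as read from Active Directory.
$Required = @('objectSid', 'sn', 'mail', 'name', 'givenName', 'sAMAccountName')

$report = foreach ($group in $Groups) {
    # -Recursive expands nested groups; whether Bulksign does the same
    # is an assumption of this example.
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($member in $members) {
        $user = Get-ADUser -Identity $member.DistinguishedName -Properties $Required

        # Assumption: a "valid" value is one that is present and not blank.
        $missing = @($Required | Where-Object {
            [string]::IsNullOrWhiteSpace([string]$user.$_)
        })

        if ($missing.Count -gt 0) {
            [pscustomobject]@{
                Group          = $group
                SamAccountName = $user.SamAccountName
                Missing        = $missing -join ', '
            }
        }
    }
}

# Each row is an account that would be expected to be skipped by the import.
$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize
```

An empty result means every member of the listed groups carries all six attributes; accounts in AdministratorGroups that appear in the output are worth fixing first, since they would otherwise be absent from the set of Bulksign administrators.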


How do I delete a user from Bulksign when Active Directory integration is enabled ?

Just remove the user from the Bulksign ActiveDirectory group. The user data will be kept in Bulksign but login will not be possible anymore.

How often is the automatic user synchronization performed ?

Automatic user synchronization with Active Directory is done once every 24h.

I have just made some changes in Active Directory, can I force a user synchronization from the Bulksign UI ?

Yes, log in to Bulksign as an administrator, navigate to Settings, Users and click the "Synchronize" button.

What if I want to run an automatic synchronization more often ?

You can schedule the ActiveDirectorySynchronizer tool to run, as described above.

If I am already using Bulksign with user/password authentication, what will happen with existing users if I enable AD single sign-on ?

Those users will be disabled and login won't be possible anymore for them.