Single Sign-On with Active Directory integration

1) Enable Active Directory integration in the Bulksign configuration. The config settings are:

ActiveDirectoryEnableAuthentication: true

This enables Active Directory in Bulksign.

ActiveDirectoryLDAPConnectionString: LDAP://MyOrganization.Local

Set the name of your Active Directory domain controller.

ActiveDirectoryUserName: user
ActiveDirectoryPassword: password

Set the name and password of the user that Bulksign will use to query Active Directory.

ActiveDirectoryFilter: OU=Groups,DC=MyOrganization,DC=Local

The filter used to query AD. Set the name of the required AD groups here.

ActiveDirectoryUserGroups: sales, marketing

Set the names of the AD user groups which will be queried and imported by Bulksign. Users imported from these groups will NOT have administrator privileges in Bulksign.

ActiveDirectoryAdministratorGroups: admins

Set the names of the AD user groups which will be queried and imported by Bulksign. Users imported from these groups WILL have administrator privileges in Bulksign.

ActiveDirectoryPageSize: 3

The number of items returned per page. Feel free to increase this for a very large number of users.

ActiveDirectoryTimeout: 6360000

The timeout (in milliseconds) used to query AD. Feel free to increase this value if needed.

2) In IIS, enable "Windows Authentication" for the Bulksign website.
Important!

Note: Make sure ONLY Windows authentication is enabled; all other authentication modes must be disabled.

3) In web.config, enable Windows authentication:
<system.web>
    <authentication mode="Windows" />
</system.web>

Troubleshooting Integration problems

Bulksign comes with the ActiveDirectorySynchronizer tool, which allows for troubleshooting the AD integration. Run the tool from:

c:\Program Files\Bulksign\Tools\ActiveDirectorySynchronizer.exe

Running the tool will list the problems with the configuration. If there are no configuration problems, it will list all the found users.

To force a user import into Bulksign, run the tool with an extra parameter:

ActiveDirectorySynchronizer.exe import

FAQ

What user data is required, and why are some users not imported?

The following user attributes are read from Active Directory:

  • objectSid
  • sn
  • mail
  • name
  • givenName
  • sAMAccountName
Important!

Users which do not have valid values for all those attributes CANNOT be imported by Bulksign.
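
An added example, not part of the Bulksign documentation or tooling: a PowerShell pre-check that reports which accounts lack a value for any of the six attributes listed above. The function name Get-MissingImportAttribute and the sample entries are constructed for illustration, and the check only tests for empty values, which is an assumption about what "valid" means here.

```powershell
# Attributes this page lists as read from Active Directory.
$RequiredAttributes = 'objectSid', 'sn', 'mail', 'name', 'givenName', 'sAMAccountName'

function Get-MissingImportAttribute {
    # Hypothetical helper (not a Bulksign tool): emits one row per user that
    # has no value for at least one required attribute.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject] $User
    )
    process {
        $missing = foreach ($attr in $RequiredAttributes) {
            # A missing property and an empty or whitespace value are treated alike.
            if ([string]::IsNullOrWhiteSpace([string]$User.$attr)) { $attr }
        }
        if ($missing) {
            [pscustomobject]@{
                User    = $User.sAMAccountName
                Missing = $missing -join ', '
            }
        }
    }
}

# Constructed sample entries (not real directory data).
$sample = @(
    [pscustomobject]@{
        objectSid = 'S-1-5-21-1111111111-2222222222-3333333333-1104'
        sn = 'Doe'; mail = 'jane.doe@myorganization.local'
        name = 'Jane Doe'; givenName = 'Jane'; sAMAccountName = 'jdoe'
    }
    [pscustomobject]@{
        objectSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
        sn = ''; mail = $null
        name = 'svc-scanner'; givenName = $null; sAMAccountName = 'svc-scanner'
    }
)

# Only svc-scanner is reported: it has no sn, mail or givenName.
$sample | Get-MissingImportAttribute

# Against a live domain (requires the RSAT ActiveDirectory module). 'sales' is
# the example group name used for ActiveDirectoryUserGroups on this page:
# Get-ADGroupMember -Identity 'sales' | Where-Object objectClass -eq 'user' |
#     Get-ADUser -Properties objectSid, sn, mail, givenName |
#     Get-MissingImportAttribute
```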


How do I delete a user from Bulksign when Active Directory integration is enabled?

Just remove the user from the Bulksign ActiveDirectory group. The user data will be kept in Bulksign but login will not be possible anymore.

How often is the automatic user synchronization performed?

Automatic user synchronization with Active Directory is done once every 24h.

I have just made some changes in Active Directory. Can I force a user synchronization from the Bulksign UI?

Yes. Log in to Bulksign as an administrator, navigate to Settings, Users and click the "Synchronize" button.

What if I want to run an automatic synchronization more often?

You can schedule the ActiveDirectorySynchronizer tool to run, as described above.

If I am already using Bulksign with user/password authentication, what will happen to existing users if I enable AD single sign-on?

Those users will be disabled and login won't be possible for them anymore.

Is the Bulksign API still accessible after AD single sign-on is enabled?

Yes, it is. Be aware that your integration code will need to authenticate first with an NTLM / Kerberos token before accessing the API.