Single Sign-On with Active Directory integration

1) Enable Active Directory integration in the Bulksign configuration. The configuration settings are:

ActiveDirectoryEnableAuthentication: true

This enables Active Directory in Bulksign.

ActiveDirectoryLDAPConnectionString: LDAP://MyOrganization.Local

Set the name of your Active Directory domain controller.

ActiveDirectoryUserName: user
ActiveDirectoryPassword: password

Set the name and password of the user that Bulksign will use to query Active Directory.

ActiveDirectoryFilter: OU=Groups,DC=MyOrganization,DC=Local

The filter used to query AD. Set the name of the required AD groups here.

ActiveDirectoryUserGroups: sales, marketing

Set the names of the AD user groups which will be queried and imported by Bulksign. Users imported from these groups will NOT have administrator privileges in Bulksign.

ActiveDirectoryAdministratorGroups: admins

Set the names of the AD user groups which will be queried and imported by Bulksign. Users imported from these groups WILL have administrator privileges in Bulksign.

ActiveDirectoryPageSize: 3

The number of items returned per page. Feel free to increase this for a very large number of users.

ActiveDirectoryTimeout: 6360000

The timeout (in milliseconds) used to query AD. Feel free to increase this value if needed.

2) In IIS, enable "Windows Authentication" for the Bulksign website.

Important: Make sure ONLY Windows authentication is enabled. All other authentication modes must be disabled.

3) In web.config, enable Windows authentication:

<system.web>
    <authentication mode="Windows" />
</system.web>
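
A check for the IIS and web.config steps above, as an added example that is not part of the Bulksign documentation or tooling: it reads the effective IIS authentication settings for the site and the mode in web.config, and reports anything other than Windows authentication. The site name `Bulksign` is an assumption, as is Bulksign being hosted as its own IIS site rather than as an application under another site.

```powershell
# Added example: confirm Windows authentication is the only mode enabled.
# Run in an elevated PowerShell session on the IIS server.
Import-Module WebAdministration

$siteName = 'Bulksign'              # assumption: IIS site name, adjust to your installation
$sitePath = "IIS:\Sites\$siteName"

# Common IIS authentication sections; values read here are the effective
# settings for the site (applicationHost.config merged with web.config).
$sections = 'anonymousAuthentication', 'basicAuthentication',
            'digestAuthentication', 'windowsAuthentication'

$problems = @()
foreach ($section in $sections) {
    $filter  = "/system.webServer/security/authentication/$section"
    $enabled = [bool](Get-WebConfigurationProperty -PSPath $sitePath `
                        -Filter $filter -Name 'enabled').Value
    $expected = ($section -eq 'windowsAuthentication')
    if ($enabled -ne $expected) {
        $problems += "$section has enabled=$enabled, expected enabled=$expected"
    }
}

# ASP.NET authentication mode from the site's web.config.
$root = [Environment]::ExpandEnvironmentVariables((Get-Item $sitePath).physicalPath)
[xml]$webConfig = Get-Content -Path (Join-Path $root 'web.config') -Raw
$mode = $webConfig.configuration.'system.web'.authentication.mode
if ($mode -ne 'Windows') {
    $problems += "system.web/authentication mode is '$mode', expected 'Windows'"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "OK: only Windows authentication is enabled for '$siteName'."
}
```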

Troubleshooting Integration problems

Bulksign comes with the ActiveDirectorySynchronizer tool, which allows for troubleshooting the AD integration. Run the tool from:

c:\Program Files\Bulksign\Tools\ActiveDirectorySynchronizer.exe

Running the tool will list the problems with the configuration. If there are no configuration problems, it will list all the found users.

To force a user import into Bulksign, run the tool with an extra parameter:

ActiveDirectorySynchronizer.exe import

FAQ

  • What user data is required, and why aren't some users imported?

    The following user attributes are read from Active Directory:

    • objectSid
    • sn
    • mail
    • name
    • givenName
    • sAMAccountName

    Users who do not have valid values for all of these attributes cannot be imported by Bulksign.

  • How do I delete a user from Bulksign when Active Directory integration is enabled?

        Just remove the user from the Bulksign ActiveDirectory group. His/her data will be kept in Bulksign
        but login will not be possible anymore.
    
  • How often is the automatic user synchronization performed?

        Automatic user synchronization with Active Directory is done once every 24h.
    
  • I have just made some changes in Active Directory. Can I force a user synchronization from the Bulksign UI?

        Yes. Log in to Bulksign as an administrator, navigate to Settings, Users and click the "Synchronize" button.
    
  • What if I want to run an automatic synchronization more often?

        You can schedule the ActiveDirectorySynchronizer tool to run, as described above.
    
  • If I am already using Bulksign with user/password authentication, what will happen to existing users if I enable AD single sign-on?

        Those users will be disabled and login won't be possible anymore for them.
    
  • Is the Bulksign API still accessible after enabling AD single sign-on?

        Yes, it is. Just be aware that your integration code will need to authenticate first with an
        NTLM / Kerberos token before accessing the API.