Single Sign-On with Active Directory integration


1) Enable Active Directory integration in the Bulksign configuration.

The config settings are :

    "ActiveDirectorySettings" : {
        "Enabled" : false,
        "TimeoutSeconds" : 0,
        "PageSize" : 0,

        "Entries" :[{
            "OrganizationName":"FirstOrganization",
            "LDAPConnectionString":"LDAP://MyOrganization.Local",
            "UserName":"test",
            "Password":"test",
            "FilterQuery":"",
            "UserGroups":["Group1","Group2"],
            "AdministratorGroups":["Admin1","Admin2"],
            "CustomGroups" : [
                {"Key" : "RoleName", "Value" : "ADGroupName"}
            ]
        },
        {
            "OrganizationName":"SecondOrganization",
            "LDAPConnectionString":"LDAP://MyOrganization.Local",
            "UserName":"test2",
            "Password":"test2",
            "FilterQuery":"",
            "UserGroups":["Group1","Group2"],
            "AdministratorGroups":["Admin1","Admin2"],
            "CustomGroups" : []
        }]
    }

Enabled : set to "true" to enable Active Directory synchronization in Bulksign.

PageSize : the number of items returned per page. Increase this value for a very large number of users.

TimeoutSeconds : the timeout used when querying AD. Increase this value if needed.

Entries : for each Bulksign organization, the following information needs to be configured :

OrganizationName : the name of the Bulksign organization

LDAPConnectionString : configure the LDAP protocol connection to your Active Directory domain controller

UserName : the user name which will be used to connect to the domain controller

Password : the password of that user

FilterQuery : the LDAP search filter (example : "OU=Groups,DC=MyOrganization,DC=Local")

UserGroups : set the names of the AD user groups which will be queried and imported by Bulksign. Imported users from these groups will NOT have administrator privileges in Bulksign.

AdministratorGroups : set the names of the AD user groups which will be queried and imported by Bulksign. Imported users from these groups WILL have administrator privileges in Bulksign.

CustomGroups : this allows you to synchronize users for custom roles (it's possible to define multiple roles). The configuration looks like this :

    "CustomGroups" : [
        {"Key" : "RoleName", "Value" : "ADGroupName"},
        {"Key" : "AtherCustomRole", "Value" : "MyGroup"}
    ],

where "Key" is the name of the Bulksign custom role (please note this is case insensitive) and "Value" is the name of the AD group from which the users will be synchronized.
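The following Python check is an added example, not part of Bulksign or its documentation. It reads a configuration shaped like the block above and reports AD groups that grant more than one Bulksign role, custom role names that collide once case is ignored, and bind passwords that are empty or equal to the user name. The sample values, the function name `audit` and the case-insensitive comparison of AD group names are assumptions.

```python
import json

# Constructed sample in the shape of the "ActiveDirectorySettings" block above.
SAMPLE = json.loads("""
{"ActiveDirectorySettings": {"Enabled": true, "Entries": [
    {"OrganizationName": "FirstOrganization",
     "LDAPConnectionString": "LDAP://MyOrganization.Local",
     "UserName": "test", "Password": "test", "FilterQuery": "",
     "UserGroups": ["Group1", "Staff"],
     "AdministratorGroups": ["Admin1", "group1"],
     "CustomGroups": [{"Key": "RoleName", "Value": "ADGroupName"},
                      {"Key": "rolename", "Value": "Admin1"}]},
    {"OrganizationName": "SecondOrganization",
     "LDAPConnectionString": "LDAP://MyOrganization.Local",
     "UserName": "svc-sync", "Password": "constructed-placeholder-secret",
     "FilterQuery": "", "UserGroups": ["Group2"],
     "AdministratorGroups": ["Admin2"], "CustomGroups": []}]}}
""")


def audit(config):
    """Return (organization, finding) pairs for ambiguous or weak settings."""
    findings = []
    for entry in config["ActiveDirectorySettings"].get("Entries", []):
        org = entry.get("OrganizationName", "<unnamed>")
        granted = {}  # AD group -> roles it grants (assumption: names compared case-folded)
        for group in entry.get("UserGroups", []):
            granted.setdefault(group.casefold(), set()).add("user")
        for group in entry.get("AdministratorGroups", []):
            granted.setdefault(group.casefold(), set()).add("administrator")
        role_names = []
        for pair in entry.get("CustomGroups", []):
            role = pair["Key"].casefold()  # role names are case insensitive
            role_names.append(role)
            granted.setdefault(pair["Value"].casefold(), set()).add("custom:" + role)
        for group, roles in sorted(granted.items()):
            if len(roles) > 1:
                findings.append((org, f"group '{group}' grants {', '.join(sorted(roles))}"))
        for role in sorted({r for r in role_names if role_names.count(r) > 1}):
            findings.append((org, f"custom role '{role}' is mapped more than once"))
        user, password = entry.get("UserName", ""), entry.get("Password", "")
        if not password or password.casefold() == user.casefold():
            findings.append((org, "bind password is empty or equals UserName"))
    return findings


if __name__ == "__main__":
    for org, finding in audit(SAMPLE):
        print(f"{org}: {finding}")
```

A group reported as granting both "user" and "administrator" deserves attention first, because the page defines those two lists as mutually exclusive privilege levels.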

2) In IIS enable "Windows Authentication" for the Bulksign website

Important!

Note : Make sure ONLY Windows authentication is enabled; all other authentication modes must be disabled.

3) In web.config enable Windows authentication

    <system.web>
        <authentication mode="Windows" />
    </system.web>
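Steps 2 and 3 can be verified from the configuration files instead of the IIS console. The Python check below is an added example, not Bulksign tooling: it overlays the server-wide IIS authentication section with the site's `<location>` block and lists every deviation from "only Windows authentication". The XML excerpts are constructed, and the IIS site name "Bulksign" and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed excerpts; the IIS site name "Bulksign" is an assumption.
APPHOST_WEAK = """<configuration>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" />
    <windowsAuthentication enabled="false" />
  </authentication></security></system.webServer>
  <location path="Bulksign"><system.webServer><security><authentication>
    <windowsAuthentication enabled="true" />
    <basicAuthentication enabled="true" />
  </authentication></security></system.webServer></location>
</configuration>"""
APPHOST_FIXED = APPHOST_WEAK.replace(
    '<basicAuthentication enabled="true" />',
    '<basicAuthentication enabled="false" /><anonymousAuthentication enabled="false" />')
WEB_CONFIG = '<configuration><system.web><authentication mode="Windows" /></system.web></configuration>'


def effective_modes(apphost_xml, site):
    """Server-wide authentication settings overlaid with the site's <location>."""
    root = ET.fromstring(apphost_xml)
    scopes = [root] + [loc for loc in root.findall("location")
                       if loc.get("path", "").lower() == site.lower()]
    modes = {"anonymousAuthentication": True}  # IIS default when nothing overrides it
    for scope in scopes:
        section = scope.find("system.webServer/security/authentication")
        for mode in (section if section is not None else []):
            if "enabled" in mode.attrib:
                modes[mode.tag] = mode.get("enabled").strip().lower() == "true"
    return modes


def windows_only_problems(apphost_xml, web_config_xml, site="Bulksign"):
    """List every deviation from 'ONLY Windows authentication is enabled'."""
    modes = effective_modes(apphost_xml, site)
    problems = [f"{name} is enabled" for name, on in sorted(modes.items())
                if on and name != "windowsAuthentication"]
    if not modes.get("windowsAuthentication", False):
        problems.append("windowsAuthentication is not enabled")
    auth = ET.fromstring(web_config_xml).find("system.web/authentication")
    if auth is None or auth.get("mode") != "Windows":
        problems.append('web.config does not set <authentication mode="Windows" />')
    return problems


if __name__ == "__main__":
    print("weak: ", windows_only_problems(APPHOST_WEAK, WEB_CONFIG))
    print("fixed:", windows_only_problems(APPHOST_FIXED, WEB_CONFIG))
```

The weak excerpt shows the common failure: Windows authentication was switched on for the site, but anonymous access inherited from the server level was never switched off.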

Troubleshooting Integration problems

Bulksign comes with the ActiveDirectorySynchronizer tool, which helps troubleshoot the AD integration. Run the tool from :

    c:\Program Files\Bulksign\Tools\BulksignCli\BulksignCli.exe

  • running the tool with the parameter "adlist" will list ALL ActiveDirectory users found with the current configuration.

        BulksignCli.exe adlist

  • running the tool with the parameter "adimport" will import ALL ActiveDirectory users found with the current configuration.

        BulksignCli.exe adimport

FAQ

What user data is required, and why are some users not imported ?

The following user attributes are read from Active Directory :

  • objectSid
  • sn
  • mail
  • name
  • givenName
  • sAMAccountName

Important!

Users who do not have valid values for all of these attributes CANNOT be imported by Bulksign.


How do I delete a user from Bulksign when Active Directory integration is enabled ?

Removing users is a 2-step process :

  • log into Bulksign as an administrator user (or a user with custom rights who has access to the users list), navigate to Settings\Users and delete the user. You will be prompted to re-assign the user's envelopes and contacts (optional) to another user.

  • remove the user from the AD group.

Important!

Please note that these 2 operations need to be done immediately one after another.

How often is the automatic user synchronization performed ?

Automatic user synchronization with Active Directory is done once every 24h.

I have just made some changes in Active Directory, can I force a user synchronization from the Bulksign UI ?

Yes, log in to Bulksign as an administrator, navigate to Settings, Users and click the "Synchronize" button.

What if I want to run an automatic synchronization more often ?

You can schedule the ActiveDirectorySynchronizer tool to run, as described above.

If I am already using Bulksign with user/password authentication, what will happen with existing users if I enable AD single sign-on ?

Those users will be disabled and login won't be possible for them anymore.