The customer uses Microsoft Active Directory (AD) as an external identity source for resources such as users and groups. Authentication grants network access only to users and groups listed in AD; those users and groups are then mapped to determine the authorization level. AD lets the customer retrieve information from its data store through the STS (Security Token Service), with which the customer communicates using a predetermined set of messages. Users are authenticated by ADFS (Active Directory Federation Services), which validates the user and returns the information to the STS. The STS verifies that the user is configured as an AD user and maps the AD roles. The VHQ authorization process then determines whether a user is allowed to take action on specific areas within the system.
EXAMPLE:
A user can be authorized to read, update, or delete.
On successful verification, the STS returns a SAML (Security Assertion Markup Language) authentication token designed for single sign-on. The data service validates the token and then processes the API request.
NOTE:
- When the authentication and authorization mode is AD and the isHierarchyaccessviaAdfs flag is set to True, the system considers the hierarchy assignment for a user.
- When the authentication and authorization mode is AD and the isHierarchyaccessviaAdfs flag is set to False, the system does not consider the hierarchy assignment for a user.
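The token validation and role mapping described above, and the effect of the isHierarchyaccessviaAdfs flag, as an added example that is not VHQ product code. It assumes the SAML library has already verified the XML signature before this step, and the group names, the `hierarchy` claim name, the audience URN and the group-to-level mapping are constructed for illustration.

```python
# Added example (not VHQ code): check an STS-issued SAML assertion, then map AD groups to a level.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"  # ADFS group claim type
HIERARCHY_CLAIM = "hierarchy"                            # assumed custom claim name
# Assumed AD group -> VHQ authorization level mapping (group names are constructed)
GROUP_TO_LEVEL = {"VHQ-Admins": "delete", "VHQ-Operators": "update", "VHQ-Viewers": "read"}
LEVEL_RANK = {"read": 1, "update": 2, "delete": 3}

def _ts(value):  # SAML timestamps are UTC with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def authorize(assertion_xml, audience, now_iso, hierarchy_via_adfs):
    """Return (level, hierarchy) for an accepted assertion; raise ValueError otherwise."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    if not (_ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion expired or not yet valid")
    if audience not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion was not issued for this data service")
    groups, hierarchy = [], None
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        if attr.get("Name") == GROUP_CLAIM:
            groups.extend(values)
        elif attr.get("Name") == HIERARCHY_CLAIM and values:
            hierarchy = values[0]
    levels = [GROUP_TO_LEVEL[g] for g in groups if g in GROUP_TO_LEVEL]
    if not levels:
        raise ValueError("user exists in AD but is not mapped to any VHQ role")
    # isHierarchyaccessviaAdfs=False: the hierarchy assignment carried in the token is ignored
    return max(levels, key=LEVEL_RANK.__getitem__), (hierarchy if hierarchy_via_adfs else None)

# Constructed sample assertion (Signature element omitted; signature check assumed done earlier)
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
  <saml:AudienceRestriction><saml:Audience>urn:vhq:data-service</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
   <saml:AttributeValue>VHQ-Viewers</saml:AttributeValue><saml:AttributeValue>VHQ-Operators</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="hierarchy"><saml:AttributeValue>Region-East</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
```

With the flag True the user gets the `update` level and the `Region-East` hierarchy; with the flag False the same token yields `update` and no hierarchy, and an expired or wrongly-addressed assertion is rejected before any mapping happens.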