Updated on April 04, 2022 by Barbara Viskovic
If you are a small company, the reason to use external authentication may not be immediately apparent, but if you are a big company, you probably know that introducing a new system can be quite challenging and may bring a lot of work related to user management. First, you need to create users, set their passwords and then keep all of that in sync with existing systems. The more users there are, the more complicated things get. However, you can skip all that if the new system supports external authentication, or in other words, has the ability to connect to your central directory, e.g. LDAP, and access your user information stored externally. ISL Online’s remote desktop, live chat and web conferencing systems fall into the latter group and thus support authentication through central directories (Server License only).
Before we continue to set up external authentication, it might be wise to start with this checklist:
- authentication server address (make sure you are allowed to access it from the machine where the ISL Online’s server application named ISL Conference Proxy is running!)
- appropriate username/password for performing a query (if needed, depends on your security settings)
- at least one test user, but it is much better to have two – one that should be allowed to log in and use ISL Online and one that should not (a positive and a negative test case)
- special access conditions (if needed, e.g. if you only wish to allow login to ISL Conference Proxy to users who are members of a certain group)
If all conditions from the checklist are met, we can easily continue to the main question of how to set up external authentication for ISL Online remote desktop, live chat and web conferencing users (Server License only).
6 steps to set up external authentication
There are many methods of external authentication; the most common ones, which are also supported by ISL Online Server License, are OpenLDAP, Microsoft Active Directory, Novell eDirectory and RADIUS. The setup procedure basically involves the following six steps:
1. Log in to your ISL Conference Proxy administration (http://localhost:7615/conf).
2. Go to User management, click on the Domains tab.
3. Select the desired domain that will use external authentication (e.g. ldapusers).
4. Click on the Security tab.
5. Uncheck the External authenticator option and paste an appropriate modified line.
6. Click on Save.
If you are like me, you must be wondering which modified line is appropriate and how to compose it. As this is a rather complex topic, I advise you to check this manual topic for more information and a few examples.
Here are also a few notes and hints to help you form the final string:
- The direct bind approach is usually used for simple situations, but if you want to set certain conditions, go for the search approach.
- If you require a special username and a password to connect (i.e. anonymous bind not allowed or it does not have enough privileges), then specify this username and password using BINDDN and BINDPASSWORD. Make sure to use an encoded bind password instead of a plain-text bind password.
- Before using a string in production, make sure to check our external authentication reference for important notes and security pointers, as well as advanced functionality.
In some cases you may wish to search for certain attributes and use them to decide whether to allow or deny the login. In general, you simply copy the desired custom search string from LDAP Admin or some similar tool and put the @USERNAME@ into the correct location. Here is an example of an external authenticator string ready to be pasted into ISL Conference Proxy settings:
A short explanation is necessary: This external authenticator string binds to the server at 184.108.40.206 with the user abc\islsearch and password topsecret (decoded bind password), then performs a search in dc=main,dc=company,dc=com with the specified SEARCHFILTER (i.e. a search for the user with uid=@USERNAME@ that has the attribute memberOf set to a certain value). The username and the password are filled in by ISL Conference Proxy with the appropriate values from the product login.
Please note that it is also possible to have different external authenticators set for different ISL Conference Proxy domains, which can prove handy if your user tree is more like a forest with each tree representing a country, city, (sub)organization etc.
Useful hint: Even if you have “just” one tree, it might be useful to create a user or two in some other ISL Conference Proxy domain that does not use an external authenticator. This can act as a backup solution for cases when there is a temporary issue with the central directory.
How external authentication works
When the setup is finished, there are basically three steps ISL Online users should follow in order to log in:
- Log into ISL Conference Proxy with a username and a password within a domain that has an external authenticator enabled.
- ISL Conference Proxy executes the provided external authenticator command for that domain and fills in the username and the password.
- If the external authenticator command returns OK, login is allowed. Otherwise, login is denied.
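The search approach and the OK/deny decision described above, sketched as an added example (not ISL Online's code, and not a statement of how ISL Conference Proxy handles the substitution internally): the login name is escaped per RFC 4515 before it replaces @USERNAME@, and an empty password is refused before any bind is attempted. The in-memory directory, the `isl-users` group, the function names and the password comparison that stands in for a bind against a real LDAP server are all assumptions made for illustration.

```python
import hmac
import re

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(template, username):
    """Put the login name into the @USERNAME@ placeholder as a literal value."""
    return template.replace("@USERNAME@", escape_filter_value(username))

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def search(directory, ldap_filter):
    """Toy matcher: AND of (attr=value) terms; a bare * matches any value."""
    terms = re.findall(r"\((\w+)=([^()]*)\)", ldap_filter)
    if not terms:
        return []  # malformed filter: match nothing rather than everything
    return [dn for dn, entry in directory.items()
            if all((v == "*" and a in entry) or _unescape(v) in entry.get(a, [])
                   for a, v in terms)]

def authenticate(directory, template, username, password):
    """Search approach: exactly one matching entry, then check the password."""
    if not username or not password:
        # An empty password would make a simple bind unauthenticated (RFC 4513 5.1.2).
        return "DENY"
    hits = search(directory, build_filter(template, username))
    if len(hits) != 1:
        return "DENY"  # no entry, or an ambiguous match
    stored = directory[hits[0]]["userPassword"][0]
    # Stand-in for binding to the server as the DN that was found.
    ok = hmac.compare_digest(stored.encode(), password.encode())
    return "OK" if ok else "DENY"

# Constructed sample data: one user who may log in, one who may not.
GROUP = "cn=isl-users,ou=groups,dc=example,dc=com"
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com":
        {"uid": ["alice"], "memberOf": [GROUP], "userPassword": ["correct-horse"]},
    "uid=bob,ou=people,dc=example,dc=com":
        {"uid": ["bob"], "memberOf": [], "userPassword": ["battery-staple"]},
}
TEMPLATE = "(&(uid=@USERNAME@)(memberOf=" + GROUP + "))"

if __name__ == "__main__":
    for user, pw in [("alice", "correct-horse"), ("bob", "battery-staple"), ("*", "x")]:
        print(user, authenticate(DIRECTORY, TEMPLATE, user, pw))
```

The two sample users correspond to the positive and negative test cases from the checklist: the same pair of logins can be tried against the real domain after the authenticator string is saved.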
That’s it! You are done! In case your central directory is not supported out of the box by ISL Conference Proxy or if you encounter any problems, please contact us and we will gladly provide the help needed.
A perfect remote desktop for large businesses
The bigger the company, the more demanding the requirements related to remote desktop software features and security measures. Apart from offering the possibility of external authentication, there’s a long list of customisation options and other conditions a large enterprise frequently requests.
ISL Online offers various plans for large enterprises, including cloud and self-hosted remote desktop solutions. Larger organisations and those who need 50+ simultaneous sessions and remote support services working uninterrupted 24/7/365 have found ISL Online Private Cloud is the best solution for the job. The ISL Online Private Cloud assures a robust, almost 100% fault-tolerant system with an incredible 99.96% uptime, providing an admirable performance of customer support services.
In short, to successfully fulfill the needs of a large enterprise, remote support software should assure uncompromised security, excellent uptime, a great deal of customisation and integration possibilities, cross-platform performance and responsive tech support.
Very well put!