How to enable LDAP Authentication


Enabling LDAP authentication for your account allows you to leverage your existing Active Directory or other LDAP server infrastructure to manage your GoCanvas users.

LDAP Authentication

To begin, ask your GoCanvas Account Representative to enable LDAP integration for your account. Once that's done, visit the LDAP Authentication settings page by expanding the Account drop down and selecting Account Settings. Scroll to Advanced Settings and select the Settings button associated with LDAP Authentication Settings.

[Screenshot: Account > Account Settings > LDAP Authentication Settings]

On this screen, you're presented with several fields.

[Screenshot: LDAP Settings form]

  • LDAP Host: This is the DNS name or IP address of your public-facing LDAP server.
  • Base DN: This is the base distinguished name in which your users are stored. GoCanvas will search within this base DN when attempting to authenticate your company's users. An example DN is shown below the field.
  • Encryption: LDAP integration requires that connections between GoCanvas and your authentication server take place over a secure channel. You can choose between StartTLS and SimpleTLS here.
  • Port: This is the port on which GoCanvas should connect to your server. This field is optional, and the default setting depends on the encryption method chosen. For StartTLS, we'll try port 389 by default; for SimpleTLS, we'll use port 636. You can customize this if you need to, with a value between 0 and 65535.

The next section of the form allows you to test your settings to ensure that GoCanvas is able to communicate with your server, and authenticate users against it. To test, enter the DN or Active Directory User Principal Name (UPN) of a user that exists in your directory along with their Password, and select Test.

[Screenshot: LDAP Test Settings section]

GoCanvas will attempt to authenticate those credentials using the settings you provided. If all goes well, you'll see a message near the bottom of the form indicating success. If something isn't quite right, you'll see a message there that may be helpful in understanding what went wrong.

Note

If you provide an Active Directory UPN here, it must match the "mail" attribute of the corresponding user, or authentication will fail. When in doubt, use a complete DN here.

Once you've got things working, go ahead and save your settings.

Please Note

The credentials you provided in the test area of the form are not saved.

Adding Users

You can add your LDAP or Active Directory users to GoCanvas by visiting Account Users. You can choose to add users one by one, or you can add multiple user seats at once and then populate them with your users by selecting the Fill Seat hyperlink for any empty seat.

In either case, if you have LDAP configured within your account, the form will choose the Use LDAP Authentication checkbox for you by default, and will provide you with a field for their DN or Active Directory UPN. If you wish to set up any particular user to not use LDAP for authentication, unchecking this box will present you with options for setting the user's password directly within GoCanvas.

As the field name implies, you can use a Distinguished Name or an Active Directory User Principal Name here. Even easier, if it happens that your users' Active Directory UPN and "mail" attributes match within your directory, you can leave this field blank. When the user attempts to authenticate, GoCanvas will try to authenticate them using their email address as their UPN.

Disabling Users

Disabling a user within your authentication server will not disable their GoCanvas account, but it will prevent them from logging in. Note that already authenticated users will remain authenticated on the web, but will be unable to log in or sync via the GoCanvas mobile application.

If it's important that their access to GoCanvas be revoked immediately, disable the user on the website by navigating to Users under the Account drop down and selecting the Disable hyperlink for that user.

Editing a User's Settings

At any time you may change a user's DN or UPN, or turn off LDAP authentication for their GoCanvas account by navigating to Users under the Account drop down and selecting the user's name, and then selecting Edit LDAP Settings.

Forgotten Passwords

Ordinarily GoCanvas provides a user who has forgotten his or her password a means by which to reset it. There's a Forgot Password? link underneath the login form that allows the user to have a link sent to them by which they can recover their account.

However, when a user is configured to authenticate to an external server, GoCanvas is unable to provide this service. Instead, when a user visits the "Forgot Password" form and enters their email address, GoCanvas detects that they are an LDAP user and prompts them to seek help from their company IT department or help desk.

How it Works

GoCanvas uses a "double bind" method of authenticating your users to your LDAP server. This means customers who allow anonymous binding to their servers can keep doing so without compromising the security of their GoCanvas account.

When a user attempts to authenticate, GoCanvas looks up the authentication server settings you configured and determines the user's Distinguished Name or User Principal Name (falling back to their email address as the UPN if nothing is set in that field).

GoCanvas then uses the DN or UPN it has calculated for the user along with the password they provided to bind to the LDAP server. If that's successful, GoCanvas then searches within the base DN you've configured by either the "mail" attribute (if a UPN was used), or by the given DN.

If a match is found, GoCanvas then binds to the LDAP server again using the newly-discovered DN (which often, but not always, matches the DN we started with) and the password the user provided. If this second bind succeeds, GoCanvas considers the user to be authenticated and allows them access.

If either bind fails, the user is denied access.
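The double-bind flow described above, as an added example that is not GoCanvas code: it models the settings page (base DN, encryption, port default), the blank-field-means-email rule, the search by DN or "mail", and the note that a UPN which does not match the "mail" attribute is rejected. The in-memory directory, the user entries and the `FakeLdapServer` class are constructed stand-ins for a real LDAP server so the flow runs offline.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed in-memory directory standing in for the customer's AD/LDAP server.
# Keys are DNs; each entry carries only the attributes this flow relies on.
FAKE_DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=alice,ou=users,dc=example,dc=com":
        {"upn": "alice@example.com", "mail": "alice@example.com", "password": "s3cret"},
    # Carol's UPN differs from her "mail" attribute; the article's note says this fails.
    "cn=carol,ou=users,dc=example,dc=com":
        {"upn": "carol@corp.example.com", "mail": "carol@example.com", "password": "pa55"},
}

@dataclass
class LdapSettings:
    base_dn: str
    encryption: str = "StartTLS"   # "StartTLS" or "SimpleTLS", as on the settings page
    port: Optional[int] = None     # left blank on the form -> default for the method

    def effective_port(self) -> int:
        if self.port is not None:
            return self.port
        return 389 if self.encryption == "StartTLS" else 636

class FakeLdapServer:
    # Minimal stand-in exposing just the two operations the double bind needs.
    def __init__(self, entries: Dict[str, Dict[str, str]]) -> None:
        self.entries = entries

    def bind(self, identity: str, password: str) -> bool:
        # A real server accepts a DN or (for Active Directory) a UPN as bind identity.
        for dn, attrs in self.entries.items():
            if identity in (dn, attrs["upn"]) and attrs["password"] == password:
                return True
        return False

    def find_dn(self, base_dn: str, identity: str) -> Optional[str]:
        # Search limited to the configured base DN, matching by DN or by "mail".
        for dn, attrs in self.entries.items():
            if dn.endswith(base_dn) and identity in (dn, attrs["mail"]):
                return dn
        return None

def double_bind_authenticate(server: FakeLdapServer, settings: LdapSettings,
                             email: str, ldap_identity: str, password: str) -> bool:
    identity = ldap_identity or email        # blank field -> email used as the UPN
    if not server.bind(identity, password):  # first bind with the supplied DN/UPN
        return False
    dn = server.find_dn(settings.base_dn, identity)
    if dn is None:                           # UPN != "mail", or entry outside base DN
        return False
    return server.bind(dn, password)         # second bind with the discovered DN
```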

Comments

  • Hi, I have a professional license and I'm an admin but I don't have an option for LDAP under Home>Account>Account Settings. Has this been moved or is there an issue with my account?

    Thanks