Enabling LDAP authentication for your account allows you to leverage your existing Active Directory or other LDAP server infrastructure to manage your GoCanvas users.
To begin, ask your GoCanvas sales representative to enable LDAP integration for your account. Once that's done, visit the LDAP Authentication settings page by navigating to Home>Account>Customize>LDAP Authentication Settings (Edit).
On this screen, you're presented with several fields:
- LDAP Host: This is the DNS name or IP address of your public-facing LDAP server.
- Base DN: This is the base distinguished name in which your users are stored. GoCanvas will search within this base DN when attempting to authenticate your company's users. An example DN is shown below the field.
- Encryption: LDAP integration requires that connections between GoCanvas and your authentication server take place over a secure channel. You can choose between StartTLS and SimpleTLS here.
- Port: This is the port on which GoCanvas should connect to your server. This field is optional, and the default setting depends on the encryption method chosen. For StartTLS, we'll try port 389 by default; for SimpleTLS, we'll use port 636. You can customize this if you need to, with a value between 0 and 65535.
The next section of the form allows you to test your settings to ensure that GoCanvas is able to communicate with your server, and authenticate users against it. To test, enter the DN or Active Directory User Principal Name (UPN) of a user that exists in your directory along with their password, and hit the "Test" button.
GoCanvas will attempt to authenticate those credentials using the settings you provided. If all goes well, you'll see a message near the bottom of the form indicating success. If something isn't quite right, you'll see a message there that may be helpful in understanding what went wrong. Note: If you provide an Active Directory UPN here, it must match the "mail" attribute of the corresponding user, or authentication will fail. When in doubt, use a complete DN here.
Once you've got things working, go ahead and save your settings. Note: The credentials you provided in the test area of the form are not saved.
You can add your LDAP or Active Directory users to GoCanvas by visiting Home>Account>Add Users. You can choose to add users one by one, or you can add multiple user seats at once and then populate them with your users by clicking the "Fill Seat" button for any empty seat.
In either case, if you have LDAP configured within your account, the form will choose the "Use LDAP Authentication" checkbox for you by default, and will provide you with a field for their DN or Active Directory UPN. If you wish to set up any particular user to *not* use LDAP for authentication, unchecking this box will present you with options for setting the user's password directly within GoCanvas.
As the field name implies, you can use a Distinguished Name or an Active Directory User Principal Name here. Even easier, if it happens that your users' Active Directory UPN and "mail" attributes match within your directory, you can leave this field blank. When the user attempts to authenticate, GoCanvas will try to authenticate them using their email address as their UPN.
Disabling a user within your authentication server will not disable their GoCanvas account, but it will prevent them from logging in. Note that already authenticated users will remain authenticated on the web, but will be unable to log in or sync via the GoCanvas mobile application. If it's important that their access to GoCanvas be revoked immediately, disable the user on the website by visiting Home>Account>Users and clicking the "Disable" link for that user.
Editing a User's Settings
At any time you may change a user's DN or UPN, or turn off LDAP authentication for their GoCanvas account, by visiting Home>Account>Users, clicking on the user's name, and then clicking "Edit LDAP Settings."
Ordinarily GoCanvas provides a user who has forgotten his or her password a means by which to reset it. There's a "Forgot Password?" link underneath the login form that allows the user to have a link sent to them by which they can recover their account. However, when a user is configured to authenticate to an external server, GoCanvas is unable to provide this service. Instead, when a user visits the "Forgot Password" form and enters their email address, GoCanvas detects that they are an LDAP user and prompts them to seek help from their company IT department or help desk.
How It Works
GoCanvas uses a "double bind" method of authenticating your users to your LDAP server. This lets customers who permit anonymous binding to their servers continue to do so without compromising the security of their account. When a user attempts to authenticate, GoCanvas looks up the authentication server settings you configured and determines the user's Distinguished Name or User Principal Name (using their email address as the latter if nothing else is set in that field). GoCanvas then binds to the LDAP server using that DN or UPN along with the password the user provided. If that bind succeeds, GoCanvas searches within the base DN you've configured, either by the "mail" attribute (if a UPN was used) or by the given DN. If a match is found, GoCanvas binds to the LDAP server again using the newly discovered DN (which often, but not always, matches the DN we started with) and the password the user provided. If this second bind succeeds, GoCanvas considers the user authenticated and allows them access. If either bind fails, the user is denied access.
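The double-bind flow above, written out as an added illustration (this is not GoCanvas's own code). It assumes a hypothetical in-memory FakeDirectory standing in for a real LDAP server, and a constructed sample directory in which one user's UPN matches their "mail" attribute and another's does not, so you can see why the UPN-versus-mail note earlier on this page matters. It also refuses an empty password before the first bind, since many LDAP servers treat an empty-password bind as an anonymous bind that "succeeds".

```python
from dataclasses import dataclass, field


@dataclass
class FakeDirectory:
    """Hypothetical stand-in for an LDAP server: maps DN -> attributes."""
    base_dn: str
    entries: dict = field(default_factory=dict)

    def bind(self, name, password):
        # A real server accepts a full DN, and Active Directory also accepts a UPN.
        for dn, attrs in self.entries.items():
            if name.lower() in (dn.lower(), attrs.get("userPrincipalName", "").lower()):
                return attrs["password"] == password
        return False

    def search(self, base_dn, mail=None, dn=None):
        # Return DNs under base_dn matching the mail attribute, or exactly the given DN.
        hits = []
        for entry_dn, attrs in self.entries.items():
            if not entry_dn.lower().endswith(base_dn.lower()):
                continue
            if mail is not None and attrs.get("mail", "").lower() == mail.lower():
                hits.append(entry_dn)
            elif dn is not None and entry_dn.lower() == dn.lower():
                hits.append(entry_dn)
        return hits


def authenticate(directory, email, password, configured_name=None):
    """Double bind: bind as the user, search for their entry, bind again with the found DN."""
    name = configured_name or email          # email doubles as the UPN when nothing is configured
    if not password or not directory.bind(name, password):
        return False                          # empty password or first bind failed
    is_dn = "=" in name                       # assumption: a DN contains attribute=value pairs
    if is_dn:
        hits = directory.search(directory.base_dn, dn=name)
    else:
        hits = directory.search(directory.base_dn, mail=name)
    if len(hits) != 1:
        return False                          # no (or ambiguous) match, e.g. UPN != mail attribute
    return directory.bind(hits[0], password)  # second bind with the newly discovered DN


# Constructed sample directory (not real accounts).
SAMPLE = FakeDirectory("DC=example,DC=com", {
    "CN=Alice,OU=Staff,DC=example,DC=com":
        {"userPrincipalName": "alice@example.com", "mail": "alice@example.com", "password": "pw-alice"},
    "CN=Bob,OU=Staff,DC=example,DC=com":
        {"userPrincipalName": "bob@example.com", "mail": "robert@example.com", "password": "pw-bob"},
})
```

Bob's login by email fails even with the right password because the search by "mail" finds nothing; configuring his full DN instead makes the second bind succeed.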