An On-Premise Axero installation supports Active Directory integration for single-sign-on (SSO). After integration, users can log into your intranet without having to register for an account, and their data will be automatically imported. Your intranet will use Windows Authentication to verify users — no login required.
This page covers information about Active Directory SSO, walks you through how to configure Active Directory SSO on your intranet, and provides solutions to common issues. For more information or assistance from the Axero team, submit a private case.
On visiting your intranet, users will be prompted to log in with their username and password.
Note: To enable automatic login in Chrome and Firefox, Internet Explorer must be configured to pass credentials via group policy. See the setup guide below for how to configure automatic login in Windows.
By default, the session expires 30 days from the date of log in. You can control when the session expires using System Properties > FormsAuthPersistentCookieTimeOutInMinutes. By default this value is set to 43200, which is 30 days.When the property MakePermanentCookieForThirdPartyLogin is set to true, a cookie is generated for the user that expires based on the value found in FormsAuthPersistentCookieTimeOutInMinutes. If MakePermanentCookieForThirdPartyLogin is set to false, the user will be logged out when the browser is closed.
Return to top
Note: Automatic login is not supported on Mac.
Users must use their Active Directory username and password to log into the app. The username must be entered as DOMAIN\username, where DOMAIN is the Active Directory domain name.
A user is created in Axero when the user logs in for the first time. You can add users to Axero before they log in using the methods below.
Bulk import users
Pre-populate users before Active Directory setup or launch with Bulk Import Users . The Axero usernames you create must match the usernames in Active Directory. Note that the domain (DOMAIN\username) is excluded when we create a user in Axero. Only the username is stored.
Add users in Control Panel > People > Manage People > Add User . The Axero username you create must match the username in Active Directory.
You can use our REST API to import users.
Adding Axero administrator accounts
If Axero administrator accounts are created before Active Directory is set up and the Axero usernames match Active Directory usernames, the administrator accounts will sync with the corresponding Active Directory accounts. If not, you will need to re-configure permissions for the admin Active Directory accounts and remove the previous Axero administrator accounts.
Groups in Active Directory are imported to Axero as top level Roles and assigned to users. You can use User Space Assignment Rules to automatically add users to spaces based on their roles. When a user is added to or removed from an Active Directory group, their Axero roles are updated.
See the Configure Group Import section in the setup guide below for how to import Active Directory groups as Axero roles.
Any data can be imported from Active Directory, as long as there are corresponding User Profile Fields in Axero. Attribute mappings must be added to Control Panel > System > Sync Active Directory Data > Mapping. Enter the outgoing claim type as the property name in Axero. See the table below for common fields to import.
You can also use the REST API to import user data.
You can prevent Active Directory profile pictures from being imported to Axero to allow users to change their Axero profile picture. Set System Properties > ADSyncProfilePicture to false.
Active Directory imports user data when the user first logs in. User data is synced every 120 minutes by default. You can set the sync interval by editing ActiveDirectorySyncManagerInterval in System Properties . You can sync data immediately at anytime in Control Panel > System > Sync Active Directory Data > Sync Now.
When a user is disabled in Active Directory, this information is not sent to Axero. You can Delete User and delete their content or re-assign their content to another user or to the system anonymous user. You can also Ban User , which will prevent the user from logging in, but will retain their content.
By default, Axero ships with FormsAuthentication for user authentication and authorization. In order to use Windows Authentication instead of FormsAuthentication, follow the guide below.
Client-side setup is estimated to take 1-2 hours and Axero team setup is estimated to take 1-2 hours. The time to set up SSO can vary based on how long it takes to set up internal systems and to provide the Axero team with required information. The total time for setting up SSO may take up to 1-2 business days.
Once you complete the guide, Active Directory SSO will be active on your intranet. If you run into any issues, submit a case here for assistance.
<remove name="WindowsAuthentication" />
<authentication mode="Windows" />
Follow the steps below to enable the Export as PDF feature.
<!-- Set HttpAuthenticationUsername,HttpAuthenticationPassword of app pool user so that pdf converter can pass those credentials
to gerneate pdf else, it will show missing images and css in pdf.
Double check the username/password, otherwise it will show missing images and css. -->
<add key="HttpAuthenticationUsername" value="my.domain.com\Communifire"/>
<add key="HttpAuthenticationPassword" value="@bcd1234"/>
This section provides instructions for configuring folder permissions in Windows to enable certain Axero features and functions.
Configure folder permissions to enable file upload
Configure folder permissions to enable the export as PDF feature
You can configure AD SSO to import organizational units as Roles in Axero when users login.
Get the distinguishedNames of the organizational units to import as roles
In WindowsADSettings.config, find the following line:
<add key="RoleGroupsContainer" value=""/>
For value, enter a pipe-separated list of the distinguishedNames of the organizational units.
<add key="RoleGroupsContainer" value="OU=Developer,OU=CommunifireTeam,DC=adqa,DC=communifire,DC=com|OU=QA,OU=CommunifireTeam,DC=adqa,DC=communifire,DC=com"/>
You can initiate a manual sync in Sync Active Directory Data.
Windows Internet Settings must be configured in order for a user to log in automatically based on server credentials. Follow the instructions below to configure automatic login.
This section covers adding a custom user in the domain controller, setting the user as the Axero application pool identity in IIS, giving permissions to the user for several folders, updating properties for the media server folders, making web config changes, and updating modes.
Adding a custom user in domain controller
Setting the communifirewebfarm user as the Axero application pool identity in IIS
Purpose: A common user must be set as the pool identity in each Axero application in IIS present on all the servers under webfarm. Let's say you have two servers: WebServer 1 and WebServer 2, and Axero is deployed on both the servers. In this case, the Axero application present on both the servers, WebSever 1 and WebSever 2, should have <domain/communifirewebfarm> user set as the application pool's identity in IIS.
Giving Read permission to the communifirewebfarm user at the root of the Axero application
Giving Read permission to Domain Users (<Domain>\ Domain Users) at the root of the Axero application
<Domain>\ Domain Users
Purpose: Since our application is Windows Authentication and the Anonymous authentication is off, the logged in users in Axero applications will need Read access of various files, photos, script files etc. The application will request the GET request of all those files under the identity of Authenticated user and therefore the "<Domain>\Domain Users" group must have Read permissions over the entire application.
Giving Write permissions to the communifirewebfarm user for the four media server folders (Uploaded-CMS-Files, Uploaded-Files, Uploaded-Photos, and Uploaded-Videos)
Repeat steps 2-6 for the other three media server folders (Uploaded-Files, Uploaded-Photos and Uploaded-Videos), and check the Write permission.
Purpose: The Modify and Write permissions are necessary for the communifirewebfarm user because the application will write files over those four folders on various operations like Image Upload, File Upload, Video Upload, and will delete files, videos, and photos on various actions.
Giving Write permission to the communifirewebfarm user for Assets/CF-Utilities folder
Give the Write permission to the communifirewebfarm user for the Assets/CF-Utilities folder in the same way as the section above.
Purpose: The Assets/CF-Utilities folder needs the Modify permission because the Lucene dictionary search suggestion feature in Axero needs to write over that folder.
Giving Read and Read and Execute permissions to bin\HiQPDF.dep file
Purpose: The Read and Read and execute permissions are needed so that users can export content to PDF. The user running the HiQPdf HTML to PDF Converter should have execute permission for the HiQPdf.dep file. http://www.hiqpdf.com/FAQs.aspx
Setting the value of "authenticatedUserOverride" property to "UseWorkerProcessUser" for all the four media server folders (Uploaded-CMS-Files, Uploaded-Files, Uploaded-Photos and Uploaded-Videos)
Repeat the steps above for the rest of the three media server folders (Uploaded-Files, Uploaded-Photos, and Uploaded-Videos).
Web config changesSetting "Authentication" mode to "Windows":
<authentication mode="Windows" />
<deny users="?" />
Adding machine key:
You need to generate your own machine key.
Seting RAMMFAR setting to true:
Issue: Login modal keeps on prompting despite adding the correct credentials.Fix: https://stackoverflow.com/questions/18107044/401-unauthorized-error-web-api-mvc-windows-authentication/24333926#24333926
Fix: Disable the loopback check
Issue: Users are able to login via Active Directory using Chrome and Firefox, but not Internet Explorer.
Fix: Make sure that the SPN is configured properly for your ADFS service account. A service principal name (SPN) is a name that uniquely identifies an instance of a service. There should be an SPN registered for your ADFS service account. To verify this, refer to the following instructions:
Issue: Login modal coming on uploading files
Fix: Disable "Anonymous ;Authentication" if enabled.
Issue: Images are missing on the site
Fix: In web.config, keep the value of the line below to false.
This fix is for virtual directories in the Assets folder (Uploaded Photos, Uploaded CMS files, Uploaded Videos, Uploaded Files).
Will this pull the profile photo and other information into the profile for each users?
In the next version that should be released in a few months, AD pulls photos. The other information we pull is located in the View FAQ section above under attributes.
Do you have a special code to make it happen now? Otherwise, is it possible to do a bulk import?
We don't have special code to do it now. You would have to use REST API: Add User Image to bulk import images.
Will the app ever be able to use AD credentials?
We do not have an ETA, but it is a very high priority. iOS didn't support ADFS(surprising, I know) until a few months ago which opens a new door for SSO integration.
A few of the admin users are getting prompted every time accessing the site. Is there a posting to help troubleshoot the configuration?
Check out View Setup Guide > Configure Automatic Login in Windows > Step 6. Make sure their browsers have the correct setting and they are logged in as the correct user.
I believe the saved password in the profile is conflicting with AD login. We have to update our password every 30 days.
AD authentication doesn't use the Communifire password. Communifire asks windows if the user is who they say they are, they send us a true or false message if they are the correct user.
I followed all the instruction from the following pages:
I am still getting prompted for username / password on Chrome and IE.
Can you please submit a private case and include screenshots of your ad settings in System Properties? Also include any details on recent changes or when/why this started happening.
is requesting access to a wiki that you have locked: https://my.axerosolutions.com/spaces/5/communifire-documentation/wiki/view/19950/active-directory-sso