An On-Premise Communifire installation supports Active Directory integration for single-sign-on (SSO). After integration, users can log into your intranet without having to register for an account, and their data will be automatically imported. Your intranet will use Windows Authentication to verify users — no login required.
This page covers information about Active Directory SSO, walks you through how to configure Active Directory SSO on your intranet, and provides solutions to common issues. For more information or assistance from the Axero team, submit a private case.
On visiting your intranet, users are prompted by the browser (Internet Explorer, Chrome or Firefox) for their Windows username and password unless automatic login has been configured.
Note: To enable automatic login in Chrome and Firefox, Internet Explorer must be configured to pass credentials via group policy. Chrome honors the Windows Internet Settings (Local intranet zone and its logon policy) that this group policy sets. See the setup guide below for how to configure automatic login in Windows.
Session expiration
By default, the session expires 30 days after the date of login. You can control when the session expires with System Properties > FormsAuthPersistentCookieTimeOutInMinutes; the default value is 43200 minutes, which is 30 days.
When MakePermanentCookieForThirdPartyLogin is set to true, a persistent cookie is generated for the user that expires after FormsAuthPersistentCookieTimeOutInMinutes. When MakePermanentCookieForThirdPartyLogin is set to false, a session cookie is issued instead and the user is logged out when the browser is closed. A shorter timeout limits how long a stolen or left-behind cookie remains usable.
Note: Automatic login is not supported on Mac.
Users must use their Active Directory username and password to log into the app. The username must be entered as DOMAIN\username, where DOMAIN is the Active Directory domain name.
A user is created in Communifire when the user logs in for the first time. You can add users to Communifire before they log in using the methods below.
Bulk import users
Pre-populate users before Active Directory setup or launch with Bulk Import Users. The Communifire usernames you create must match the usernames in Active Directory. Note that the domain prefix (DOMAIN\username) is dropped when a user is created in Communifire; only the username is stored.
Add users
Add users in Control Panel > People > Manage People > Add User. The Communifire username you create must match the username in Active Directory.
REST API
You can use our REST API to import users.
Adding Communifire administrator accounts
If Communifire administrator accounts are created before Active Directory is set up and the Communifire usernames match Active Directory usernames, the administrator accounts will sync with the corresponding Active Directory accounts. If not, you will need to re-configure permissions for the admin Active Directory accounts and remove the previous Communifire administrator accounts.
Groups in Active Directory are imported to Communifire as top level Roles and assigned to users. You can use User Space Assignment Rules to automatically add users to spaces based on their roles. When a user is added to or removed from an Active Directory group, their Communifire roles are updated.
See the Configure Group Import section in the setup guide below for how to import Active Directory groups as Communifire roles.
Any data can be imported from Active Directory, as long as there are corresponding User Profile Fields in Communifire. Attribute mappings must be added to Control Panel > System > Sync Active Directory Data > Mapping. Enter the outgoing claim type as the property name in Communifire. See the table below for common fields to import.
You can also use the REST API to import user data.
Profile pictures
You can prevent Active Directory profile pictures from being imported to Communifire to allow users to change their Communifire profile picture. Set System Properties > ADSyncProfilePicture to false.
Active Directory user data is imported when the user first logs in. After that, user data is synced every 120 minutes by default. You can set the sync interval by editing ActiveDirectorySyncManagerInterval in System Properties. You can sync data immediately at any time in Control Panel > System > Sync Active Directory Data > Sync Now.
When a user is disabled in Active Directory, this information is not sent to Communifire: the disabled account can no longer authenticate against the domain, but its Communifire account stays active until you act on it. You can Delete User and delete their content or re-assign their content to another user or to the system anonymous user. You can also Ban User, which prevents the user from logging in but retains their content.
By default, Communifire ships with FormsAuthentication for user authentication and authorization. In order to use Windows Authentication instead of FormsAuthentication, follow the guide below.
Client-side setup is estimated to take 1-2 hours and Axero team setup is estimated to take 1-2 hours. The time to set up SSO can vary based on how long it takes to set up internal systems and to provide the Axero team with required information. The total time for setting up SSO may take up to 1-2 business days.
Once you complete the guide, Active Directory SSO will be active on your intranet. If you run into any issues, submit a case here for assistance.
<modules runAllManagedModulesForAllRequests="true">
<remove name="WindowsAuthentication" />
<configuration>
  ...
  <system.web>
    ...
    <authentication mode="Windows" />
    <authorization>
      <deny users="?"/>
    </authorization>
    ...
  </system.web>
  ...
</configuration>
Follow the steps below to enable the Export as PDF feature.
<!-- Set HttpAuthenticationUsername and HttpAuthenticationPassword to the app pool user so that
     the PDF converter can pass those credentials when it fetches the page; otherwise images and
     CSS will be missing from the generated PDF. Double-check the username/password, since a wrong
     value produces the same missing images and CSS. -->
<add key="HttpAuthenticationUsername" value="my.domain.com\Communifire"/>
<add key="HttpAuthenticationPassword" value="@bcd1234"/>
Note: The value shown is a placeholder; use the real application pool account and a strong password. The password is stored in clear text in web.config, so restrict read access to that file to administrators and the application pool identity, and consider encrypting the appSettings section with aspnet_regiis -pef "appSettings" <physical path of the application> so the key is not readable on disk.
In IIS:
This section provides instructions for configuring folder permissions in Windows to enable certain Communifire features and functions.
Configure folder permissions to enable file upload
Configure folder permissions to enable the export as PDF feature
You can configure AD SSO to import organizational units as Roles in Communifire when users login.
Get the distinguishedNames of the organizational units to import as roles
Update WindowsADSettings.config
In WindowsADSettings.config, find the following line:
<add key="RoleGroupsContainer" value=""/>
For value, enter a pipe-separated list of the distinguishedNames of the organizational units.
Example:
<add key="RoleGroupsContainer" value="OU=Developer,OU=CommunifireTeam,DC=adqa,DC=communifire,DC=com|OU=QA,OU=CommunifireTeam,DC=adqa,DC=communifire,DC=com"/>
Open Communifire:
You can initiate a manual sync in Sync Active Directory Data.
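The following is an added example and not a script from Axero or the Communifire product. It collects the distinguishedNames of the organizational units to import as roles and writes them, pipe-separated, into the RoleGroupsContainer key of WindowsADSettings.config. It assumes the ActiveDirectory RSAT module is installed, that the OUs are the direct children of a parent OU (OU=CommunifireTeam,DC=adqa,DC=communifire,DC=com, taken from the example above), and that the config file lives at C:\inetpub\Communifire\WindowsADSettings.config; adjust both values for your environment.

```powershell
# Added example (not Axero's code): build the RoleGroupsContainer value from
# the distinguishedNames of the OUs to import as Communifire roles.
Import-Module ActiveDirectory

$ConfigPath = 'C:\inetpub\Communifire\WindowsADSettings.config'    # assumed path
$ParentOu   = 'OU=CommunifireTeam,DC=adqa,DC=communifire,DC=com'   # assumed parent OU

# 1. Collect the DNs of the child OUs (OneLevel = direct children only, no recursion).
$ouDns = Get-ADOrganizationalUnit -Filter * -SearchBase $ParentOu -SearchScope OneLevel |
         Select-Object -ExpandProperty DistinguishedName |
         Sort-Object

if (-not $ouDns) { throw "No organizational units found under $ParentOu" }

# A DN containing '|' would be split by the pipe-separated list; refuse rather than
# silently write a value that imports the wrong containers.
$bad = $ouDns | Where-Object { $_ -like '*|*' }
if ($bad) { throw "OU distinguishedName contains '|': $bad" }

$value = $ouDns -join '|'
Write-Host "RoleGroupsContainer = $value"

# 2. Update <add key="RoleGroupsContainer" value="..."/> in place, keeping a backup
#    so the previous role configuration can be restored.
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
[xml]$cfg = Get-Content -Path $ConfigPath -Raw
$node = $cfg.SelectSingleNode("//add[@key='RoleGroupsContainer']")
if (-not $node) { throw "RoleGroupsContainer key not found in $ConfigPath" }
$node.SetAttribute('value', $value)
$cfg.Save($ConfigPath)
```

Run it on a domain-joined machine with rights to read the OU tree and write to the Communifire web root, then trigger Sync Now in Sync Active Directory Data. Only OUs actually listed in the value become roles, so review the printed list before the sync: every OU you include grants its members a Communifire role, and any User Space Assignment Rules bound to that role.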
Windows Internet Settings must be configured in order for a user to log in automatically based on server credentials. Follow the instructions below to configure automatic login.
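The following is an added example, not part of the Axero guide, showing the per-user registry values behind the Windows Internet Settings that automatic login depends on. In a domain these values are normally delivered by Group Policy (Site to Zone Assignment List and the Local intranet zone logon policy); the script writes the same values under HKCU for a single workstation, which is useful for testing before the policy is rolled out. It assumes the intranet is reached as https://intranet.corp.example; change the host, domain and label for your site.

```powershell
# Added example (not from the Axero guide): map the intranet host to the Local
# intranet zone and restrict automatic logon to that zone, for the current user.
$HostName = 'intranet.corp.example'   # assumed intranet host
$Domain   = 'corp.example'            # DNS domain part of the host
$Label    = 'intranet'                # host part of the host

$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# 1. ZoneMap\Domains\<domain>\<host> with a value named after the scheme and
#    DWORD data 1 puts https://<host>.<domain> into zone 1 (Local intranet).
$domKey  = Join-Path $zoneMap $Domain
$hostKey = Join-Path $domKey $Label
foreach ($k in $domKey, $hostKey) {
    if (-not (Test-Path $k)) { New-Item -Path $k | Out-Null }
}
New-ItemProperty -Path $hostKey -Name 'https' -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Logon policy for zone 1, value name 1A00:
#    0x00000000 automatic logon with current user name and password
#    0x00010000 prompt for user name and password
#    0x00020000 automatic logon only in Intranet zone
#    0x00030000 anonymous logon
#    0x00020000 is the least exposure: Windows credentials are only offered to
#    sites that are explicitly in the intranet zone, never to internet sites.
New-ItemProperty -Path (Join-Path $zones '1') -Name '1A00' -PropertyType DWord -Value 0x00020000 -Force | Out-Null

# 3. Report what is now configured for the host.
[pscustomobject]@{
    Host        = "https://$HostName"
    ZoneMapped  = (Get-ItemProperty -Path $hostKey -Name 'https').https -eq 1
    LogonPolicy = '0x{0:X8}' -f (Get-ItemProperty -Path (Join-Path $zones '1') -Name '1A00').'1A00'
}
```

Chrome reads the same Internet Settings, so it picks up the mapping without further configuration. Firefox keeps its own list: the host must be added to network.negotiate-auth.trusted-uris (Kerberos) and network.automatic-ntlm-auth.trusted-uris (NTLM) in about:config or via enterprise policy. Keep the zone assignment to the exact intranet host names; a wildcard that also matches internet-facing names would hand Windows credentials to any site matching it.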
This section covers adding a custom user in the domain controller, setting the user as the Communifire application pool identity in IIS, giving permissions to the user for several folders, updating properties for the media server folders, making web config changes, and updating modes.
Adding a custom user in domain controller
Setting the communifirewebfarm user as the Communifire application pool identity in IIS
<domainname>\<username>
Purpose: A common user must be set as the application pool identity in every Communifire application in IIS on all the servers in the web farm. Say you have two servers, WebServer 1 and WebServer 2, and Communifire is deployed on both. The Communifire application on both servers, WebServer 1 and WebServer 2, should then have the <domain>\communifirewebfarm user set as the application pool identity in IIS.
Giving Read permission to the communifirewebfarm user at the root of the Communifire application
Giving Read permission to Domain Users (<Domain>\ Domain Users) at the root of the Communifire application
<Domain>\ Domain Users
Purpose: Because the application uses Windows Authentication and Anonymous Authentication is off, users logged in to Communifire need Read access to the various static files, photos, script files and so on. IIS serves the GET requests for those files under the identity of the authenticated user, so the "<Domain>\Domain Users" group must have Read permission over the entire application. Grant Read only: any Write or Modify right given to Domain Users here would let every domain account change files in the web root.
Giving Write permissions to the communifirewebfarm user for the four media server folders (Uploaded-CMS-Files, Uploaded-Files, Uploaded-Photos, and Uploaded-Videos)
Repeat steps 2-6 for the other three media server folders (Uploaded-Files, Uploaded-Photos and Uploaded-Videos), and check the Write permission.
Purpose: The Modify and Write permissions are necessary for the communifirewebfarm user because the application will write files over those four folders on various operations like Image Upload, File Upload, Video Upload, and will delete files, videos, and photos on various actions.
Giving Write permission to the communifirewebfarm user for Assets/CF-Utilities folder
Give the Write permission to the communifirewebfarm user for the Assets/CF-Utilities folder in the same way as the section above.
Purpose: The Assets/CF-Utilities folder needs the Modify permission because the Lucene dictionary search suggestion feature in Communifire needs to write over that folder.
Giving Read and Read & Execute permissions to the bin\HiQPDF.dep file
Purpose: The Read and Read & Execute permissions are needed so that users can export content to PDF. The account running the HiQPdf HTML to PDF Converter (the application pool identity) must have Execute permission on the HiQPdf.dep file. http://www.hiqpdf.com/FAQs.aspx
Setting the value of "authenticatedUserOverride" property to "UseWorkerProcessUser" for all the four media server folders (Uploaded-CMS-Files, Uploaded-Files, Uploaded-Photos and Uploaded-Videos)
Repeat the steps above for the rest of the three media server folders (Uploaded-Files, Uploaded-Photos, and Uploaded-Videos).
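The following is an added example and not a script supplied by Axero. It applies the account, permission and IIS settings described in this section on one web server, so that every farm node ends up with the same configuration. It assumes a site and application pool both named Communifire, the web root C:\inetpub\Communifire, the domain CORP, and that the four media folders are physical folders under Assets (if they are virtual directories pointing at a media server, pass their physical paths to the ACL step instead). Run it from an elevated PowerShell on each server; the account password is prompted for rather than stored in the script.

```powershell
# Added example (not Axero's script): web-farm account, ACLs and IIS settings for one node.
Import-Module WebAdministration

$Domain   = 'CORP'                                   # assumed domain
$Account  = "$Domain\communifirewebfarm"
$SiteName = 'Communifire'                            # assumed IIS site name
$PoolName = 'Communifire'                            # assumed application pool name
$Root     = 'C:\inetpub\Communifire'                 # assumed web root
$Cred     = Get-Credential -UserName $Account -Message 'Password for communifirewebfarm'

function Grant-Acl([string]$Path, [string]$Spec) {
    # icacls grant spec: (OI)(CI) inherit to files and subfolders; R read, M modify, RX read & execute
    icacls $Path /grant $Spec | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on '$Path' for '$Spec'" }
}

# 1. Run the application pool as the shared domain account (identityType 3 = SpecificUser).
Set-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel -Value @{
    identityType = 3
    userName     = $Account
    password     = $Cred.GetNetworkCredential().Password
}

# 2. Read only, for the pool account and for Domain Users, over the whole application.
Grant-Acl $Root "${Account}:(OI)(CI)R"
Grant-Acl $Root "${Domain}\Domain Users:(OI)(CI)R"

# 3. Modify for the pool account only on the folders the application writes to.
$writable = 'Assets\Uploaded-CMS-Files', 'Assets\Uploaded-Files',
            'Assets\Uploaded-Photos',    'Assets\Uploaded-Videos',
            'Assets\CF-Utilities'
foreach ($rel in $writable) { Grant-Acl (Join-Path $Root $rel) "${Account}:(OI)(CI)M" }

# 4. Read & Execute on the PDF converter's native helper, nothing else in bin.
Grant-Acl (Join-Path $Root 'bin\HiQPdf.dep') "${Account}:RX"

# 5. Serve the four media folders as the worker process instead of the logged-in user.
#    Written as <location> entries in applicationHost.config, so no web.config unlock is needed.
foreach ($rel in 'Uploaded-CMS-Files', 'Uploaded-Files', 'Uploaded-Photos', 'Uploaded-Videos') {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location "$SiteName/Assets/$rel" `
        -Filter 'system.webServer/serverRuntime' `
        -Name 'authenticatedUserOverride' -Value 'UseWorkerProcessUser'
}

# 6. Verify the two settings that most often go wrong.
$pool = Get-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel
"App pool identity: $($pool.userName)"
"Domain Users ACE on root: " + ((icacls $Root | Select-String 'Domain Users') -join '; ')
```

Step 5 is what keeps the Domain Users grant narrow: once the media folders are read under the worker process identity, no user-level rights are needed there, and the uploaded content is still only writable by the communifirewebfarm account. Because this account is the one identity shared across every farm node, treat its password like any other service credential (long, rotated, not reused for interactive logon).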
Web config changes
Setting "Authentication" mode to "Windows":
<authentication mode="Windows" />
<authorization>
  <deny users="?" />
</authorization>
Adding machine key:
<machineKey validationKey="9A18701973D521FD800088F461DF740E20698D264A7375094434C1B82012253B67324D96560518B769F2E50560C8804710EF606C7EEEE83C837C94DC4887E9C8"
            decryptionKey="DFA2EED3F3C215F976F4E16FCFF5CB418FF4FEF4042C9711"
            validation="SHA1" />
Do not copy the key shown above; generate your own machine key. Use the same key on every server in the web farm, otherwise an authentication cookie or view state issued by one node is rejected by another. Prefer validation="HMACSHA256" with decryption="AES" over the SHA1 shown here, and keep the key out of source control and copied documents, since anyone holding it can forge authentication tickets for the site.
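The following is an added example, not code from Axero, for generating a fresh machineKey element with a cryptographically random generator. It produces a 64-byte validation key for HMACSHA256 and a 32-byte decryption key for AES-256, which are the sizes ASP.NET expects for those algorithms, and prints the element to paste into web.config on every farm node.

```powershell
# Added example (not Axero's code): generate a <machineKey> element with random keys.
function New-MachineKeyElement {
    param(
        [int]$ValidationBytes = 64,   # HMACSHA256 validation key: 64 bytes = 128 hex chars
        [int]$DecryptionBytes = 32    # AES decryption key: 32 bytes = AES-256
    )
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $validation = New-Object byte[] $ValidationBytes
        $decryption = New-Object byte[] $DecryptionBytes
        $rng.GetBytes($validation)
        $rng.GetBytes($decryption)
    } finally {
        $rng.Dispose()
    }
    # Upper-case hex without separators, which is the format machineKey expects.
    $hex = { param([byte[]]$b) ([System.BitConverter]::ToString($b)) -replace '-', '' }
    '<machineKey validationKey="{0}" decryptionKey="{1}" validation="HMACSHA256" decryption="AES" />' -f (& $hex $validation), (& $hex $decryption)
}

# Run once, then paste the single printed line into <system.web> on every server.
New-MachineKeyElement
```

Generate the element once and distribute it to the other nodes over an administrative channel; running the function separately on each server would give every node a different key and break cross-node authentication.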
Setting RAMMFAR (runAllManagedModulesForAllRequests) to true:
Issue: The login prompt keeps reappearing even though the correct credentials are entered.
Fix: https://stackoverflow.com/questions/18107044/401-unauthorized-error-web-api-mvc-windows-authentication/24333926#24333926
Issue: You cannot log in to the Windows-protected site when browsing it on the server itself (see https://serverfault.com/questions/485006/why-cant-i-log-in-to-a-windows-protected-iis-7-5-directory-on-the-server).
Fix: Disable the loopback check. Prefer listing the site's host names in HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\BackConnectionHostNames (REG_MULTI_SZ) over setting HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableLoopbackCheck to 1; the first exempts only the named hosts, the second turns the reflection protection off for every name on the server.
Issue: Users are able to login via Active Directory using Chrome and Firefox, but not Internet Explorer.
Fix: Make sure that the SPN is configured properly for your ADFS service account. A service principal name (SPN) is a name that uniquely identifies an instance of a service, and there must be an SPN registered for the service account. To verify this, run setspn -L <DOMAIN\service account> on a domain-joined machine and confirm that an HTTP/<intranet host FQDN> entry is listed; if it is missing, register it with setspn -S HTTP/<intranet host FQDN> <DOMAIN\service account>, which also checks that the SPN is not already registered to another account (a duplicate SPN causes the same failure).
Issue: Login modal coming on uploading files
Fix: Disable Anonymous Authentication for the site in IIS if it is enabled.
Issue: Images are missing on the site
Fix: In web.config, set the attribute in the line below to false.
<modules runAllManagedModulesForAllRequests="false">
This fix is for virtual directories in the Assets folder (Uploaded Photos, Uploaded CMS files, Uploaded Videos, Uploaded Files).