You can integrate IMS password authentication with external systems by purchasing the Authentication Module.
This guide is primarily aimed at IT teams, but a simplified version aimed at non-technical IMS users can be found here. It is strongly recommended that IT teams pass the link on to the administrators of the IMS software before external authentication is deployed, to ensure that a number of concepts are understood ahead of time.
Third Light provide a SAML2 or LDAP interface to allow you to integrate with identity provider services, but please be aware that we don't have specific installation instructions for all the different identity services on the market. Examples are linked above; if your service is not on the list, you may find that the instructions for Windows Server or Shibboleth provide a general guide to the process, but you must adjust this to the specific implementation of your own identity provider service.
Third Light do not provide support for the configuration of third party software.
Notes for IMS administrators - Please be aware that use of external authentication effectively 'outsources' many aspects of user account management from the IMS system to systems controlled by your IT department. You will need to liaise with them in situations where you want to control which IMS groups externally authenticated users are placed in and also when your system is first configured to make use of external authentication.
Notes for IT Staff - Please communicate with administrators of the IMS system when you set up external authentication, as decisions may need to be made on what should be done with existing internally authenticated users and on setting up IMS-group-to-external-group mappings. Ongoing communication may be needed when the IMS administrator needs to create new user accounts.
Internally authenticated user accounts are controlled by the IMS system itself, and the IMS administrator has control over account creation, password resets and group assignment.
Externally authenticated user accounts are controlled by the external system (e.g. Active Directory); your IT department has control over account creation and password resets, and can influence which IMS groups a user account appears in.
Administrators and IT departments need to be jointly aware of the following when external authentication is in use:
Users may need to use a different upload mechanism. The IMS application is capable of using external authentication mechanisms but other tools are not. Please consider this compatibility table when changing authentication schemes.
| Authentication scheme | Browser Uploader | Desktop Uploader | FTP Uploads | Adobe Bridge Plugin | Adobe Lightroom Plugin | iOS App |
|---|---|---|---|---|---|---|
| LDAP (Active Directory) | Yes | Yes | No | Yes | No | Yes |
| SAML2 (AD FS, Shibboleth) | Yes | No | No | No | No | No |
When a user logs in via external authentication for the first time, a new user account is created inside IMS. This will not replace or convert any existing internally authenticated account the user may already possess. Decide whether you want to delete or convert your existing internally authenticated accounts to use external authentication prior to the first externally authenticated login.
If you wish to automatically place your externally authenticated users into an IMS group, you will need to ensure two things:
a) Your IT team have placed externally authenticated users into groups defined on the external authentication system.
b) The IMS administrator has set up a mapping between the groups in a) and your IMS groups, e.g. from Configuration > System Administration [LDAP/SAML2] > Group Bindings.
It is recommended that administrators keep at least one internal account so that they can still access the IMS system should there be a problem with the external authentication service. Make a note of the credentials of this account so that you won't lose access to IMS should the external authentication service stop working or its configuration be changed. An internal account will also give an administrator more upload options, e.g. the Desktop Uploader.
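The following Python model is an added illustration of the account behaviour described above; it is not IMS code and does not use any IMS API. The account key, the source names ("internal", "ldap", "saml2"), the class and method names, and the sample group names are all assumptions made for the illustration. It shows that a first external login creates a separate new account rather than converting an existing internal one, that IMS group membership of external users is derived only from the configured group bindings, and that a break-glass internal administrator account can be checked for.

```python
from dataclasses import dataclass, field

# Constructed model of the behaviour described in this guide (hypothetical names).
# An account is keyed by (username, source); source is "internal", "ldap" or "saml2".
# bindings maps an external group name to an IMS group name, mirroring what an
# administrator configures under Configuration > System Administration > Group Bindings.


@dataclass
class Account:
    username: str
    source: str                 # "internal", "ldap" or "saml2"
    groups: set = field(default_factory=set)
    is_admin: bool = False


class Directory:
    def __init__(self, bindings):
        self.bindings = dict(bindings)     # external group -> IMS group
        self.accounts = {}                 # (username, source) -> Account

    def add_internal(self, username, groups=(), is_admin=False):
        """An internally authenticated account, created by the IMS administrator."""
        acct = Account(username, "internal", set(groups), is_admin)
        self.accounts[(username, "internal")] = acct
        return acct

    def external_login(self, username, source, external_groups):
        """First external login creates a NEW account. It never replaces or
        converts an internal account that happens to share the username."""
        key = (username, source)
        acct = self.accounts.get(key)
        if acct is None:
            acct = Account(username, source)
            self.accounts[key] = acct
        # IMS groups come only from the bindings; external groups without a
        # binding are ignored, so an unbound user lands in no IMS group at all.
        acct.groups = {self.bindings[g] for g in external_groups if g in self.bindings}
        return acct

    def accounts_for(self, username):
        """All accounts sharing a username, across every authentication source."""
        return [a for a in self.accounts.values() if a.username == username]

    def internal_admins(self):
        """Break-glass check: at least one internal admin should remain so IMS
        stays reachable if the external identity service fails or is reconfigured."""
        return [a for a in self.accounts.values()
                if a.source == "internal" and a.is_admin]


# Constructed sample data for the walk-through.
MARKETING_DN = "CN=Marketing,OU=Groups,DC=example,DC=com"
SALES_DN = "CN=Sales,OU=Groups,DC=example,DC=com"        # deliberately unbound
ADMINS_DN = "CN=IMS-Admins,OU=Groups,DC=example,DC=com"


def build_sample_directory():
    d = Directory({MARKETING_DN: "Marketing", ADMINS_DN: "Administrators"})
    d.add_internal("alice", groups={"Marketing"})   # pre-existing internal account
    d.add_internal("breakglass", is_admin=True)     # the recommended fallback admin
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    ext = d.external_login("alice", "ldap", [MARKETING_DN, SALES_DN])
    print("alice now has", len(d.accounts_for("alice")), "accounts:",
          [(a.source, sorted(a.groups)) for a in d.accounts_for("alice")])
    print("internal admins:", [a.username for a in d.internal_admins()])
```

Running the script shows two "alice" accounts side by side, which is exactly the situation the guide asks you to decide about (delete or convert the internal account) before the first external login happens.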
Externally authenticated accounts are represented by one of the following icons on the Users > Users & Groups page:
Icons (images not reproduced here): LDAP (AD) / SAML2 (AD FS or Shibboleth); OpenID; API.
- You may want to consider changing the login screen temporarily to warn existing users not to use the external authentication box while IT are testing logins of external accounts, e.g. by changing the translation strings for the libraryhome.tpl template.
Login boxes will be presented differently when SAML based authentication is in use.
Login screen comparison (screenshots not reproduced here): left, internal authentication, LDAP (e.g. AD) or OpenID; right, SAML2 (AD FS, Shibboleth).