
You can integrate IMS password authentication with external systems by purchasing the Authentication Module.

Intended audience

This guide is primarily aimed at IT teams, but a simplified version aimed at non-technical IMS users can be found here. It is strongly recommended that IT teams pass the link on to the administrators of the IMS software before external authentication is deployed, to ensure that a number of concepts are understood ahead of time.

Available schemes

Active Directory LDAP integration requires that your IMS system is hosted on your own network i.e. you have a self-hosted Enterprise Edition. AD FS does not require that you host your own server and is possible on our Premium and Enterprise (customer or Third Light hosted) packages.

Additionally, OpenID can be used with an IMS system hosted on Third Light's or your own network i.e. you have either the IMS Premium or Enterprise package.

Third Light provide a SAML2 or LDAP interface to allow you to integrate with identity provider services, but please be aware that we don't have specific installation instructions for all the different identity services on the market. Examples are linked above; if your service is not on the list you may find that the instructions for Windows Server or Shibboleth provide a general guide to the process, but you must adjust this to the specific implementation of your own identity provider service.

Third Light do not provide support for the configuration of third party software.

Planning ahead

Notes for IMS administrators - Please be aware that use of external authentication effectively 'outsources' many aspects of user account management from the IMS system to systems controlled by your IT department. You will need to liaise with them in situations where you want to control which IMS groups externally authenticated users are placed in and also when your system is first configured to make use of external authentication.

Notes for IT Staff - Please communicate with administrators of the IMS system when you set up external authentication, as decisions may need to be made on what should be done with existing internally authenticated users and on setting up IMS-group-to-external-group mappings. Ongoing communication may be needed when the IMS administrator needs to create new user accounts.


Internally authenticated user accounts are controlled by the IMS system itself, and the IMS administrator has control over account creation, password resets and group assignment.

Externally authenticated user accounts are controlled by the external system (e.g. Active Directory); your IT department has control over account creation and password resets, and can influence which IMS group a user account appears in.


Administrators and IT departments need to be jointly aware of the following when external authentication is in use:

  1. Users may need to use a different upload mechanism. The IMS application is capable of using external authentication mechanisms but other tools are not. Please consider this compatibility table when changing authentication schemes.

     Scheme                     | Browser Uploader | Desktop Uploader | FTP Uploads | Adobe Bridge Plugin | Adobe Lightroom Plugin | iOS App
     LDAP (Active Directory)    | Yes              | Yes              | No          | Yes                 | No                     | Yes
     SAML2 (AD FS, Shibboleth)  | Yes              | No               | No          | No                  | No                     | No
     OpenID                     | Yes              | No               | No          | No                  | No                     | No
  2. When a user logs in via external authentication for the first time, a new user account is created inside IMS. This will not replace or convert any existing internally authenticated account the user may already possess. Decide whether you want to delete or convert your existing internally authenticated accounts to use external authentication prior to the first externally authenticated login.

    Failure to do so may lead to the creation of duplicate accounts.
    Please also read the entries in our FAQ before proceeding to avoid common mistakes that may be hard to rectify afterwards.
  3. If you wish to automatically place your externally authenticated users into an IMS group, you will need to ensure two things:

    a) Your IT team have placed externally authenticated users into groups defined on the external authentication system.

    b) The IMS administrator has set up a mapping between the groups in a) and your IMS groups, e.g. from Configuration > System Administration [LDAP/SAML2] > Group Bindings

  4. It is recommended that administrators keep at least one internal account so that they can still access the IMS system should there be a problem with the external authentication service. Make a note of the credentials of this account so that you won't lose access to IMS should the external authentication service stop working or its configuration change. An internal account will also give an administrator more upload options, e.g. the Desktop Uploader.

  5. Externally authenticated accounts are represented by one of the following icons on the Users > Users & Groups page:

    LDAP (AD) / SAML2 (AD FS or Shibboleth)
    OpenID
    API
  6. You may want to consider changing the login screen temporarily to warn the existing users not to use the external authentication box while IT are testing logins of external accounts e.g. by changing the translation strings for the libraryhome.tpl template.
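The checks in points 2 to 4 above (existing internal accounts that a first external login would duplicate, which IMS group each external user would land in via group bindings, and whether an internal fallback account remains) can be rehearsed before the switch-over. The script below is an added, illustrative example and not IMS code; it does not call any IMS or directory API. The account records, directory users and group-binding table are constructed sample data standing in for exports from your own IMS library and identity provider, and the field names are assumptions.

```python
"""Pre-deployment audit for moving an IMS library to external authentication.

Illustrative code added to this guide; it is not part of IMS and talks to no
IMS, LDAP or SAML API. All data below is constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class ImsAccount:
    username: str
    email: str
    auth: str                     # "internal" or "external" (assumed label, not an IMS field)
    groups: set = field(default_factory=set)


@dataclass
class DirectoryUser:
    username: str                 # login name as presented by the external system
    email: str
    groups: set                   # groups defined on the external system (e.g. AD)


def plan_first_logins(ims_accounts, directory_users, group_bindings):
    """Predict the effect of each directory user's first external login.

    Mirrors the behaviour described in the guide: a first external login
    creates a NEW IMS account (it never converts an internal one), and the
    new account is placed in IMS groups only via external->IMS group bindings.
    """
    internal = [a for a in ims_accounts if a.auth == "internal"]
    by_username = {a.username.lower(): a for a in internal}
    by_email = {a.email.lower(): a for a in internal}

    duplicates, placements, unmapped = [], {}, []
    for user in directory_users:
        # Point 2: an internal account with the same login or e-mail would be
        # left in place and a second, external account created beside it.
        existing = by_username.get(user.username.lower()) or by_email.get(user.email.lower())
        if existing is not None:
            duplicates.append((user.username, existing.username))

        # Point 3: only external groups with a binding place the user anywhere.
        ims_groups = {group_bindings[g] for g in user.groups if g in group_bindings}
        placements[user.username] = ims_groups
        if not ims_groups:
            unmapped.append(user.username)

    # Point 4: at least one internal administrator should survive the change.
    admin_fallback = any("Administrators" in a.groups for a in internal)

    return {
        "duplicates": duplicates,
        "placements": placements,
        "unmapped": unmapped,
        "admin_fallback": admin_fallback,
    }


def audit_sample():
    """Run the audit over constructed sample data and return the report."""
    ims_accounts = [
        ImsAccount("admin", "admin@example.com", "internal", {"Administrators"}),
        ImsAccount("jsmith", "j.smith@example.com", "internal", {"Marketing"}),
        ImsAccount("rlee", "r.lee@example.com", "internal", {"Marketing"}),
    ]
    directory_users = [
        DirectoryUser("jsmith", "j.smith@example.com", {"CN=Marketing"}),
        DirectoryUser("rachel.lee", "r.lee@example.com", {"CN=Marketing", "CN=Design"}),
        DirectoryUser("tnguyen", "t.nguyen@example.com", {"CN=Finance"}),
    ]
    # External group -> IMS group, as an administrator would enter under Group Bindings.
    group_bindings = {"CN=Marketing": "Marketing", "CN=Design": "Designers"}
    return plan_first_logins(ims_accounts, directory_users, group_bindings)


if __name__ == "__main__":
    report = audit_sample()
    for ext_user, int_user in report["duplicates"]:
        print(f"DUPLICATE: external '{ext_user}' would sit beside internal '{int_user}'")
    for ext_user in report["unmapped"]:
        print(f"UNMAPPED: '{ext_user}' has no group binding and would land in no IMS group")
    for ext_user, groups in report["placements"].items():
        print(f"{ext_user}: {sorted(groups) or '(no group)'}")
    print("internal admin fallback present:", report["admin_fallback"])
```

The report flags rachel.lee as a duplicate even though her directory login differs from the internal username, because the e-mail address matches; that is the case most likely to be missed when deciding which internal accounts to delete or convert beforehand. Users listed as unmapped will still be able to log in but will belong to no IMS group until a binding is added.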


User Logins

Login boxes are presented differently when SAML-based authentication is in use.

Internal authentication, LDAP (e.g. AD) or OpenID | SAML2 (AD FS, Shibboleth) (login screen screenshots not reproduced)
