Overview
Note: The objective of this chapter is to show how to transfer Active Directory groups into the DNN website and how to restrict the AD login to users from specified AD groups.
Requirements
The following prerequisites are necessary to follow this guide:
- Valid Active Directory connection established in the AD-Pro Authentication module
- Administrator access to the DNN Platform
- Knowledge of your Active Directory group structure
- DNN roles defined or permission to create new ones
Getting Started
Before mapping roles, ensure you’ve configured a valid connection to Active Directory using the AD-Pro Authentication module. You'll also want to have clarity around which DNN roles align with your Active Directory groups.
How to Map AD Groups to DNN Roles and Control Access
5. Role mapping
The objective of this chapter is to show how to:
- Transfer Active Directory groups into the DNN website
- Restrict access to the AD login for users from specified AD groups
5.1. Overview
The ‘AD-Pro Authentication’ plugin can push Active Directory groups to the DNN website; in other words, an AD user can have the same groups as the corresponding DNN user. This significantly simplifies user management. For example, access to a DNN page can be restricted to specified AD groups, so group membership in Active Directory decides whether a user can reach that DNN page.
Additionally, the ‘AD-Pro Authentication’ plugin can allow sign-in only for users from specified Active Directory group(s). For example, only users who belong to the AD group ‘Students’ are able to sign in to the DNN website.
To work with the ‘Role mapping manager’, a valid connection to Active Directory needs to be set up first; see the relevant chapter for more info.
5.2. Transferring AD groups to DNN
‘AD-Pro Authentication’ can push AD groups to DNN. Note that this happens only during the sign-in process. When a group is transferred to DNN, the resulting role can have the same name as the AD group or, using the mapping, the AD group can be connected to any DNN role. It is even possible to connect one AD group to multiple DNN roles. Below are the configuration steps needed to transfer the AD group GroupTest1 to DNN.
- First sign in to DNN website as a ‘DNN Host’ or ‘DNN Administrator’.
- Go to page where ‘AD-Pro Authentication’ module is placed.
- Set DNN into ‘Edit’ mode, then go to ‘Module Options’, see figure below.
- Go to ‘Role Manager’ tab where Active Directory groups should be listed, see image below.
If the ‘Role Manager’ tab displays a message like “Can’t load Active Directory groups. The server is not operational”, DNN is unable to establish a connection with Active Directory and you need to adjust the connection settings, see image below.
- In the filter box enter the group name; this narrows the list of displayed groups, see image below.
- Set one or more corresponding DNN roles in the ‘DNN role mapping’ column, see image below.
- We want to set a mapping from AD group ‘GroupTest1’ to DNN role ‘GroupTest1’, but that role doesn’t exist in DNN yet. Click on the ‘Create it’ link to create ‘GroupTest1’ in DNN, see image below.
- Now we can set the mapping from AD group ‘GroupTest1’ to DNN role ‘GroupTest1’, see image below. Notice that the ‘Create it’ link no longer exists.
- Click on ‘Update role mapping’ to save the changes, see image below.
Task completed. An AD user who belongs to group ‘GroupTest1’ will now receive the DNN role ‘GroupTest1’; remember that this happens at the user’s next login, not immediately.
5.3. Allow logon for all Active Directory users
You can easily open access to the DNN website for all Active Directory users. All AD users are members of the group ‘Domain Users’ by default, so setting this group as an authorization group opens DNN to all users. Keep in mind that ‘Domain Users’ contains every user account in the domain, including service accounts; if only part of the organisation should reach the site, use a narrower group as described in the next section.
To do that, go to the ‘AD-Pro Authentication -> Module options -> Role Manager’ tab and, for the ‘Domain Users’ row, enable the checkbox in the ‘Authorization’ column. Now all AD users can sign in to DNN. See figure below for more details.
5.4. Restrict logons to a group of users
The ‘AD-Pro Authentication’ module lets you limit which Active Directory users are able to sign in to DNN. This is done in ‘Role Manager’ through the ‘Authorization Group’ column: only users who belong to at least one group ticked there are accepted. The steps below use the AD group ‘Domain Users’, to which all AD users are assigned by default, so the end result is that every AD user may sign in; to genuinely restrict logons, tick a narrower group (for example ‘Students’) instead of ‘Domain Users’ and follow the same steps.
At least one Active Directory group must be enabled in the ‘Authorization Group’ column; otherwise all AD users are rejected at logon. Note that this check is only performed while AD role synchronization is switched on (see section 5.6).
- First sign in to DNN website as a ‘DNN Host’ or ‘DNN Administrator’.
- Go to page where ‘AD-Pro Authentication’ module is placed.
- Set DNN into ‘Edit’ mode, then go to ‘Module Options’, see figure below.
- Go to ‘Role Manager’ tab where Active Directory groups should be listed, see image below.
- Find the ‘Domain Users’ group (to simplify, type ‘domain users’ into the filter box), then tick its ‘Authorization Group’ checkbox, see image below.
- Click on the ‘Update role mapping’ button to save the changes, see image below.
Task completed. Now all Active Directory users are able to sign in to the DNN website through the ‘AD-Pro Authentication’ plugin.
5.5. Revoking user from a role
“AD-Pro Authentication” unassigns a DNN user from a DNN role only if all of the following hold:
- the login process is happening,
- the corresponding AD user doesn’t belong to the specified AD group,
- the AD group has a mapping in “AD-Pro Authentication -> Role Manager”.
Consider the following scenario, where we have:
- Active Directory user: “AD\Bob”,
- Active Directory group “Role_1”,
- DNN user “Bob”,
- DNN role “Role_1”;
Now let’s say that:
- DNN user “Bob” was manually assigned to the DNN role “Role_1”,
- the corresponding AD user “AD\Bob” doesn’t belong to AD group “Role_1”,
- in “AD-Pro Authentication” under “Role Manager” the following mapping exists: if the AD user belongs to AD group “Role_1”, add the corresponding DNN user to role “Role_1”.
Now user “AD\Bob” tries to log in to DNN using the “AD-Pro Authentication” module, and during the login process DNN user “Bob” is removed from DNN role “Role_1”. This is because “Role_1” has a mapping in “Role Manager” and AD user “AD\Bob” doesn’t belong to AD group “Role_1”. In practice this means a mapped DNN role cannot be granted by hand: any manual assignment is undone at the user’s next AD login. Roles that have no mapping in “Role Manager” are left untouched.
5.6. Toggle switch On/Off role sync
In some circumstances, usually when Active Directory has thousands of groups, the sign-in procedure may become too slow. In that case it may be worth disabling AD role sync altogether.
To switch Active Directory role synchronization on or off, click the green button in the ‘Role Manager’ tab, see figure below.
Remember that when AD role synchronization is turned off, the module allows all Active Directory users to sign in to DNN: the ‘Authorization’ attribute of each AD group is not checked, and DNN roles are no longer added or revoked at login. Treat this switch as an access-control change, not only as a performance setting.
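The rules from sections 5.2 to 5.6 interact (mapping applied at login, fail-closed authorization, revocation of mapped roles only, and the sync switch bypassing the authorization check), and it is easy to mis-predict what a given user ends up with. The following Python model is an added example, not the module’s source code: it encodes the behaviour documented above so a combination of ‘Role Manager’ settings can be tried out offline before changing a live site. The class and function names, the case-insensitive group matching, and the rule that a role mapped from several AD groups is kept while the user is in any of them are assumptions of this example; the scenarios are constructed from the cases in this chapter.

```python
"""Model of the AD-Pro Authentication role-sync rules from sections 5.2-5.6.

Added illustration only: this is not the module's source code. It encodes the
documented behaviour so the interplay of mappings, the 'Authorization' flag
and the role-sync switch can be tried out offline. Names such as RoleMapping
and sign_in are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class RoleMapping:
    """One row of the 'Role Manager' tab."""
    ad_group: str
    dnn_roles: frozenset[str] = frozenset()   # 'DNN role mapping' column
    authorization: bool = False               # 'Authorization' checkbox


@dataclass
class SignInResult:
    allowed: bool
    dnn_roles: frozenset[str]   # roles the DNN user holds after sign-in
    reason: str


def _key(name: str) -> str:
    # AD group names are compared case-insensitively here (assumption).
    return name.casefold()


def sign_in(ad_groups, current_dnn_roles, mappings, role_sync_on=True) -> SignInResult:
    """Decide whether an AD user may sign in and which DNN roles result.

    ad_groups          groups the user belongs to in AD at sign-in time
    current_dnn_roles  roles the DNN user already holds (e.g. assigned by hand)
    mappings           rows of the Role Manager tab
    role_sync_on       state of the On/Off switch from section 5.6
    """
    member = {_key(g) for g in ad_groups}
    roles = frozenset(current_dnn_roles)

    # 5.6: sync off -> nothing is checked, nothing is changed, everyone gets in.
    if not role_sync_on:
        return SignInResult(True, roles, "role sync off; authorization not checked")

    # 5.4: fail closed when no authorization group is enabled at all.
    auth = {_key(m.ad_group) for m in mappings if m.authorization}
    if not auth:
        return SignInResult(False, roles, "no authorization group enabled")
    if not (auth & member):
        return SignInResult(False, roles, "user is in no authorization group")

    # 5.2 / 5.5: every role named in a mapping is 'managed': after login it is
    # held exactly when the user is in at least one AD group mapped to it.
    # Roles that no mapping mentions are left as they were. (Keeping a role
    # while the user is in any of several mapped groups is an assumption.)
    managed = frozenset().union(*(m.dnn_roles for m in mappings))
    wanted = frozenset().union(
        *(m.dnn_roles for m in mappings if _key(m.ad_group) in member))
    return SignInResult(True, (roles - managed) | wanted, "ok")


def scenarios() -> dict[str, SignInResult]:
    """Constructed scenarios mirroring sections 5.2, 5.3, 5.5 and 5.6."""
    mappings = [
        RoleMapping("Domain Users", authorization=True),          # 5.3
        RoleMapping("GroupTest1", frozenset({"GroupTest1"})),     # 5.2
        RoleMapping("Role_1", frozenset({"Role_1"})),             # 5.5
    ]
    bob_groups = ["Domain Users"]          # AD\Bob is not in AD group Role_1
    bob_roles = {"Role_1", "Editors"}      # both assigned by hand in DNN;
                                           # 'Editors' is a constructed, unmapped role
    return {
        # Bob keeps 'Editors' (unmapped) but loses 'Role_1' (mapped, not a member)
        "bob": sign_in(bob_groups, bob_roles, mappings),
        # a user in GroupTest1 gains the DNN role of the same name
        "tester": sign_in(["domain users", "GroupTest1"], set(), mappings),
        # no authorization group ticked at all -> every AD user is rejected
        "nobody_authorized": sign_in(
            bob_groups, bob_roles, [RoleMapping("Role_1", frozenset({"Role_1"}))]),
        # sync switched off -> Bob gets in and keeps Role_1 despite not being in the group
        "sync_off": sign_in([], bob_roles, mappings, role_sync_on=False),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:18} allowed={result.allowed!s:5} "
              f"roles={sorted(result.dnn_roles)} ({result.reason})")
```

`scenarios()` reproduces the Bob case from 5.5 (he keeps the hand-assigned, unmapped ‘Editors’ role but loses the mapped ‘Role_1’), the GroupTest1 mapping from 5.2, the rejection that occurs when no authorization group is ticked, and the sync-off case in which Bob is admitted and keeps ‘Role_1’ even though he is not in the AD group. The last case is the one to keep in mind before using the green button as a performance fix.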
Important Notes
- Role mapping takes effect only during the user login process; changes made in AD are not reflected in DNN until the user signs in again.
- Users are removed from a DNN role at login if that role has a mapping in ‘Role Manager’ and they no longer belong to the corresponding AD group; roles without a mapping are not touched.
- You must enable at least one group in the ‘Authorization Group’ column to allow AD login; when AD role synchronization is switched off, this check is skipped and every AD user can sign in.