User Authentication module
The User Authentication module integrates with your Active Directory (AD) or LDAP environment to authenticate users by using various workflows within MaaS360®. With this module, your users can reuse corporate credentials without having to generate and manage a new set of credentials.
The Cloud Extender® facilitates AD/LDAP authentication for the following scenarios:
- Mobile device self-service enrollment into MaaS360
- User portal access to manage devices
- When authentication is required before accessing secured applications and documents
- When a workplace PIN is reset by the user
- MaaS360 administrator authentication for portal access
- Signing into shared devices
The Cloud Extender receives the credentials securely from the MaaS360 Cloud (client originated) and validates those credentials against your directory server. The credential information is passed from the client through the MaaS360 Cloud to your Cloud Extender, but the information is not stored locally.
Modes of operation
- Active Directory Mode: This mode is specific to Microsoft Active Directory environments. The Cloud Extender runs as a service account and runs PowerShell commands to authenticate any user in your directory. If you have multiple trusting forests or domains in your environment, some additional configuration is required. In this mode, the Cloud Extender can authenticate users in the entire scope of your directory.
- LDAP Mode: This mode is used for any corporate directory. The Cloud Extender offers standard LDAP templates to integrate with Domino® LDAP, Oracle LDAP, Novell eDirectory, and OpenLDAP. In addition to these standard LDAPs, use this mode to configure against any customized LDAP. The Cloud Extender also provides a template to help you configure Microsoft Active Directory in LDAP mode.
To determine which implementation mode to use for your environment, consider these guidelines:
- If you are not using Microsoft Active Directory (AD), use LDAP mode.
- If you are using Microsoft Active Directory (AD), the following table provides LDAP options for your environment:
Table 1. Determining which LDAP implementation mode to use for your environment

| Scenario | Active Directory Mode | LDAP Mode |
|---|---|---|
| Ability to limit authentication scope to a certain OU, subtree, or group | | ✓ |
| Requirement that the Cloud Extender needs to be part of your domain | ✓ | |
| Ability to support trusted forest/domain authentication | ✓ | ✓ |
| Ability to support untrusted forest/domain authentication | | ✓ |
| Ability to customize attributes that are read from AD during the user authentication process | | ✓ |
| Support for User Custom Attributes¹ | | ✓ |
| Ability to customize user and group filters for optimized user authentication performance | | ✓ |
| Support for High Availability (HA) | ✓ | ✓ |
| Ease of configuration | Easy | Medium |
| Implementation technology | .NET libraries | LDAP libraries |
| Configured along with User Visibility on the same Cloud Extender² | ✓ | ✓ |
| Time to authenticate | Limited to .NET libraries | Typically faster than AD |
In most situations, LDAP mode is the implementation of choice, even in Microsoft Active Directory environments, because of the advantages listed in the table and its easier adaptability to future requirements.
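As an added example that is not MaaS360 or Cloud Extender code, the following Python models the LDAP-mode flow the modes list and Table 1 describe: a service account searches a limited base DN (an OU subtree) with a user and group filter, and the matching user's own DN is then bound with the supplied password. The directory is a constructed in-memory stand-in for an LDAP server, and every DN, group name and filter template is an assumed value. It also shows why the user name must be escaped before it is substituted into the filter, since an unescaped value can widen the filter beyond the intended user.

```python
"""Search-then-bind LDAP authentication scoped to a subtree with a user filter.

Added example (not MaaS360 or Cloud Extender code). The directory below is a
constructed stand-in for an LDAP server; DNs, groups and the filter template
are assumed values chosen for illustration.
"""
import re
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the directory: DN -> single-valued attributes.
# The "password" field exists only so the stand-in can answer a bind request.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "CN=alice,OU=Engineering,DC=example,DC=com": {
        "objectClass": "user", "sAMAccountName": "alice",
        "memberOf": "CN=MaaS360Users,OU=Groups,DC=example,DC=com",
        "employeeNumber": "100234", "password": "alice-pass",
    },
    "CN=bob,OU=Engineering,DC=example,DC=com": {
        "objectClass": "user", "sAMAccountName": "bob",
        "memberOf": "CN=Interns,OU=Groups,DC=example,DC=com",
        "employeeNumber": "100777", "password": "bob-pass",
    },
    "CN=carol,OU=Contractors,DC=example,DC=com": {
        "objectClass": "user", "sAMAccountName": "carol",
        "memberOf": "CN=MaaS360Users,OU=Groups,DC=example,DC=com",
        "employeeNumber": "200001", "password": "carol-pass",
    },
}

ROOT_BASE = "DC=example,DC=com"                        # assumed: whole directory
ENGINEERING_BASE = "OU=Engineering,DC=example,DC=com"  # assumed: limited scope
# Assumed user filter: object class, account name and group membership.
USER_FILTER_TEMPLATE = (
    "(&(objectClass=user)(sAMAccountName={username})"
    "(memberOf=CN=MaaS360Users,OU=Groups,DC=example,DC=com))"
)

# RFC 4515 escapes for characters that would otherwise change filter syntax.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before substituting it into a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, username: str) -> str:
    """Fill the {username} placeholder of the template with an escaped value."""
    return template.format(username=escape_filter_value(username))


_EQUALITY = re.compile(r"\((?P<attr>[A-Za-z][\w-]*)=(?P<value>[^()]*)\)")


def _parse_and_filter(filter_str: str) -> List[Tuple[str, str]]:
    """Accept '(attr=value)' or '(&(a=b)(c=d)...)'; enough for the template above."""
    body = filter_str[2:-1] if filter_str.startswith("(&") else filter_str
    clauses = _EQUALITY.findall(body)
    if "".join(f"({a}={v})" for a, v in clauses) != body:
        raise ValueError(f"unsupported filter syntax: {filter_str}")
    return clauses


def _assertion_to_regex(value: str) -> re.Pattern:
    """A bare '*' is a wildcard; '\\xx' hex escapes stand for literal characters."""
    def literal(piece: str) -> str:
        unescaped = re.sub(r"\\([0-9a-fA-F]{2})",
                           lambda m: chr(int(m.group(1), 16)), piece)
        return re.escape(unescaped)
    return re.compile(".*".join(literal(p) for p in value.split("*")), re.IGNORECASE)


def search(base_dn: str, filter_str: str) -> List[str]:
    """Return DNs under base_dn (subtree scope) whose attributes satisfy the filter."""
    clauses = [(a, _assertion_to_regex(v)) for a, v in _parse_and_filter(filter_str)]
    suffix = "," + base_dn.lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(suffix)
            and all(rx.fullmatch(attrs.get(a, "")) for a, rx in clauses)]


def bind(dn: str, password: str) -> bool:
    """Stand-in for the server's simple bind check against the resolved DN."""
    entry = DIRECTORY.get(dn)
    return entry is not None and secrets.compare_digest(entry["password"], password)


def authenticate(username: str, password: str, base_dn: str,
                 filter_template: str = USER_FILTER_TEMPLATE) -> Optional[str]:
    """Search-then-bind: exactly one in-scope entry must match, then bind as it."""
    matches = search(base_dn, build_user_filter(filter_template, username))
    if len(matches) != 1:  # unknown, out of scope, filtered out by group, or ambiguous
        return None
    return matches[0] if bind(matches[0], password) else None


if __name__ == "__main__":
    print(authenticate("alice", "alice-pass", ENGINEERING_BASE))  # alice's DN
    print(authenticate("carol", "carol-pass", ENGINEERING_BASE))  # None: outside the scope
    print(search(ROOT_BASE, USER_FILTER_TEMPLATE.format(username="*")))  # unescaped: two hits
    print(search(ROOT_BASE, build_user_filter(USER_FILTER_TEMPLATE, "*")))  # escaped: []
```

The base DN is what limits the authentication scope to an OU or subtree, the `memberOf` clause in the template is the group filter, and `authenticate` refuses anything other than exactly one match so that a broadened filter can never bind as an unintended entry. A real deployment would bind the service account to the directory server and call its search and bind operations in place of the in-memory stand-in.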
Requirements and scaling
The User Authentication module for LDAP or Active Directory has no known scaling limits. However, the following specifications are the minimum requirements for a server that hosts the module; increase them for better server performance and usability.
In large environments, deploy separate instances of the Cloud Extender to service Corporate Directory Integration and to provide predictable performance of all functions. You can deploy as many instances of the Cloud Extender as needed. However, enable at least two User Authentication modules on two instances of the Cloud Extender for redundancy.
| Item | Minimum requirement |
|---|---|
| Scaling (for both Active Directory and LDAP implementations) | CPU: 2 cores |
| | Memory: 2 GB to 8 GB |
| | Storage: 50 GB |
| | Scaling: for accurate scaling of your environment, see the Cloud Extender scaling document at . |
| | Limits: none known |
| Network traffic | Authentication request/response = 1 KB per request |
| Active Directory | Hardware specs meet minimum requirements |
| | PowerShell 3.0+ installed |
| | Windows operating system is joined to the domain |
| | Service account |
| LDAP | Hardware specs meet minimum requirements |
| | Service account |
¹ For example, you define a User Custom Attribute called Employee Serial Number and use its value in MaaS360 policies for device configuration, application configuration, or as part of Identity Certificates. This attribute can be read directly from your directory by using the LDAP configuration.