Guest Users and Azure AD Authentication

Hi Everyone,

My company is currently planning on migrating from Connections v7 to v8.

Since we are in general very Microsoft oriented, I'm toying around with a testing installation of Connections 8 and Azure AD Authentication via OIDC RP TAI.
My configuration looks good, SSO via Azure App registration works fine and I think our users will appreciate not having to enter a password anymore.

BUT: How to deal with guest accounts?
They are currently registered in an OpenLDAP directory, not even in AD DS.
However, Connections now doesn't even show a logon mask. Users are redirected to the Microsoft login service if not already authenticated.
So I think they have to exist in Azure AD too. Right?
But how do I get them over there? Do they need to exist in our local AD DS and then synchronized to Azure AD? Or are Azure AD B2B guest accounts enough to get them authenticated? How does this affect the invitation process? Is this even supported?

Many questions and I didn't find any information on this in the documentation.
Has anyone already tried this? Or is this uncharted territory?

Thanks for any hints!

Regards,
Daniel

Hi Daniel,

I don't know your Connections configuration settings at the moment, but it looks like you are trying to find a different way of logging in to HCL Connections when using guest users and/or general users that can authenticate with Microsoft AD. From the WAS/Connections point of view, I think there is no problem having more than one LDAP configured in your WAS federated repository, so I think both (OpenLDAP and Microsoft AD) can be included in your federated repository as long as these users can be uniquely identified by IBM WAS/HCL Connections. Regarding the guest users... that is maybe a question about the login modules and their login pages that you have installed in WAS. In HCL Connections there are options available to customize the login, as described at this URL:
https://help.hcltechsw.com/connections/v6/admin/customize/t_admin_common_customize_login_screen.htm

As far as I know, there are also options available to redirect users of specific domains. So if you want to allow guest users to log in to the same HCL Connections portal, why not offer them a separate login page for such users, which you can then point to a different WAS login module to log in with. An entry point for that could be the IBM documentation:

https://www.ibm.com/docs/en/was/8.5.5?topic=ujaaspmwa-developing-custom-login-modules-system-login-configuration-jaas

I hope that helps.

Thanks, Thorsten

Hi

There's an option to use an intermediate IdP between Connections and Azure, for example Keycloak, which would allow you to log in to Connections with Azure AD and your existing OpenLDAP at the same time.