CHEQROOM supports Single Sign-On (SSO) by connecting to your organisation's LDAP (Lightweight Directory Access Protocol) or Active Directory servers.
Setting up sync with your AD server
- Click Users, then click User Sync
- Click New user sync
- Fill in your Host settings, port and authentication credentials (you can use ldaps:// in host names)
- Click Check connection*
- Fill in the Sync settings
- Fill in the Field mappings
- Restrict access of synced users to certain locations
How does it work?
CHEQROOM can keep your user logins up to date by using nightly account synchronisation. Our service will grab one or more sets of specified accounts using the configuration parameters and filters you've defined.
You can filter out users you don’t want in a variety of ways. One way is to use a specified attribute to record whether or not users should sync. You might find that you already have some attributes you can use to achieve the filter that you want.
LDAP and Active Directory will not let the password be synchronised, but CHEQROOM can "phone home" to your directory for each authentication, which achieves the same result and is arguably more secure, since the password database stays only at the customer site. In this way your users can use their Active Directory password at the CHEQROOM login screen, in the web application and in the mobile apps.
Be careful opening up your firewall.
Make sure you lock down access to your server to only the IP addresses listed below. Since you are exposing your LDAP / Active Directory server on the LDAP protocol, restrict it to only those who need it, and prefer an ldaps:// host name so credentials and directory data are not sent in clear text.
Use minimum privileges for remote LDAP access.
Grant the account that performs the sync the least privilege possible. Because this is a one-way synchronisation, it normally needs only read access to the users it syncs; do not grant it write access.
Practice good password policies.
Give the sync account a long, randomly generated password and rotate it on a schedule.
Audit and review periodically.
Include this interface in your security reviews. Validate the settings, accesses, and firewall rules well and periodically.
Make sure your User Syncs do not overlap.
Configure your LDAP queries so that each user is matched by only one User Sync. Users that match the queries of multiple User Syncs will produce unexpected behaviour.
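To test an attribute-based filter before putting it in a User Sync, and to check that two User Syncs do not select the same user, it helps to evaluate the filters against a handful of known accounts. The following added example (written for this article; it is not CHEQROOM's sync code) implements a small subset of RFC 4515 filter syntax, including Active Directory's bitwise-AND matching rule for userAccountControl, and runs two constructed sync filters over constructed sample entries. The group DNs, accounts and sync names are assumptions for the illustration; parentheses inside attribute values are not supported.

```python
"""Evaluate LDAP search filters (RFC 4515 subset) against in-memory entries to
see which accounts a User Sync would select and whether two syncs overlap.
Added illustration only; the entries and filters below are constructed."""
import re
from typing import Dict, List

Entry = Dict[str, List[str]]          # lower-cased attribute name -> values

BIT_AND_RULE = "1.2.840.113556.1.4.803"   # AD LDAP_MATCHING_RULE_BIT_AND
UAC_DISABLED = 0x2                        # ACCOUNTDISABLE bit of userAccountControl


def _split_top(s: str) -> List[str]:
    """Split '(a)(b)(c)' into ['(a)', '(b)', '(c)'] at parenthesis depth 0."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    if depth != 0:
        raise ValueError("unbalanced parentheses in filter: %r" % s)
    return parts


def matches(entry: Entry, flt: str) -> bool:
    """Return True if the entry satisfies the filter (&, |, !, =, =*, substring, bit-AND)."""
    flt = flt.strip()
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % flt)
    body = flt[1:-1]
    if body.startswith("&"):
        return all(matches(entry, sub) for sub in _split_top(body[1:]))
    if body.startswith("|"):
        return any(matches(entry, sub) for sub in _split_top(body[1:]))
    if body.startswith("!"):
        subs = _split_top(body[1:])
        if len(subs) != 1:
            raise ValueError("! takes exactly one filter: %r" % flt)
        return not matches(entry, subs[0])
    # (attr:1.2.840.113556.1.4.803:=mask): true if every bit of mask is set
    m = re.fullmatch(r"([\w-]+):" + re.escape(BIT_AND_RULE) + r":=(\d+)", body)
    if m:
        vals, mask = entry.get(m.group(1).lower(), []), int(m.group(2))
        return any(int(v) & mask == mask for v in vals)
    m = re.fullmatch(r"([\w-]+)=(.*)", body, re.S)
    if not m:
        raise ValueError("unsupported filter item: %r" % flt)
    attr, value = m.group(1).lower(), m.group(2)
    vals = [v.lower() for v in entry.get(attr, [])]
    if value == "*":                      # presence test
        return bool(vals)
    if "*" in value:                      # substring match, case-insensitive
        pat = ".*".join(re.escape(p) for p in value.lower().split("*"))
        return any(re.fullmatch(pat, v) for v in vals)
    return value.lower() in vals          # equality, case-insensitive


def select(entries: List[Entry], flt: str) -> List[str]:
    """Accounts (sAMAccountName) the filter would hand to a User Sync."""
    return [e["samaccountname"][0] for e in entries if matches(e, flt)]


def overlap(entries: List[Entry], filters: Dict[str, str]) -> Dict[str, List[str]]:
    """Accounts selected by more than one sync, mapped to the syncs that select them."""
    hits: Dict[str, List[str]] = {}
    for name, flt in filters.items():
        for acct in select(entries, flt):
            hits.setdefault(acct, []).append(name)
    return {a: s for a, s in hits.items() if len(s) > 1}


# Constructed sample directory; 512 = normal account, 514 = normal + disabled.
EQUIP = "CN=Equipment Users,OU=Groups,DC=example,DC=com"
STUDIO = "CN=Studio Staff,OU=Groups,DC=example,DC=com"
SAMPLE_ENTRIES: List[Entry] = [
    {"samaccountname": ["alice"], "objectclass": ["user"], "useraccountcontrol": ["512"],
     "memberof": [EQUIP], "mail": ["alice@example.com"]},
    {"samaccountname": ["bob"], "objectclass": ["user"], "useraccountcontrol": ["514"],
     "memberof": [EQUIP], "mail": ["bob@example.com"]},
    {"samaccountname": ["carol"], "objectclass": ["user"], "useraccountcontrol": ["512"],
     "memberof": [EQUIP, STUDIO], "mail": ["carol@example.com"]},
    {"samaccountname": ["svc-backup"], "objectclass": ["user"], "useraccountcontrol": ["512"]},
]

# Constructed User Sync filters: carol is in both groups, so the two syncs overlap.
SYNC_FILTERS = {
    "warehouse": "(&(objectClass=user)(mail=*)(memberOf=%s)"
                 "(!(userAccountControl:%s:=%d)))" % (EQUIP, BIT_AND_RULE, UAC_DISABLED),
    "studio": "(&(objectClass=user)(memberOf=%s))" % STUDIO,
}

if __name__ == "__main__":
    for name, flt in SYNC_FILTERS.items():
        print(name, "->", select(SAMPLE_ENTRIES, flt))
    print("in more than one sync:", overlap(SAMPLE_ENTRIES, SYNC_FILTERS))
```

The "warehouse" filter drops bob because the disabled bit is set and drops svc-backup because it has no mail attribute, which is the kind of attribute-based exclusion the section describes; the overlap check reports carol because both syncs match her, which is what you should fix (for example by adding `(!(memberOf=...Studio Staff...))` to the first filter) before enabling both syncs.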
Whitelist access from our servers
*Your LDAP server should whitelist access from these IP addresses.
*This module is not activated by default. Want it for your account? Get in touch.