CHEQROOM supports Single Sign-On (SS0) by connecting to your organization's LDAP (Lightweight Directory Access Protocol) or Active Directory servers.
Setting up sync with your AD server
- Click Settings in the bottom left corner of your screen
- Click Add-ons
- Scroll down and activate 'sync remote users' if necessary
- Next, click Settings or this link
- Click New user sync
- Fill in your Host settings, port and authentication credentials
(you can use
ldaps://in host names)
- Click Check connection*
- Fill in the Sync settings
- Fill in the Field mappings
- Restrict access of synced users to certain locations
How does it work?
CHEQROOM can keep your user logins up to date by using nightly account synchronization. Our service will grab one or more sets of specified accounts using the configuration parameters and filters you've defined.
You can filter out users you don’t want in a variety of ways. One way is to use a specified attribute to record whether or not users should sync. You might find that you already have some attributes you can use to achieve the filter that you want.
LDAP and Active Directory won’t allow the password to be synchronized, but you can “phone-home” for authentications, which achieves the same thing, and is arguably more secure, since the password database remains only at the customer site. In this way your users can use their active directory password at the CHEQROOM login screen on the web application and on mobile apps.
Be careful opening up your firewall.
Make sure you lock down access to your server to only the IP mentioned below. Since you’re allowing access to your LDAP / Active Directory Server on the LDAP protocol, you will want to restrict it to only those who need it.
Use minimum privileges for remote LDAP access.
Allow only the least privilege possible to the account that is doing the sync. Most of the time, it will only need read access as this is a one-way synchronization. Write access should be forbidden.
Practice good password policies.
Make sure you choose a very long and difficult randomly generated password and make a schedule to update it.
Audit and review periodically.
Include this interface in your security reviews. Validate the settings, accesses, and firewall rules well and periodically.
Make sure your User Syncs do not overlap.
Configure your LDAP queries so a single user is only part of a single User Sync. Users that are match the queries of multiple User Syncs will produce unexpected behavior.
Whitelist access from our servers
*Your LDAP server should whitelist access from these IP addresses.
- Tips for crafting your User Sync query with LDAP syntax
- What happens to my existing users once I start to use the LDAP User Sync module?
- Troubleshooting issues with User Sync
- What should my LDAP server return in order for User Sync to work?
- Is there a limit to the number of users I can sync to CHEQROOM?