User Login and Active Directory


Hi All,

I am thinking of:

(1) Doing an authentication against both the OutSystems user and Active Directory, in such a way that after the user successfully logs in to OutSystems, I will have 1 more authentication in AD. If either authentication fails, the user will not be allowed to log in to OutSystems. The password in OutSystems will also follow the password from AD. Is this doable in OutSystems?


(2) Retrieve user information from AD such as email, department, etc. Is that possible also?

Can anyone advise how to do the 2 items?


Hi,

(1) It's certainly possible to do that. Just override the login code and implement a call to AD to validate the username/password. You can even implement it as a single sign-on.

Don't worry about the password in OutSystems. Just leave it blank because you'll validate against AD. Saving the AD password in OutSystems is not an option as you probably won't be able to decrypt it (I suppose AD uses a one-way encryption). Filling in a password in the OutSystems user table is also a security risk should your AD fail at some point. Then people would be able to get in and that's not what you want. Somebody with DB access could even grant himself access.

So just create OutSystems users - can be done directly via the database at first login time or via a sync procedure between your AD and OutSystems in order to create new users automatically - with an empty password.


(2) If you have that information available in your AD, I suppose you'll be able to retrieve it.


Solution

Hi Johnson,

(1) The Users' application already implements Integrated Authentication on its User_Login (that your application is likely already using), and behaves like you described (checks OutSystems credentials first, if there's no match check against Windows/AD... and if successful, creates a local "shallow" User record with the username but no password - you want to continue going through AD for authentication).

(2) Is most certainly possible, the Authentication extension module (part of the platform) already has:

  • the ActiveDirectory_GetAccountDetails action that provides access to Name, Email Address, Phone Number and whether the user is active or not.
  • the ActiveDirectory_GetAccountGroups action that returns a list of Groups.

And you can further explore the Active Directory Forge component, which has quite an extensive list of available actions.

Solution

Thanks Jorge and Kurt

Hi Jorge and Kurt,

I tried to set up the AD information as in the screen below, but then I get the error below. What should I do?

1. Are the domain user name and password mandatory? Previously, when we dealt with Visual Studio, they were not required. Perhaps they are the same Microsoft product.

2. For the domain, I just key in the server name, such as "ADServer.com". Is there any extra text I need to put in?


Hi Johnson,

Looks like you have outdated dependencies somewhere?... make sure you're using the correct versions of CryptoAPI and ActiveDirectory components.

Jorge, I tried to recompile and it is working. But then I hit the error below (Screen 1). I have already keyed in the domain user and password, which are those of my normal user account.

I tried to debug, but the furthest debug point (Screen 2) I can reach is AD_UserSearch2, which is from the ActiveDirectoryCore module. Then I was prompted with the screen below with the error "The supplied arguments cannot be null." (Screen 3). How can I debug further into the action AD_UserSearch in ActiveDirectoryCore to find out the root cause?

Screen 2

Screen 3


Can anyone help?

Johnson, before dealing with installing/updating Applications, I suggest you open the Users Application and check how the User_Login Action is implemented. In order to view its contents:

  • Open a responsive module of any Web Application
  • Select the Interface tab
  • Expand the UI Flows folder
  • Right click on the Users dependency
  • Select "Open 'Users' eSpace".
  • You will be asked "Do you want to open a clone of the module?". Select "Open a clone".
  • On the CloneOfUsers module, switch to the Logic tab
  • Double-click on the User_Login server action

If you want to download/install/update an application, in Service Studio, go to the Environment tab and press "Install Application":

You will notice Service Studio switches to the first (black) tab, labeled "outsystems". Login using your OutSystems Community username/password and choose the application you want to install. For CryptoAPI, for instance, you can search for "crypto" and select the CryptoAPI application from the list and install/update it if needed.

 

Johnson Lim wrote:

I tried to debug, but the furthest debug point (Screen 2) I can reach is AD_UserSearch2, which is from the ActiveDirectoryCore module. Then I was prompted with the screen below with the error "The supplied arguments cannot be null." (Screen 3). How can I debug further into the action AD_UserSearch in ActiveDirectoryCore to find out the root cause?

Screen 2

This is explained in the online training. If you haven't gone through the Developing OutSystems Web Applications course, I can't recommend it enough (classroom training would be even better to get you up and running).

Open ActiveDirectoryCore module, and configure the Debugger there to hook to requests that start in your ADConfigurations module. Use the "Select Entry Module..." entry from the Debugger menu:

Then change the value from "(this module)" to "ADConfigurations" (by using the dropdown choices):

Make sure the debugger is running for the "ActiveDirectoryCore" module and now your breakpoints and Step Into should work on ActiveDirectoryCore as well, for requests that start in the ADConfigurations module.

Dears,

I have an application which uses Active Directory and OutSystems users, and they are both inserted in the Users OutSystems table.

Now I'm having an issue: if I log in from the Admin (ActiveDirectory) login page using a public user, the user passes the login function but a "no permission exception" is raised.

The question here is how to differentiate between the Active Directory users and regular OutSystems users while they are running on the same tenant and the same Users entity.

Thanks in advance, 

Best Regards
Mohamed AlMokadem

The idea is you don't distinguish... but when you pass the login function you need to make sure the users from AD have OutSystems roles assigned (typically you'd do this every time a user logs in if your roles somehow come from the AD as well, or manually add the roles to those users through the OutSystems Users application).
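The login flow described earlier in this thread (local credentials first, then AD, then a shallow user record with no password) combined with the per-login role assignment suggested in the reply above, as an added Python example. It is not OutSystems or Users-module code; `ad_validate`, `UserStore`, `FAKE_AD` and `GROUP_TO_ROLE` are hypothetical stand-ins, and the directory data is constructed.

```python
import hashlib, hmac, os

# Constructed sample data: a stand-in directory and a group-to-role mapping.
FAKE_AD = {"jlim": {"password": "ad-secret", "groups": ["HR-Admins", "Staff"]}}
GROUP_TO_ROLE = {"HR-Admins": "Admin", "Staff": "RegisteredUser"}

def ad_validate(username, password):
    """Hypothetical stand-in for a directory bind: group list, or None on failure."""
    entry = FAKE_AD.get(username)
    if entry and hmac.compare_digest(entry["password"].encode(), password.encode()):
        return entry["groups"]
    return None

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class UserStore:
    def __init__(self):
        self.users = {}  # username -> {"salt", "pw_hash", "roles"}

    def add_local(self, username, password, roles):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "pw_hash": _hash(password, salt),
                                "roles": set(roles)}

    def login(self, username, password, validate=ad_validate):
        """Return the user's roles on success, None on failure."""
        # Reject blank passwords up front: a shallow record stores no password,
        # and an empty password can turn an LDAP simple bind into an
        # unauthenticated bind that appears to succeed.
        if not password:
            return None
        user = self.users.get(username)
        # 1. Local credentials first. A shallow record (pw_hash None) never matches.
        if user and user["pw_hash"] is not None:
            if hmac.compare_digest(user["pw_hash"], _hash(password, user["salt"])):
                return user["roles"]
        # 2. No local match: ask the directory. If it is down, nobody gets in.
        groups = validate(username, password)
        if groups is None:
            return None
        # 3. First AD login creates a shallow record with no stored password.
        if user is None:
            user = self.users[username] = {"salt": None, "pw_hash": None, "roles": set()}
        # 4. Re-derive roles from AD groups on every login so removals take effect.
        if user["pw_hash"] is None:
            user["roles"] = {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
        return user["roles"]
```

An AD user whose groups map to no role still authenticates but comes back with an empty role set, which is the situation behind a "no permission" error after a successful login.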

Hi Mohamed ElMokadem,

Mind to share your code?  

Mohamed ElMokadem wrote:

Dears,

I have an application which uses Active Directory and OutSystems users, and they are both inserted in the Users OutSystems table.

Now I'm having an issue: if I log in from the Admin (ActiveDirectory) login page using a public user, the user passes the login function but a "no permission exception" is raised.

The question here is how to differentiate between the Active Directory users and regular OutSystems users while they are running on the same tenant and the same Users entity.

Thanks in advance, 

Best Regards
Mohamed AlMokadem

Hi Mohamed,

I too have a Users (User Provider) in my eSpace project/application named ProjectP&G. I have a requirement to use AD to log in instead of the OutSystems User table. Any idea how I go about it?

Awaiting your response!


Hi Saswata,

Sorry if it feels like I'm stalking, but reviving two old threads with generic questions is really against the Community etiquette. 

If you have one problem, create one thread. Don't post the same issue to multiple Community threads. I know this feels like "various threads means more people can help me", but this will often be perceived as a lack of respect for the time of the people who contribute voluntarily to the Community.


Joao