CentricMinds supports integration with an LDAP-compliant data source, such as Microsoft Active Directory and Okta.
A background synchronization task connects to the LDAP data source and synchronizes user information into CentricMinds, based on a defined position within the LDAP tree or a chosen search filter. The sync adds, modifies and/or deletes user accounts within CentricMinds as needed.
When an individual user attempts to authenticate with CentricMinds, that authentication can be performed against an LDAP data source. After successful authentication, a synchronization of that user's information is performed.
During a synchronization of a user's information into CentricMinds, the following is supported:
- User details: Retrieving standard user information such as username, first name, last name, email address, phone number, mobile number, date of birth and manager.
- Group associations: Retrieving group associations and creating and associating groups with the same name within CentricMinds.
- Additional details: Retrieving additional and/or custom information and adding it as metadata associated with the user.
This makes it possible for organizations to use an LDAP data source as the 'source of truth' for user information and to grant access to CentricMinds content in a structured and automated way. It also supports user personalization and automated subscriptions and/or notifications, by matching content metadata against the synchronized user metadata.
Flexible Authentication Model
CentricMinds provides a flexible authentication model which includes support for the following approaches:
- Traditional Authentication: CentricMinds provides 'out of the box' support for the internal storage of user accounts and their associated authentication. User information is stored within the CentricMinds database.
- LDAP Authentication: CentricMinds provides 'out of the box' support for authentication against an LDAP-compliant data source such as Microsoft Active Directory. The data source remains the 'source of truth', and every authentication attempt via CentricMinds includes communication with and verification against the data source. Information (including security group and role associations) is synchronized and used by CentricMinds.
- Mixed Mode Authentication: A combination of Traditional and LDAP Authentication, which first tests against an LDAP-compliant data source and then, if the LDAP authentication fails, attempts authentication against the internal CentricMinds store. This supports internal authentication of staff while also supporting authentication of external users (who do not have an LDAP account) as needed, giving greater flexibility across target audiences working in different domains.
- External Authentication: CentricMinds also provides the ability to perform authentication against external systems (via HTTPS requests) or external databases (via direct data querying).
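The mixed-mode flow and the post-login synchronization of user details and group associations described above, as an added Python illustration. This is not CentricMinds' code; the LDAP directory and internal user store are constructed in-memory stand-ins, and the DN layout, attribute names and account names are assumptions.

```python
import hashlib
import hmac

# Constructed stand-in for the LDAP directory: DN -> (password, attributes).
# A real deployment binds to the directory over LDAPS; the dict keeps this runnable offline.
LDAP_DIRECTORY = {
    "uid=asmith,ou=staff,dc=example,dc=com": ("Staff-pw-1", {
        "givenName": "Alice", "sn": "Smith", "mail": "asmith@example.com",
        "memberOf": ["cn=Editors,ou=groups,dc=example,dc=com",
                     "cn=Intranet Users,ou=groups,dc=example,dc=com"]}),
}

def _pw_hash(password, salt="constructed-salt"):
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed internal (Traditional) store for external users who have no LDAP account.
LOCAL_USERS = {"contractor": _pw_hash("Ext-pw-2")}
SYNCED_USERS = {}     # application-side records filled in by the sync step
LOCAL_GROUPS = set()  # groups created locally to mirror LDAP group names

def ldap_authenticate(username, password):
    """Simple bind against the stub directory. Returns (ok, attrs)."""
    dn = f"uid={username},ou=staff,dc=example,dc=com"
    if dn not in LDAP_DIRECTORY:
        return False, None
    stored, attrs = LDAP_DIRECTORY[dn]
    return hmac.compare_digest(stored, password), attrs

def sync_user(username, attrs):
    """Mirror user details and group associations into the local records."""
    groups = [dn.split(",")[0].split("=", 1)[1] for dn in attrs.get("memberOf", [])]
    LOCAL_GROUPS.update(groups)  # create groups of the same name if missing
    SYNCED_USERS[username] = {
        "first_name": attrs["givenName"], "last_name": attrs["sn"],
        "email": attrs["mail"], "groups": groups}
    return SYNCED_USERS[username]

def mixed_mode_login(username, password):
    """LDAP first; fall back to the internal store only if LDAP rejects the login."""
    ok, attrs = ldap_authenticate(username, password)
    if ok:
        sync_user(username, attrs)  # refresh details after a successful LDAP login
        return "ldap"
    # Fallback: a user present in both stores can still log in with the local
    # password, so keep local accounts limited to users outside the directory.
    local = LOCAL_USERS.get(username)
    if local and hmac.compare_digest(local, _pw_hash(password)):
        return "internal"
    return None
```

The fallback comment is the point to check in a real deployment: an account that exists in both stores keeps its internal password as a second valid credential.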
Single Sign On
CentricMinds provides support for Single Sign-On (SSO). SSO is an approach to access control of multiple, related, but independent software systems. With this approach a user logs in once and gains access to all systems without being prompted to log in again at each of them. CentricMinds supports the following:
- SSO Basic: CentricMinds supports a basic approach to SSO using the browser's ability (via NTLMv2) to retrieve the username of the user currently logged into Windows (i.e. within a domain). When the site is accessed, the user is silently logged into CentricMinds via their Windows user account.
- SSO Advanced: CentricMinds supports an advanced approach to SSO (which works with all browsers) that makes use of Microsoft Active Directory Federation Services (ADFS). When CentricMinds is accessed, a secure ADFS token is checked for authentication information. If one exists, the user is silently logged into CentricMinds. If no token exists, the user is directed to log in via ADFS and is then passed back accordingly.