Active Directory Service Interfaces (ADSI) configuration
Active Directory Service Interfaces (ADSI) allows ActivityInfo to connect directly to your domain's Active Directory.
This requires that:
- The ActivityInfo server is running on Windows Server 2012 or later
- The machine on which ActivityInfo is running is joined to your domain
ActivityInfo uses email addresses to uniquely identify people. Active Directory, on the other hand, uniquely identifies people with a User Principal Name (UPN), which consists of their user account name and domain name.
Microsoft recommends that the UPN match a user's primary email address. However, in some networks, the UPN and the user's email address may be different.
Email domains vs Active Directory Domains
For example, some legacy networks use non-routable domain names such as "example.local" while the email address domain is "example.gov".
To address these differences, you should:
- Specify "example.gov" as an Email Domain in the configuration below
- Ensure that the email address listed in Active Directory matches the routable domain name, for example "firstname.lastname@example.org".
User names vs email address
In other networks, someone's user name might be very different from their email address. The user name might be something like "email@example.com" while their email address might be "firstname.lastname@example.org".
This may lead to confusion among end-users as they will need to be invited to the system as "email@example.com", but then must log in as "ab2354".
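A read-only check for the mismatches described above, as an added example that is not part of the ActivityInfo documentation: it flags accounts whose Active Directory `mail` attribute is empty, falls outside the planned Email domains, or differs from the UPN. The function name `Test-MailMapping`, the sample accounts and the domain list are assumptions; the commented `Get-ADUser` line requires the ActiveDirectory PowerShell module.

```powershell
# Added example: report accounts that will not map cleanly to an email identity.
function Test-MailMapping {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        # Assumption: the same list you plan to enter as "Email domains".
        [Parameter(Mandatory)] [string[]] $EmailDomains
    )
    process {
        $mail = [string]$User.mail
        $upn  = [string]$User.UserPrincipalName
        # String comparisons below are case-insensitive by default.
        $issue = if (-not $mail) {
            'no mail attribute set'
        } elseif ($EmailDomains -notcontains ($mail -split '@')[-1]) {
            'mail domain is not a configured Email domain'
        } elseif ($mail -ne $upn) {
            'mail differs from UPN (login name will not match invitation)'
        } else {
            $null
        }
        if ($issue) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                UPN            = $upn
                Mail           = $mail
                Issue          = $issue
            }
        }
    }
}

# Constructed sample accounts, shaped like Get-ADUser output.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'ab2354'; UserPrincipalName = 'ab2354@example.local'; mail = 'firstname.lastname@example.gov' }
    [pscustomobject]@{ SamAccountName = 'cd9981'; UserPrincipalName = 'cd9981@example.local'; mail = 'cd9981@example.local' }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; UserPrincipalName = 'svc-backup@example.local'; mail = $null }
    [pscustomobject]@{ SamAccountName = 'jane.doe'; UserPrincipalName = 'jane.doe@example.gov'; mail = 'jane.doe@example.gov' }
)

$sample | Test-MailMapping -EmailDomains 'example.gov' | Format-Table -AutoSize

# Against a live domain:
# Get-ADUser -Filter 'Enabled -eq $true' -Properties mail |
#     Test-MailMapping -EmailDomains 'example.gov'
```

Accounts that produce no row (here `jane.doe`) have a UPN and email address that already agree and fall within a configured Email domain.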
Navigate to the Server settings page and then to the "Single-Sign On" section from the left-hand side.
From the "Add Provider" menu, click "Add ADSI".
Enter the "Email domains" for which Active Directory authentication should be used.
For example, if you want all users whose email addresses end with "@example.gov" to authenticate with Active Directory, then enter "example.gov" in the Email Addresses field.
You can include multiple domains by separating them with commas, for example:
Migrating existing accounts
Existing user accounts, including the initial administrator account, are not automatically switched to Active Directory. Existing users must connect their accounts manually with the following steps:
- Navigate to Profile Settings from the Profile menu.
- Click the "Enable SSO" button.
- Enter your Windows login user name and password.
If completed successfully, ActivityInfo will always require you to log in through Active Directory in the future.