Authenticating from AD / storing user data in app

0
Hi, I extended the Administration.Account entity using generalization with some attributes we need for users. For now I can create the users based on an AD, update their attributes from the AD and other data sources, and I can set their roles. Everything works great, but… I have to set the Password attribute when I create a new user; for now I set it to a constant for all users to check whether my code works in general. We need to authenticate our users in real time against an AD (instead of authenticating them based on the Administration.Account entity), but we need the extension attributes too, so we also need to store the users in the extended Administration.Account entity (not for authentication, but for storing their special data).

1. Is it somehow possible to import users from an AD with their passwords (as far as I know, not), or should I generate passwords (never actually used) for the users (who will never be authenticated by the app but by the AD) just to be able to create them (because Password is a required attribute)?

2. Is it possible to set up the application to authenticate in real time against an AD? If yes, is there a tutorial for this?

Thx,
asked
3 answers
0

Not sure what you mean by real-time. Using Account will also be real-time; there is no delay anywhere.

Storing the password twice is both impossible (since you don't get it from the AD) and bad practice.

But maybe this is a solution: Place the extra fields in an entity (say ‘Person’) having a 1-1 association with entity ‘User’ instead of ‘Account’.

answered
0

I mean when a user tries to log in, the app should authenticate him/her against the AD, not against the User entity within the application. Is it possible? 

answered
0

Getting user information from an external system and granting them access to your app are two different concepts (user provisioning and authentication, respectively) and both can be performed using something like AzureAD.

It seems like you have solved user provisioning, so you need to fix authentication. This is commonly done by importing an app store module with the correct technology and configuring it. Some authentication modules are SAML (has platform support), Kerberos (deprecated) and OAuth (community support). Other options, such as OpenID Connect, have no app store module yet. The modules (SAML, OAuth) work by redirecting the user from your application to the AD, where the user will enter his password. AD then redirects the user back to your application, where the module ensures the user is granted access. Therefore, you do not need to know the user's password in your application, but you do need to trust an external application to tell your Mendix application who a user is – and that is what these modules do.

These modules contain documentation on how to set them up. However, you should check with the engineers of your AD what technology can be used for authentication.

answered
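The redirect-based flow described in the last answer, and the point made in the first answer that the application never needs the directory password, can be shown end to end in a small model. The following is an added example written for this page; it is not Mendix code nor code from any of the app store modules, and the issuer, audience, user, department and key material are constructed for the illustration. It stands in for SAML/OIDC with a shared HMAC key so that it runs offline; a real deployment verifies the IdP's signature with the public key published in its metadata. The IdP side checks the password and issues a signed assertion; the application side accepts the assertion only if the signature, issuer, audience and expiry all check out, then creates or updates the local account record (the stand-in for the extended Account entity) with a random, never-used password and the attributes it actually cares about.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# --- Constructed sample setup (hypothetical names, not a real deployment) ---
IDP_ISSUER = "https://idp.example.test"           # the directory / identity provider
APP_AUDIENCE = "https://mendix-app.example.test"  # the application that trusts it
# Key the IdP signs with and the app verifies with. Real SAML/OIDC uses the IdP's
# RSA/EC public key from its metadata; an HMAC key keeps this example self-contained.
ASSERTION_KEY = secrets.token_bytes(32)


def _pw_hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# The directory's own credential store. Only the IdP ever reads or checks this.
_SALT = secrets.token_bytes(16)
IDP_USERS = {
    "alice": {"pw": _pw_hash(_SALT, "correct horse battery"), "department": "Finance"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def idp_login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """IdP side: verify the password and, on success, issue a signed assertion for the app."""
    user = IDP_USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw"], _pw_hash(_SALT, password)):
        return None
    now = time.time() if now is None else now
    claims = {"iss": IDP_ISSUER, "aud": APP_AUDIENCE, "sub": username,
              "iat": int(now), "exp": int(now) + 300, "department": user["department"]}
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(ASSERTION_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(tag)}"


def verify_assertion(token: str, now: Optional[float] = None) -> Optional[dict]:
    """App side: accept the assertion only if it is authentic, meant for us, and still valid."""
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(ASSERTION_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(tag)):
            return None                       # forged or tampered with
        claims = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None                           # malformed token
    now = time.time() if now is None else now
    if claims.get("iss") != IDP_ISSUER:       # issued by a party we do not trust
        return None
    if claims.get("aud") != APP_AUDIENCE:     # issued for a different application
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None                           # expired, e.g. a replayed assertion
    return claims


# Stand-in for the extended Account entity: the extension attributes live here, and the
# required password field holds a random value that nobody knows and nothing ever checks.
LOCAL_ACCOUNTS = {}


def provision(claims: dict) -> dict:
    """Create or update the local record from the asserted identity; no password is involved."""
    acct = LOCAL_ACCOUNTS.get(claims["sub"])
    if acct is None:
        acct = {"name": claims["sub"], "unused_password": secrets.token_urlsafe(32)}
        LOCAL_ACCOUNTS[claims["sub"]] = acct
    acct["department"] = claims.get("department")
    return acct


def login_via_idp(username: str, password: str) -> Optional[dict]:
    """Whole flow: user authenticates at the IdP, comes back with a token, app verifies it."""
    token = idp_login(username, password)
    claims = verify_assertion(token) if token else None
    return provision(claims) if claims else None


if __name__ == "__main__":
    print(login_via_idp("alice", "wrong"))                               # None
    print(login_via_idp("alice", "correct horse battery")["department"])  # Finance
```

The three `verify_assertion` checks after the signature are the ones that get skipped most often in hand-rolled integrations: a valid signature from the wrong issuer, an assertion minted for another application, or a stale assertion replayed later must all be rejected, otherwise the trust the third answer describes is wider than intended.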