A user authentication method refers to the system a web site or network relies on to restrict access to authorized users. MarketDirect StoreFront offers administrators several main options for authenticating users:
This option is the default user authentication method in MarketDirect StoreFront (i.e., users log into your site by entering a valid registered username and password).
Internal Forms Authentication is the default "built-in" user authentication method in MarketDirect StoreFront. It requires users to enter a valid username and password on the login screen to log into your site. This is the most common user authentication method, known as "forms" authentication, in which the user-entered username and password pair is authenticated against an internal list to grant the appropriate access and permissions (e.g., what group the user belongs to, such as "administrators", "operators" or "everyone"). Users log into the site via the login block on the site home page. Enforcement of strong passwords is supported.
Ideal for: Sites that do not need to share information on MarketDirect StoreFront users with another system or provide users with single sign-on (SSO) capabilities. Each user will be required to enter a valid username and password (i.e., associated with a registered account) to log into the site.
Site setup required: None.
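The "internal list" check that forms authentication performs, shown as an added example rather than MarketDirect StoreFront's own code: a username is looked up in an internal user store, the password is verified against a salted PBKDF2 hash, and a successful match yields the group ("administrators", "operators", "everyone") that drives permissions. The password rules, the iteration count and the sample accounts are assumptions standing in for a site's own policy.

```python
# Added example (not MarketDirect StoreFront code): an internal "forms"
# authentication store of the kind described above. A login is checked against
# an internal user list, the password against a salted PBKDF2 hash, and a
# successful match yields the group that drives permissions. The password rules
# and iteration count are assumptions standing in for a site's own policy.
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

PBKDF2_ITERATIONS = 600_000  # assumption: tune to the server's capacity


@dataclass
class UserRecord:
    username: str
    salt: bytes
    pw_hash: bytes
    group: str  # e.g. "administrators", "operators", "everyone"


def check_password_strength(password: str) -> list[str]:
    """Return the list of unmet requirements; an empty list means acceptable."""
    problems = []
    if len(password) < 12:
        problems.append("at least 12 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("an upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("a lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("a digit")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class InternalUserStore:
    """The 'internal list' that forms authentication checks credentials against."""

    def __init__(self):
        self._users: dict[str, UserRecord] = {}

    def register(self, username: str, password: str, group: str = "everyone") -> None:
        # Strong-password enforcement happens at registration and password change.
        problems = check_password_strength(password)
        if problems:
            raise ValueError("password needs " + ", ".join(problems))
        salt = os.urandom(16)
        self._users[username.casefold()] = UserRecord(
            username, salt, hash_password(password, salt), group
        )

    def authenticate(self, username: str, password: str):
        """Return the user's group on success, None on failure.

        An unknown username and a wrong password fail identically, and the
        hash is computed either way so timing does not reveal which it was.
        """
        record = self._users.get(username.casefold())
        if record is None:
            hash_password(password, b"\x00" * 16)
            return None
        candidate = hash_password(password, record.salt)
        if not hmac.compare_digest(candidate, record.pw_hash):
            return None
        return record.group


def demo() -> dict:
    store = InternalUserStore()
    store.register("alice", "Correct-Horse-Battery-9", group="administrators")
    store.register("bob", "Print-Shop-Operator-2024", group="operators")
    try:
        store.register("carol", "short")  # rejected by the password policy
        weak_rejected = False
    except ValueError:
        weak_rejected = True
    return {
        "alice": store.authenticate("Alice", "Correct-Horse-Battery-9"),
        "bob_wrong_password": store.authenticate("bob", "wrong-password"),
        "unknown_user": store.authenticate("dave", "Correct-Horse-Battery-9"),
        "weak_rejected": weak_rejected,
    }
```

Calling `demo()` registers two accounts, rejects a weak password at registration, and shows that only the correct username and password pair returns a group; both an unknown user and a wrong password return `None` without revealing which one failed.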
Active Directory Authentication (available as a licensed option and in two different modes):
● Active Directory Authentication for Single Entities
● Active Directory with Federated Services Authentication for Multiple Entities
To use the Active Directory Authentication option, you must obtain a license for the integration option Authentication Pkg: LDAP and Login Bypass (if the option is licensed, the item will be activated on the License page). For more information see Licensing.
Active Directory Authentication authenticates users who attempt to log into your site against an authoritative directory on a trusted Active Directory server and then assigns appropriate access and permissions and shares user information with the trusted server, for example, for single sign-on (SSO). Active Directory Authentication in MarketDirect StoreFront is offered in two modes: Site-Level Active Directory Authentication and Active Directory Services with Federated Identity Services for site and/or company level authentication.
This authentication method supports single sign-on (SSO) and user profile mapping to Active Directory attributes. In SSO, a user who logs into one system (say a university network) can access another associated system (such as MarketDirect StoreFront) without having to log into each system separately and at the same time ensuring all user information is synchronized through the use of user profile field mapping.
Site-Level Active Directory Authentication: Single Sign-On (SSO) Active Directory for Single Entities
For ePS-hosted (Cloud) sites, please refer to Active Directory Services with Federated Identity Services (described below).
In Site-Level Active Directory Authentication, MarketDirect StoreFront communicates with an enterprise-wide Active Directory (AD) server (in the same domain/network as the MarketDirect StoreFront server) that contains a directory of user information and associated privileges. When users log into MarketDirect StoreFront, their credentials are authenticated against the AD server, which in turn will communicate information on the user to MarketDirect StoreFront. This method requires that MarketDirect StoreFront be located on the AD domain.
Ideal for: Self-hosted (standalone) sites that want to provide users with single sign-on (SSO) capabilities and when authentication will be at the site level and against a single Active Directory server in the same network as the MarketDirect StoreFront server. That is, all users belong to the same organization and use the same active directory. Example: A university Print Shop that wants student, staff, and faculty members of the university to access the Print Shop's site with their university network login credentials (SSO).
Site setup required: For the steps to set up Active Directory Authentication at the site level using active directory authentication for same-network environments, see Site-Level Active Directory Authentication.
Important: In ePS-hosted (Cloud) or self-hosted (standalone) environments, you must set up Active Directory Federation Service to use Federated Identity Service authentication. ePS will not assist with setup nor support your AD FS setup or configuration. For more information, contact Microsoft.
Active Directory Services with Federated Identity Services: Single Sign-On (SSO) Active Directory for Multiple Entities
This option is available for both ePS-hosted (Cloud) environments and self-hosted (standalone) environments.
This option is not supported with PrintMessenger.
In Active Directory Services with Federated Identity Services, MarketDirect StoreFront communicates with one or more Active Directory Federation Servers (AD FS) that contain a directory of user information and associated privileges. When users log into MarketDirect StoreFront through, for instance, a company-branded URL, their credentials are authenticated against the appropriate Active Directory Federation Server, which in turn will communicate information on the user to MarketDirect StoreFront.
Ideal for: ePS-hosted (Cloud) sites that want to provide users with single sign-on (SSO) capabilities and authentication at the company level, with each company pointed to its own Active Directory Federation Server (AD FS). Example: A commercial printer that services multiple organizations (e.g., 20 accounts) where each company will have its own single sign-on active directory. In this model, each company can have its own Active Directory server against which to authenticate company users.
Site setup required: For the steps to set up Active Directory Authentication for ePS-hosted (Cloud) or self-hosted (standalone) environments for cross-network authentication, see Active Directory Services with Federated Identity Services.
The following decision tree may help you decide which authentication method will best suit the needs of your organization.
Note: If you are not using user authentication services, make sure the box Use Directory Service Authentication on the Site Settings | Authentication tab is unchecked.
Important: Login Bypass functionality is intended to be used only by advanced users who are proficient in working with Web applications or for sites that have an IT staff capable of configuring and managing it.
To use Login Bypass you must obtain a license for the integration option Authentication Pkg: LDAP and Login Bypass (if the option is licensed, the item will be activated on the License page). For more information see Licensing.
Login Bypass allows different Web sites to redirect to MarketDirect StoreFront without the need for users to log in manually. A token and password are sent via a POST request to the MarketDirect StoreFront server.
Ideal for: Customers without a centralized authentication server such as Active Directory but with multiple websites.
Site setup required: Changes must be made to the external Web sites to integrate a POST form to Digital StoreFront; administrators manage the user tokens in MarketDirect StoreFront.
In this section you will specify the method of user authentication you want to use on your site.
To use Login Bypass, see Login Bypass.
In this section, you will select the authentication method you want to use for your site.
1 Which authentication method to use for User Name and Password login form?
● MarketDirect StoreFront Internal Authentication: Select this option if you want to use MarketDirect StoreFront's standard forms authentication (described in the previous section), which requires registered users to log in with a valid username and password combination.
● Directory Services Authentication: Select this option if you want to use Active Directory Authentication (site-level or with Federated Identity Services) as described in the previous section.
2 Which SSO strategy to use for Single Sign-on button or forced SSO?
If you selected MarketDirect StoreFront Internal Authentication, you should select the No Single Sign-on option in this section and then click Save.
● No Single Sign-on: Select this option if you do not want to use single sign-on (SSO), which enables users who are logged into other associated systems to log into MarketDirect StoreFront without having to enter their username and password.
● Directory Services SSO: Select this option if you are a self-hosted customer who is using Site-Level Active Directory Authentication and want to use single sign-on (SSO).
Then click Directory Services Authentication in the Authentication Method Configuration section below.
● Federated SSO: Select this option if you are using Active Directory Services with Federated Identity Services Authentication and want to use single sign-on (SSO).
Then click Federated SSO in the Authentication Method Configuration section below.
3 Force SSO for any user entering this site: Check this box if you want to force all users accessing the site to do so via SSO (i.e., already be duly logged into an associated system).
You can override this force SSO setting on a per-company basis when users access the site via a company-branded URL. Use the following link to login as administrator when the forced SSO option is enabled: ~/Admin/SSOLoginBypass.aspx
4 Click Save.
If you selected MarketDirect StoreFront Internal Authentication, you are finished. If you selected Directory Services Authentication, proceed to the next section, "Authentication Method Configuration."
In this section, you access the page to configure your selected Directory Services Authentication option.
● Directory Services Authentication: Select this option if you are a self-hosted customer and want to use Active Directory user authentication at the site level. Then follow the setup instructions in Site-Level Active Directory Authentication.
● Federated SSO: Select this option if you are an ePS-hosted (Cloud) customer who wants to use active directory authentication or a self-hosted (standalone) customer who wants to use active directory user authentication (using Federated Identity Services) at the company level. Then follow the setup instructions in Active Directory Services with Federated Identity Services.
MarketDirect StoreFront supports the widely-used Active Directory type of LDAP.
● Automatically creates a MarketDirect StoreFront user account when a user first logs in to MarketDirect StoreFront via LDAP.
● When users log into MarketDirect StoreFront, LDAP authentication verifies their user name and password against the LDAP server to verify they are valid users.
● LDAP authentication prevents users who were deleted or made inactive in the LDAP user database from logging into MarketDirect StoreFront.
● LDAP authentication prevents users who were deleted or made inactive in the LDAP user database from creating a new user profile.
● Automatically updates the MarketDirect StoreFront user profile fields to match users' directory service profile as soon as the LDAP user with changed profile information logs into MarketDirect StoreFront. (For example, if an LDAP user's address has changed, the user's address will be updated in the MarketDirect StoreFront user profile).
● LDAP authentication automatically associates the user with the correct company and department.
● LDAP authentication can handle multiple domains: MarketDirect StoreFront queries the LDAP server for available domains and presents them in a pull-down list on the Login block on the storefront.
Users can still register manually when LDAP is enabled. The manually created user profile will not, however, be authenticated against LDAP.
What Is Required to Implement LDAP Authentication?
To implement LDAP authentication:
● You must be licensed for authentication. (The integration option Authentication Pkg: LDAP and Login Bypass must be selected on the License page in MarketDirect StoreFront.)
● You must be using an LDAP compliant server for managing user information.
● MarketDirect StoreFront must be customer-hosted (not in the cloud, hosted by ePS).
● MarketDirect StoreFront must be configured for LDAP (as described in online Help).
● The LDAP server must give access rights to the server on which MarketDirect StoreFront is located.
● The MarketDirect StoreFront server must be part of the user's domain.
● Authenticates both username and password against an Active Directory
● Requires the Domain Name or IP Address of the LDAP Server
● Requires a valid Base DN
● Requires the MarketDirect StoreFront server to be in the Domain
LDAP features are configured in the LDAP setup section on the Administration > Site Settings > Authentication page.
A typical example would be the domain myuniversity.com with the LDAP user name Mike and the password Test.
EFI Professional Services can be contracted to create a customized synchronization with your Active Directory or LDAP (one that goes beyond the abilities of the Authentication Package available for MarketDirect StoreFront). This requires the Authentication Package and a Scope of Work from ePS Professional Services. ePS Professional Services can perform the following customized synchronizations.
● Use Case: Customer wants to use User Name for login.
● When a user is logged in on a Windows system via Windows authentication, MarketDirect StoreFront provides the option to automatically log the user in to MarketDirect StoreFront the moment the user browses to the MarketDirect StoreFront web application. This is called MarketDirect StoreFront SSO.
● Via LDAP Login
● When users log in to MarketDirect StoreFront via LDAP for the first time, their user accounts (profiles) are automatically created in MarketDirect StoreFront with their directory service user profile fields mapped to MarketDirect StoreFront user profile fields. The LDAP user information is copied into the MarketDirect StoreFront user profile fields (according to the mapping).
● User provides a username and password to MarketDirect StoreFront.
● MarketDirect StoreFront does an LDAP search for all objects where cn=USERNAME, and LDAP verifies that the supplied password is correct.
● Active Directory Services with Federated Identity Services
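The LDAP login flow just outlined (search for cn=USERNAME, let the directory verify the password, create the local profile on first login and refresh the mapped profile fields on every login, refuse users made inactive in the directory) as an added example, not MarketDirect StoreFront's own code. It runs against a constructed in-memory stand-in for the trusted Active Directory server so that it executes offline; the stub server API, the attribute-to-field mapping and the sample entries are assumptions made for the example, while the domain and the Mike/Test credentials are the ones this page uses as its example. It also escapes the username before building the search filter, the check a practitioner would want wherever user input is placed into an LDAP filter.

```python
# Added example (not MarketDirect StoreFront code): the LDAP login flow described
# above, run against a constructed in-memory stand-in for the trusted Active
# Directory server. The stub API, the attribute-to-field mapping and the sample
# entries are assumptions; the cn=USERNAME lookup, the inactive-account rule and
# the profile sync on each login are the behaviours the text describes.
import copy
import hmac

# Bit that Active Directory sets in userAccountControl for a disabled account.
ACCOUNTDISABLE = 0x0002

# Directory attribute -> local profile field (assumption; configured per site in practice).
PROFILE_FIELD_MAP = {"mail": "email", "streetAddress": "address", "department": "department"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515), so that
    '*' or parentheses in a username are compared literally rather than parsed."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


class StubLdapServer:
    """Stand-in directory: {domain: {DN: attributes}}. '_password' exists only so
    the stub can answer a bind; a real directory checks the bind itself."""

    def __init__(self, directory: dict):
        self.directory = directory

    def domains(self) -> list[str]:
        # What a multi-domain deployment offers in the login block's pull-down list.
        return sorted(self.directory)

    def search(self, domain: str, ldap_filter: str) -> list[tuple[str, dict]]:
        # The stub understands only the equality filter "(cn=VALUE)".
        if not (ldap_filter.startswith("(cn=") and ldap_filter.endswith(")")):
            raise ValueError("stub supports only (cn=VALUE) filters")
        wanted = ldap_filter[4:-1].casefold()
        return [(dn, attrs) for dn, attrs in self.directory.get(domain, {}).items()
                if escape_filter_value(attrs["cn"]).casefold() == wanted]

    def bind(self, domain: str, dn: str, password: str) -> bool:
        entry = self.directory.get(domain, {}).get(dn)
        return entry is not None and hmac.compare_digest(entry["_password"], password)


def ldap_login(server, domain, username, password, local_profiles):
    """Authenticate one login attempt and sync the local profile.
    Returns (status, profile); status is "ok", "unknown_user", "disabled" or "bad_password"."""
    # 1. Search for objects where cn=USERNAME, with the username escaped.
    matches = server.search(domain, f"(cn={escape_filter_value(username)})")
    if len(matches) != 1:
        return "unknown_user", None  # deleted users simply no longer match
    dn, attrs = matches[0]
    # 2. Users made inactive in the directory still match but must be refused.
    if attrs.get("userAccountControl", 0) & ACCOUNTDISABLE:
        return "disabled", None
    # 3. The directory verifies the supplied password via a bind as that DN.
    if not server.bind(domain, dn, password):
        return "bad_password", None
    # 4. Create the local profile on first login; refresh mapped fields on every login.
    key = (domain, username.casefold())
    profile = local_profiles.setdefault(key, {"username": attrs["cn"], "domain": domain})
    for attr, field in PROFILE_FIELD_MAP.items():
        if attr in attrs:
            profile[field] = attrs[attr]
    return "ok", profile


# Constructed sample directory (domain and Mike/Test taken from the page's example).
SAMPLE_DIRECTORY = {
    "myuniversity.com": {
        "CN=Mike,OU=Staff,DC=myuniversity,DC=com": {
            "cn": "Mike", "mail": "mike@myuniversity.com", "streetAddress": "1 Campus Way",
            "department": "Print Shop", "userAccountControl": 0x0200, "_password": "Test",
        },
        "CN=Dana,OU=Alumni,DC=myuniversity,DC=com": {
            "cn": "Dana", "mail": "dana@myuniversity.com",
            "userAccountControl": 0x0200 | ACCOUNTDISABLE, "_password": "Test",  # made inactive
        },
    },
}


def demo() -> dict:
    directory = copy.deepcopy(SAMPLE_DIRECTORY)
    server = StubLdapServer(directory)
    profiles = {}
    domain = server.domains()[0]
    first = ldap_login(server, domain, "Mike", "Test", profiles)
    # The directory record changes; the next login refreshes the local profile.
    directory[domain]["CN=Mike,OU=Staff,DC=myuniversity,DC=com"]["streetAddress"] = "2 Campus Way"
    second = ldap_login(server, domain, "mike", "Test", profiles)
    return {
        "first": first[0],
        "address_after_sync": second[1]["address"],
        "wrong_password": ldap_login(server, domain, "Mike", "Wrong", profiles)[0],
        "inactive": ldap_login(server, domain, "Dana", "Test", profiles)[0],
        "wildcard": ldap_login(server, domain, "*", "Test", profiles)[0],
        "profile_count": len(profiles),
    }
```

`demo()` walks through the cases the feature list above describes: a first login that creates the profile, a second login that picks up a changed address, a wrong password refused by the bind, an inactive account refused before any bind, and a username of `*` that, because it is escaped, matches no entry instead of every entry. The profile count stays at one because the lookup is case-insensitive, as `cn` is in Active Directory.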