A user authentication method refers to the system a web site or network relies on to restrict access to authorized users. The system offers administrators several main options for authenticating users:
(1) Forms Authentication (the system default)
(2) Active Directory Authentication (available as a licensed option and in two different modes):
● Active Directory Authentication
● Active Directory with Federated Services Authentication
(3) Login Bypass
These methods enable you to set up your MarketDirect StoreFront-powered site. Let's examine each of these methods:
MarketDirect StoreFront Internal Authentication
Note: This option is the default user authentication method in MarketDirect StoreFront (i.e., users log into your site by entering a valid registered username and password).
Internal Authentication is the default "built-in" user authentication method in MarketDirect StoreFront that requires users to enter a valid username and password on the login screen to log into your site. This is the most common user authentication method, known as "forms" authentication, in which the user-entered username and password pair is authenticated against an internal list to grant the appropriate access and permissions (e.g., which group the user belongs to, such as "administrators", "operators", or "everyone"). Users log into the site via the login block on the site home page. Enforcement of strong passwords is supported.
Ideal for: Sites that do not need to share information on MarketDirect StoreFront users with another system or provide users with single sign-on (SSO) capabilities. Each user will be required to enter a valid username and password (i.e., associated with a registered account) to log into the site.
Site setup required: None.
Note: To use the Active Directory Authentication option, you must obtain a license for the integration option Authentication Pkg: LDAP and Login Bypass (if the option is licensed, the item will be activated on the License page). For more information see Licensing.
Active Directory Authentication authenticates users who attempt to log into your site against an authoritative directory on a trusted Active Directory server and then assigns appropriate access and permissions and shares user information with the trusted server, for example, for single sign-on (SSO). Active Directory Authentication in MarketDirect StoreFront is offered in two modes: Site-Level Active Directory Authentication and Active Directory Services with Federated Identity Services for site and/or company level authentication.
This authentication method supports single sign-on (SSO) and mapping of user profile fields to Active Directory attributes. With SSO, a user who has already logged into one system (say, a university network) can access an associated system (such as MarketDirect StoreFront) without logging in again; user profile field mapping keeps the user's information in MarketDirect StoreFront synchronized with the directory.
Site-Level Active Directory Authentication: Single Sign-On (SSO) Active Directory for Single Entities
Note: For EFI-hosted (Cloud) sites, please refer to Active Directory Services with Federated Identity Services (described below).
In Site-Level Active Directory Authentication, MarketDirect StoreFront communicates with an enterprise-wide Active Directory (AD) server (in the same domain/network as the MarketDirect StoreFront server) that contains a directory of user information and associated privileges. When users log into MarketDirect StoreFront, their credentials are authenticated against the AD server, which in turn communicates information on the user to MarketDirect StoreFront. This method requires that the MarketDirect StoreFront server be a member of the AD domain.
Ideal for: Self-hosted (standalone) sites that want to provide users with single sign-on (SSO) capabilities, where authentication is at the site level and against a single Active Directory server in the same network as the MarketDirect StoreFront server. That is, all users belong to the same organization and use the same Active Directory. Example: A university Print Shop that wants student, staff, and faculty members of the university to access the Print Shop's site with their university network login credentials (SSO).
Site setup required: For the steps to set up Active Directory Authentication at the site level in a same-network environment, see Site-Level Active Directory Authentication.
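Before enabling Site-Level Active Directory Authentication it is worth confirming, on the MarketDirect StoreFront server itself, that the two preconditions the section above relies on actually hold: the server is joined to the domain, and a directory lookup of a test user returns the attributes you intend to map to profile fields. The PowerShell below is an added example written for this page; it is not part of MarketDirect StoreFront and does not reproduce how the product queries the directory. The domain is whatever the server is joined to, and the login name jdoe is an assumed test account.

```powershell
# Added example, not MarketDirect StoreFront code: pre-flight checks for
# Site-Level Active Directory Authentication, run on the storefront server.
# Assumptions: the server is domain-joined; 'jdoe' is a test login you replace.

# 1. The storefront server must be a member of the domain it will authenticate against.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
"Joined domain: $($domain.Name)"
if (-not (Test-ComputerSecureChannel)) {
    throw "Machine secure channel to $($domain.Name) is broken; run Test-ComputerSecureChannel -Repair"
}

# 2. Bind with a signed and sealed (Kerberos/NTLM) connection rather than a simple
#    bind, so neither the bind credentials nor the query results cross the network
#    in clear text. $null user/password means the current machine/user context.
$authFlags = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
             [System.DirectoryServices.AuthenticationTypes]::Signing -bor
             [System.DirectoryServices.AuthenticationTypes]::Sealing
$root = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$($domain.Name)", $null, $null, $authFlags)
$null = $root.NativeObject   # forces the bind now; throws if it fails

# 3. Escape anything user-supplied before it goes into an LDAP filter (RFC 4515).
#    Without this a login name such as '*)(objectClass=*' rewrites the filter.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

# Helper: first value of a multi-valued result attribute, or $null if absent.
function Get-AttrValue {
    param($Result, [string]$Name)
    @($Result.Properties[$Name]) | Select-Object -First 1
}

# 4. Look up the attributes a storefront profile is typically mapped from, so you
#    can confirm they are populated before you configure profile field mapping.
$login = 'jdoe'   # assumed test login name
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $login)))"
$searcher.PropertiesToLoad.AddRange(
    [string[]]@('sAMAccountName','mail','givenName','sn','memberOf','userAccountControl'))
$result = $searcher.FindOne()
if (-not $result) { throw "No user '$login' found in $($domain.Name)" }

# userAccountControl bit 0x2 is ACCOUNTDISABLE; a disabled account must not be
# able to log into the storefront even though the directory still lists it.
$uac = [int](Get-AttrValue $result 'userAccountControl')
[pscustomobject]@{
    Login     = Get-AttrValue $result 'sAMAccountName'
    Mail      = Get-AttrValue $result 'mail'
    FirstName = Get-AttrValue $result 'givenName'
    LastName  = Get-AttrValue $result 'sn'
    Disabled  = [bool]($uac -band 0x2)
    Groups    = @($result.Properties['memberOf'])   # direct memberships only
}
```

Run it in an elevated PowerShell session on the storefront server. A thrown error at step 1 or 2 means the server is not in a position to authenticate against the directory at all; an empty Mail, FirstName or LastName at step 4 means profile field mapping will produce blank profile fields for that user. memberOf lists only direct group memberships, so if your access decisions rely on nested groups, check those separately.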
Active Directory Services with Federated Identity Services: Single Sign-On (SSO) Active Directory for Multiple Entities
Important Note: In EFI-hosted (Cloud) or self-hosted (standalone) environments, you must set up Active Directory Federation Service to use Federated Identity Service authentication. EFI will not assist with setup nor support your AD FS setup or configuration. For more information, contact Microsoft.
Note: This option is available for both EFI-hosted (Cloud) environments and self-hosted (standalone) environments.
Note: This option is supported only for SmartStore storefronts (not for classic storefronts). This option is not supported with PrintMessenger.
In Active Directory Services with Federated Identity Services, MarketDirect StoreFront communicates with one or more Active Directory Federation Servers (AD FS) that contain a directory of user information and associated privileges. When users log into MarketDirect StoreFront through, for instance, a company-branded URL, their credentials are authenticated against the appropriate Active Directory Federation Server, which in turn communicates information on the user to MarketDirect StoreFront.
Ideal for: EFI-hosted (Cloud) sites that want to provide users with single sign-on (SSO) capabilities and authentication at the company level, with each company pointed to its own Active Directory Federation Server (AD FS). Example: A commercial printer that services multiple organizations (e.g., 20 accounts), each with its own single sign-on Active Directory. In this model, each company can have its own Active Directory server against which to authenticate company users.
Site setup required: For the steps to set up Active Directory Authentication for EFI-hosted (Cloud) or self-hosted (standalone) environments for cross-network authentication, see Active Directory Services with Federated Identity Services.
Important Note: Login Bypass functionality is intended to be used only by advanced users who are proficient in working with Web applications or for sites that have an IT staff capable of configuring and managing it.
Note: To use Login Bypass you must obtain a license for the integration option Authentication Pkg: LDAP and Login Bypass (if the option is licensed, the item will be activated on the License page). For more information see Licensing.
Login Bypass allows other Web sites to redirect users to MarketDirect StoreFront without requiring them to log in manually. A token and password are sent via a POST request to the MarketDirect StoreFront server. Because that token and password establish a logged-in session on their own, treat them as credentials: send the POST only over HTTPS and manage the user tokens as carefully as you would passwords.
Ideal for: Customers without a centralized authentication server such as Active Directory but with multiple websites.
Site setup required: Changes must be made to the external Web sites to integrate a POST form that submits to MarketDirect StoreFront, and administrators must manage the user tokens in MarketDirect StoreFront.
The following decision tree may help you decide which authentication method will best suit the needs of your organization.
Note: If you are not using directory authentication services, make sure the box Use Directory Service Authentication on the Site Settings | Authentication tab is unchecked.
In this section, you will select the authentication method you want to use for your site.
Note: To use Login Bypass, see Login Bypass.
1. Which authentication method to use for the User Name and Password login form?
● [System Name] Internal Authentication: Select this option if you want to use the system's standard forms authentication (described in the previous section) that requires registered users to login with a valid username and password combination.
● Directory Services Authentication: Select this option if you want to use Active Directory Authentication (site-level or with Federated Identity Services) as described in the previous section.
2. Which SSO strategy to use for Single Sign-on button or forced SSO?
Note: If you selected Internal Authentication, you should select the No Single Sign-on option in this section and then click Save.
● No Single Sign-on: Select this option if you do not want to use single sign-on (SSO), which enables users who are logged into other associated systems to log into your site without having to enter their username and password.
● Directory Services SSO: Select this option if you are a self-hosted customer who is using Site-Level Active Directory Authentication and want to use single sign-on (SSO).
Note: Then click Directory Services Authentication in the Authentication Method Configuration section below.
● Federated SSO: Select this option if you are using Active Directory Services with Federated Identity Services Authentication and want to use single sign-on (SSO).
Note: Then click Federated SSO in the Authentication Method Configuration section below.
3. Force SSO for any user entering this site: Check this box if you want to force all users accessing the site to do so via SSO (i.e., already be duly logged into an associated system).
Note: You can override this force SSO setting on a per-company basis when users access the site via a company-branded URL. Use the following link to log in as administrator when the forced SSO option is enabled: ~/Admin/SSOLoginBypass.aspx. Because this page accepts an administrator username and password while every other user is forced through SSO, protect it as you would any administrative login: use strong administrator passwords and review administrator logins through it.
4. Click Save.
Note: If you selected Internal Authentication, you are finished. If you selected Directory Services Authentication, proceed to the next section, "Authentication Method Configuration."
In this section, you access the page to configure your selected Directory Services Authentication option.
● Directory Services Authentication: Select this option if you are a self-hosted customer and want to use Active Directory user authentication at the site level. Then follow the setup instructions in Site-Level Active Directory Authentication.
● Federated SSO: Select this option if you are an EFI-hosted (Cloud) customer who wants to use Active Directory authentication, or a self-hosted (standalone) customer who wants to use Active Directory user authentication (using Federated Identity Services) at the company level. Then follow the setup instructions in Active Directory Services with Federated Identity Services.
● Active Directory Services with Federated Identity Services