Question

Participant Users from other AD orgs

asked on March 27

We have a unique situation where we are the consortium for a bunch of work groups who have their own Laserfiche servers. We only have one entity that owns all the licenses and one LFDS server. We've purchased a big pack of Participant users and we want to be able to use those users across all our other entities with all our other Laserfiche servers, but all of these entities have their own Laserfiche servers and their own Active Directory servers and domains that they use to access these Laserfiche servers.

We were told at one point in the past that we can create "domain trusts" with these other AD servers and then use specific security groups in their AD server to tell LFDS to issue Participant licenses to just those users, but we and our VAR are unclear on how to make this work. Has anyone successfully issued and used Participant licenses across different domains?


Replies

replied on March 27

We issue Participant licenses across different domains all the time using LFDS. We have 10 different domains and 2 Okta SAML identity providers in LFDS.

The domain that LFDS is installed on must have a trust between it and the other domains so it can query Active Directory accounts. The user that runs the LFDS services and IIS application pool will also need permissions to query the other domains.

Creating trusts between domains should be done by a domain administrator.

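The two prerequisites in the reply above (a trust from the LFDS domain to each member domain, and a service account that can query those domains) can be checked from the LFDS host before involving the VAR. The script below is an added example and is not from the thread or from Laserfiche; the domain name, the group name and the service account are assumptions. Run it in a PowerShell session started as the account that runs the LFDS services and the IIS application pool (for example via `runas /user:LFDOMAIN\svc_lfds powershell.exe`), because that is the security context in which LFDS will perform the same lookups.

```powershell
# Added example (not from the thread or from Laserfiche): verify from the LFDS host that
# the trust exists and that the account running LFDS can enumerate the partner group.
# The partner domain, the group name and the service account are assumptions.
Import-Module ActiveDirectory

$partnerDomain = 'workgroup1.example'       # assumed: a member org's AD domain
$partnerGroup  = 'LFDS-Participant-Users'   # assumed: the group whose members get Participant licenses

# 1. Is there a trust object on the LFDS domain that points at the partner domain?
$trust = Get-ADTrust -Filter "Target -eq '$partnerDomain'"
if (-not $trust) { throw "No trust to $partnerDomain exists on this domain." }
$trust | Select-Object Name, Direction, TrustType, ForestTransitive,
                       SelectiveAuthentication, SIDFilteringQuarantined | Format-List

# 2. Can this session locate and reach a domain controller (with AD Web Services) in the partner domain?
$dc = Get-ADDomainController -DomainName $partnerDomain -Discover -Service ADWS
$dcHost = $dc.HostName[0]
"Using partner DC $dcHost"

# 3. Can it read the group and resolve the members? This is the query LFDS itself has to make
#    when it issues licenses to the members of a trusted-domain security group.
$members = Get-ADGroupMember -Identity $partnerGroup -Server $dcHost -Recursive |
           Where-Object { $_.objectClass -eq 'user' } |
           Get-ADUser -Server $dcHost -Properties mail |
           Select-Object SamAccountName, UserPrincipalName, mail

$members | Format-Table -AutoSize
"{0} users in {1}\{2} are visible to this account." -f @($members).Count, $partnerDomain, $partnerGroup
```

If step 1 succeeds but step 3 fails with an access or authentication error, the usual causes are that the trust was created with selective authentication (the service account then needs the "Allowed to Authenticate" right on the partner's domain controllers) or that the partner domain's DNS zone does not resolve from the LFDS host. A `Direction` of `Inbound` or `Outbound` rather than `BiDirectional` is also worth confirming against what the domain administrators intended, since the direction decides which side's accounts can be looked up from which.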
replied on March 27

Thanks Blake, for some reason our domain admin has had issues creating domain trusts to our other AD environments. Do you have a set of instructions you've used? I'm wondering if there is a version mismatch with the instructions my admin has been using to try to create the trusts.

replied on March 27

I wouldn't say there are really step-by-step instructions, as there are several things that need to be evaluated when setting up trusts between domains. Is each domain just using Windows Server Active Directory servers, or are they using Azure AD? Can the domains talk to each other? What DNS forwarding needs to be configured between the domains? Do secondary DNS zones need to be configured? What type of trust should be configured between the two domains?

I would recommend hiring someone to consult on what the best options would be for your organization.

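The questions in the reply above (can the domains talk, what DNS forwarding is needed, what kind of trust) map onto a small set of checks a domain administrator can run before and after creating the trust. The script below is an added example, not from the thread or from Laserfiche, and it assumes a plain on-premises pair of Active Directory domains; the domain names, the partner DNS server address and the choice of a conditional forwarder are assumptions. Run it on a domain controller or DNS server in the LFDS domain; the partner organisation has to run the equivalent on their side.

```powershell
# Added example (not from the thread or from Laserfiche): pre-flight and post-creation checks
# for a trust between the LFDS domain and one member org's domain. Names and addresses are assumed.
$localDomain   = 'consortium.example'   # assumed: domain where LFDS is installed
$partnerDomain = 'workgroup1.example'   # assumed: a member org's AD domain
$partnerDns    = '10.20.0.10'           # assumed: a DNS server (usually a DC) in the partner domain

# 1. Name resolution. Each side must resolve the other's AD zone, including the _msdcs SRV records.
#    A conditional forwarder on the local DNS servers is the common answer (DnsServer module,
#    run on a DNS server). Secondary zones are an alternative the reply mentions; pick one.
if (-not (Get-DnsServerZone -Name $partnerDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $partnerDomain -MasterServers $partnerDns -ReplicationScope 'Forest'
}
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$partnerDomain" -Type SRV   # must return the partner's DCs

# 2. Network reachability. The trust and later LFDS lookups need the partner DCs on the AD ports.
#    The list below is the usual minimum for a trust (DNS, Kerberos, RPC mapper, LDAP, SMB, kpasswd, LDAPS).
foreach ($port in 53, 88, 135, 389, 445, 464, 636) {
    $open = Test-NetConnection -ComputerName $partnerDomain -Port $port -InformationLevel Quiet
    "{0}/tcp {1}" -f $port, $(if ($open) { 'open' } else { 'BLOCKED' })
}

# 3. Trust type and state. The trust itself is created by a domain administrator (Active Directory
#    Domains and Trusts, or netdom trust ... /add). Once it exists, confirm it validates from this side
#    and record what kind of trust was actually built, so the LFDS side knows what to expect.
nltest /trusted_domains
netdom trust $localDomain /Domain:$partnerDomain /Verify
Get-ADTrust -Filter "Target -eq '$partnerDomain'" |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest,
                  SelectiveAuthentication, SIDFilteringQuarantined | Format-List
```

The decisions the reply leaves to a consultant are the ones this script only reports on: whether the trust is external (domain to domain) or forest-level, whether it is one-way or two-way, and whether selective authentication is enabled so that only named accounts from the other organisation can authenticate against your servers. Those choices bound how much of each organisation's directory the other can see, which is the security concern raised later in the thread.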
replied on March 27

Thanks for all the quick feedback Blake, we'll reach out to some options.
Out of curiosity, you said you linked Participant users via Okta SAML. We are in the middle of trying to get Google SAML to work as an authentication option for our own LF server. If we can get that working, would it be possible to create SAML identity providers for the other orgs using their Google domains, and hand out Participant licenses from groups in their Google environment instead of using AD? I think they are all running Google domains too. This would have the benefit of avoiding any of the security concerns with setting up domain trusts with other AD servers at these other orgs.

replied on March 27

I personally have not configured a Google domain with LFDS, but LFDS supports SAML 2.0, so if Google supports that you should be able to get it to work. You might create a new post in Answers specifically about using Google domains as a SAML provider with LFDS and see if anyone else in the community has successfully done it.
