Discussion

Clarification on Participant Users showing in DS server instead of Forms

posted on March 6, 2020

Want to clarify this for certain. If I see my Participant Licenses shown in this way, listed in the DS server instead of in Forms, there is additional configuration needed before I can apply them?

Is there no way to transfer these to Forms and the repository directly, like we do with Named User Licensing? I can't find any option when adding an application in DS to push these out.

If there is additional configuration required, is it documented?

Searching fancy terms like SSO, STS, SAML, and Directory Server auth only gets scattered results.

0 0
replied on March 9, 2020

To utilize subscription user licenses, you must assign these licenses to users within LFDS. This requires enabling LFDS authentication for your end applications. You can find our whitepaper on enabling Directory Server authentication (which SSO comes along with) here: https://support.laserfiche.com/resources/3878/configuring-single-sign-on-for-laserfiche-web-products

0 0
replied on March 9, 2020

Is there documentation on how to perform the following steps?

When turning on the alternate STS, the configuration utility prompts for a certificate. This certificate does not have to be the same certificate used for IIS SSL bindings. The certificate for the alternative service is used only for validating the WCF connection between the various client applications and the Directory Server service. See the following list of requirements for the certificate:

• The certificate subject name must match the Directory Server host name configured in the Directory Server's Endpoint Configuration Utility (XmlEndpointUtility.exe).

• The certificate must be allowed for server authentication and client authentication purposes (i.e., have the Server Authentication and Client Authentication application policies).

• The certificate must have a private key.

• The Directory Server service user must have Read access to the private key.

• The certificate must be able to pass chain trust validation (i.e., the issuer chain list must contain at least one issuer in the machine's root trusted store).

0 0
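
One way to check a candidate certificate against the five requirements quoted in the reply above, as an added PowerShell example that is not part of the thread or of Laserfiche's documentation. The thumbprint, host name and service account are placeholders, and the script assumes an RSA key and a certificate in the LocalMachine\My store.

```powershell
# Placeholder values (assumptions): replace with your own before running.
$Thumbprint     = '<CERT-THUMBPRINT>'   # certificate chosen for the alternate STS
$DsHostName     = 'lfds.example.com'    # host name set in XmlEndpointUtility.exe
$ServiceAccount = 'EXAMPLE\svc-lfds'    # account the Directory Server service runs as
$x509 = 'System.Security.Cryptography.X509Certificates'

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

# 1. Subject name must match the Directory Server host name.
$subjectOk = $cert.GetNameInfo(([type]"$x509.X509NameType")::SimpleName, $false) -eq $DsHostName

# 2. Server Authentication and Client Authentication must both be listed.
#    A certificate with no EKU extension is reported as failing here.
$ekuOids = @($cert.Extensions |
    Where-Object { $_ -is ([type]"$x509.X509EnhancedKeyUsageExtension") } |
    ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
$ekuOk = ($ekuOids -contains '1.3.6.1.5.5.7.3.1') -and ($ekuOids -contains '1.3.6.1.5.5.7.3.2')

# 3. The certificate must have a private key.
$keyOk = $cert.HasPrivateKey

# 4. The service account needs Read on the key file. Only ACEs that name the
#    account directly are checked, not rights granted through group membership.
$readOk = $false
if ($keyOk) {
    $rsa = ([type]"$x509.RSACertificateExtensions")::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyName = $rsa.Key.UniqueName
    } else {
        $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    $keyFile = Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -Force `
        -Filter $keyName -ErrorAction SilentlyContinue | Select-Object -First 1
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    if ($keyFile) {
        $readOk = [bool]((Get-Acl $keyFile.FullName).Access | Where-Object {
            $_.IdentityReference.Value -eq $ServiceAccount -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $read) -eq $read })
    }
}

# 5. The chain must build to a root in the machine's trusted store.
$chain = New-Object "$x509.X509Chain" -ArgumentList $true   # $true = machine context
$chainOk = $chain.Build($cert)

$results = [ordered]@{ 'Subject matches DS host name' = $subjectOk; 'Server + Client Auth EKU' = $ekuOk
    'Has private key' = $keyOk; 'Service account can read key' = $readOk; 'Chain trust' = $chainOk }
$results.GetEnumerator() | ForEach-Object { [pscustomobject]@{ Requirement = $_.Key; Pass = $_.Value } }
$chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() }
```

Run it in an elevated session on the Directory Server machine, since reading the machine key ACL requires administrative rights.
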
replied on March 6, 2020

You need to assign the licenses to a user either by syncing an identity provider in LFDS and assigning the license to the group (I use AD groups). If the users aren't in your AD, you can create a Laserfiche User in LFDS and assign them the participant license. You will also need to assign them to an LFDS group that you create, which will be one of the groups that has access to Forms (set up on the User Authentication tab in the formsconfig page).

For the repository - add the LFDS group within the Laserfiche Directory Accounts node in your Administration console under Users and Groups.

 

0 0
replied on March 6, 2020

This is only available if we re-configure Forms and Web client to use Directory Server Authentication, which then also requires an installation and configuration of the STS server, correct?

0 0
replied on March 6, 2020

Yes - That's how I have my environment set up.

 

Can you create a user in the repository and assign them a Participant User License then?

 

0 0
replied on March 6, 2020

No, we are looking for concise, ordered documentation on how to set up Directory Server Authentication then. In the past, in order to do this, the config files had to be manually modified by Laserfiche support using Notepad, and extra config utilities had to be run as well.

We are looking to do this using the standard configuration pages, instead of knowing exactly how to modify the code of the default installation.

0 0
replied on March 6, 2020

Sadly that documentation doesn't exist.  

I requested months ago more documentation for LFDS and how to install and configure according to best practices.

 

 

0 0
replied on March 6, 2020

Can I ask how you were able to get enough understanding in order to get it working?

0 0
replied on March 9, 2020

The whitepaper on Forms configuration in the DMZ was updated last November to include additional details on how to modify the configuration files directly. For example, the first configuration (two Forms servers, one SQL server) has instructions for config file modification starting on page 6.

While we don't yet have a UI available, the whitepaper should include all necessary steps to modify the config files.

0 0
replied on March 9, 2020

Hi Brianna

This document doesn't match the environment I am currently working in. I am working with a 2 server environment. Repository Server, and Web Server.

If I install Directory Server on the Web Server, then I can hook up to it without an error.

If I install Directory Server on the Repository Server, I get an error, "SOAP Negotiation Failed", and no one can determine what this error means.

We have successfully hooked up Forms, Web Client, and Mobile to the repository server without issue, but trying to hook up to the Directory Server throws this error. Why should it be any different?

I do think we are missing the documentation I requested below regarding setting up a special certificate. We have our IIS certificate hooked up and working but we need to know how to configure this DS certificate.

0 0