Echoshare Enterprise 4.1 adds support for integration with Microsoft Active Directory (AD). The basic solution provides the following benefits:
- An Echoshare team may now be linked to AD.
- User accounts may be provisioned and maintained using account information from AD.
- User accounts share the account lockout policies from AD.
- Groups and group relationships are imported from AD and maintained by AD.
- User authentication is performed through the integration link to AD.
Basic Active Directory integration architecture
The link to AD goes through an Echoshare Windows Agent that is installed on one or more machines joined to the domain:
- The company creates a team in Echoshare. All employees who need to use Echoshare must have an account in the Echoshare Cloud. The company team is initially created and managed by a Team Admin (TA).
- An Echoshare Agent is installed on a computer inside the company firewall that is joined to the AD domain.
- The TA turns on AD in the Echoshare portal and selects the installed agent as an AD Integration Agent. This allows Echoshare to connect to the company AD through that agent whenever required.
The security of the solution is centered on the following aspects:
- The link between the installed agent and the Echoshare cloud is an outbound connection established from the agent to the Echoshare cloud. It is fully encrypted using 256-bit encryption and authenticated with an SSL certificate for protection against man-in-the-middle attacks.
- The Echoshare agent does not modify the AD; it only performs the following operations against it:
  - Queries the AD for users and groups based on the query criteria defined in the AD configuration in the Echoshare portal.
  - Password authentication when users log into the Echoshare company team. The authentication procedure is the same as a user's standard interactive workstation log-in, but the request is passed on to the Integration Agent and validated against AD.
- This is in addition to all the regular security aspects of the Echoshare service.
Definitions
- Team – the team that has been purchased.
- Team Admin – the person responsible for managing the team and the AD integration.
- Team Members – the regular people in the team, whether they are set up only in Echoshare or are managed through AD.
- AD Linked account – an account that exists both in the Echoshare system and in AD.
- Provisioned Account – an AD account that is created in the Echoshare system based on information imported from AD.
- Linked account – an account in Echoshare that is linked to an account in AD. It was either provisioned from AD data or matched during an AD Sync.
- Unlinked account – an account in Echoshare that is not linked to any account in AD.
- Integration Agent – an agent belonging to a Team Admin that has been designated as the integration agent through which communication with AD behind the corporate firewall takes place.
- Echoshare Password – the password for accounts that are not linked to AD. Maintained by Echoshare.
- AD Password – the password for a user maintained by AD and used for AD linked accounts, except in some non-standard situations. The AD password is only stored in AD and is validated against AD.
- AD Data cache – a cached view of AD users and groups in Echoshare. The data does NOT contain passwords, only the groups and users and their attributes.
- AD Synchronization – the process of extracting complete group and user information from AD and comparing it with, and updating, the team state in Echoshare. The AD data cache is updated as well.
Enabling / disabling AD
- When enabling AD for the first time, the AD (team) admin must set up:
  - LDAP search fields to isolate what is to be imported from AD.
  - An Integration Agent.
  - The domain name that linked accounts are authenticated against.
  - A test authentication with a domain username/password (optional).
- After AD is enabled, all team admins receive an information e-mail stating that AD has been enabled.
- When enabled and synchronized, accounts are imported from AD and matched with Echoshare accounts by e-mail address.
- All matched accounts become AD linked accounts. From then on they are authenticated through AD.
- When AD is to be disabled, all team admins receive an e-mail with a URL link. Following the link disables AD; at that point AD authentication is no longer active.
- If AD is turned off, all AD provisioned users receive a password reset mail; users can then follow the link and set a new Echoshare password.
- If AD is turned back on, all users receive a mail stating that their account is now AD managed and that they must use their AD password.
Integration Agent
- Any agent installed by a Team Admin may be selected as the Integration Agent.
- The requirement is that the agent is installed on a workstation joined to the domain that hosts the AD.
- The Integration Agent should not be installed on the domain server, because logins to the domain server are restricted to domain admins.
- The agent connects to Echoshare using the normal agent-to-service connection model, running over SSL with high encryption.
- Integration with AD goes from the agent into the Windows OS, where APIs are available for connecting to AD.
- When an agent is being used for AD integration, this is displayed in the About box of the agent.
- Multiple Integration Agents can be set up for extra redundancy and reliability:
  - The master agent is contacted first; if the connection fails, one of the other Integration Agents is contacted, chosen at random.
  - If all AD Integration Agents are off-line, the system sends the Team Admins a warning mail that the AD link is down.
  - When the AD link has been re-established, an "AD Link back up" mail is sent to all Team Admins.
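The agent selection and link-status notification described above, as an added example that is not Echoshare's code. It assumes a `probe` callable that reports whether a given agent accepts an AD request, constructed agent names and mail texts, and it sends the down/up mails once per state change rather than on every failed request during an outage.

```python
"""Added example, not Echoshare's code: integration-agent failover (master first,
then the others at random) and the 'AD link down' / 'AD link back up' mails.
Agent names, the `probe` callable and the mail wording are assumptions."""
import random
from typing import Callable, List, Optional


class AdLink:
    """Holds the link state so a mail is sent once per state change, not per failure."""

    def __init__(self, master: str, others: List[str],
                 probe: Callable[[str], bool], seed: Optional[int] = None):
        self.master = master
        self.others = list(others)
        self.probe = probe                  # True when the agent answers an AD request
        self.rng = random.Random(seed)
        self.link_up = True                 # the link was up when AD was enabled
        self.mails: List[str] = []          # constructed stand-in for mail to Team Admins

    def order(self) -> List[str]:
        """Master agent first; the remaining Integration Agents in random order."""
        rest = self.others[:]
        self.rng.shuffle(rest)
        return [self.master] + rest

    def select_agent(self) -> Optional[str]:
        """Return the first reachable agent, or None when every agent is off-line."""
        for agent in self.order():
            if self.probe(agent):
                if not self.link_up:        # link re-established: notify once
                    self.link_up = True
                    self.mails.append("AD link back up")
                return agent
        if self.link_up:                    # all agents failed: notify once
            self.link_up = False
            self.mails.append("AD link down")
        return None


def simulate() -> list:
    """Constructed outage: master goes down, then all agents, then one comes back.
    Returns the agent chosen at each step (None = AD link down) followed by the mails."""
    online = {"master-01", "agent-02", "agent-03"}
    link = AdLink("master-01", ["agent-02", "agent-03"], lambda a: a in online, seed=7)
    chosen = [link.select_agent()]          # master-01
    online.discard("master-01")
    chosen.append(link.select_agent())      # agent-02 or agent-03
    online.clear()
    chosen.append(link.select_agent())      # None, 'AD link down' mail sent
    chosen.append(link.select_agent())      # None again, no second mail
    online.add("agent-03")
    chosen.append(link.select_agent())      # agent-03, 'AD link back up' mail sent
    return chosen + link.mails
```

Keeping the notification tied to a state transition matters operationally: during a long outage every AD-linked login attempt fails, and mailing the Team Admins on each failure would bury the one "link down" message they need to act on.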
Groups
- Groups may be defined in Echoshare as well as in AD, and the two can co-exist.
- Groups imported from AD are AD Managed groups.
- If there is a name collision between an Echoshare group and an AD group, both will exist.
- Groups in AD are imported and updated on each AD Sync.
- Memberships in AD groups are updated on each AD Sync and applied to the Echoshare system, which may cause:
  - Users to be added to groups, resulting in new projects being shared with the group.
  - Users to be removed from groups, resulting in projects that were shared with the group being removed.
  - Groups to be added to or removed from groups.
- Previously imported groups are removed if they cease to exist in AD.
- Groups imported from AD may be hidden from Echoshare team members, meaning the Team Admin may decide that only a subset of AD groups is available.
- Projects may be shared with AD groups as well as Echoshare groups.
- A Team Admin cannot add or remove AD linked accounts from AD managed groups.
Accounts and passwords
- Accounts that are linked to AD (via e-mail) are managed through AD, and authentication happens through AD:
  - Full name, e-mail address, phone number and password are managed from AD. The AD Display Name maps to the Echoshare full name.
  - The e-mail address is a mandatory attribute from Echoshare's perspective. An account with an empty e-mail cannot be provisioned or linked to an Echoshare account.
- Mapping of group attributes (AD -> Echoshare):
  - Display Name -> name.
  - Description -> description.
  - E-mail -> e-mail.
- Mapping of account attributes (AD -> Echoshare):
  - Display Name -> full name.
  - E-mail -> e-mail.
  - Telephone Number -> phone number.
  - Locked/Disabled -> disabled.
- Accounts that have been locked out in AD (lockout policy, admin decision) cannot authenticate after the lockout. Their status is updated in Echoshare after the next AD Sync.
- Accounts that are not linked to AD remain unlinked and are managed and authenticated locally in Echoshare.
- If the AD link is down, accounts that are linked to AD cannot authenticate and the user gets an error when trying. Agents can still connect, as they do not use passwords to connect.
  - Once the AD link is back up, the users can authenticate again.
  - Admin users in the team receive an "AD Link down" mail with a link that allows them to set a new Echoshare password, so they can log in and fix any issues.
  - Once the AD link is back up, the admins get an "AD Link back up" mail.
AD Synchronization
- Synchronization can be run manually or automatically by a scheduled task. The Team Admin can schedule the AD Sync for any hour of the day; the sync is done every day.
- The AD Sync process may place a non-trivial CPU load on the host machine, as well as traffic overhead.
- Each AD Sync performs the following:
  - Checks the AD data cache and compares it to the live AD data:
    - If there are new accounts, these accounts are marked as "New accounts since last sync" and shown in the UI.
    - If accounts that are linked to Echoshare accounts have been deleted in AD, these accounts are marked as "Deleted account from AD" and shown in the UI. The account is not deleted from Echoshare, only deactivated and marked as described.
    - Both situations should be processed by a Team Admin in the Admin area.
  - Iterates through all defined groups, imports or removes groups and updates any existing ones. Group state consists of:
    - Group name.
    - Group members (groups or users).
  - Iterates through all accounts, imports information about new accounts and updates any existing ones. Account information includes:
    - Full name.
    - E-mail address.
    - Phone number.
- Each AD Sync operation generates a log of changes, which is visible in the AD Log view.
- New AD groups, and any changes to groups, are applied to the Echoshare system when imported from AD. This includes group memberships.
- Changes to existing provisioned/linked accounts are applied as they are imported:
  - Changes to full name, e-mail address or phone number.
  - If the AD account is locked or disabled, the linked Echoshare account is disabled as well.
    - A disabled user account cannot be logged into, and the agents attached to the account are disconnected.
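The sync steps listed above, together with the account and group attribute mapping from the Accounts and passwords section, as one added example that is not Echoshare's code. The record shapes, the GUID keys used to track AD objects between syncs, the `lockedOut` field (assumed to be computed by the agent) and the log wording are assumptions; the `userAccountControl` disable bit (0x2) is the real AD flag.

```python
"""Added example, not Echoshare's code: one AD Sync pass as this page describes it
(attribute mapping, matching by e-mail, marking new/deleted accounts, disable
propagation, AD-managed group refresh). Record shapes, guid keys, the `lockedOut`
field and the log wording are assumptions."""
from typing import List, Optional, Tuple

ACCOUNTDISABLE = 0x2  # userAccountControl bit that is set on a disabled AD account


def map_account(ad_user: dict) -> Optional[dict]:
    """AD -> Echoshare account fields; None when mail is empty (cannot provision/link)."""
    mail = (ad_user.get("mail") or "").strip().lower()
    if not mail:
        return None
    disabled = bool(ad_user.get("userAccountControl", 0) & ACCOUNTDISABLE) \
        or bool(ad_user.get("lockedOut", False))  # lockedOut: assumed computed by the agent
    return {"full_name": ad_user.get("displayName", ""), "email": mail,
            "phone": ad_user.get("telephoneNumber", ""), "disabled": disabled}


def map_group(ad_group: dict) -> dict:
    """AD -> Echoshare group fields; members are GUIDs of users or nested groups."""
    return {"name": ad_group.get("displayName", ""), "email": ad_group.get("mail", ""),
            "description": ad_group.get("description", ""),
            "members": list(ad_group.get("member", []))}


def _linked(accounts: dict, guid: str) -> Optional[dict]:
    return next((a for a in accounts.values() if a.get("linked_guid") == guid), None)


def ad_sync(cache: dict, live: dict, team: dict) -> Tuple[dict, List[str]]:
    """Compare the cached AD view with live AD data, apply the differences to `team`
    (mutated in place) and return the refreshed cache plus the change log.
    cache/live: {"users": {guid: ad_user}, "groups": {guid: ad_group}} (no passwords)
    team: {"accounts": {email: account}, "ad_groups": {guid: group}}"""
    log: List[str] = []
    accounts = team["accounts"]
    old_users, new_users = cache.get("users", {}), live["users"]

    # 1. Accounts that appeared since the last sync are flagged for the admin UI.
    for guid in new_users.keys() - old_users.keys():
        log.append(f"New account since last sync: {new_users[guid].get('mail', '')}")

    # 2. Accounts deleted in AD: the linked Echoshare account is deactivated, never deleted.
    for guid in old_users.keys() - new_users.keys():
        acct = _linked(accounts, guid)
        if acct is not None:
            acct["disabled"], acct["flag"] = True, "Deleted account from AD"
            log.append(f"Deleted account from AD: {acct['email']} deactivated")

    # 3. Provision new accounts, link existing ones by e-mail, apply attribute changes.
    for guid, ad_user in new_users.items():
        mapped = map_account(ad_user)
        if mapped is None:
            log.append(f"Skipped {guid}: empty e-mail, cannot provision or link")
            continue
        acct = _linked(accounts, guid) or accounts.get(mapped["email"])
        if acct is None:
            accounts[mapped["email"]] = {**mapped, "linked_guid": guid}
            log.append(f"Provisioned {mapped['email']}")
            continue
        if acct.get("linked_guid") is None:
            acct["linked_guid"] = guid
            log.append(f"Linked {mapped['email']} to AD")
        old_key = acct["email"]
        for field in ("full_name", "email", "phone", "disabled"):
            if acct.get(field) != mapped[field]:
                log.append(f"{old_key}: {field} {acct.get(field)!r} -> {mapped[field]!r}")
                acct[field] = mapped[field]
        if acct["email"] != old_key:  # re-key when the e-mail changed in AD
            accounts[acct["email"]] = accounts.pop(old_key)

    # 4. AD-managed groups follow AD: imported when new, removed once gone from AD.
    groups = {guid: map_group(g) for guid, g in live["groups"].items()}
    for guid in groups.keys() - team["ad_groups"].keys():
        log.append(f"Group imported: {groups[guid]['name']}")
    for guid in team["ad_groups"].keys() - groups.keys():
        log.append(f"Group removed (gone from AD): {team['ad_groups'][guid]['name']}")
    team["ad_groups"] = groups
    return {"users": new_users, "groups": live["groups"]}, log


def demo() -> Tuple[dict, List[str]]:
    """Constructed sample: since the last sync one user was disabled, one deleted,
    one added, one has no e-mail, and one group appeared."""
    ann = {"displayName": "Ann Lee", "mail": "ann@example.com", "telephoneNumber": "100",
           "userAccountControl": 0x200}
    bob = {"displayName": "Bob Roe", "mail": "bob@example.com", "telephoneNumber": "101",
           "userAccountControl": 0x200}
    cache = {"users": {"g1": ann, "g2": bob}, "groups": {}}
    live = {"users": {"g1": {**ann, "userAccountControl": 0x202},
                      "g3": {"displayName": "Cy Poe", "mail": "cy@example.com",
                             "telephoneNumber": "102", "userAccountControl": 0x200},
                      "g4": {"displayName": "No Mail", "mail": "", "userAccountControl": 0x200}},
            "groups": {"grp1": {"displayName": "Finance", "description": "Finance staff",
                                "mail": "finance@example.com", "member": ["g1", "g3"]}}}
    team = {"accounts": {}, "ad_groups": {}}
    for guid, user in cache["users"].items():  # team state after the previous sync
        team["accounts"][user["mail"]] = {**map_account(user), "linked_guid": guid}
    _, log = ad_sync(cache, live, team)
    return team, log
```

Two design points carry the page's security properties: the cache and the records it compares hold no password material, only attributes, and an account that vanishes from AD is deactivated and flagged rather than deleted, so the Team Admin can review it in the Admin area and nothing is lost if the AD object was removed by mistake. The disable flag from AD takes effect on the very sync that observes it, which is what makes an AD lockout or disable also cut off the linked Echoshare login.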
AD Log and settings
- To help the Team Admin with optimizing and tracking down issues, an AD Log view is available.
  - The Log view displays a log of all events that are sent to the Integration Agents.
- AD access check (runs a dummy query on every configured account) – configured per server (1 minute default).
- Time before the first connection check is done (after server startup) – configured per server (1 minute default).
- AD log retention is 10 days by default – configured per server.
- AD Sync time – scheduled for every day (default at 00:00) – configured per team.
- The AD status in the UI is updated at the same frequency as the AD access check interval.