An LDAP integration allows your SafeNSound instance to use your existing LDAP server as the master source of user data.
SafeNSound integrates with a Lightweight Directory Access Protocol (LDAP) directory to streamline the user login process and to automate administrative tasks such as creating users and assigning them roles. Typically, an LDAP integration is also part of a single sign-on implementation.
The integration uses the LDAP service account credentials to retrieve the user distinguished name (DN) from the LDAP server. Given the DN value for the user, the integration then rebinds with LDAP with the user's DN and password. The password that the user enters is contained entirely in the HTTPS session. The integration never stores LDAP passwords.
The integration uses a read-only connection that never writes to the LDAP directory. The integration only queries for information, and then updates its internal database accordingly.
Prerequisites
- The directory services server must be LDAP v3 compliant
- Inbound network access through the firewall must be allowed (from SafeNSound to the LDAP server)
- External IP address or host name of the LDAP server
- User credentials with read-only access
- For LDAPS, a PKI certificate
- SafeNSound-specific security groups
Authentication
When one of your users enters their domain credentials in the SafeNSound login page, the SafeNSound application passes those credentials to the defined LDAP server(s). The LDAP server responds with an authorized or unauthorized message which the SafeNSound application uses to determine if access should be granted. By authenticating against your LDAP server, users use the same credentials for the SafeNSound application that they use for other internal resources on your domain. Also, you can leverage any existing password and security policies that are already in place (for example: account lockout after a number of failed logins and password expiration dates). Since the SafeNSound application is receiving a "yes" or "no" from the LDAP server, these policies are enforced.
LDAP On-Demand Login
Once the LDAP integration is complete, SafeNSound can allow new users to log in even if their account has not yet been created. When a new user attempts to log in to SafeNSound, we first check whether this user already has a SafeNSound account. When no account is found, the instance automatically queries the LDAP server for the username that was typed in. If a matching directory account is found, we then try to authenticate with the user's password. If the password checks out, the instance creates an account for the user, populates it with all applicable LDAP information, and logs the user into SafeNSound.
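The on-demand lookup searches the directory for the username exactly as typed, so that value must be treated as a literal inside the LDAP search filter. The following is an added example (not SafeNSound's own code) of building that lookup filter with RFC 4515 escaping and accepting the result only when it is unambiguous; the `objectClass=user` clause is an assumption.

```python
# Added example, not part of the SafeNSound product: build the search filter
# used to find a typed-in username and require exactly one matching entry.

# Characters that have meaning inside an LDAP search filter (RFC 4515).
_FILTER_SPECIALS = "\\*()\x00"


def escape_filter_value(value):
    """Escape a value so it is matched literally inside an LDAP filter."""
    out = []
    for ch in value:
        if ch in _FILTER_SPECIALS:
            out.append("\\%02x" % ord(ch))  # e.g. '*' -> '\2a'
        else:
            out.append(ch)
    return "".join(out)


def on_demand_lookup_filter(typed_username):
    """Filter for the on-demand login lookup by sAMAccountName.

    The objectClass=user clause is an assumption; the page only states that
    the lookup is done by the username the user typed.
    """
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(typed_username)


def select_unique_entry(entries):
    """Return the single matching entry, or None when the search is ambiguous or empty.

    A login lookup that matches zero or several directory objects must not
    proceed to the password bind, because the DN to rebind with is unknown.
    """
    return entries[0] if len(entries) == 1 else None


# Constructed sample results, as a search might return them.
SAMPLE_RESULTS = [
    {"dn": "CN=Jane Doe,OU=Staff,DC=example,DC=org", "sAMAccountName": "jdoe"},
]
```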
Scheduled LDAP Refresh
A scheduled scan of your LDAP server is usually run every two hours. It queries all applicable user records' attributes and compares them with the account on our servers. If there is a difference, we modify our user record with the changed attribute. The load placed upon the LDAP server during the refresh depends on how many records are queried, and the number of attributes being compared. For large environments we recommend scheduling the refresh during off-peak hours. A large refresh operation can affect other scheduled operations, such as running reports, and should be planned to minimize any conflicts.
Security Groups
All users in SafeNSound are managed through six security groups. The groups are required and must be set up as follows:
SafeNSound_Administrator
SafeNSound_Manager
SafeNSound_MonitorTech
SafeNSound_BioMed
SafeNSound_Caregiver
SafeNSound_Physician
SafeNSound then uses a vendor account with read-only permissions to read the AD groups and automatically create the user on the SafeNSound side. We cache the group path and refresh it every two hours. When a user tries to log in, the validation request is sent directly to AD, which authenticates the user. To add users or change a user's role, manage them by adding them to or removing them from the groups in AD. We then sync everything and update the role on the SafeNSound side within two hours.
Frequently Asked Questions (FAQs)
When is an LDAP integration done?
- LDAP integrations are usually done before the SafeNSound Go Live, but can be integrated at any time
Is this a synchronization or a copy?
- This question comes up regularly during our pre-integration discussions, and is centered around a concern of a third party (SafeNSound in this case) making changes (writing) to your LDAP server. In a SafeNSound LDAP integration, SafeNSound does not write to the internal LDAP directory. SafeNSound queries for information, and updates its database accordingly. No changes are made to the internal LDAP server by SafeNSound. The service account is read only.
Is it secure?
- Yes. The connection is made from SafeNSound using a fixed IP address through a specific port on your firewall. Authentication is done with a read-only LDAP account of your choosing. You can use standard LDAP or load the public side of an SSL certificate installed on your directory, in which case we can use LDAPS. To add another layer of security, we require a point-to-point IPSEC VPN tunnel.
How up to date is the information?
- Most changes (including additions) to your LDAP server are available to the SafeNSound instance within two hours. Changes to a user's password take effect immediately.
Which attributes need to be pulled from the LDAP into SafeNSound?
- SafeNSound reads the following LDAP attributes: sAMAccountName, sn, givenName, mail, and userAccountControl
How do you handle querying more than 1000 users?
- By default, Active Directory 2000/2003 has an LDAP query limit (maxPageSize) of 1000 objects to prevent excessive loads and denial of service attacks. We have two methods of dealing with this limit. The default method is to break up the query so that it returns fewer than 1000 objects at a time. For example, query only for objects starting with the letter 'a', then query for 'b' objects. The more efficient method for large environments is to enable paging. Paging is supported by default on all Microsoft Active Directory servers. It automatically splits the results into multiple result sets, so we do not have to split the query into multiple requests.
What type of LDAP query is done?
- If an LDAP password has been supplied then a "Simple Bind" is performed.
How is the user password stored?
- The password that the user enters is contained entirely in their HTTPS session and we do not store that password anywhere.
How do you manage users?
- After the initial setup, adding a user is as simple as adding the directory user to the appropriate security group. To remove a user, remove the user from the security group. If the user account exists in more than one security group, the security group with the lowest permissions is applied. For example, if a user is a member of both SafeNSound_Caregiver and SafeNSound_Manager, the applied permissions will be those of SafeNSound_Caregiver.
The order of permissions starting at greatest access to least is as follows:
SafeNSound_Administrator
SafeNSound_Manager
SafeNSound_MonitorTech
SafeNSound_BioMed
SafeNSound_Caregiver
SafeNSound_Physician
Administrator - Organization/Facility IT for technical logging and troubleshooting.
Manager - Staff managers & directors to support the nursing and monitor technician staff. Access to reporting for each department.
Monitor Tech - Staff assigned as Monitor Technicians to communicate and manage patients with the nursing staff, as well as document events.
Bio Med - Allows access to manage patient monitoring devices and their configurations for the organization / facility.
Caregiver - Nursing staff access for admission, transfer, discharge & location of patients.
Physician - Access for data research, patient review & analysis.
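The following is an added example (not SafeNSound's own code) that puts the rules above into working form: it derives a user's SafeNSound role from AD group membership using the lowest-permission-wins rule, checks the disabled bit of userAccountControl, and computes the attribute changes a scheduled refresh would apply. The group names, precedence order and synced attributes come from this page; reading memberships from the `memberOf` attribute and the sample entries are assumptions.

```python
# Added example, not part of the SafeNSound product. Group names, the
# precedence order and the synced attributes are taken from the page;
# use of 'memberOf' and the sample records below are constructed assumptions.

# Roles from greatest access to least, as listed on the page.
ROLE_PRECEDENCE = [
    "SafeNSound_Administrator",
    "SafeNSound_Manager",
    "SafeNSound_MonitorTech",
    "SafeNSound_BioMed",
    "SafeNSound_Caregiver",
    "SafeNSound_Physician",
]

# Attributes the integration reads from LDAP, per the page.
SYNCED_ATTRIBUTES = ("sAMAccountName", "sn", "givenName", "mail", "userAccountControl")

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on disabled AD accounts


def group_cn(dn):
    """Return the CN of a group DN, or None if the first RDN is not a CN."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if first.upper().startswith("CN=") else None


def resolve_role(member_of):
    """Lowest-permission SafeNSound group wins; None when the user is in no group."""
    names = {group_cn(dn) for dn in member_of}
    matches = [role for role in ROLE_PRECEDENCE if role in names]
    return matches[-1] if matches else None


def is_enabled(entry):
    """False when the AD account is disabled (the bit is honoured, not the password)."""
    return (int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE) == 0


def refresh_diff(cached, ldap_entry):
    """Synced attributes whose LDAP value differs from the cached SafeNSound record."""
    return {a: ldap_entry.get(a) for a in SYNCED_ATTRIBUTES if cached.get(a) != ldap_entry.get(a)}


# Constructed sample data: a directory entry and the record cached by SafeNSound.
SAMPLE_ENTRY = {
    "sAMAccountName": "jdoe", "sn": "Doe", "givenName": "Jane",
    "mail": "jdoe@example.org", "userAccountControl": 512,  # NORMAL_ACCOUNT, enabled
    "memberOf": ["CN=SafeNSound_Manager,OU=Groups,DC=example,DC=org",
                 "CN=SafeNSound_Caregiver,OU=Groups,DC=example,DC=org"],
}
CACHED_RECORD = {"sAMAccountName": "jdoe", "sn": "Doe", "givenName": "Jane",
                 "mail": "jane.doe@example.org", "userAccountControl": 512}
```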