OmniCenter offers several options for managing user login authentication:
- OmniCenter Local
- Active Directory
- SAML Server
Settings for authentication are configured on the Authentication Administration page (Administration → Users → Authentication Settings).
The default authentication mode is OmniCenter Local, where users are created and managed from within OmniCenter. Switching to one of the other options will require user accounts and passwords to be administered externally. (Local “shadow” accounts will be automatically created within OmniCenter to administer OmniCenter-specific user account options, such as user partitions and user dashboards.)
Authentication modes cannot be mixed. You will be required to select only one mode to manage all OmniCenter users. However, the Active Directory and SAML authentication modes do support multiple servers.
This is the default mode. Local authentication allows you to create and maintain user accounts and passwords from within OmniCenter using the Users Administration page (Administration → Users → Edit/Add Web Users).
OmniCenter can use LDAP to integrate with Active Directory authentication to manage user accounts and passwords.
Clicking the Add New Directory Server button above the LDAP (Active Directory) Administration section will allow you to add a new Active Directory server to OmniCenter. Fill in the IP address of the directory server (this will usually be a primary or backup domain controller in an Active Directory environment) that you want OmniCenter to use. Enter a description for this directory server (for example, “Primary Domain Controller”).
If you are only configuring a single directory server, specify the priority as “Primary.” You can optionally configure a backup server for use if the primary server is unreachable.
The account suffix is required; this is typically the part of your addressing system after the “at” symbol (@)—for example, “@netreo.com.” This is used to look up domain users and must be correct. Consult your Active Directory administrator if you are unsure of this setting.
The top level of the LDAP directory tree is the base, referred to as the “Base DN”. The Base DN typically takes the form “dc=netreo,dc=com” where each section of the account suffix is identified as a separate “dc=” section. In some cases, it may differ from your account suffix. This is used to look up domain users and must be correct. Consult your Active Directory administrator if you are unsure of this setting.
At least one AD Group Name setting is required. This can be either a “Security” group or a “Distribution” group, as either will work. Any user in your Active Directory environment who is a member of any of these groups will be able to log in to OmniCenter at the permissions level associated with that group name. Changes in permission levels for individual accounts within the specified group must be done in OmniCenter’s Users Administration page by a user with SuperAdmin user permissions.
OmniCenter administrators may also specify multiple AD user groups, one for each permissions level in OmniCenter, below the directory server settings. If multiple groups are configured, the group specified in the directory server settings will be ignored in favor of the groups configured for each permissions level. Specifying multiple user groups will also cause OmniCenter to update a user’s permissions level every time they log in (facilitating movement of a user from one group to another). If a user belongs to more than one of the configured groups, their permissions level will be set to reflect the highest permissions level group they are assigned to.
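The account suffix, Base DN and group rules described above, modelled as an added Python example (not OmniCenter code): it derives the typical Base DN from an account suffix and resolves which permissions level a user's AD group memberships would yield. The level names other than SuperAdmin, their ordering, case-insensitive group matching, and all function names and sample groups are assumptions.

```python
import re

# Assumed level names, lowest to highest; only "SuperAdmin" appears in the text above.
LEVELS = ["ReadOnly", "Admin", "SuperAdmin"]

def base_dn_from_suffix(suffix):
    """Typical Base DN for an account suffix: '@netreo.com' -> 'dc=netreo,dc=com'."""
    labels = suffix.strip().lstrip("@").lower().split(".")
    if not all(re.fullmatch(r"[a-z0-9-]+", label) for label in labels):
        raise ValueError(f"not a usable account suffix: {suffix!r}")
    return ",".join(f"dc={label}" for label in labels)

def base_dn_is_typical(base_dn, suffix):
    """False means the Base DN differs from the suffix-derived form: confirm it with the AD admin."""
    normalized = re.sub(r"\s*([,=])\s*", r"\1", base_dn.strip().lower())
    return normalized == base_dn_from_suffix(suffix)

def group_name(member_of_dn):
    """Lower-cased group name (leading CN) of a memberOf DN, with backslash escapes removed."""
    match = re.match(r"\s*cn=((?:\\.|[^,\\])+)", member_of_dn, re.IGNORECASE)
    if not match:
        raise ValueError(f"memberOf value has no leading CN: {member_of_dn!r}")
    return re.sub(r"\\(.)", r"\1", match.group(1)).strip().lower()

def effective_level(member_of, server_group, server_level, level_groups=None):
    """Permissions level for a login, or None if the user is in no configured group."""
    names = {group_name(dn) for dn in member_of}
    if level_groups:
        # Per-level groups are configured: the directory-server group is ignored
        # and the highest matching level wins.
        hits = [lvl for lvl, grp in level_groups.items() if grp.lower() in names]
        return max(hits, key=LEVELS.index) if hits else None
    return server_level if server_group.lower() in names else None

# Constructed sample data (group names and memberships are invented for the example).
ALICE = ["CN=OC Viewers,OU=Groups,DC=netreo,DC=com", "CN=OC Super,OU=Groups,DC=netreo,DC=com"]
BOB = ["CN=OC Users,OU=Groups,DC=netreo,DC=com"]
PER_LEVEL = {"ReadOnly": "OC Viewers", "Admin": "OC Admins", "SuperAdmin": "OC Super"}

if __name__ == "__main__":
    print(base_dn_from_suffix("@netreo.com"))
    print(effective_level(ALICE, "OC Users", "Admin", PER_LEVEL))
    print(effective_level(BOB, "OC Users", "Admin", PER_LEVEL))
    print(effective_level(BOB, "OC Users", "Admin"))
```

In this model, Bob matches no configured group once per-level groups are set, because his only membership is the directory-server group that is now ignored; review who relies on that group before adding per-level groups.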
Once configured, to begin using Active Directory authentication, click the “Active Directory” option under the “Select an Authentication Type” section and save the changes. You will then need to log out of the local account and log back in using your Active Directory credentials.
Once Active Directory is enabled, you will only be able to log in to OmniCenter using Active Directory usernames and passwords (except for the default OmniCenter administrator local account). To log in to OmniCenter using the default administrator local account, use the username/password “omnicenter/administrator”, which will indicate to OmniCenter that you wish to bypass Active Directory. This is useful if your Active Directory server is down or unreachable for some reason.