Authentication Guide
This guide provides additional details about how to configure different SimpleHelp authentication schemes. It covers more advanced configuration options such as LDAP / Active Directory integration, RADIUS support and multi-tier authentication.
Active Directory / LDAP Authentication
SimpleHelp can be configured to authenticate incoming technician logins with an LDAP directory server, such as Active Directory. LDAP authentication must be configured in two stages:
- The LDAP server connection must be specified first, which is the connection that SimpleHelp will establish in order to validate a login attempt.
- Each technician group must opt into LDAP authentication for its members. This allows each technician group to specify a different, group-specific search filter in order to pick out the appropriate users during a login attempt.
Configuring the LDAP Server Connection
The LDAP server connection is specified in the Administration tab of the Technician Console. To set the LDAP server to use, follow these steps:
- Log in as the SimpleHelpAdmin user.
- Switch to the Administration tab, and choose the Authentication Services section.
- Enable the LDAP checkbox.
You will see the following configuration options:
Option | Description |
---|---|
LDAP Server Hostname / Port | The LDAP server's hostname or IP address, and the port to connect on. The default LDAP directory port is 386, and 686 for SSL access. |
Username / Password | The username and password for an LDAP server user who has appropriate rights to search the directory. |
Authentication Mechanism | The authentication mechanism to use. Usually simple should be used. |
Enable LDAP over SSL | Check if you wish to access the LDAP server over SSL. If your LDAP server uses a self-signed certificate you can add the root certificate to the trusted store by pressing the Manage Trusted Certificates button. |
This is an Active Directory server | Specify whether the LDAP server is an Active Directory server or not. If not, specify the following three attributes as used by your LDAP server implementation. SimpleHelp uses these attributes to search for technicians and groups within the LDAP server. |
Group Object Class | The class name that is used to identify a group within the server. |
User Login Attribute | The attribute in the LDAP server that should match the technician's supplied login name. |
User Group Member Attribute | The attribute within the LDAP server that details which groups a technician belongs in. |
Automatically Assign Technician Groups | An advanced option to automatically assign Technician Group membership to group-authenticated technicians. If enabled, the SimpleHelp server will query the LDAP server for every Technician Group in the server to determine whether the technician logging in is a member of that group. Changes in membership on the LDAP server will then be reflected in the SimpleHelp server. |
Configuring Technician Groups for LDAP Authentication
Technician Groups can be configured to authenticate over LDAP once an LDAP connection has been set up. To configure a Technician Group follow these steps:
- In the Administration tab select the Technician Groups section.
- Pick a group to configure.
- Switch to the Authentication tab and enable the LDAP authentication check box.
Begin by specifying the Base DN to be used when searching the directory. This is typically the domain name in the following format: dc=domain, dc=simple-help, dc=com.
You can then choose between Group Configuration or Advanced Configuration:
Group Configuration is recommended if you wish to authenticate technicians in a particular LDAP group. SimpleHelp will use the attributes specified when the LDAP connection was configured to identify groups within the LDAP server, and to authenticate just users within those groups. To select the groups to use press the Select Groups button.
Advanced Configuration allows you to specify the exact search filter to be used when searching the LDAP directory for users. Use the ${Username} variable to substitute in the technician's username provided during login. It is recommended to always use the ${Username} variable in your query. Below are two Active Directory filters that are commonly used:
(sAMAccountName=${Username})
The above filter will match any LDAP user whose sAMAccountName attribute matches the technician's supplied username. To only accept a subset of users you can filter by group membership:
(&(memberOf=CN=GroupName,DC=domain,DC=simple-help,DC=com)(sAMAccountName=${Username}))
Here, the technician's login username must match the LDAP user's sAMAccountName attribute and the technician must be a member of the group: CN=GroupName,DC=domain,DC=simple-help,DC=com
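The following added example (not SimpleHelp code) renders the two Advanced Configuration filters above for a given login name. It enforces the guide's recommendation that a template reference ${Username}, checks that the parentheses balance, and escapes the substituted name per RFC 4515 so that characters such as `*`, `(` and `)` in a login name are matched literally instead of changing the shape of the filter. The template strings are the ones shown in the guide; the sample login names are constructed.

```python
# Added example: render SimpleHelp-style LDAP filter templates safely.
# Escaping follows RFC 4515 section 3; nothing here is SimpleHelp's own code.
PLACEHOLDER = "${Username}"
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so the directory matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def check_template(template: str) -> None:
    """Reject templates that omit ${Username} or have unbalanced parentheses."""
    if PLACEHOLDER not in template:
        raise ValueError("filter template must reference ${Username}")
    depth = 0
    for ch in template:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            raise ValueError("unbalanced ')' in filter template")
    if depth != 0:
        raise ValueError("unbalanced '(' in filter template")


def render_filter(template: str, username: str) -> str:
    """Substitute the supplied login name into the template, escaped."""
    check_template(template)
    return template.replace(PLACEHOLDER, escape_filter_value(username))


# The two Active Directory filters from the guide.
BY_ACCOUNT = "(sAMAccountName=${Username})"
BY_GROUP = ("(&(memberOf=CN=GroupName,DC=domain,DC=simple-help,DC=com)"
            "(sAMAccountName=${Username}))")

if __name__ == "__main__":
    # Constructed login names: a plain one and one containing a wildcard,
    # which is escaped so it cannot widen the match to other accounts.
    print(render_filter(BY_GROUP, "jsmith"))
    print(render_filter(BY_ACCOUNT, "j*smith"))
```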
Multi-Tier Authentication
SimpleHelp offers email-based and app-based multi-tier authentication schemes built into the SimpleHelp server. There is no requirement for you to run an additional authentication server in order to equip your technicians with secure login mechanisms. Note that multi-tier authentication is a second (or third) authentication mechanism required in conjunction with the technician's username and password.
Multi-tier authentication can be configured as follows depending on the user:
- Technicians - multi-tier authentication for technicians is configured within the Authentication tab of the Technician Group that the technicians are a member of.
- SimpleHelpAdmin - Prior to SimpleHelp v5.2.12, multi-tier authentication for the SimpleHelpAdmin user was configured in the Login Security section of the Administration tab. From v5.2.12 onwards, it is configured in the Primary Administrator Technician Group.
Multi-tier authentication is configured within the Authentication tab of the Technician Group configuration:
Technician Group Authentication
App-Based Authentication
App-based authentication requires technicians to run an authentication application on their desktop or mobile devices. Once configured, the authentication application will produce one time codes that can be used during login. Examples of authentication applications include Google Authenticator, Microsoft Authenticator and DUO Mobile.
Check the Require a one time code produced by an authentication app box to require technicians in the group to use an app-based second factor. On their next Technician Console login the technician will be prompted to configure their authentication app:
On each subsequent login the technician will be prompted to enter the current code produced by their authentication application. To reset the configured authentication key for a technician, the SimpleHelpAdmin user can follow these steps:
- In the Technicians section of the Administration tab, select the technician whose key should be reset.
- In the Technician Properties tab push the Reset App Authentication button to reset the key.
On a subsequent login the technician will be required to reconfigure their authentication app.
Email-Based Authentication
Email-based multi-tier authentication requires technicians to enter, during login, a code that the SimpleHelp server sends to them by email. To use email-based authentication an SMTP server must be configured for SimpleHelp to use.
Enable email-based authentication by checking the Require a one time passcode sent to the technician via email box. Additional configuration options will be shown below allowing you to further configure the codes and email sent out by the SimpleHelp server:
Option | Description |
---|---|
Authentication Code Length | The length of the passcode that will be sent to technicians. Passcodes are alphanumeric, but exclude commonly confused characters and numbers such as O, 0, l, 1, I. |
Email Subject | The subject of the email sent to technicians. |
Email Content | The body of the email sent to technicians. Use the variables ${Technician} and ${AuthenticationCode} and the server will substitute in the technician's name and passcode respectively. |
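The added example below (not SimpleHelp code) shows how a passcode alphabet excluding the confusable characters listed above behaves, so that an administrator choosing the Authentication Code Length can see how many bits of guessing resistance each length gives. The alphabet (ASCII letters and digits minus O, 0, l, 1, I) is an assumption constructed for the example; the guide does not state the exact character set SimpleHelp uses.

```python
# Added example: passcode generation over an alphabet without confusable
# characters, plus the strength a given code length provides.
import math
import secrets
import string

# Constructed assumption: letters and digits minus the confusables named in
# the guide (O, 0, l, 1, I). SimpleHelp's real alphabet is not documented here.
CONFUSABLE = set("O0l1I")
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   if c not in CONFUSABLE)


def generate_passcode(length: int) -> str:
    """Draw `length` characters from ALPHABET using a CSPRNG."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int) -> float:
    """Bits of entropy in a uniformly random passcode of this length."""
    return length * math.log2(len(ALPHABET))


def guess_probability(length: int, attempts: int) -> float:
    """Chance of guessing the code within `attempts` tries, absent lockout."""
    return min(1.0, attempts / len(ALPHABET) ** length)


if __name__ == "__main__":
    for n in (4, 6, 8):
        print(n, generate_passcode(n), round(entropy_bits(n), 1),
              guess_probability(n, 10))
```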
Passcodes and Logins from New Machines
In order to avoid technicians continually having to re-enter a passcode SimpleHelp can be configured to only require passcodes when logins are attempted from new computers which have not logged in previously. Technicians will be prompted for a passcode the first time a login occurs, but subsequently SimpleHelp will trust logins from the same machine and a new passcode will not be required.
You can manage the keys for each machine used to log in by pressing the Manage Keys button.
Configuring Multifactor Authentication for the SimpleHelpAdmin User
The same multifactor authentication settings that are available for Technicians are also available for the SimpleHelpAdmin user. These controls can be found in the following location depending on your SimpleHelp version:
- v5.2.12 or later - configured via the Primary Administrators Technician Group.
- v5.2.11 or earlier - configured in the Login Security section of the Administration tab.
RADIUS Authentication
SimpleHelp supports RADIUS-based technician authentication. Configuring RADIUS authentication requires two steps, as with LDAP authentication. First, the connection to the RADIUS server must be specified, and secondly any Technician Groups that are to authenticate via RADIUS must be configured accordingly.
Configuring the RADIUS Server Connections
SimpleHelp supports up to ten RADIUS servers that can all be used for authentication purposes. To configure a RADIUS server follow these steps:
- Log in as the SimpleHelpAdmin administrative user.
- Select the Administration tab, and pick the Login Security section.
- Check the box to enable RADIUS authentication.
- Create a new RADIUS server configuration, and complete the following configuration.
RADIUS servers are queried sequentially, in a staggered process. Servers are allowed a second to respond before a query is performed against the next server. If any server responds then the first response is used to determine technician access.
SimpleHelp supports RADIUS challenges for the PAP authentication protocol. If a challenge is requested then the challenge is forwarded to the technician, after which the technician's response is sent back to the RADIUS server for verification.
Technician Group RADIUS Settings
To enable RADIUS authentication for a Technician Group, log in as the SimpleHelpAdmin user, select the Administration tab and pick the group in the Technician Groups section. Under the Authentication tab check the RADIUS box to allow RADIUS-based authentication for this group.