Group Synchronization using Windows Authentication Connector
Administrators can configure group synchronization via the Windows Auth connector. (This requires the connector to run on the Windows platform.)
To use Windows Authentication, Seeq must run as a service under the user account created specifically for Seeq. The default "Network Service" account will not work.
Overview
Seeq has supported authentication and authorization via Windows Authentication for several releases. For more information on authentication and authorization, see the Windows Authentication KB article.
The Windows Authentication connector can synchronize selected groups (those specified in the configuration file) from Active Directory into Seeq.
When Identity (group) Synchronization is enabled, Seeq users may use Active Directory groups for setting the permissions on items (e.g. on signals, assets, workbooks, etc).
Configuration
Before configuring Identity (group) Synchronization, it is recommended to have the Windows Auth Connector already configured for authentication and authorization.
When it starts, Seeq adds the following to every connection defined in Windows Auth Connector.json:
"Indexing" : {
  "Frequency" : "1w",
  "OnStartupAndConfigChange" : true,
  "Next" : "2019-06-10T17:03:17.929Z[UTC]"
},
"Transforms" : null,
"IdentitySynchronization" : {
  "Enabled" : false,
  "GroupsToSync" : null
}
To enable group synchronization, the administrator needs to:
Set "IdentitySynchronization > Enabled" to true in the JSON configuration.
Set "IdentitySynchronization > GroupsToSync" to the list of Active Directory groups that should be synchronized to Seeq. Note: It is recommended to write the group names without the domain so that, on save, the connector resolves them and replaces them in the configuration file with the fully qualified names (FQN). Any groups that remain without the domain could not be resolved by the connector.
Optionally, transforms may be configured to update properties (Name, Description, etc.) for the user groups. See Connector Property Transforms for more information.
By default, the groups are synchronized weekly, but the interval can be changed by using "Indexing > Frequency", as for any other connector.
When GroupsToSync is not set and VerboseLogging is true, the connector will dump all Active Directory groups it finds into the jvm-link log.
Active Directory distribution lists may not be used in AllowGroups and GroupsToSync; only security groups are supported.
Configuration Examples
Example: Allow all members of group "Seeq" to log in; synchronize groups "Seeq-Developers", "Seeq-Admins", "Seeq-Support" to Seeq
This configuration allows all users of group "Seeq" from Active Directory to enter Seeq. The connector will synchronize the groups "Seeq-Developers", "Seeq-Admins" and "Seeq-Support", enabling a different set of permissions on items for each of the three groups within Seeq.
{
  "Version" : "com.seeq.link.connectors.windowsauth.config.WindowsAuthConnectorConfigV1",
  "Connections" : [ {
    "Name" : "Windows Auth: Specific Groups",
    "Id" : "87fa5067-8b38-4788-8605-7e880d3846b5",
    "Enabled" : true,
    "VerboseLogging" : false,
    "AllowGroups" : [ "Seeq" ],
    "IdentitySynchronization" : {
      "Enabled" : true,
      "GroupsToSync" : [ "Seeq-Developers", "Seeq-Admins", "Seeq-Support" ]
    }
  } ],
  "Help" : "For examples and documentation, see https://seeq12.atlassian.net/wiki/spaces/KB/pages/420053401"
}
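A check for two conditions described in the Configuration section (group names still without a domain after the connector has saved the file, and GroupsToSync unset while VerboseLogging is true), as an added example that is not Seeq's code. The has_domain test, the EXAMPLE domain and the function names are assumptions; the page does not show the fully qualified format the connector writes.

```python
import json

# Constructed sample modelled on the page's example; "EXAMPLE" is a made-up domain.
SAMPLE = json.loads(r"""
{"Connections": [
  {"Name": "Windows Auth: Specific Groups", "VerboseLogging": false,
   "AllowGroups": ["Seeq"],
   "IdentitySynchronization": {"Enabled": true,
     "GroupsToSync": ["EXAMPLE\\Seeq-Developers", "Seeq-Admins"]}},
  {"Name": "Constructed: no group list", "VerboseLogging": true,
   "IdentitySynchronization": {"Enabled": true, "GroupsToSync": null}}
]}
""")


def has_domain(name):
    # Assumption: a resolved name looks like DOMAIN\group or group@domain.
    # Adjust this to the format the connector writes in your file.
    return "\\" in name or "@" in name


def review_connection(conn, saved_by_connector=True):
    """Return a list of findings for one connection entry."""
    findings = []
    sync = conn.get("IdentitySynchronization") or {}
    groups = sync.get("GroupsToSync") or []
    if not groups and conn.get("VerboseLogging"):
        findings.append("GroupsToSync unset with VerboseLogging on: all Active "
                        "Directory groups found are dumped to the jvm-link log")
    if sync.get("Enabled") and not groups:
        findings.append("synchronization enabled but no groups are listed")
    if saved_by_connector:
        for name in groups:
            if not has_domain(name):
                findings.append(f"'{name}' has no domain: not resolved by the connector")
    return findings


def review_config(config, saved_by_connector=True):
    """Map each connection name to its findings (an empty list means none)."""
    return {c.get("Name"): review_connection(c, saved_by_connector)
            for c in config.get("Connections", [])}


if __name__ == "__main__":
    for name, findings in review_config(SAMPLE).items():
        print(name, "->", findings or "ok")
```

Pass saved_by_connector=False when reviewing a file that has been edited by hand but not yet saved and resolved by the connector, since unqualified names are expected at that stage.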