Active Directory Integration

PMWeb has two toolkit items for Active Directory integration:

  • LDAP
  • SAML

LDAP

PMWeb's LDAP toolkit item is required. PMWeb uses an Active Directory Server Account to connect to AD and obtain a list of users.

Once connected, you can see the list of AD users. Once the relevant users are selected and a Licence Type and Group Name are chosen, the users can be imported into PMWeb. They will then appear under "Define User" in the Security section.

The imported users are stored in the PMWeb database. A "placeholder account" is imported, stored in the database and used for setting up permissions, security, workflow, etc.

Once the AD/LDAP user has been assigned to a security group, they are authenticated against AD/LDAP every time they try to log in to PMWeb. The user information and the user's password are not stored in PMWeb.

There is currently no automatic syncing between PMWeb and the source AD system. However, because authentication happens in real time, a user who is removed from or disabled in AD/LDAP cannot log in and will receive an error message saying 'Invalid Login'.
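Because nothing syncs automatically, placeholder accounts for users who were later removed from or disabled in AD keep their group and licence assignments in the PMWeb database. The following is an added example, not PMWeb code, that compares an AD export with a PMWeb user list to find such accounts. The CSV layouts and the PMWeb column names are assumptions, and the sample data is constructed.

```python
import csv
import io

ACCOUNTDISABLE = 0x0002  # userAccountControl flag set on a disabled AD account

# Constructed sample: AD export of sAMAccountName and userAccountControl.
AD_EXPORT = """sAMAccountName,userAccountControl
jsmith,512
mlee,514
akhan,66048
"""

# Constructed sample: hypothetical PMWeb user list (column names are assumptions).
PMWEB_EXPORT = """username,group_name,licence_type
JSmith,Project Managers,Full
mlee,Finance,Full
rpatel,Admins,Full
akhan,Viewers,Guest
"""

def load_ad_state(text):
    """Map lower-cased sAMAccountName -> True if the account is enabled."""
    state = {}
    for row in csv.DictReader(io.StringIO(text)):
        uac = int(row["userAccountControl"])
        state[row["sAMAccountName"].strip().lower()] = not (uac & ACCOUNTDISABLE)
    return state

def stale_placeholders(ad_text, pmweb_text):
    """Return (username, reason, group) for placeholders AD would now reject."""
    ad = load_ad_state(ad_text)
    findings = []
    for row in csv.DictReader(io.StringIO(pmweb_text)):
        name = row["username"].strip()
        key = name.lower()  # compare account names case-insensitively
        if key not in ad:
            findings.append((name, "missing from AD", row["group_name"]))
        elif not ad[key]:
            findings.append((name, "disabled in AD", row["group_name"]))
    return findings

if __name__ == "__main__":
    for name, reason, group in stale_placeholders(AD_EXPORT, PMWEB_EXPORT):
        print(f"{name}: {reason}; still in PMWeb group '{group}'")
```

Accounts it reports are candidates for review and removal under "Define User" in the Security section.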

Note that in the setup screen for LDAP user imports, a user ID and password (admin) are required to “import” the users. These credentials are only used to connect to LDAP and bring in the users and metadata to fill the grid. The user must be a registered Admin user, and the information is only used once.

SAML

PMWeb’s SAML implementation is compatible with ADFS 2.0, 3.0 and Shibboleth Identity Providers using SHA-1 (ADFS is recommended).
