Active Directory vs Sitecore Security Provider - active-directory

We are beginning to implement Sitecore for our website at my company. We are in the midst of the discovery phase and evaluating the Active Directory module. We have 40-50 users who will be using Sitecore and over 100 users who will be using some customized applications on top of Sitecore.
The consultancy we hired is asking us not to go with Active Directory since only 40-50 users will be using it. I, on the other hand, think that using the Active Directory module would be useful in the long run.
Do you guys have any input? What is the recommended practice?
Thanks

It really comes down to how you want to govern your CMS users. The AD module bubbles up those users into the CMS as users and thus exposes them for login. You can even do the same with groups/units. The advantage here is that if a new person joins your org, if you add them to the OU or assign them to a group that has Sitecore access then they gain access to Sitecore.
On the flip side, if you want Sitecore to be its own entity with its own user profiles and logins, it can do that in a silo without the AD connection.
To the CMS, there is no difference where the users are actually authenticated because the provider you select is low level. So the ultimate decision would be more of a governance / IT / process decision as there's really no functional difference.
My recommendation for you is to come up with scenarios or use cases and think through each in both scenarios. E.g. you hire 10 people that need author access. With the AD module you just assign them to the OU or group that inherits the author roles in Sitecore and you're done.

I have implemented the Active Directory module a few times now and it works really well when you want users to be able to SSO into the authoring interface and manage your security access within Active Directory. You can also use it well for doing end-user SSO if you are building something like an Intranet application on Sitecore.
From a security management perspective, it becomes easier for the organization and also allows you to not worry about having to duplicate users between different environments (Dev, Test, Prod).
That being said, there is a performance overhead with using the Active Directory module that is not present if you use only the native Sitecore security provider. With your number of users, you probably won't see any difference, but with extremely large AD directories with complex group memberships you may run into performance issues if you are using indirect membership (i.e. groups within groups).
An example scenario:
Content item in Sitecore is secured to the role MyDomain\SuperAuthor
User A is directly a member of MyDomain\SuperAuthor
User B is a member of MyDomain\SuperUser
MyDomain\SuperUser group is a member of MyDomain\SuperAuthor
If you use the Sitecore security provider, resolving User B's access is very efficient. Sitecore is able to check the indirect membership quickly using the roles within the system.
If you use the Active Directory module, the indirect membership is disabled by default. Only User A would have access. If you change the configuration setting to enable indirect membership, the module will then allow User B to have access, however you will begin to see a slower performance for that scenario.
As I mentioned before, however, if Active Directory is not very complex as to what is being pulled into Sitecore, you should be fine and probably won't notice these performance impacts.
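The direct-versus-indirect membership scenario above, as an added example that is not part of the original answer. The directory below is constructed sample data; `isDirectMember` mirrors the AD module's default (direct membership only) and `resolveIndirect` walks nested groups the way the enabled indirect-membership setting would, with a visited set so a circular group reference cannot loop forever.

```javascript
// Constructed sample directory: group -> members (a member may be a user or another group).
// This is the scenario from the answer, not a real domain.
const SAMPLE_DIRECTORY = {
  "MyDomain\\SuperAuthor": ["MyDomain\\UserA", "MyDomain\\SuperUser"],
  "MyDomain\\SuperUser": ["MyDomain\\UserB"],
};

// Direct membership only: what the AD module does by default.
function isDirectMember(directory, principal, role) {
  return (directory[role] || []).includes(principal);
}

// Indirect membership: breadth-first walk through nested groups.
// `seen` guards against circular group references; `expanded` counts how many
// groups had to be read, which is the cost the answer warns about.
function resolveIndirect(directory, principal, role) {
  const queue = [role];
  const seen = new Set(queue);
  let expanded = 0;
  while (queue.length) {
    const group = queue.shift();
    expanded++;
    for (const member of directory[group] || []) {
      if (member === principal) return { granted: true, expanded };
      if (member in directory && !seen.has(member)) {
        seen.add(member);
        queue.push(member);
      }
    }
  }
  return { granted: false, expanded };
}

// Stand-alone run: User A is found directly, User B only through SuperUser.
console.log(isDirectMember(SAMPLE_DIRECTORY, "MyDomain\\UserB", "MyDomain\\SuperAuthor"));
console.log(resolveIndirect(SAMPLE_DIRECTORY, "MyDomain\\UserB", "MyDomain\\SuperAuthor"));
```

The `expanded` counter is the point of the example: every extra nesting level is another group read before an access decision can be made, which is why deep group hierarchies cost more under indirect membership.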

I don't think the number of users should be the sole reason to decide whether or not to integrate AD, nor should it be because you may or may not need it in the long run. I would say integrate with AD because of its most obvious benefits:
Single user name and password
Better security
Ease of maintenance
Although the number of users becomes an important deciding factor when you need to create several thousand users and set up authorization for them.
The most common reason users are manually created and maintained in Sitecore is when you need to create a handful of author and approver accounts, mostly for the marketing team. But if you foresee implementing membership or need to provide access and authorization based on an existing user and group policy then go for AD integration.

Related

Best Approach to sync users from Active Directory into Application

I have a new requirement in the project.
We have an MVC application and now we need to import users from Active Directory. We are not doing any kind of authentication with AD (I understand the AD should be used for authentication), but just importing user information into our application.
We have multiple clients who can configure their respective Active Directory settings.
Whenever there are changes in the AD we need to sync them back into our application (this is just one way).
Now the question comes, is it a good idea to have a service installed on the client end to get the users from AD and send them to our application?
I know that no client will give the LDAP credentials. But I still want to know if this is a good design or not?
"Because searches against Active Directory require CPU and memory resources, searches should be performed in ways that minimize their performance impact on domain controllers. You can use several techniques to reduce the impact of directory searches on domain controllers..." [Source]
In other words, consider a bulk import service in case of regular heavy search operations with hundreds or thousands of objects, wildcard search, nested structures and multiple domains. For example, you could design an MVC controller or batch job that runs every night and imports required data from AD to your database from where the data can be more easily queried and processed. This should drastically increase your performance and reduce the impact on AD. Use the WhenChanged attribute to import only updated objects.
On the other hand, if your queries to AD are rare, point to a single object (e.g. user attributes, such as name/email/phone) and are processed quickly, then an import could be overkill because the same could be done using direct calls to AD.
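An incremental "changed since" import of the kind the answer describes, as an added example that is not part of the original answer. The entries are constructed sample data standing in for an LDAP search result; a real job would send the filter that `buildChangedSinceFilter` returns to the directory and feed the results to `syncUsers`. Attribute names (`whenChanged`, `objectGUID`, `sAMAccountName`, `mail`) are real AD attributes; the store layout is an assumption.

```javascript
// Format a Date as the LDAP GeneralizedTime that AD stores in whenChanged, e.g. 20240304000000.0Z
function toGeneralizedTime(date) {
  const p = (n) => String(n).padStart(2, "0");
  return `${date.getUTCFullYear()}${p(date.getUTCMonth() + 1)}${p(date.getUTCDate())}` +
         `${p(date.getUTCHours())}${p(date.getUTCMinutes())}${p(date.getUTCSeconds())}.0Z`;
}

function parseGeneralizedTime(s) {
  const m = /^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})/.exec(s);
  if (!m) throw new Error("bad GeneralizedTime: " + s);
  return new Date(Date.UTC(+m[1], +m[2] - 1, +m[3], +m[4], +m[5], +m[6]));
}

// LDAP filter that asks the directory only for user objects modified at or after the last run,
// instead of pulling every user every night.
function buildChangedSinceFilter(lastSync) {
  return `(&(objectCategory=person)(objectClass=user)(whenChanged>=${toGeneralizedTime(lastSync)}))`;
}

// Merge search results into the application-side store, keyed by objectGUID so a renamed
// account updates its existing row instead of creating a duplicate. Returns the new
// high-water mark (latest whenChanged seen) to persist for the next run.
function syncUsers(store, entries, lastSync) {
  let highWater = lastSync;
  for (const e of entries) {
    const changed = parseGeneralizedTime(e.whenChanged);
    if (changed < lastSync) continue; // would not be in the filter result anyway
    store.set(e.objectGUID, { sAMAccountName: e.sAMAccountName, mail: e.mail, whenChanged: e.whenChanged });
    if (changed > highWater) highWater = changed;
  }
  return highWater;
}

// Constructed sample entries (not real accounts): only bob and carol changed after the last sync.
const SAMPLE_ENTRIES = [
  { objectGUID: "guid-1", sAMAccountName: "alice", mail: "alice@example.test", whenChanged: "20240301100000.0Z" },
  { objectGUID: "guid-2", sAMAccountName: "bob",   mail: "bob@example.test",   whenChanged: "20240305083000.0Z" },
  { objectGUID: "guid-3", sAMAccountName: "carol", mail: "carol@example.test", whenChanged: "20240310170000.0Z" },
];
const LAST_SYNC = new Date(Date.UTC(2024, 2, 4)); // 2024-03-04T00:00:00Z

// Stand-alone run
const users = new Map();
console.log(buildChangedSinceFilter(LAST_SYNC));
console.log(syncUsers(users, SAMPLE_ENTRIES, LAST_SYNC).toISOString(), [...users.keys()]);
```

One caveat when using this watermark: whenChanged is maintained per domain controller and is not replicated, so a job that is load-balanced across several DCs can miss or re-import objects. Pin the job to one DC (or keep a watermark per DC) and accept that the filter is an optimization, not an exactness guarantee; a periodic full import still catches deletions, which never show up as "changed" objects.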

Best practice for a multiuser CouchDB-based app?

I am creating a CMS from scratch and have decided to use CouchDB as my database solution. For my CMS I need various accounts and of course different user roles (admin, author, unregistered user, etc.).
First I thought I would program authorization within my CMS myself, but CouchDB has stuff like this built in, so I want to ask:
What is the best practice creating a multiuser app with CouchDB?
Create only one admin for CouchDB and manage restrictions, roles and accounts by yourself?
Use built-in functionality of CouchDB for all this? (Say create a CouchDB admin user for every admin of the CMS?)
What if I want to add other 3rd-party authorization later? Say I want users to login via Twitter/Facebook/Google?
Greetings,
Pipo
The critical question is whether you want to expose CouchDB to the public or not.
If you want to build your CMS as a classical 3-tier architecture where CouchDB is exclusively accessed from a privileged scripting layer, e.g. PHP, then I would recommend you to roll your own authorization system. This will give you better control over the authorization logic. Particularly, you can realize document based read access control (not available in the CouchDB security system).
If instead you want to expose CouchDB to the public, things are different. You cannot actually write server side logic (except for separate asynchronous listeners via the changes feed) so you will have to use CouchDB's built in authentication/authorization system. That limits you to read access controlled on a database level (not document level!). Write access can be controlled with validation functions. CouchDB admins should not be equivalent to application admins as a CouchDB admin is rather comparable to a server admin in a traditional setting. A database admin in CouchDB would be a better fit (can change design documents and therefore make modifications to the CMS installation like adding plugins). All other users with write access can be realized as database members.
I would prefer the second approach, because this will give you the possibility to leverage all the nice features of CouchDB like replication and the changes feed. However, you will have to do some filtered replication between databases with different members if you need fine grained read access control.
If you want to use other authentication mechanisms than those offered by CouchDB, you will eventually have to modify the installation (which can be an issue if you want to use a hosted CouchDB). For a facebook plugin see e.g. https://github.com/ocastalabs/CouchDB-Facebook-Authentication.

Webservice that handles 1 million user accounts

Imagine you're writing a web app that will have 1 million users (they all grow that big, right!)
How would you handle user accounts? I can imagine a few scenarios:
Roll your own (database tables, salted/hashed passwords stored in a user profile table)
If written with ASP.NET, use the login/role provider (which falls back to the database)
Use Active Directory if in a Windows environment
Use some other LDAP server
A 3rd party provider like OpenID or .NET Passport
Stability and scalability are of course important.
I guess this is really a question of whether Active Directory and other LDAP servers scale well and easily. What do Facebook, Twitter and Gmail use as their backend account provider?
What got me thinking about this is the Google App Engine. Really cool looking. But users would need to get a Google Account if I used the built-in authentication stuff. Or with #5 above, users would need to go get an OpenID. I'm trying to make it so they can just do a simple sign up with my site without needing to visit other sites -- for the non-geeks of the world :)
I would ask someone who had actually worked on a system which caters for that many users.
I'd find out about other systems like this, and look at case studies that have been written about them. (Ask Microsoft, Oracle, IBM etc.).
But, for usability you either need to implement a single sign on solution, so users don't need to know their login details. (Perfect for the corporate world.)
or
You have to go with what users know, which is an email address/username, and password.
OpenID or similar systems are horrible for non-technical users.
(Note, anyone looking at this is a technical user.)
OpenID.
If you must give the users a choice to create an account on your site, become an OP.

How do you use Active Directory in a "hosted solution"?

Yesterday I got a call from a Microsoft representative asking if we supply "hosted solutions", presumably as part of the big Windows Azure push. As soon as I got off that call, our marketing director came into my office and said the majority of our customers are demanding Active Directory integration in the next version. Then it occurred to me: how does one use Active Directory in a "hosted solution" if the application does not live on the customer's network?
As a more general question about Active Directory integration, what kind of functional changes does that usually imply for an app? Does it mean a user is signed into the app just by authenticating to Active Directory or does it mean the app gets its list of users from Active Directory or does the creation of new users or groups in the app create new users or groups in Active Directory?
Am I just caught in the crossfire of a war of buzzwords?
You're not. Active Directory can be run across the public Internet, though this complicates the security and setup of the network rather considerably.
Generally, authenticating an app against Active Directory means that your membership provider (for example) would call into Active Directory to do the authentication and, after that, the user is simply logged in; you don't keep active credentials, etc, in your own database. However I would consider it smart to cache that information as well, and be prepared to authenticate against that cache in addition to the directory, in case the domain controller is unavailable for authentication (an especially large risk if you're running the directory across the Internet).
You can use Active Directory Federated Services to enable authentication using AD over the internet between two organizations. See: http://technet.microsoft.com/en-us/library/cc786469.aspx
I've never used it only read about it. Hope it helps.
The accepted answer explains the role of Active Directory and I agree that caching basic user information may be useful in many instances.
Active Directory can be expanded outside of a corporate network, to the internet and connected web services. As another user mentioned, this is achieved through ADFS (Active Directory Federation Services) which allows "trusted" connections to be set up between separate authentication services. There were a number of scenarios explained as part of the "Office 365 Jump Start" webinars:
http://technet.microsoft.com/en-us/edge/office-365-jump-start-04-microsoft-office-365-identity-and-access-solutions
After viewing these, I immediately thought that a "hosted" AD and ADFS service would be useful, where a customer doesn't want to maintain the AD servers internally (Microsoft don't recommend running less than 5 separate servers if you're doing this!) Recently, Microsoft have also launched their Azure cloud platform. One of the services they provide is labelled "Identity" which you can see here:
http://www.windowsazure.com/en-us/services/identity/
This is Microsoft's own solution to hosted AD services. In fact, they even mention using their "Identity" hosted service as a solution for SSO (Single Sign-On) for Office 365 and even Google web apps.
I am still learning about AD and Microsoft's cloud offerings, but I hope this points you in the right direction.
There's an article here: http://www.developerfusion.com/article/121561/integrating-active-directory-into-azure/ which describes in-depth how to integrate Active Directory with Azure - hope that helps.
Active Directory can be run across the public internet but you will experience lag times which may cause your app to time out or crash depending on your bandwidth. In the past, I have set up accounts with another company called ultradns.com who specializes in these types of scenarios. Hope that helps.
You'd be best off going with a true hosting framework if you would like any support from MS.
I'm sure you'd like some links so:
HMC (Hosted Messaging and Collaboration)
The ONLY true blog I know about on the framework is from Kip Ng
The ASP.NET forums are a good resource for questions on the Framework as well.
An example of the work that goes into configuring AD for Exchange multitenancy is here, though it is based on an older version of the framework a lot of the same principles apply.
Also, try searching on the keyword multitenancy for some articles.

Is it a good idea to use Active Directory user login to your application

I am developing a web-based intranet for my company. I just want to know whether it is a good thing for users to log in to the application using their Active Directory login details, or whether I should create a login together with the application DB.
If there is anything better than this please suggest. This is my first application development so I need help from experienced people.
Generally it's a good idea to try and minimize the number of accounts people need to have.
So I'd definitely try and use their Active Directory login.
Also, if desirable, you can automatically log people into your application using various single sign-on methods (either integrated into IIS, or other).
This makes for a very usable application, as people always forget login details, and hate to login again to other systems.
Only use Active Directory for your intranet if your infrastructure supports it.
Your question is phrased as if you think the user has to type their password in again to log in to the intranet site - they should not do this! Have Windows pass on the credentials automatically. This is pretty much built in to .NET/IIS/etc.
Also AD will add group management and privileges so you can restrict areas of your intranet to members of certain groups.
And your support team already has the tools to manage all this.
PS: you can enable Firefox to auto-log on via NTLM, and it is one of the most requested features for Chrome too, so don't let browser issues put you off.
There are several pros using Active Directory authentication in the intranet.
Those are the main ones:
You want to keep the number of authentication stores as low as possible
Using Active Directory, users who have their desktop in the domain (as they should) will be able to use Integrated Windows Authentication. They will be able to log in without having to type their password.
An Active Directory authentication mechanism probably exists for your language
More information:
http://msdn.microsoft.com/en-us/library/ms998358.aspx
If you create a separate login system, then your users have to remember 2 different logins. Why bother, when their "real" login is right at hand?
Less code for you to write and better integration into the wider system. And, who doesn't want FEWER passwords to remember.
Definitely go for the Active Directory option, or use Active Directory as an LDAP server if whatever language you're using doesn't directly support AD. Active Directory actually makes a pretty good LDAP server.
If there is anything better than this please suggest.
OpenID?...