(v1.5) Types of users and their login process
User accounts in the application can be of two basic types:
local user - created locally by the application administrator, see Settings - Users
remote user - a user from a remote directory, which is either:
Active Directory (AD) - see Settings - Active Directory
Active Directory Federation Services (ADFS) - see Settings - ADFS
Local users
Local users log in to the application through the standard login form directly in the application. All of their data is stored only in the application, and their login credentials are verified only locally, against the application's built-in database.
Remote users
Remote users can log in to the application only if the administrator has correctly configured either the Active Directory or the ADFS integration. In that case the user's credentials are not verified locally in the application but remotely, in the corresponding directory.
Immediately after the first successful login of a remote user, that user is also created in the application and becomes visible in the list of application users. The list therefore shows only the remote users that have logged in to the application at least once, and only these users (plus the local users) count towards the license limit, see Settings - Configuration - License. Licenses are thus not consumed by all existing AD/ADFS users, only by those who actually use the application.
If a remote user is deleted in the AD/ADFS directory, this is not automatically reflected in the application. The user's account remains in the application as it existed at the time of the last successful login; it still appears in the user list and therefore still counts towards the license, even though the directory no longer authenticates the user. If the administrator also wants to delete such a user in the SOFiE application, he has to delete the account manually in Settings - Users.
For details about the login process for each of the remote directory services, see below:
Active Directory
Users log in to the application through the same login form as local users. The difference is that their credentials are not verified locally but are passed to the configured AD server, which authenticates the user and returns the result to the application. Based on this result, the application either allows the login or denies the attempt. Note that in this flow the user's password passes through the application on its way to the AD server.
ADFS
When ADFS is used, users do not log in through the application's login form but on the login page of the ADFS server: the SOFiE application redirects them to the ADFS server's login page, they authenticate there, and on success the ADFS server redirects them back to the SOFiE application together with signed information about the logged-in user. The application checks this signature and then logs the user in automatically using the received information; the user's password is never sent to the application.
The ADFS server typically remembers a logged-in user for some time (single sign-on). If the user has logged in through ADFS recently, ADFS can log him in again without asking for his credentials. This is convenient for users and, because the application never handles the password itself, also secure.
If both methods are available and the administrator can configure either, we recommend using ADFS rather than the AD integration.
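The following is an added example, not SOFiE's own code, that models the rules described above for both remote directory types: local users are verified locally, AD users are verified by the directory's verdict and ADFS users by a signed assertion, a remote user is created in the application only on first successful login, only those users count towards the license, and deletion in the directory is never mirrored. The directory, the signing key, the claim names (upn, aud, nbf, exp) and the assertion format are constructed for this demo; real ADFS issues SAML/JWT tokens signed with the federation service's certificate, which the HMAC below only stands in for. What happens when the license limit is reached is not described on this page; refusing the first login of a new remote user at the limit is this model's assumption.

```python
# Added example, not SOFiE's own code: a model of the login rules on this page.
# Directory, signing key and assertion format are constructed for the demo; real
# ADFS signs SAML/JWT tokens with a certificate, modelled here by an HMAC.
import base64
import hashlib
import hmac
import json
import os
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class User:
    username: str
    source: str                             # "local", "ad" or "adfs"
    password_hash: Optional[bytes] = None   # only local users have one
    salt: Optional[bytes] = None


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class UserStore:
    def __init__(self, license_limit: int) -> None:
        self.users = {}                     # the list shown in Settings - Users
        self.license_limit = license_limit

    # Local users: created by the administrator, verified only locally.
    def add_local_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = User(username, "local", _hash_password(password, salt), salt)

    def login_local(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None or user.source != "local":   # remote users have no local password
            return False
        return hmac.compare_digest(_hash_password(password, user.salt), user.password_hash)

    # Remote users: verified elsewhere, created here on the first successful login.
    def login_remote(self, username: str, source: str) -> bool:
        if username not in self.users:
            # From now on the user is visible in the list and counts towards the
            # license. Refusing at the limit is this model's assumption.
            if self.licensed_users() >= self.license_limit:
                return False
            self.users[username] = User(username, source)
        return True

    def licensed_users(self) -> int:
        # Local users plus remote users that logged in at least once.
        return len(self.users)

    def delete_user(self, username: str) -> None:
        # Deletion in AD/ADFS is never mirrored; the administrator does this by hand.
        self.users.pop(username, None)


def login_via_ad(store: UserStore, username: str, password: str,
                 directory_auth: Callable[[str, str], bool]) -> bool:
    # Same login form as local users, but only the AD server's verdict counts.
    if not directory_auth(username, password):
        return False
    return store.login_remote(username, "ad")


def make_assertion(claims: dict, key: bytes) -> str:
    # Stand-in for the ADFS server: sign the claims about the logged-in user.
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + base64.urlsafe_b64encode(sig).decode()


def verify_assertion(token: str, key: bytes, audience: str,
                     now: Optional[float] = None) -> Optional[str]:
    """Application side: return the asserted username only if the signature,
    audience and validity window all check out, otherwise None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None
    now = time.time() if now is None else now
    if (not isinstance(claims, dict) or claims.get("aud") != audience
            or not claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return None
    return claims.get("upn")


def login_via_adfs(store: UserStore, token: str, key: bytes, audience: str,
                   now: Optional[float] = None) -> bool:
    # The application never sees a password here, only the signed assertion.
    username = verify_assertion(token, key, audience, now)
    return username is not None and store.login_remote(username, "adfs")
```

The two points worth noticing when running this: a remote user who fails authentication never appears in the store, so unused directory accounts cost no license, and an account deleted in the directory stays in the store until delete_user is called, even though every further login of that user is refused.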