Authentication Options

 

Overview

Campus Suite offers multiple authentication options for users to log in to your website. These options include using standard email/password combinations stored within the system itself or linking to a private LDAP server that you maintain.

While multiple authentication options currently exist for Campus Suite, a site can only use one of these types of authentication at a time.  A site must use either the basic email/password logins or LDAP logins, and cannot use both simultaneously. For example, if you choose the LDAP option, any user requiring access to the system must have an account made for them on your LDAP server (typically Active Directory) as well as an account within Campus Suite that references their account on the LDAP server.

 

Basic Authentication

Out-of-the-box, Campus Suite supports user logins by way of email and password combinations. This information is stored within Campus Suite itself and the system provides the authentication mechanism for these types of logins. More information about managing users can be found here.

 

OpenID Integration

When using the Basic authentication option, individual users may also opt to use OpenID authentication as an alternative to their normal email/password login. Due to the newer OpenID standards, users must still have a working email/password login and must go through a registration process to properly link their third party OpenID account with Campus Suite; it is not possible for an Admin to associate an OpenID account to a user other than themselves or for OpenID accounts to be linked during a user import.

OpenID authentication is an alternate method to gain access to Campus Suite. Even with an OpenID account registered, a user's basic email/password login will still function.

A user can also only register one OpenID account to their Campus Suite profile at a time. If they wish to use another OpenID account for their login, they would first need to un-register their current association and perform the registration process again for their other OpenID account.

Since an OpenID account is used to authenticate a user in the system, only one Campus Suite user in a site can be registered to a single OpenID account at a time.

 

Registering OpenID

To register an OpenID account for use within Campus Suite:

  1. Log in to Campus Suite using your basic email/password credentials.
  2. Upon a successful login, you will be brought to the main dashboard. Click the "Edit" link in your Profile box.
  3. In the popup, click the "Click here to register an OpenID" link. This will initiate the OpenID registration process; you will be redirected away from your site and to the Campus Suite login server.
  4. The first step of the OpenID registration process is to verify your site information and to re-enter your login credentials for security purposes.
  5. Next, you will need to select an OpenID provider from the given list. If your provider is not on this list, it is currently not supported. Some providers may require you to also give a "Username"; you should be prompted for this if it is needed.
  6. After you select your provider, different actions may happen:
    1. If you are currently not logged into your OpenID provider, you will be asked to do so now.  If your provider allows you to be signed into more than one user at a time (such as Google) and you are currently logged into multiple accounts, you should be prompted as to which one to use.
    2. Once logged in to your provider, if this is your first time registering the OpenID account with Campus Suite, your provider should ask you for permission for Campus Suite to access your OpenID account details. In order to proceed, you must agree with these terms.
    3. Once you have been logged into your provider and have accepted the terms, you will be redirected back to the Campus Suite login server.
  7. If no errors occurred during this process, you should see a success message and be provided a link to return back to the Campus Suite dashboard. If an error did occur, you should be notified of this and should retry the registration process. If you receive consistent errors during this process, please contact Campus Suite support for help. Many factors could result in errors, and it may be impossible to link an OpenID account to Campus Suite due to settings at your provider.
  8. If the process was successful, the next time you log into Campus Suite you should be able to do so using your OpenID credentials.

 

Logging In with OpenID

To log in with OpenID:

  1. Access the Campus Suite login screen as you normally would.
  2. Switch to the OpenID tab on the screen.
  3. Choose your OpenID provider from the given list. If your provider requires a username, you will be prompted to enter it. Click the "Sign In" button.
  4. At this stage, different actions may happen:
    1. If you are currently not logged into your provider, you will be asked to do so now.
    2. If your provider allows you to be signed into more than one user at a time (such as Google) and you are currently logged into multiple accounts, you should be prompted as to which one to use.
    3. If you are already logged into only one account with your provider, you will be authenticated against that account; you will not be prompted for anything.
  5. Assuming the authentication was successful, you will be logged into your Campus Suite account.

 

Unregistering OpenID

To unregister an OpenID account:

  1. Log in to Campus Suite using either your basic email/password credentials or your OpenID account.
  2. Upon a successful login, you will be brought to the main dashboard. Click the "Edit" link in your Profile box.
  3. Click the "Click here to unregister your OpenID" link. This will immediately remove the association within Campus Suite to your OpenID account. The page will refresh. If you navigate to this area again, you should see the "Click here to register an OpenID" link instead.

 

LDAP Authentication

Campus Suite can link to and authenticate users against your own LDAP server (typically an Active Directory server).

If you choose to use this mode of authentication, basic authentication will be disabled for your site. Currently, it is only possible to use one form of authentication, Basic or LDAP, with Campus Suite. OpenID authentication is also not available for customers using LDAP.

Campus Suite can only connect to one LDAP server; the system currently does not support multiple LDAP servers or fallback servers.

While Campus Suite can use your LDAP server to authenticate users against, your users are still required to have a Campus Suite account. This provides their user access level in the system as well as their Campus Suite user profile.

Deleting a user from Campus Suite will have no effect on the LDAP server. However, deleting a user from your LDAP server will prevent them from being able to log into Campus Suite.

Since LDAP authentication is done via a separate server, that server must be functioning properly in order for users to gain access to Campus Suite; if your LDAP server is down your users will not be able to access Campus Suite. Since Innersync does not control these third party servers, we cannot be responsible for their outages.

 

Setup

A Campus Suite support representative will need to enable LDAP authentication for your site. This is best done when your site is first created, as doing so after this would more than likely result in access issues for users.

If your LDAP server is protected by a firewall, you will need to allow connections through from the Campus Suite login server; a support representative will be able to give you the IP addresses needed for this.

In order to set up LDAP for your site, we will need the following details:

  • Server: Either the IP address or the DNS name of your LDAP server.
  • Port: The port the LDAP server listens for connections on.
  • Username Scheme: The scheme for the usernames in the system. This is usually either something like "Domain\username" or what may look like an email address.
  • Start Filter: The LDAP lookup for where to start looking for users.  This is usually something like "dc=ldap,dc=mysite,dc=org".
  • Test Account: Innersync will need access to an account that can be used for testing the LDAP setup (both a username and a password).  It is suggested that this be a limited account and one that can be deleted once the LDAP integration has been tested and is working.
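
A pre-flight check an administrator could run over the five details above before sending them to support. This is an added example, not Campus Suite or Innersync code; the dictionary keys, function names and sample values are hypothetical, and the DN check is a simplification of RFC 4514.

```python
import re

# One "attr=value" component of a DN, simplified from RFC 4514 (no escaped characters or multi-valued RDNs).
RDN = re.compile(r'[A-Za-z][A-Za-z0-9-]*=[^,=+<>#;"\\]+')
NAME = r"[^\\/@\s]+"

def username_style(name):
    """'down-level' for Domain\\username, 'upn' for an email-like name, else None."""
    if re.fullmatch(NAME + r"\\" + NAME, name):
        return "down-level"
    if re.fullmatch(NAME + "@" + NAME, name):
        return "upn"
    return None

def check_details(d):
    """Return (errors, warnings) for a dict holding the five setup details."""
    errors, warnings = [], []
    if not str(d.get("server", "")).strip():
        errors.append("server")
    port = d.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        errors.append("port")
    elif port == 389:
        # 389 is the standard plain-LDAP port: a simple bind sends the password
        # unencrypted unless StartTLS is negotiated on the connection.
        warnings.append("port 389: confirm with support how the connection is encrypted")
    parts = [p.strip() for p in str(d.get("start_filter", "")).split(",")]
    if not all(RDN.fullmatch(p) for p in parts):
        errors.append("start_filter")
    style = username_style(str(d.get("username_scheme", "")))
    if style is None:
        errors.append("username_scheme")
    user = str(d.get("test_user", ""))
    if username_style(user) != style or not d.get("test_password"):
        errors.append("test_account")
    # Heuristic only: the page suggests a limited account that can be deleted after testing.
    local = user.split("\\")[-1].split("@")[0].lower()
    if local in {"administrator", "admin", "root"}:
        warnings.append("test account looks privileged; use a limited, deletable account")
    return errors, warnings

# Constructed sample values; none are real Campus Suite or customer settings.
SAMPLE = {"server": "ldap.mysite.example", "port": 389,
          "username_scheme": "MYSITE\\username",
          "start_filter": "dc=ldap,dc=mysite,dc=org",
          "test_user": "MYSITE\\Administrator", "test_password": "constructed-secret"}

if __name__ == "__main__":
    print(check_details(SAMPLE))
```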