Understanding the process after you click on Continue with Microsoft
- Windows NTLM (On-Premises only)
- Microsoft Active Directory Federation Services
- Microsoft Azure Active Directory
- Related KBAs
All these methods require an individual configuration outside of DocuWare, because these login methods communicate with services that are not part of the DocuWare installation.
To help you understand this process, we have prepared an overview for you.
You might want to read this paragraph first to understand why the application needs to know which user is requesting access: Why is a login required anyways?
NTLM:
When clicking on Continue with Microsoft, the client PC negotiates access with the server.
Only when the server responds to this request with status 200 does it allow you to access the resource.
This process is entirely independent of DocuWare, because the negotiation is performed via the Windows protocol NTLM.
DocuWare only needs to know which user should be logged in and compares this information with the network ID of the DocuWare user.
If a user with the same network ID is found, this user is logged in.
During setup, the DocuWare subpages are already created with the basic configuration and can be further configured according to your requirements.
To ensure a smooth NTLM process, configurations must be made in the DocuWare configuration, on the client, and on the server.
If you have chosen NTLM as your login method, you can proceed with this basic troubleshooting guide: Troubleshooting NTLM.
If necessary, your system administrator must take further security measures.
Microsoft Active Directory Federation Services and Microsoft Azure Active Directory
When clicking on Continue with Microsoft, the website visitor is redirected to the login page (URL defined in Issuer URL) of your ADFS or AAD. In case of a successful login, the visitor is redirected back from your Identity Provider to the identity service (URL defined in Callback URL) of DocuWare. The login status and user information are transferred to DocuWare via OpenID Connect. https://help.docuware.com/#/home/85703/2/2
- To let DocuWare know where to transfer the visitor, insert the correct Issuer URL in the DocuWare Configuration.
- To let your Identity Provider know where to transfer the visitor back in case of a successful login, you have to insert the correct Callback URL in your ADFS or AAD configuration.
- ADFS and AAD related KBAs can be found here: Related KBAs
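The redirect-and-callback exchange described above, modelled in plain Python as an added example (this is not DocuWare code, and the issuer, callback and client-id values, the `/oauth2/authorize` endpoint path and the claim names are constructed placeholders). It shows the two URLs the article names doing their jobs: the Issuer URL decides where the visitor is sent, and the registered Callback URL decides where a response may be accepted from. The code-for-token network call and the ID token signature check are omitted; only the claim checks that tie the returned identity to the request are shown.

```python
"""Added example (not DocuWare code): the OpenID Connect redirect-and-callback
exchange behind "Continue with Microsoft" for ADFS/AAD. All URLs, client ids
and claim values below are constructed placeholders."""
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders standing in for the two URLs the article names.
ISSUER_URL = "https://adfs.example.test/adfs"                      # "Issuer URL" in the DocuWare configuration
CALLBACK_URL = "https://docuware.example.test/identity/callback"   # "Callback URL" registered at the IdP
CLIENT_ID = "docuware-client-id-placeholder"                      # assumed client registration


def build_authorization_request(issuer_url, callback_url, client_id):
    """Step 1: build the redirect to the identity provider's login page.
    state and nonce are random values the relying party remembers so the
    callback can be tied to the request that started it."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid profile email",
        "redirect_uri": callback_url,
        "state": state,
        "nonce": nonce,
    }
    # The endpoint path is an assumption for this example; a real client reads it
    # from the issuer's /.well-known/openid-configuration discovery document.
    url = issuer_url.rstrip("/") + "/oauth2/authorize?" + urlencode(params)
    return url, {"state": state, "nonce": nonce}


def validate_callback(callback_request_url, expected_callback_url, pending):
    """Step 2: the IdP sends the visitor back to the Callback URL. Accept the
    response only if it arrived at the registered callback and carries the
    state we issued; otherwise reject before any code is exchanged."""
    parsed = urlparse(callback_request_url)
    received = parsed._replace(query="", fragment="").geturl()
    if received != expected_callback_url:
        return None, "callback arrived at an unregistered URL"
    query = parse_qs(parsed.query)
    if query.get("state", [None])[0] != pending["state"]:
        return None, "state does not match the pending request"
    if "code" not in query:
        return None, "no authorization code in the callback"
    return query["code"][0], None


def validate_id_token_claims(claims, issuer_url, client_id, pending, now=None):
    """Step 3: after the code is exchanged for tokens (network call omitted) and
    the ID token signature is verified against the IdP's published keys (also
    omitted), the claims must match what DocuWare was configured with."""
    now = time.time() if now is None else now
    checks = [
        (claims.get("iss") == issuer_url, "issuer mismatch"),
        (claims.get("aud") == client_id, "audience mismatch"),
        (claims.get("nonce") == pending["nonce"], "nonce mismatch"),
        (isinstance(claims.get("exp"), (int, float)) and claims["exp"] > now, "token expired"),
    ]
    for ok, reason in checks:
        if not ok:
            return False, reason
    return True, None


if __name__ == "__main__":
    url, pending = build_authorization_request(ISSUER_URL, CALLBACK_URL, CLIENT_ID)
    print("redirect visitor to:", url)
    # Constructed callback as the IdP would issue it after a successful login.
    code, err = validate_callback(f"{CALLBACK_URL}?code=sample-code&state={pending['state']}", CALLBACK_URL, pending)
    print("callback accepted:", err is None, "code:", code)
    sample_claims = {"iss": ISSUER_URL, "aud": CLIENT_ID, "nonce": pending["nonce"], "exp": time.time() + 300}
    print("claims accepted:", validate_id_token_claims(sample_claims, ISSUER_URL, CLIENT_ID, pending))
```

The two rejection paths worth noticing are a callback arriving at a URL other than the registered one and an ID token whose `iss` differs from the configured Issuer URL: both are exactly the misconfigurations that a wrong Issuer URL or Callback URL produces, and both are rejected before any user is looked up in DocuWare.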
Multi-Factor Authentication:
For ADFS and AAD, you might want to configure MFA.
In DocuWare, only the single sign-on connection must be configured, as the MFA process is performed within ADFS or AAD. If the MFA process is successful, the login status and information are transferred back to DocuWare via OpenID Connect.
Why is a Login needed anyways?
A Login method can be compared to folder and file permissions on your PC.
The same principle applies to a website.
Which user wants access to the web page, and what is this user allowed to see on it? In the case of DocuWare: is the user created in DocuWare, and what rights does the user have in DocuWare?
This information is important for this process:
- What resource is being requested (defined by calling the web page).
- Which user is requesting access (supplied by the respective login method).
- Does this user have a license to log in (defined by DocuWare).
- What permissions does the user have (permissions are assigned indirectly via group membership if the group is a member of a role; group membership can be provided by AD).
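The four questions above, answered in order by a small authorization check. This is an added example, not DocuWare code: the users, groups, roles, licence flags and permission names are constructed sample data, and the field names are assumptions. It shows the point the last item makes, that permissions reach a user only through a group that is a member of a role, and that the group list supplied by AD at login can change the outcome for an otherwise licensed user.

```python
"""Added example (not DocuWare code): the four questions a login has to answer,
checked in order. Sample users, groups, roles and permissions are constructed."""
from dataclasses import dataclass, field


@dataclass
class LocalUser:
    name: str
    network_id: str                  # compared with the identity the login method supplies
    licensed: bool                   # "Does this user have a license to log in"
    groups: set = field(default_factory=set)


# Constructed sample data. Roles are granted to groups, never to users directly,
# mirroring "permission assignment indirectly via group membership".
GROUP_ROLES = {
    "AD-Accounting": {"Invoices-Reader"},
    "AD-HR": {"Personnel-Editor"},
}
ROLE_PERMISSIONS = {
    "Invoices-Reader": {"invoices:read"},
    "Personnel-Editor": {"personnel:read", "personnel:write"},
}
USERS = {
    "CORP\\alice": LocalUser("alice", "CORP\\alice", True, {"AD-Accounting"}),
    "CORP\\bob": LocalUser("bob", "CORP\\bob", False, {"AD-HR"}),      # no licence
    "CORP\\carol": LocalUser("carol", "CORP\\carol", True, set()),     # no local groups
}


def resolve_user(network_id, users=USERS):
    """Question 2: which user is requesting access. The login method (NTLM or
    OpenID Connect) supplies the identity; it must match a known network ID."""
    return users.get(network_id)


def effective_permissions(user, group_roles=GROUP_ROLES,
                          role_permissions=ROLE_PERMISSIONS, ad_groups=None):
    """Question 4: permissions flow user -> group -> role -> permission.
    ad_groups are group memberships supplied by AD at login, merged with the
    groups stored on the local user record."""
    groups = set(user.groups) | set(ad_groups or ())
    roles = set().union(*(group_roles.get(g, set()) for g in groups))
    return set().union(*(role_permissions.get(r, set()) for r in roles))


def authorize(resource_permission, network_id, ad_groups=None):
    """Answer the four questions in order and return (allowed, reason).
    resource_permission is the permission the requested web page needs (Q1)."""
    user = resolve_user(network_id)                              # Q2: who is asking
    if user is None:
        return False, "no DocuWare user with this network ID"
    if not user.licensed:                                        # Q3: may they log in
        return False, "user has no login licence"
    perms = effective_permissions(user, ad_groups=ad_groups)     # Q4: what may they do
    if resource_permission not in perms:                         # Q1 checked against Q4
        return False, "user lacks permission for the requested resource"
    return True, "allowed"


if __name__ == "__main__":
    for who, res, groups in [
        ("CORP\\alice", "invoices:read", None),
        ("CORP\\bob", "personnel:read", None),
        ("CORP\\mallory", "invoices:read", None),
        ("CORP\\carol", "invoices:read", None),
        ("CORP\\carol", "invoices:read", {"AD-Accounting"}),   # group supplied by AD
    ]:
        print(who, res, "->", authorize(res, who, ad_groups=groups))
```

The order matters for what an administrator sees when troubleshooting: an unknown network ID, a missing licence and a missing permission are three different failures, and the check stops at the first one, so each case gets its own reason rather than a generic denial.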