Security: GreenOrbit (GO) Authentication Options
GreenOrbit allows FOUR different authentication modes for accessing your site.
- Login On Demand
- Active Directory
- Login Using SAML
All users must enter login details via a web-based form before they can access the website. Users must be added as Website Users in the Admin of GreenOrbit by an Administrator. No anonymous access will be available in this security mode.
When the web server is part of a Windows domain, domain user credentials are automatically passed to GreenOrbit for each new browsing session. Users may be part of the same domain or of domains within the same 'forest'. Security can then be assigned to areas of the website based on AD users, groups, and domains. Users who are not part of the domain will be prompted to log in (via a popup login prompt), and users who are then unable to log in will be assigned 'anonymous' access.
(Note: The Active Directory option is only available if the server is a member of a Microsoft Active Directory domain.)
Login Using SAML
When first attempting to access GO, Website Users will be redirected to the external site of the chosen Identity Provider (e.g. OneLogin, Okta etc.). After logging in to the Identity Provider, the Website User will be redirected to the intranet. Instructions for configuring this option are provided below.
Setting the Authentication Mode
This process is carried out in the Admin console of GO and can only be performed by an Admin user with the Superuser permission level.
The Frontend Security Type controls the way website users log in to your intranet. Follow the instructions below to set your Frontend Security mode.
- Select Config Settings from the Utilities menu
- Search for and select Frontend Security Type
- Use the drop-down list to select the applicable security type: Login, ActiveDirectory, LoginUsingSAML
- If you have selected LoginUsingSAML, there are further steps to complete this process; please see below
- Once selected, click the Update button to save changes
Login Using SAML
In order to set up Login Using SAML, in addition to the previous steps, there are two other configuration settings to complete:
- SAML Identity Provider SSO Target URL: the remote identity provider SSO URL that users will be redirected to in order to verify their identity
- SAML Identity Provider Certificate: the certificate from the remote identity provider that is used to validate the SAML response received from them
Both of these values can be taken from your Identity Provider. The steps for each are provided below.
- Go to the iD Admin> Utilities> Config Settings
- In the Config Settings search for 'SAML Identity Provider SSO Target URL'
- From your Identity Provider, copy the 'SAML Endpoint' URL as provided
- Insert the SAML Endpoint URL into the Config Setting field
- Select Update
- Still in GO Admin> Utilities> Config Settings
- In the Config Settings, search for SAML Identity Provider Certificate
- From your Identity Provider, copy the X.509 Certificate as provided
- Insert the X.509 Certificate text into the Config Setting field
- Select Update
Once these configuration settings are completed, attempting to access the intranet URL will launch the Identity Provider login page. Once logged in, the user will be redirected to the intranet.
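Because the certificate setting is what GreenOrbit uses to validate SAML responses, it is worth checking both values before selecting Update. The following is an added example, not GreenOrbit code: it assumes the certificate is pasted as PEM or bare base64 text and that your Identity Provider displays a SHA-256 fingerprint to compare against. The function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Constructed placeholder: a tiny DER SEQUENCE, NOT a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def sso_url_problems(url):
    """Return reasons the SSO Target URL should not be saved (empty = OK)."""
    parts = urlsplit(url.strip())
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not parts.hostname:
        problems.append("no host name")
    if parts.username or parts.password:
        problems.append("credentials embedded in URL")
    return problems


def cert_fingerprint(cert_text):
    """SHA-256 fingerprint of the single certificate in the pasted text."""
    blocks = PEM_BLOCK.findall(cert_text)
    if len(blocks) > 1:
        raise ValueError("more than one certificate pasted")
    body = blocks[0] if blocks else cert_text  # some IdPs omit the PEM header
    # Copy/paste often adds spaces or CRLF; strip all whitespace first.
    der = base64.b64decode("".join(body.split()), validate=True)
    if not der.startswith(b"\x30"):
        raise ValueError("decoded data is not a DER SEQUENCE")
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_published(cert_text, published_fingerprint):
    """Compare with the fingerprint the IdP shows, ignoring case/separators."""
    def strip(fp):
        return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()
    return hmac.compare_digest(strip(cert_fingerprint(cert_text)),
                               strip(published_fingerprint))
```

A mismatch between the computed fingerprint and the one shown by the Identity Provider means the pasted text is not the certificate you intended to trust, so it should not be saved.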
For steps on configuring specific SAML providers, see our SAML Configuration Guides.
Can GreenOrbit Run in Multiple Authentication Modes?
A GreenOrbit installation can run more than one authentication mode at a time. The mode applied is based on the IP address (or a defined IP range) of the workstation that the user is accessing the site from.
For example, if extranet access to the site is required, the installation can be set to run in ActiveDirectory mode for internal requests and Login mode for external requests.