Introduction

This tutorial will guide you through configuring custo diagnostic to use LDAP / Active Directory for user synchronization and Kerberos for Single Sign On.

Active Directory is the LDAP implementation, and Kerberos is a protocol that lets you identify yourself to other services with your Windows logon. With both configured you achieve Single Sign On, which means that custo diagnostic automatically uses the user that is logged on to Windows for authentication, and the user does not need to enter any passwords.

Prerequisites

  • custo diagnostic 5.1 or up
  • Windows Domain with Windows Server 2008 R2 or up
  • You must be Windows Domain Administrator
  • Basic understanding of LDAP
  • Basic understanding of Kerberos configuration

Configuring custo diagnostic for LDAP

Open custo service center and navigate to Login→LDAP. This will open up a page that contains all configuration entries regarding the connection and mapping to the LDAP server.


 

Fill out the fields on the top of the page to have a basic setup. The page is more or less self-explanatory. Here is an example for a Windows Server Domain:


Note that a filter for valid users can be appended if you activate "Import only users with valid profile mapping". The corresponding filter will be provided below for your information.

If you have trouble figuring out the correct filter settings, we recommend using a tool like LDAP Admin (http://www.ldapadmin.org/). This will let you figure out the correct configuration for your system more easily.
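
A group-restricted user filter of the kind you can paste into a tool like LDAP Admin to preview which users an import would return, as an added example (not custo diagnostic's own code or the filter it generates). The base filter, the group DNs and the use of Active Directory's `memberOf` attribute are assumptions.

```python
from __future__ import annotations

# Added example. Assumed, not taken from custo diagnostic: the base filter,
# the group DNs, and that group membership is read from AD's memberOf.

# Characters that must be escaped inside an LDAP filter value (RFC 4515).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Active Directory matching rule that follows nested group membership.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value character by character, so nothing is escaped twice."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def restrict_to_groups(base_filter: str, group_dns: list[str],
                       nested: bool = False) -> str:
    """AND the base filter with an OR over membership in the given groups.

    nested=False matches direct members only; nested=True also matches
    users who are members through a nested group (Active Directory only).
    """
    if not (base_filter.startswith("(") and base_filter.endswith(")")):
        raise ValueError("base filter must be enclosed in parentheses")
    if not group_dns:
        raise ValueError("no groups given: the filter would match nobody")
    attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    clauses = "".join(f"({attr}={escape_filter_value(dn)})" for dn in group_dns)
    if len(group_dns) > 1:
        clauses = f"(|{clauses})"
    return f"(&{base_filter}{clauses})"


if __name__ == "__main__":
    # Constructed sample values, not from a real directory.
    base = "(&(objectCategory=person)(objectClass=user))"
    groups = ["CN=Cardio (ECG),OU=Groups,DC=example,DC=local",
              "CN=Doctors,OU=Groups,DC=example,DC=local"]
    print(restrict_to_groups(base, groups))
    print(restrict_to_groups(base, groups, nested=True))
```

In Active Directory, `memberOf` does not list a user's primary group (usually Domain Users), so a filter on that group alone returns no users.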

After you have finished, click on "Save Settings And Test". This will enforce the LDAP settings on the server. In order to check for errors, look at the log output at the end of the page:


Also check the imported users on the Administration → User page.

Mapping of users

As users are automatically imported into custo diagnostic from LDAP, mapping provides you a way to configure the users automatically with the correct settings, correct tenant and correct doctor information.
The first and most important mapping is the profile mapping. This lets you map profiles to LDAP user groups. In custo diagnostic, this includes the user permissions that are configured for the profiles.

We recommend using the mapping option "PROFILE".


To add a mapping, click "Add Entry" (1) and some dialogs will open that let you choose the LDAP group, profile and mapping behaviour. Note that you cannot edit a mapping once it is configured, but you can delete it (2) and add it again.
After you have finished the mapping, click (3) to save it.

The same workflow can be used to map users to doctors. This is normally used to give users different address print-outs on prints and PDFs.


The last step is to do the same with tenants, if you use a tenant system:



After this your configuration is nearly complete. Hit the button "Synchronize Users" and check in Administration → User if the users are correctly imported and have the correct profile, doctor and tenant mapping.

Login Options

The last step in this process is to activate LDAP login. Go to the Login page (1) and change Login Method to LDAP (2):


If you use Kerberos we will later change the Login Method to "Remote User". Now please check if the LDAP users can authenticate with the custo manager.


1 Comment

  1. In my test setup I had to enter the full UPN name (user name@domain name). Before I had done so I always got an error like: acceptSecurityContentError.

    The setup in your screen shots looks more logical, but the facts in my installation have shown something else...