Connecting to a user directory
Overview
Linking AppsAnywhere to a user directory is the first step to configuring your service. This section will cover all aspects of managing your directory connection.
AppsAnywhere relies on an external directory for all user authentication and can link to any LDAP-enabled directory service. The primary directory service supported by AppsAnywhere is Microsoft's Active Directory, but we also strive to support any OpenLDAP directory service and SAML Attribute Mapping.
SAML can be used in conjunction with, or without, an LDAP connection.
This section will take you through all the functionality relating to linking AppsAnywhere with an LDAP directory service.
LDAP Interactions
There are two main ways in which AppsAnywhere will interact with your directory:
User Authentication
Whenever a user attempts to log into AppsAnywhere, AppsAnywhere will attempt a bind against your directory, using the credentials the user provided, in order to determine whether or not they can be authenticated and allowed to access the service. If the bind is successful, AppsAnywhere will note some basic information about the user from the data returned, such as display name and user object ID, and permit them access. Any error messages returned from the bind will result in the user being denied access.
AppsAnywhere does not store any user passwords. Once a bind has been attempted, all password information is discarded.
User Group Lookup
Once a user has successfully logged into AppsAnywhere, AppsAnywhere will query your directory to discover the groups of which that user is a member in order to determine which provisions they will be permitted to access. This includes a recursive search of all their member groups for any groups they are linked to through association. This query is done using the service user account that is given to AppsAnywhere when connecting it to your directory (see Adding an LDAP connection).
Machine Group Lookup
Following a successful validation of a user session, AppsAnywhere will query your directory and attempt to locate a machine object that represents the device on which the user is currently logged in. If AppsAnywhere manages to find the device in your directory, it will then query for any groups of which that device is a member, both directly and through association. This allows AppsAnywhere to determine if there are any provisions linked to the device to which the user should be permitted access.
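The direct-plus-nested membership resolution described under User Group Lookup and Machine Group Lookup, as an added sketch that is not AppsAnywhere's own code. It runs over a constructed in-memory directory; every DN, the memberOf map and the provision-to-group links are assumptions made for illustration. It can be used to audit which provisions a given nesting of groups actually grants.

```python
BASE = "dc=example,dc=org"  # constructed directory suffix

def group(name):
    """Build a DN for a made-up group."""
    return f"cn={name},ou=groups,{BASE}"

USER = f"cn=jsmith,ou=people,{BASE}"
MACHINE = f"cn=lab-pc-07,ou=machines,{BASE}"

# Constructed sample data: each DN maps to the DNs in its memberOf attribute.
MEMBER_OF = {
    USER: [group("physics-y2")],
    MACHINE: [group("physics-lab")],
    group("physics-y2"): [group("physics")],
    group("physics"): [group("science")],
    group("science"): [group("physics-y2")],  # deliberate nesting cycle
}

# Hypothetical links between provisions and directory groups.
PROVISIONS = {
    "MATLAB": group("science"),
    "LabVIEW": group("physics-lab"),
    "AutoCAD": group("engineering"),
}

def effective_groups(dn, member_of):
    """Return every group dn belongs to, directly or through nesting."""
    seen = set()
    pending = list(member_of.get(dn.lower(), []))
    while pending:
        current = pending.pop().lower()  # compare DNs case-insensitively
        if current in seen:
            continue  # already expanded; also stops cyclic nesting
        seen.add(current)
        pending.extend(member_of.get(current, []))
    return seen

def permitted_provisions(user_dn, machine_dn, member_of, provisions):
    """Union the user's and the machine's groups, then match provisions."""
    groups = effective_groups(user_dn, member_of)
    if machine_dn is not None:  # the device may not exist in the directory
        groups |= effective_groups(machine_dn, member_of)
    return sorted(n for n, g in provisions.items() if g.lower() in groups)

if __name__ == "__main__":
    print(permitted_provisions(USER, MACHINE, MEMBER_OF, PROVISIONS))
```

Because access follows nested membership, adding one group to another widens what every indirect member can reach, so group nesting changes deserve the same review as direct provision changes.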