Understanding Authentication Types

One of the most important areas to understand is the difference between internal Chorus accounts and externally authenticated user accounts (for example, SAML2 or LDAP accounts). Chorus allows both types to exist at the same time.

Chorus uses the following icons to differentiate between accounts using different authentication schemes:

User type               Icon
Internal Chorus user    [icon]
SAML2 or LDAP user      [icon]

You will need to decide which authentication scheme is appropriate for each user account on your Chorus system. 

You might want to use external authentication for users within your office LAN but keep internally authenticated accounts for users who are external to your organisation, for example.

It is especially important to keep at least one Site Administration account that is internally authenticated, to avoid locking yourself out of Chorus should there be a problem on the external authentication service.

Create a System Administrator Account

Your IT team will need to be given a Site Admin account so that they can reach the configuration pages (and have a backup method for logging into your Chorus site). To create an administrator account for the IT team, you will need to use an existing administrator account to unlock the site menu (see D2. Elevate and sign in as a site admin). Then, open the Admin > Teams > Users menu and click the 'Create new user' button.

When you are creating the user, keep in mind that the email address for the recipient must be deliverable, as this is where the initial password and invitation to log in will be sent.

Ensure that you check the box labelled "Administrate Site":

Click Save to finish adding the account.

IT Team tasks

Please ensure you read through the documentation for your chosen authentication solution. Third Light Support can't offer advice on the specifics of non-Third Light products. However, we have produced a number of example setup guides:

Notes on User Identifiers

In Chorus, user identifiers must be unique. Email addresses are not necessarily unique, so Chorus instead looks for the following:

SAML: NameID
LDAP: User-Principal-Name

When you use an external authentication system, please ensure that the unique identifiers of user accounts are not going to change or overlap with internal Chorus users that you have already created. Chorus uses these identifiers to establish if a user account has logged in before, so changing the identifier will result in duplicate accounts being created (e.g. 'username' and 'username2').

This is the process when a user logs into Chorus:

  1. User clicks the Single Sign On login button and enters credentials into the login page of the external Identity Provider (IdP).
  2. If the credentials are correct, the IdP sends a list of attributes about the user back to Chorus.
  3. Based on the attribute information, Chorus now needs to decide which of its own user accounts is associated with this login attempt. It does this by looking for an attribute that uniquely identifies the account.

     If this attribute has not been seen before, a new Chorus user account is created.

     If the attribute is registered to an existing Chorus user account that has been configured to use external authentication, that is the account that will be picked.

If the unique identifier for an external user account provided by the IdP changes, Chorus will not be able to tell if this user has logged in before and a new account will be created (suffixed with a '2').

Enabling external authentication after already creating internal user accounts will generally create duplicate accounts. It is advisable to plan to enable any external authentication you know your organization will be using, as early as possible after you begin using Chorus.
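As an added illustration (not Chorus code), the following Python model reproduces the matching and provisioning behaviour described above using a constructed in-memory user store: accounts are matched only on the external identifier (SAML NameID or LDAP UPN), first-seen identifiers provision a new account, and a username collision produces a suffixed duplicate. The suffix rule beyond the first collision ('username2') is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class Account:
    username: str
    auth_mode: str                     # "internal" or "external"
    external_id: Optional[str] = None  # SAML NameID / LDAP UPN, once linked

@dataclass
class UserStore:
    accounts: Dict[str, Account] = field(default_factory=dict)

    def create_internal(self, username: str) -> Account:
        self.accounts[username] = Account(username, "internal")
        return self.accounts[username]

    def convert_to_external(self, username: str, external_id: str) -> Account:
        # The manual step from 'Changing authentication type': link an existing
        # internal account to the identifier the IdP will present for it.
        acct = self.accounts[username]
        acct.auth_mode, acct.external_id = "external", external_id
        return acct

    def _free_username(self, wanted: str) -> str:
        # Assumed suffix rule: the page documents only the first collision
        # ('username2'); this keeps counting (3, 4, ...) for later ones.
        n, candidate = 2, wanted
        while candidate in self.accounts:
            candidate, n = f"{wanted}{n}", n + 1
        return candidate

    def external_login(self, external_id: str, preferred_username: str) -> Account:
        # Steps 2-3 of the login flow: match only on the unique identifier,
        # never on username or email, and provision on first sight.
        for acct in self.accounts.values():
            if acct.auth_mode == "external" and acct.external_id == external_id:
                return acct
        acct = Account(self._free_username(preferred_username), "external", external_id)
        self.accounts[acct.username] = acct
        return acct

def demo() -> Dict[str, str]:
    store = UserStore()
    store.create_internal("jsmith")                       # pre-existing internal user
    first = store.external_login("nameid-abc", "jsmith")  # username taken -> 'jsmith2'
    again = store.external_login("nameid-abc", "jsmith")  # same NameID -> same account
    moved = store.external_login("nameid-xyz", "jsmith")  # NameID changed -> 'jsmith3'
    return {"first": first.username, "again": again.username, "moved": moved.username}
```

Calling convert_to_external on 'jsmith' with its NameID before the first external login is what avoids the duplicate, which is the manual conversion described in the next section.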

Changing authentication type for a user

Chorus allows you to convert your chosen accounts from internal authentication to external. This is a manual task which you must perform. For example, if you enable external authentication and a user already has an internally authenticated account, it won't be automatically converted. Instead, Chorus will add a numerical suffix and create a separate account (e.g. username2).

However, a user will be given a new, internal Chorus user account if they have never used their external user account, because Chorus provisions user accounts on their first use.

To change a user's authentication type, open the user's account by clicking on their avatar in their Space, or by opening the Site > Teams > Users menu. A drop-down box for Authentication Mode is provided, if the Authentication Module is enabled:

The available choices are as follows:

Authentication type / Notes and comments

Internal Chorus Password

An internal user account with a password stored in Chorus' own database is used. It is essential to have at least one user account of this sort with administrator access to Chorus.

External API driven authentication

Requires the API Module. An internal user account which can only be used via the Chorus API. This account has no password and there is no way to interactively log into Chorus, for example via the login form.

External AD/LDAP password integration

An Active Directory account, which is authenticated via LDAP at each login. No record is kept in Chorus of the passwords used.

External AD FS/SAML2 authentication

The account uses AD FS, Shibboleth or SAML2 federated logins. These services work by redirecting the user to an external site to authenticate. No record is kept in Chorus of the passwords used.


Other tips

TLS security requirements

Chorus uses TLS v1.2 by default, and blocks lower protocol versions. This is in accordance with security best practice. You may need to add support for TLS v1.2 to Windows Server, for example, so that metadata URLs can be fetched from Chorus. This is a very common source of problems and should be checked at the earliest possible stage.

FTP or SFTP requires an internal Chorus User

Chorus supports FTP and SFTP uploads, but external authentication cannot be used with these. You will need to use Internal Chorus User accounts where FTP/SFTP is required.

Mapping Groups to Spaces

Groups that have been defined on an external authentication system can be mapped to Chorus spaces. For further details on how to use Group → Space mappings, please see D9.3 Connecting SAML2 groups to Chorus Spaces. It is normally best for a Chorus Administrator to discuss any mappings with their System Administrator or IT Staff, to decide what is appropriate and periodically review any decisions made.
