Users and Authentication

User authentication - allowing access to your site

The authentication method used by your site impacts how you can manage your users.

 

What is authentication?

A user's identity must be checked and approved before they can access a SMLWRLD intranet. This validation process is known as "authentication", and requires the user to enter a username and password. 

User action required to gain access to site

Authentication method: Active Directory (AD)
  User is physically in the office on an organisation PC: Log in to the organisation's network with AD username and password by logging in to an office PC. The user can then access the site without logging in again.
  User is physically outside the office network: Log in to the organisation's network with AD username and password by using remote desktop / VPN. The user can then access the site without logging in again.

Authentication method: Active Directory Federation Services (ADFS) and Azure AD
  Log in to site via web page with AD username and password.

Authentication method: Native
  Log in to site via web page with site-specific login details.

Authentication methods and key characteristics

Authentication Method: Active Directory (not supported by SMLWRLD), Azure AD, ADFS, Native
Characteristics:
Admins can change user types / manage permissions
Admins can reset user passwords
Users can register for access
System creates user accounts automatically on first login
System deletes user accounts automatically after removal from AD
Users can access intranet outside organisation's network (without VPN)
Users can access intranet via mobile
Users are automatically logged in to intranet once logged in to organisation's network
Users not on AD (such as external agencies) can access the site if needed

Authentication methods overview

Active Directory authentication

When a site uses Active Directory (or "AD") authentication, once a user is logged in to their organisation's network, they are automatically logged in to the intranet. They do not need to enter a separate site login.

However, if a user is outside the organisation's network (e.g. a staff member working from home) they must use a VPN to access the network. 

With AD authentication, users are not created or deleted within the site; this is all managed via AD. Generally an organisation's IT Team are responsible for adding or deleting users in AD and managing AD passwords and password resets.

As AD authentication effectively prevents staff from accessing their intranet via a mobile or outside the office network, SMLWRLD do not support this method.

 

ADFS and Azure AD authentication

With Active Directory Federation Services (or "ADFS") and Azure AD, just as with AD authentication, once a user is logged in to their organisation's network, they are automatically logged in to the intranet. They do not need to enter a separate site login.

However, if a user is outside the organisation's network (e.g. a staff member working from home) they can easily log in to the site via their browser using their AD details.

As with AD authentication, users are not created within the site and are managed via the organisation's AD. However, for ADFS, users must still be deleted from the site manually. This should be included in an organisation's process for managing staff leavers.
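
The manual deletion step for ADFS described above can be backed by a periodic reconciliation check. The following is an added example, not SMLWRLD's own code: it assumes the site's user list and an AD user list can be exported as CSV, and the column names (`username`, `mail`, `enabled`) and sample rows are constructed for illustration.

```python
import csv
import io

# Constructed sample exports. Column names are assumptions for this example,
# not a SMLWRLD or Active Directory export format.
SITE_USERS_CSV = """username
Alice.Smith@example.org
bob.jones@example.org
carol.lee@example.org
dave.kim@example.org
"""

AD_USERS_CSV = """mail,enabled
alice.smith@example.org,True
BOB.JONES@example.org,False
dave.kim@example.org ,True
"""


def normalise(name):
    """Compare identities case-insensitively and ignore stray whitespace."""
    return name.strip().lower()


def load_ad_status(ad_csv):
    """Map each AD mail address to whether the account is enabled."""
    rows = csv.DictReader(io.StringIO(ad_csv))
    return {normalise(r["mail"]): r["enabled"].strip().lower() == "true" for r in rows}


def find_stale_site_accounts(site_csv, ad_csv):
    """Return (username, reason) for site accounts to review for manual deletion."""
    ad_status = load_ad_status(ad_csv)
    stale = []
    for row in csv.DictReader(io.StringIO(site_csv)):
        key = normalise(row["username"])
        if key not in ad_status:
            # Removed from AD, but the site account still exists.
            stale.append((row["username"], "not in AD"))
        elif not ad_status[key]:
            # Disabled leavers often stay in AD for a while before removal.
            stale.append((row["username"], "disabled in AD"))
    return stale


if __name__ == "__main__":
    for username, reason in find_stale_site_accounts(SITE_USERS_CSV, AD_USERS_CSV):
        print(f"{username}: {reason}")
```

Accounts it reports are candidates for review by an administrator rather than automatic deletion, since the check only compares the two exports.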

Native authentication

With native authentication, users' login details are managed within the site; usernames and encrypted passwords are stored in the site database. To access the site, users have to enter a username (normally an email address) and password into the site's login page.

Administrators are responsible for adding and deleting users and resetting users' passwords. 

If an intranet has a lot of external users (such as suppliers and external agencies) then native authentication may be the best method.