NAV

Authentication Guide

This guide provides additional details about how to configure different SimpleHelp authentication schemes. It covers more advanced configuration options such as OpenID Connect, LDAP / Active Directory integration, RADIUS support and multi-tier authentication.

OpenID Connect (Azure AD and others)

SimpleHelp 5.5 allows technicians to authenticate using credentials that are verified by an Authentication Provider. The Authentication Provider is a third party service that is responsible for authenticating technicians, notifying SimpleHelp of a valid login, and providing technician profile details that will be used in SimpleHelp.

Using an OpenID Connect authentication scheme allows technicians to authenticate and login using credentials controlled by the Authentication Provider. SimpleHelp will not request or handle any user authentication credentials. When configuring OpenID Connect, an administrator will need to configure the authentication provider to allow SimpleHelp to connect.

In the SimpleHelp Administration tab, an administrator can add a new Authentication Service. The following list will appear:

Authentication Provider Screenshot

If you are configuring OpenID Connect to Azure AD then select the Azure option. For all other Authentication Providers choose the OpenID Connect option.

Azure AD

An Azure AD Authentication Service shows the following configuration options:

Azure AD Provider Configuration Screenshot

The configuration options are as follows:

X X
Display Name The name that will be shown to Technicians on the Login Dialog.
Client ID An automatically generated ID in Azure, also known as the Application ID. This references the unique ID of the app created in Azure to process SimpleHelp authentications.
Client Secret The Client Secret for the configured Azure app.
Tenant ID An automatically generated ID in Azure to reference the specific directory that the app in Azure is created under.

When configuring your app in Azure you will be asked to provide a redirect URL that is used when users are forwarded from the login page back to the SimpleHelp server. This URL is based on the public hostname that is configured in the Administration tab's Network Settings section.

See the Azure AD Guide for details about how to configure an authentication app in Azure AD.

Other OpenID Connect Providers

An OpenID Connect Authentication Service shows the following configuration options:

OpenID Connect Provider Configuration Screenshot

The configuration options are as follows:

X X
Display Name The name that will be shown to Technicians on the Login Dialog.
Client ID An ID automatically generated by your Provider. This references the unique ID of the app created in the Provider to process SimpleHelp authentications.
Client Secret The Client Secret for the configured app.
Discovery URL A URL supplied by the identity provider that can be queried to retrieve connection data for the OpenID service.

When configuring your app in your OpenID Connect provider you will be asked to provide a redirect URL that is used when users are forwarded from the login page back to the SimpleHelp server. This URL is based on the public hostname that is configured in the Administration tab's Network Settings section.

Active Directory / LDAP Authentication

SimpleHelp can be configured to authenticate incoming technician logins with an LDAP directory server, such as Active Directory. LDAP authentication must be configured in two stages:

  • The LDAP server connection must be specified first, which is the connection that SimpleHelp will establish in order to validate a login attempt.
  • Each technician group must opt into LDAP authentication for its members. This allows each technician group to specify a different, group-specific search filter in order to pick our appropriate users during a login attempt.

Configuring the LDAP Server Connection

The LDAP server connection is specified in the Administration tab of the Technician Console. In order to set an LDAP server to use follow these steps:

  • Log in as the SimpleHelpAdmin user.
  • Switch to the Administration tab, and choose the Authentication Services section.
  • Enable the LDAP checkbox.

You will see the following configuration options:

LDAP Authentication Screenshot

The configuration options are as follows:

X X
LDAP Server Hostname / Port The LDAP server's hostname or IP address, and the port to connect on. The default LDAP directory ports is 386, and 686 for SSL access.
Username / Password The username and password for an LDAP server user who has appropriate rights to search the directory.
Authentication Mechanism The authentication mechanism to use. Usually simple should be used.
Enable LDAP over SSL Check if you wish to access the LDAP server over SSL. If your LDAP server uses a self-signed certificate you can add the root certificate to the trusted store by pressing the Manage Trusted Certificates button.
This is a Active Directory server Specify whether the LDAP server is an Active Directory server or not. If not, specify the following three attributes that are utilised by your LDAP server implementation. SimpleHelp uses these attributes to search for technicians and groups within the LDAP server.
Group Object Class The class name that is used to identify a group within the server.
User Login Attribute The attribute in the LDAP server that should match the technician's supplied login name.
User Group Member Attribute The attribute within the LDAP server that details which groups a technician belongs in.
Automatically Assign Technician Groups An advanced option to automatically assign Technician Group membership to group-authenticated technicians. If enabled the SimpleHelp server will query the LDAP server for every Technician Group in the server to determine whether the logging in technician is a member of the group. Changes in membership on the LDAP server will then be reflected in the SimpleHelp server.

Configuring Technician Groups for LDAP Authentication

Technician Groups can be configured to authenticate over LDAP once an LDAP connection has been set up. To configure a Technician Group follow these steps:

  • In the Administration tab select the Technician Groups section.
  • Pick a group to configure.
  • Switch to the Authentication tab and enable the LDAP authentication check box.

Begin by specifying the Base DN to be used when searching the directory. This is typically the domain name in the following format: dc=domain, dc=simple-help, dc=com.

You can then choose between Group Configuration or Advanced Configuration:

LDAP Screenshot

Group Configuration is recommended if you wish to authenticate technicians in a particular LDAP group. SimpleHelp will use the attributes specified when the LDAP connection was configured to identify groups within the LDAP server, and to authenticate just users within those groups. To select the groups to use press the Select Groups button.

Advanced Configuration allows you to specify the exact search filter to be used when searching the LDAP directory for users. Use the ${Username} variable to substitute in the technician's username provided during login. It is recommended to always use the ${Username} variable in your query. Below are two Active Directory filters that are commonly used:

(sAMAccountName=${Username})

The above filter will match any LDAP user whose sAMAccountName attribute matches the technician's supplied username. To only accept a subset of users you can filter by group membership:

(&(memberOf=CN=GroupName,DC=domain,DC=simple-help,DC=com)(sAMAccountName=${Username}))

Here, the technician's login username must match the LDAP user's sAMAccountName attribute and the technician must be a member of the group: CN=GroupName,DC=domain,DC=simple-help,DC=com

Multi-Tier Authentication

SimpleHelp offers email-based and app-based multi-tier authentication schemes built into the SimpleHelp server. There is no requirement for you to run an additional authentication server in order to equip your technicians with secure login mechanisms. Note that multi-tier authentication is a second (or third) authentication mechanism required in conjunction with the technician's username and password.

Multi-tier authentication can be configured as follows depending on the user:

  • Technicians - multi-tier authentication for technicians is configured within the Authentication tab of the Technician Group that the technicians are a member of.
  • SimpleHelpAdmin - Prior to SimpleHelp v5.2.12, multi-tier authentication for the SimpleHelpAdmin user is configured in the Login Security section of the Administration tab. From v5.2.12 onwards, it is configured in the Primary Administrator Technician Group.

Multi-tier authentication is configured within the Authentication tab of the Technician Group configuration:

Technician Group Authentication

Multi Factor Screenshot

App-Based Authentication

App-based authentication requires technicians to run an authentication application on their desktop or mobile devices. Once configured, the authentication application will produce one time codes that can be used during login. Examples or authentication applications includes Google Authenticator, Microsoft Authenticator and DUO Mobile.

Check the Require a one time code produced by an authentication app box to force technicians in a group to require the use of an app-based second factor authentication. On their next Technician Console login the user will be prompted to configure their authentication app:

App Based Authentication Screenshot

Subsequently, after each login, the technician will be prompted to enter the current code produced by their authentication application. In order to reset the configured authentication key for the technician the SimpleHelpAdmin user can follow these steps:

  • In the Technicians section of the Administration tab, select the technician whose key should be reset.
  • In the Technician Properties tab push the Reset App Authentication button to reset the key.

On a subsequent login the technician will be required to reconfigure their authentication app.

Email-Based Authentication

Email-based multi-tier authentication requires technicians to enter a code in during login, that is sent in an email by the SimpleHelp server. In order to use email-based authentication an SMTP server must be configured for SimpleHelp to use.

Enable email-based authentication by checking the Require a one time passcode sent to the technician via email box. Additional configuration options will be shown below allowing you to further configure the codes and email sent out by the SimpleHelp server:

Email MFA Screenshot

X X
Authentication Code Length The length of the passcode that will be sent to technicians. Passcodes are alphanumeric, but exclude commonly confused characters and numbers such as O, 0, l, 1, I.
Email Subject The subject of the email sent to technicians.
Email Content The body of the email sent to technicians. Use the variables ${Technician} and ${AuthenticationCode} and the server will substitute in the technician's name and passcode respectively.

Logins from New Machines

In order to avoid technicians continually having to re-enter a passcode SimpleHelp can be configured to only require passcodes when logins are attempted from new computers which have not logged in previously. Technicians will be prompted for a passcode the first time a login occurs, but subsequently SimpleHelp will trust logins from the same machine and a new passcode will not be required.

You can manage the keys for each machine used to log in by pressing the Manage Keys button.

Configuring Multifactor Authentication for the SimpleHelpAdmin User

The same multifactor authentication settings that are available for Technicians are also available for the SimpleHelpAdmin user. These controls can be found in the following location depending on your SimpleHelp version:

  • v5.2.12 or later - configured via the Primary Administrators Technician Group.
  • v5.2.11 or earlier - configured in the Login Security section of the Administration tab.

RADIUS Authentication

SimpleHelp supports RADIUS-based technician authentication. Configuring RADIUS authentication requires two steps, as with LDAP authentication. First, the connection to the RADIUS server must be specified, and secondly any Technician Groups that are to authenticate via RADIUS must be configured accordingly.

Configuring the RADIUS Server Connections

SimpleHelp supports up to ten RADIUS servers that can all be used for authentication purposes. To configure a RADIUS server follow these steps:

  • Log in as the SimpleHelpAdmin administrative user.
  • Select the Administration tab, and pick the Login Security section.
  • Check the box to enable RADIUS authentication.
  • Create a new RADIUS server configuration, and complete the following configuration.

RADIUS Screenshot

RADIUS servers are queried sequentially, in a staggered process. Servers are allowed a second to respond before a query is performed against the next server. If any server responds then the first response is used to determine technician access.

SimpleHelp supports RADIUS challenges for the pap authentication protocol. If a challenge is requested then the challenge is forwarded to the technician, after which a response is sent back to the RADIUS server for verification.

Technician Group RADIUS Settings

To enable RADIUS configuration for a Technician Group, log in as the SimpleHelpAdmin user, select Administration tab and pick the group in the Technician Groups section. Under the Authentication tab check the RADIUS box to allow RADIUS-based authentication for this group.