LabStats allows users to enable single sign-on through integration with Active Directory. Users can sync to the organization’s Active Directory and then use those credentials to log in to LabStats. Once linked, user permissions and account access can all be controlled within Active Directory. This way, LabStats’ data will be accessed securely and by the correct individuals.
Single sign-on is achieved by securely syncing the on-premises Active Directory with Microsoft Azure Active Directory, then linking it to LabStats. Azure Active Directory is a free service that many organizations are already using. LabStats does not receive direct access to the Active Directory, its users, or passwords. The authentication at login is performed entirely by Microsoft on behalf of LabStats, and only those users who are permitted by the organization can proceed to the LabStats Portal. At that time, LabStats receives the user’s email address and full name in order to fulfill the requirements of a LabStats user account.
Step 1 – Link Azure Active Directory to On-Premises Active Directory
Syncing the on-premises Active Directory with Azure Active Directory is performed by Azure AD Connect, a service built by Microsoft that runs on the on-premises Active Directory server. Once set up, the service runs in the background and automatically keeps the two systems in sync. To learn more about Azure Active Directory Connect, visit: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-whatis.
- If the organization does not already have a Microsoft Azure account, please create one at: https://azure.microsoft.com/. Registration is free.
- We recommend registering with an email address that will not be used to log in to LabStats, for a more seamless experience.
- Before installing Azure Active Directory Connect, we highly recommend adding the organization’s domain name to the Azure account.
- Adding a DNS record to the domain is required to prove ownership, so the organization’s webmaster may need to do this. To learn more, visit: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-add-domain. This is recommended so users can sign in to LabStats with their email address. If this step is not completed, a user whose address is “email@example.com”, for example, would have to sign in with an address similar to “firstname.lastname@example.org”, which is not ideal.
- Download and review the system requirements of Azure Active Directory Connect here: https://www.microsoft.com/en-us/download/details.aspx?id=47594.
- Install Azure Active Directory Connect. For installation and configuration instructions for Azure Active Directory Connect, visit: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect.
- In order to complete installation of Active Directory Connect, enter credentials for the Azure account (a user in the Global Administrator role), then enter credentials for the on-premises Active Directory Administrator account.
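The following PowerShell is an added example for checking the Step 1 prerequisites; it is not part of the LabStats documentation. It assumes the domain name example.edu is a placeholder for the organization’s own domain, and that the second half runs on the server where Azure AD Connect (and its ADSync module) is installed.

```powershell
# Added example (not from the LabStats documentation).
# Placeholder: replace with the domain added to the Azure account.
$domain = 'example.edu'

# 1. Confirm the domain-verification TXT record published for Azure AD
#    (Microsoft's value takes the form "MS=ms########") is visible in public DNS.
$verification = Resolve-DnsName -Name $domain -Type TXT -ErrorAction Stop |
    Where-Object { $_.Strings -like 'MS=*' } |
    Select-Object -ExpandProperty Strings
if ($verification) {
    Write-Output "Domain verification record found: $verification"
} else {
    Write-Warning "No MS= TXT record found for $domain; domain verification will fail."
}

# 2. On the Azure AD Connect server, confirm the sync scheduler is enabled
#    and report when the next sync cycle will run.
Import-Module ADSync
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC

# 3. Show whether any connector run is currently in progress.
Get-ADSyncConnectorRunStatus
```

If the TXT record is missing, users will be limited to the fallback address form described above until the domain is verified; if `SyncCycleEnabled` is `False`, on-premises group changes made in Step 3 will not reach Azure AD.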
Step 2 – Link Azure Active Directory to LabStats
- *For LabStats On-Premises Customers Only* Call the LabStats Support Team (1 208-473-2222) and provide the URL of the on-premises LabStats Portal (e.g. http://labstats.example.edu). This is a security measure which helps protect the Active Directory.
- Navigate to the LabStats Portal.
- Log in to the LabStats Portal with an admin account.
- At the top-right of the LabStats menu, navigate to Admin, then click External Systems.
- Click Single Sign-on (SSO) (bottom of the list).
- Check the box to Enable single sign-on for my organization.
- A page hosted by Microsoft (login.microsoftonline.com) will appear. Authorize and link the Azure Active Directory to LabStats.
- Enter the login credentials for a user account with the Global Administrator role within Azure (usually the original Azure account user).
- Grant permission to Read Directory Data to LabStats.
- Once permission has been granted to LabStats, the page will redirect back to LabStats, and the organization’s Tenant Id will be displayed. This confirms that the link was successful.
Step 3 – Set Permissions in Active Directory
Users must be granted permission to log in to the LabStats Portal using their organization-issued credentials. Permissions are granted through group membership in the on-premises Active Directory.
- Create four new groups in the on-premises Active Directory:
  - LabStatsGlobalAdmin (Admin permissions in the LabStats Portal)
  - LabStatsGlobalViewer (Read-only permissions in the LabStats Portal)
  - LabStatsGroupAdmin (Admin permissions for assigned groups)
  - LabStatsGroupViewer (Read-only permissions for assigned groups)
- In Group Settings, choose the Global group scope and Security group type.
- To grant a user access to particular LabStats groups via Active Directory, add the user to the appropriate LabStats security group.
- Have them attempt to log in.
- They will receive a message indicating group membership needs to be granted first.
- At this point, the admin can give them access to specific groups in LabStats.
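As an added example (not the LabStats documentation’s own code), the PowerShell below creates the four groups from Step 3 with the Global scope and Security type the text calls for, places a user in the least-privileged group, and lists who currently holds global admin rights. The OU path `OU=LabStats,DC=example,DC=edu` and the account `jdoe` are placeholders; the ActiveDirectory RSAT module is assumed to be installed.

```powershell
# Added example (not from the LabStats documentation).
Import-Module ActiveDirectory

# Placeholder OU; replace with the container where the groups should live.
$ouPath = 'OU=LabStats,DC=example,DC=edu'

# The four groups named in Step 3, with their descriptions from the text.
$groups = [ordered]@{
    'LabStatsGlobalAdmin'  = 'Admin permissions in the LabStats Portal'
    'LabStatsGlobalViewer' = 'Read-only permissions in the LabStats Portal'
    'LabStatsGroupAdmin'   = 'Admin permissions for assigned groups'
    'LabStatsGroupViewer'  = 'Read-only permissions for assigned groups'
}

foreach ($name in $groups.Keys) {
    # Idempotent: only create a group that does not already exist in the OU.
    $existing = Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $ouPath
    if (-not $existing) {
        New-ADGroup -Name $name `
                    -SamAccountName $name `
                    -GroupScope Global `
                    -GroupCategory Security `
                    -Path $ouPath `
                    -Description $groups[$name]
        Write-Output "Created $name"
    } else {
        Write-Output "$name already exists"
    }
}

# Start a new user with read-only access to assigned groups; broader rights
# can be added later once the need is confirmed.
Add-ADGroupMember -Identity 'LabStatsGroupViewer' -Members 'jdoe'   # placeholder user

# Review the highest-privilege group so its membership stays deliberately small.
Get-ADGroupMember -Identity 'LabStatsGlobalAdmin' |
    Select-Object Name, SamAccountName, objectClass
```

Because Azure AD Connect syncs on a schedule, a user added here may not be recognised by LabStats until the next sync cycle has completed, which is the point at which the “group membership needs to be granted” message described above stops appearing.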