Multi-Admin Support
Once Anyware Manager is installed, a local adminUser user is created to manage Anyware Manager. Optionally, Active Directory or SAML integration can be configured to support additional admin users. If you don't configure either of these integrations, adminUser will be the only admin user.
Active Directory Integration
The Active Directory used to enable multi-admin in Anyware Manager does not need to be the same Active Directory that was used by the Connector to manage the users for the remote workstation.
The Active Directory Domain Controller machine must be accessible from the target machine that Anyware Manager is installed on over the LDAPS port (TCP 636). Typically, this is only the case if both machines are on the same LAN.
To enable multiple users to manage Anyware Manager, an Active Directory LDAPS configuration must be added in the Active Directory as outlined here.
Anyware Manager Integration
The following steps are applicable for configuring an Active Directory with Anyware Manager only. They are not applicable to integrating with Anyware Manager as a Service.
Active Directory Configuration Permissions
Only the adminUser has the permissions to configure the Active Directory with Anyware Manager from the Anyware Manager Admin Console.
DNS and Name Resolution
You must ensure that you can resolve your AD domain and controller. For information on how to install and edit resolv.conf, and configure DNS name resolution, see Configuring DNS Name Resolution.
The following steps outline how to configure Active Directory integration in the Anyware Manager Admin Console:
- Go to the Anyware Manager Admin Console and log in using your Anyware Manager admin credentials.
- Click on adminUser from the user account tab and then click on Multi-Admin Settings.
- Click on the Active Directory Configuration tab.
- Enter the Active Directory configuration information:
  - Domain Controller URL: This is the URL where your domain controller is hosted, for example ldaps://dc.example.com.
  - Admin Connection DN: This is the distinguished name (DN) of a user within your AD that is able to search for users. Microsoft AD supports using UPN format for logging in. For example, cn=casm_admin,cn=Users,dc=example,dc=com or casm_admin@example.com.
  - Admin Password: This is the password for the admin user defined by "Admin Connection DN".
  - CASM group DN: This is the DN of a group in your AD. Only users that belong to this group will be able to authenticate to Anyware Manager. For example, cn=CASM Admins,cn=Users,dc=example,dc=com.
  - Search Base DN: This is the DN of the container in your AD where Anyware Manager will search for users to authenticate. For example, cn=Users,dc=example,dc=com.
- Click SAVE to save the configuration.
Users from the Active Directory belonging to the CASM group will now be able to navigate to the Cloud Access Manager Admin Console login page and authenticate using their Active Directory credentials.
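A pre-flight check for the values entered above, as an added example that is not part of Anyware Manager or its documentation. It validates the field syntax offline, and `check_ldaps` then confirms DNS resolution and a certificate-verified TLS handshake on the LDAPS port. The dictionary key names and function names are hypothetical, and the handshake uses the trust store of the host the script runs on.

```python
import re
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample built from the example values above; the key names are hypothetical.
SAMPLE = {"controller_url": "ldaps://dc.example.com",
          "admin_connection_dn": "casm_admin@example.com",
          "casm_group_dn": "cn=CASM Admins,cn=Users,dc=example,dc=com",
          "search_base_dn": "cn=Users,dc=example,dc=com"}

def parse_controller_url(url):
    """Return (host, port); only ldaps:// is accepted and the port defaults to 636."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ldaps" or not parts.hostname:
        raise ValueError(f"expected ldaps://host[:port], got {url!r}")
    return parts.hostname, parts.port or 636

def split_dn(dn):
    """Split a DN into RDNs; a comma preceded by a backslash stays in the value."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]
    if any(r.find("=") < 1 for r in rdns):
        raise ValueError(f"not a distinguished name: {dn!r}")
    return rdns

def validate_config(cfg):
    """Return a list of problems in the Admin Console fields; empty means OK."""
    user, at, domain = cfg["admin_connection_dn"].partition("@")
    is_upn = bool(at and user and "." in domain and "=" not in user)
    checks = [("controller_url", parse_controller_url),
              ("casm_group_dn", split_dn), ("search_base_dn", split_dn)]
    if not is_upn:  # the admin connection may be a UPN or a full DN
        checks.append(("admin_connection_dn", split_dn))
    problems = []
    for key, check in checks:
        try:
            check(cfg[key])
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
    return problems

def check_ldaps(url, timeout=5.0):
    """Resolve the controller and complete a certificate-verified TLS handshake."""
    host, port = parse_controller_url(url)
    socket.getaddrinfo(host, port)      # raises socket.gaierror when DNS fails
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()["notAfter"]
```

Run `validate_config` first, then `check_ldaps` from the machine Anyware Manager is installed on; a `socket.gaierror` points at name resolution and an `ssl.SSLCertVerificationError` at the controller's certificate.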
SAML Integration
If the Active Directory Domain Controller cannot be accessed, you can alternatively enable Active Directory users to log in by enabling the Admin Console's SAML integration.
The following steps outline how to enable SAML integration and configure the IDP settings, admin and group access, and general configuration information:
- Go to the Admin Console.
- Log in using your Anyware Manager admin credentials.
- After logging into the Admin Console, click on adminUser from the user account tab and then click on Multi Admin settings to open the preferences page.
- Click on the SAML tab.
- Enter the SAML configuration information:
  - The first section contains auto-generated information about the login URLs and IDP:
    - Anyware Manager login page: A link to the page for multi-administrator login to the Admin Console
    - Direct login via identity provider: An endpoint to which multi-admin sign-in requests can be sent
    - Assertion Consumer Service URL: The callback URL provided to the IDP to which user information is sent once the IDP has authorized the user
    - Audience URL: The entity ID that the IDP can use to identify the Admin Console
  - The second section contains IDP settings that can be updated to manage the SAML configuration within the Anyware Manager:
    - Identity Provider Login URL: The IDP endpoint to which SAML authentication requests are sent
    - Identity Provider Certificate: The public certificate of the IDP used to verify the signature of the IDP. You can also upload a .xml file that contains your IDP information.
  - The third section enables you to add new admins and displays all existing admins that are allowed to log in via an IDP. To enable access for a single user, visit the Allowed admins tab, enter their e-mail, and click the Add Admin button.
  - The fourth section enables you to add new groups and displays all existing groups that are allowed to log in via an IDP. To enable access for a group of users, visit the Allowed groups tab, enter the claim type and group claim, and click Add Group. The claim type informs Anyware Manager how the group is returned in the SAML assertion by your IDP. The group claim matches against the group either in the Group Name claim or in the Group ID claim returned in the SAML assertion for a user, based on the claim type defined for the group.
A user's access via SAML can be enabled or disabled on either the Allowed admins or Allowed groups tabs.