Understanding a Vocera LDAP Adapter Configuration

Configure a Vocera LDAP Adapter to enable the customer to use single sign-on authentication in the system.

Adapters send information to and receive information from the Vocera Platform, as well as monitor and collect data. Each adapter is configured to allow Vocera Platform to communicate with a specific type of resource and any devices that resource may control. For example, the Vocera LDAP Adapter connects to an LDAP server to provide authentication, and to retrieve and map LDAP users to Vocera Platform users.

Vocera Platform provides the ability to connect to a Lightweight Directory Access Protocol (LDAP) server, allowing users to authenticate with the same set of credentials they use elsewhere in their organization. The Vocera LDAP Adapter configuration settings allow facility administrators to use the organization's existing security configurations, rather than create unique users, groups, or security policies to access the Vocera Platform. Vocera Platform allows connection to only one LDAP server per unique instance of Active Directory.

A new LDAP user account is not visible in Vocera Platform until the new user logs into the system. If an organization uses PIN authorization security for devices, such as a smartphone, the user will be prompted to create the PIN when they first log into Vocera Platform. Vocera Platform will not retrieve a user's PIN from the organization's LDAP server.

Vocera Platform leverages the organization's existing LDAP user and group configurations to manage access securely. The organization's groups can be assigned to membership in Vocera Platform groups. Retrieved LDAP groups are assigned membership in Vocera Platform roles and groups to manage system access.

The Vocera Platform appliance must be connected to the organization's LDAP server to retrieve available attributes and groups. Once collected, you can edit the mappings that pair the data stored in the organization's LDAP server with system attributes in order to allow users to authenticate in Vocera Platform. Vocera Platform supports most LDAP servers, including Microsoft Active Directory (AD).

LDAP servers and clients communicate by defining a directory service and access to the service. A directory service information tree (DIT) is composed of entries that have a set of named components called attributes to hold the data for that entry. An attribute consists of its name, a type, and the value for the attribute. A schema specifies the attributes for the entries in an LDAP server by defining the rules for which attributes may be used in an entry, the kinds of values that those attributes may have, and how clients may interact with those values. These directory entries are arranged in a hierarchical structure, starting at a base entry, and then branching down into individual entries.

Each entry in a directory tree can be located by its distinguished name (DN). The DN consists of a string of relative distinguished names (RDNs). An RDN is composed of one or more attribute name and value pairs. For example, the RDN for the entry cn=John Smith contains the attribute name of cn (common name) and the value of John Smith. A DN is composed of an entry’s RDN followed by all of the RDNs (separated by commas or semicolons) found while moving up the tree toward the base entry.

Warning: Creating a group on the LDAP server and mapping that LDAP group to USERS\DOMAIN USERS in Vocera Platform will prevent successful Vocera LDAP Adapter integration with the hospital LDAP server.

Users in LDAP need to be assigned to groups inside Active Directory, other than the Domain Users group, for LDAP to work properly with Vocera Platform. Domain Users is the primary group for users in Active Directory, and this group's memberships are not visible via LDAP as a "memberOf" user attribute. LDAP users have to be members of a group created on the LDAP server for Vocera Platform to use in mappings, not the default Domain Users group.
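The DN/RDN structure described earlier on this page and the memberOf visibility rule in the paragraph above, as an added Python example (not Vocera's code): it splits a DN into RDNs, walks up toward the base entry, and lists the groups a user entry actually exposes for mapping. All DNs, entry dictionaries and attribute values are constructed for illustration.

```python
# Added example, not part of the Vocera documentation. All sample data is constructed.

def split_dn(dn):
    """Split a DN into RDN strings on unescaped ',' or ';' separators.
    A backslash-escaped separator (e.g. 'Smith\\, John') stays inside its RDN."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape sequence intact
            i += 2
            continue
        if ch in ",;":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]

def parse_rdn(rdn):
    """Return (attribute name, value) for a single-valued RDN such as 'cn=John Smith'."""
    name, _, value = rdn.partition("=")
    return name.strip().lower(), value.strip()

def ancestors(dn):
    """DNs of every entry above this one, in order, ending at the base entry."""
    rdns = split_dn(dn)
    return [",".join(rdns[i:]) for i in range(1, len(rdns))]

def mappable_group_names(entry):
    """Group names available for Vocera Platform mappings: only groups listed in
    the entry's memberOf attribute. The Active Directory primary group (Domain
    Users by default) is never listed there, so it never shows up here."""
    return [parse_rdn(split_dn(group_dn)[0])[1]
            for group_dn in entry.get("memberOf", [])]

# Constructed sample entries (hypothetical directory, not a real one).
USER = {"dn": "cn=Smith\\, John,ou=Nursing,dc=example,dc=org",
        "memberOf": ["cn=ICU Staff,ou=Groups,dc=example,dc=org"]}
USER_ONLY_PRIMARY = {"dn": "cn=Jane Doe,ou=Nursing,dc=example,dc=org",
                     "memberOf": []}   # only in Domain Users: nothing to map

if __name__ == "__main__":
    print(split_dn(USER["dn"]))
    print(ancestors(USER["dn"]))
    print(mappable_group_names(USER), mappable_group_names(USER_ONLY_PRIMARY))
```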