Assign authentication methods to applications

In the User Authentication section, the items available in the Authentication Method list are determined by the options selected in the Enabled Authentication Methods section.
  • LDAP Attribute
    Select LDAP Attribute from the Authentication Method list to enable the desktop app to authenticate with an Active Directory attribute.
    1. Enter an Active Directory attribute in the Attribute field. The desktop app queries this attribute directly from the signed-in user's directory profile and sends it to the server. This option allows the desktop app to operate while sending less user information to the server. When this option is selected, the desktop app does not send Windows user names or domain names in sign on or check update query strings.
    2. Optionally, enter a valid LDAP URL in the Custom LDAP URL field. When a custom LDAP URL is specified, it overwrites the USERDOMAIN value from the local LDAP directory. Format the custom domain name using a regex to accept only URLs such as LDAP://<DOMAINNAME>.<TOP-LEVELDOMAIN>:<(Optional) PORT#>. Sample valid URLs:
      • LDAP://DC=examplewebsite,DC=com
      • LDAP://examplewebsite.com
      • LDAP://DC=examplewebsite,DC=com,DC=org
      • LDAP://examplewebsite.ca
    3. Optionally, select Fallback to Windows Authentication to configure the desktop app to authenticate with Windows Authentication if authentication with LDAP fails. This option appears only if Windows Authentication is selected in the Enable Authentication Methods section.
    4. Optionally, select Create new user if an account is not found to configure the desktop app to create a user at SO if the user does not already exist.
  • Smart Card
    Select Smart Card from the Authentication Method list to enable smart card authentication.
    1. Select the number of client certificates to collect from the Number of Certificates pull-down list. The recommended value is 3.
    2. Optionally, in the Regular Expression field, enter a regular expression in the following format:
      UID=(?<edipi>\d{8,10})
      Contact BlackBerry AtHoc customer support to configure this field.
    3. Optionally, in the Client Regular Expression field, enter a client regular expression in the following format:
      .*?(^)(?:(?!\s-[A||E||S]).)*
      This format extracts information from the client certificate subject name to find the identical certificates for authentication. The regular expression provided in the UI is a sample expression that may not be suitable for your environment. You can build your own regular expression or contact BlackBerry AtHoc customer support to configure this field.
    4. Optionally, in the Custom Attributes field, add custom attributes to the CAC certificate. Add multiple attributes separated by a comma. There is a 100 character limit. The special characters < and > are not supported.
    5. Optionally, select Create new user if an account is not found to configure the desktop app to create a user at SO if the user does not already exist.
  • Defer to Self Service
    Select Defer to Self Service from the Authentication Method list to configure the desktop app to use the user authentication method selected for Self Service. When this method is selected, end users will see a login window. When the user clicks Log In, they are redirected to Self Service to complete the sign in process. This process depends on the authentication method selected by the administrator.
    If the Self Service authentication method is set to Username and Password, the user sees a registration window and must provide their first name, last name, username, password, confirm their password, and fill in a captcha. The user has the option to register as a new user or to sign in with their existing user credentials.
    If the Self Service authentication method is set to Smart Card, the user sees a certificate selection screen and must pick a certificate. They may also be required to enter a PIN.
    If the Self Service authentication type is set to Windows Authentication, the user sees a Windows credentials screen and must provide their username and password.
    If the Self Service authentication method is set to Single Sign-On, the user is sent to the SSO URL.
  • Windows Authentication
    Select Windows Authentication from the Authentication Method list to configure the desktop app to use only the user's Windows username or Windows username and domain. The Windows username is passed in parameter 05 during SO. See Appendix B: Desktop client URL parameters for more information about SO parameters.
    Optionally, select the Create new user if an account is not found check box to configure the desktop app to create a user at SO if the user does not already exist. New users are created with their Windows username as their username. If the Domain and Username option is selected in the Enabled Authentication Methods section, the user is created with “DOMAIN\username” as Username, Mapping ID, First Name, Last Name, and Display Name.
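
The field rules described above for Custom LDAP URL, the smart card Regular Expression, and Custom Attributes can be checked offline before the values are saved. The PowerShell below is an added example, not BlackBerry AtHoc code: the function names, the LDAP URL pattern (derived from the sample URLs on this page) and every sample value are assumptions constructed for illustration.

```powershell
# Added example, not AtHoc code. Function names and sample values are constructed.
# Format shown on this page for the smart card Regular Expression field.
$EdipiPattern = 'UID=(?<edipi>\d{8,10})'
# ASSUMPTION: built from the four sample URLs plus the optional port; the
# product's own validation regex is not given on this page.
$LdapUrlPattern = '^LDAP://(?:DC=[A-Za-z0-9-]+(?:,DC=[A-Za-z0-9-]+)+|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?::\d{1,5})?$'

function Test-CustomLdapUrl {
    param([string]$Url)
    # Case-sensitive on purpose: every sample URL on the page uses upper-case LDAP://
    return [regex]::IsMatch($Url, $LdapUrlPattern)
}

function Get-EdipiFromSubject {
    param([string]$Subject)
    $m = [regex]::Match($Subject, $EdipiPattern)
    if ($m.Success) { return $m.Groups['edipi'].Value }
    return $null   # no UID=<8 to 10 digits> found in the subject
}

function Test-CustomAttributes {
    param([string]$Value)
    # Documented limits: at most 100 characters, and no < or > characters.
    return ($Value.Length -le 100) -and ($Value -notmatch '[<>]')
}

# Constructed URLs: the first two should pass, the last three should fail
# (lower-case scheme, trailing path, no top-level domain).
$urls = 'LDAP://DC=examplewebsite,DC=com', 'LDAP://examplewebsite.com:389',
        'ldap://examplewebsite.com', 'LDAP://examplewebsite.com/ou=x', 'LDAP://examplewebsite'
foreach ($u in $urls) { '{0,-34} valid={1}' -f $u, (Test-CustomLdapUrl $u) }

# Constructed certificate subjects. The pattern has no right-hand boundary,
# so the 12-digit UID still matches and yields only its first 10 digits;
# review that behaviour against real certificates before relying on it.
$subjects = 'UID=1234567890, CN=DOE.JANE.Q, O=Example',
            'UID=1234567, CN=SHORT.ID, O=Example',
            'UID=123456789012, CN=LONG.ID, O=Example'
foreach ($s in $subjects) { '{0,-42} edipi={1}' -f $s, (Get-EdipiFromSubject $s) }

# Constructed Custom Attributes values: the second contains unsupported characters.
foreach ($a in 'department,office', 'department,<rank>') {
    '{0,-20} ok={1}' -f $a, (Test-CustomAttributes $a)
}
```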