Short Summary: This article will detail how RiskVision's authentication connector can be configured to authenticate users across trusted domains.
Full Detail: RiskVision currently supports one authentication connector per installation. Typically, an enterprise will have all user accounts stored in one primary AD or LDAP top-level domain or forest. User accounts may be dispersed into many organizational units under the domain.
In a large enterprise, especially one with global reach, the users who interact with RiskVision may be spread across multiple AD domains joined by trust relationships. Connecting to a single AD domain is then not sufficient to import all of the required users. Customers in this situation have had success by pointing the authentication connector at the enterprise's global catalog, which holds a partial replica of every object in the forest. To do this, the RiskVision administrator should configure the connector with the following settings:

Protocol: LDAP
Hostname/IP: hostname or IP address of a global catalog server
Port: 3268 (the standard global catalog port; note that this is plain LDAP, while port 3269 is the same service over SSL)
Base DN: the top-level (forest root) domain shared by all of the trusted domains
Uid Key: sAMAccountName
Default Domain: any existing domain will suffice. If this is defined, users within that domain do not need to specify their domain when authenticating.

User Search Configuration requires a valid account with read access to the directory. The search base does not have to be completed here; when the RiskVision administrator begins importing users from AD or LDAP, the search base field can be populated with any additional domain or OU details at that time.

Once a user has been added, if the user is not in the default domain, they should log in to RiskVision by specifying both the domain and the login name (e.g., "DOMAIN\account").

Administrators should note two limitations. First, the RiskVision implementation currently does not support identical account names defined in different domains: because the connector identifies users by sAMAccountName, every account to be imported must be unique across all domains in the forest. Second, for the import to succeed, the following attributes must be populated in LDAP or AD for each user: email address, first name, last name, and user ID. Also keep in mind that a global catalog only covers domains within its own forest; users in a domain reached through an external trust to a different forest are not present in it.
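The following preflight check is an added example and is not RiskVision's own code or part of the original article. It models the entries a global catalog search would return as plain dicts (constructed sample data, no live directory is contacted) and applies the two rules above before an import is attempted: every user must carry sAMAccountName, first name, last name and email, and sAMAccountName must be unique across the forest. It also derives the "DOMAIN\account" login form from each entry's DN; the DNS-to-NetBIOS name table it uses is a hypothetical mapping for the sample forest.

```python
"""Preflight check for a user import that runs against an AD global catalog.

Added example: directory entries are modelled as dicts in the shape an LDAP
search result takes (a 'dn' plus attribute values). No directory is contacted.
"""
import re
from collections import defaultdict

# Attributes the import requires; all four are in the global catalog's
# default partial attribute set, so a GC search can return them.
REQUIRED_ATTRS = ("sAMAccountName", "givenName", "sn", "mail")

# Hypothetical DNS-domain to NetBIOS-name table for the sample forest.
# In a real deployment this comes from the directory team.
NETBIOS = {
    "corp.example.com": "CORP",
    "emea.corp.example.com": "EMEA",
    "apac.corp.example.com": "APAC",
}


def domain_from_dn(dn):
    """Return the DNS domain encoded by the DC= components of a DN.

    Splits on commas that are not escaped with a backslash, so a CN such as
    'Doe\\, Jane' does not break the parse.
    """
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]
    dcs = [p.split("=", 1)[1] for p in parts if p.upper().startswith("DC=")]
    return ".".join(dcs).lower()


def login_name(entry, default_domain):
    """Name the user types at login: bare account in the default domain,
    DOMAIN\\account for every other domain in the forest."""
    dns_domain = domain_from_dn(entry["dn"])
    account = entry["sAMAccountName"]
    if dns_domain == default_domain.lower():
        return account
    netbios = NETBIOS.get(dns_domain, dns_domain.upper())
    return f"{netbios}\\{account}"


def validate_import(entries, default_domain):
    """Return (ok, problems).

    ok maps login name -> entry for users that can be imported; problems lists
    a reason for each entry that would fail (missing attribute, or an account
    name that is defined in more than one domain).
    """
    problems = []
    by_account = defaultdict(list)
    for e in entries:
        missing = [a for a in REQUIRED_ATTRS if not e.get(a)]
        if missing:
            problems.append(f"{e['dn']}: missing {', '.join(missing)}")
            continue
        # AD treats sAMAccountName case-insensitively, so compare lower-cased.
        by_account[e["sAMAccountName"].lower()].append(e)

    ok = {}
    for account, group in by_account.items():
        if len(group) > 1:
            where = ", ".join(domain_from_dn(e["dn"]) for e in group)
            problems.append(
                f"sAMAccountName '{account}' exists in several domains ({where}); "
                "it is not unique across the forest"
            )
            continue
        entry = group[0]
        ok[login_name(entry, default_domain)] = entry
    return ok, problems


# Constructed sample data standing in for a GC search result.
SAMPLE_ENTRIES = [
    {"dn": "CN=Jane Doe,OU=Users,DC=corp,DC=example,DC=com",
     "sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe",
     "mail": "jane.doe@example.com"},
    {"dn": "CN=Hans Mueller,OU=Staff,DC=emea,DC=corp,DC=example,DC=com",
     "sAMAccountName": "hmueller", "givenName": "Hans", "sn": "Mueller",
     "mail": "hans.mueller@example.com"},
    {"dn": "CN=Amy Chen,OU=Staff,DC=apac,DC=corp,DC=example,DC=com",
     "sAMAccountName": "achen", "givenName": "Amy", "sn": "Chen",
     "mail": "amy.chen@example.com"},
    # Missing email address: the import would fail for this user.
    {"dn": "CN=Li Wei,OU=Staff,DC=apac,DC=corp,DC=example,DC=com",
     "sAMAccountName": "lwei", "givenName": "Li", "sn": "Wei", "mail": ""},
    # Same account name as Jane Doe, but in a different domain.
    {"dn": "CN=J Doe,OU=Svc,DC=apac,DC=corp,DC=example,DC=com",
     "sAMAccountName": "JDOE", "givenName": "John", "sn": "Doe",
     "mail": "john.doe@example.com"},
]

if __name__ == "__main__":
    accepted, issues = validate_import(SAMPLE_ENTRIES, "corp.example.com")
    for name in sorted(accepted):
        print("import:", name)
    for issue in issues:
        print("skip:  ", issue)
```

With "corp.example.com" as the default domain, the sample yields two importable users ("EMEA\hmueller" and "APAC\achen") and two rejections: the user with no email, and the pair of "jdoe" accounts that collide across domains. Running this kind of check against a real GC export before the import avoids discovering the collisions one failed login at a time.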