Reusing Windows Accounts and Integrating with Active Directory

You need authentication and authorization features in PowerBuilder applications. Your organization already manages Active Directory Accounts.

Why not reuse Windows Accounts?

You will save the time of creating a whole new user list. You can manage a single user list in Active Directory and implement Single Sign-on (SSO) authentication in your PB applications.

SSO & AD can be a winning combination if:

  • All users have a Windows account
  • The security level provided by Windows authentication complies with the security requirements. For highly confidential applications, Windows authentication might need to be complemented by a second type of authentication (smartcard, biometric…).

Visual Guard PB also offers a ready-to-use Single Sign-on solution. For more on the advantages of SSO, read the white paper.
Because Visual Guard supports ADFS, Windows accounts defined in different forests can be used to access an application secured with Visual Guard. Read more about Identity Federation.

How does Visual Guard work with Single Sign-on?

With Windows Accounts

  • Windows accounts are created in Active Directory for each user by the Windows Administrator.
  • These accounts are then imported into Visual Guard.
  • Roles are created in Visual Guard, with permissions reflecting appropriate levels of access rights.
  • Each account is assigned roles corresponding to their authorization.
  • Users start Windows sessions as usual, using their Windows Login and password.
  • When they launch the application, Visual Guard gets the ID of the Windows account and verifies that this account can access the application.
  • If so, Visual Guard loads and applies the permissions granted to the account.
  • As a result, the user only needs to log in when they open a Windows session and will have a seamless experience, opening all authorized applications without providing their credentials repeatedly.

With Windows Groups

  • Windows accounts are created in Active Directory for each user by the Windows Administrator.
  • These accounts are then related to Windows Groups by the Windows Administrator.
  • Windows Groups are imported into Visual Guard.
  • Each Windows Group is assigned roles with permissions corresponding to their authorization.
  • Users start a Windows session as usual, using their Windows Login and password.
  • When they launch the application, Visual Guard gets the ID of the Windows account and queries Active Directory to get the Windows Groups this account belongs to.
  • Visual Guard then verifies that one of these Groups can access the application.
  • If allowed, Visual Guard loads and applies the granted permissions.
  • As a result, not only does the user have a seamless experience, but developers no longer manage individual user accounts, only groups, which are more stable. In other words, daily user account provisioning and maintenance is done only in Active Directory.
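
The group-based flow above, sketched in PowerShell as an added example; it is not Visual Guard code and does not use its API. The group names, roles and permissions are hypothetical, and groups are read from the current logon token rather than by a live Active Directory query.

```powershell
# Added illustration, not Visual Guard code. Group, role and permission names are hypothetical.
# Group -> roles, as assigned after the Windows Groups are imported.
$GroupRoles = @{
    'CONTOSO\PB-Sales-Users'    = @('OrderEntry')
    'CONTOSO\PB-Sales-Managers' = @('OrderEntry', 'DiscountApproval')
}
# Role -> permissions the application enforces.
$RolePermissions = @{
    'OrderEntry'       = @('Orders.View', 'Orders.Create')
    'DiscountApproval' = @('Orders.ApproveDiscount')
}

function Get-CurrentGroupNames {
    # Groups carried by the logon token of the Windows session (no password prompt).
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { }  # SID with no resolvable name: skip it
    }
}

function Resolve-AppPermissions {
    param(
        [string[]]$GroupNames,
        [hashtable]$GroupRoles,
        [hashtable]$RolePermissions
    )
    # Collect the roles of every group the account belongs to.
    $roles = foreach ($g in $GroupNames) {
        if ($GroupRoles.ContainsKey($g)) { $GroupRoles[$g] }
    }
    $roles = @($roles | Sort-Object -Unique)
    if ($roles.Count -eq 0) { return $null }  # no authorized group: deny by default

    $perms = foreach ($r in $roles) { $RolePermissions[$r] }
    [pscustomobject]@{
        Roles       = $roles
        Permissions = @($perms | Sort-Object -Unique)
    }
}

$account = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$grant = Resolve-AppPermissions -GroupNames @(Get-CurrentGroupNames) `
    -GroupRoles $GroupRoles -RolePermissions $RolePermissions
if ($null -eq $grant) { "DENY  $account (no authorized group)" }
else { "ALLOW $account -> $($grant.Permissions -join ', ')" }
```

Token groups reflect membership at logon, so a user removed from a group keeps the mapped permissions until the session is renewed. Matching on group SIDs instead of names also survives a group rename.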

Notes

  • Visual Guard also allows the use of a combination of Windows Accounts and Groups, if this makes it easier to implement your access policies.
  • Integration with Active Directory and implementation of SSO is an extremely light process.

For more on how to integrate Active Directory with Visual Guard, click here