Reusing Windows Accounts and Integrating with Active Directory
You need authentication and authorization features
in PowerBuilder applications. Your organization already manages Active
Directory Accounts.
Why not reuse Windows Accounts?
You will save the time of creating a whole new user list. You can manage
a single user list in Active Directory and implement Single Sign-on (SSO)
authentication in your PB applications.
SSO & AD can be a winning combination if:
- All users have a Windows account
- The security level provided by Windows authentication complies with
the security requirements. For highly confidential applications, Windows
authentication might need to be complemented by a second type of authentication
(smartcard, biometric…).
Visual Guard PB also offers a ready-to-use Single Sign-on solution. For
more on the advantages of SSO, read
the white paper.
Because Visual Guard supports ADFS, Windows accounts defined in different forests can be used to access an application secured with Visual Guard. Read more about Identity Federation.
How does Visual Guard work with Single Sign-on?
With Windows Accounts
- Windows accounts are created in Active Directory for each user by
the Windows Administrator.
- These accounts are then imported into Visual Guard.
- Roles are created in Visual Guard, with permissions reflecting appropriate
levels of access rights.
- Each account is assigned roles corresponding to their authorization.
- Users start Windows sessions as usual, using their Windows Login
and password.
- When they launch the application, Visual Guard gets the ID of the
Windows account and verifies that this account can access the application.
- If so, Visual Guard loads and applies the permissions granted to
the account.
- As a result, the user only needs to log in when they open a Windows
session and will have a seamless experience, opening all authorized
applications without providing their credentials repeatedly.
With Windows Groups
- Windows accounts are created in Active Directory for each user by
the Windows Administrator.
- These accounts are then related to Windows Groups by the Windows
Administrator.
- Windows Groups are imported into Visual Guard.
- Each Windows Group is assigned roles with permissions corresponding
to their authorization.
- Users start a Windows session as usual, using their Windows Login
and password.
- When they launch the application, Visual Guard gets the ID of the
Windows account and queries Active Directory to get the Windows Groups
this account belongs to.
- Visual Guard then verifies that one of these Groups can access the
application.
- If allowed, Visual Guard loads and applies the granted permissions.
- As a result, not only does the user have a seamless experience, but
developers no longer manage individual user accounts, only groups, which
are more stable. In other words, daily user account provisioning and
maintenance is done only in Active Directory.
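The group-based flow above, sketched in PowerShell as an added example (not Visual Guard's code or API). It reads group SIDs from the current logon token instead of querying Active Directory, and the `$GroupRoles` and `$RolePermissions` tables, the role names and the permission strings are hypothetical.

```powershell
# Hypothetical role tables for illustration; not Visual Guard's data model.
# Groups are keyed by SID, which stays the same when a group is renamed.
$GroupRoles = @{
    'S-1-5-32-544' = @('AppAdmin')   # BUILTIN\Administrators (well-known SID)
    'S-1-5-32-545' = @('AppUser')    # BUILTIN\Users (well-known SID)
}
$RolePermissions = @{
    'AppAdmin' = @('orders.read', 'orders.write', 'users.manage')
    'AppUser'  = @('orders.read')
}

function Get-AppPermissions {
    param(
        [string[]]$GroupSids,
        [hashtable]$GroupRoles,
        [hashtable]$RolePermissions
    )
    # Collect the roles of every group that has been mapped; unmapped groups grant nothing.
    $roles = @(@(foreach ($sid in $GroupSids) {
        if ($GroupRoles.ContainsKey($sid)) { $GroupRoles[$sid] }
    }) | Sort-Object -Unique)

    # Deny by default: an account with no mapped group gets no access at all.
    if ($roles.Count -eq 0) {
        throw 'Access denied: no group of this account is mapped to a role.'
    }

    # Effective permissions are the union over all roles the groups carry.
    $permissions = @(@(foreach ($role in $roles) { $RolePermissions[$role] }) | Sort-Object -Unique)
    [pscustomobject]@{ Roles = $roles; Permissions = $permissions }
}

# Identity of the Windows session that is already open; no password is requested.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groupSids = @($identity.Groups | ForEach-Object { $_.Value })

try {
    $grant = Get-AppPermissions -GroupSids $groupSids -GroupRoles $GroupRoles -RolePermissions $RolePermissions
    '{0} -> roles: {1}; permissions: {2}' -f $identity.Name, ($grant.Roles -join ', '), ($grant.Permissions -join ', ')
} catch {
    '{0} -> {1}' -f $identity.Name, $_.Exception.Message
}
```

Because the logon token is built when the session starts, a group change made in Active Directory shows up in this check only after the user signs in again.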
Notes
- Visual Guard also allows the use of a combination of Windows Accounts
and Groups, if this makes it easier to implement your access policies.
- Integration with Active Directory and implementation of SSO is an
extremely light process.
For more on how to integrate
Active Directory with Visual Guard, click here