Comment on page
Remote Active Directory
Authentication Against a Remote Active Directory services
Thinfinity® Remote AD Services will allow the same access security all around, allowing the client to manage users and groups in their own environment.
Thinfinity® Remote AD Services will connect to the client’s Active Directory through a restricted user account. It will query only for the information needed to manage the login and end-user’s permissions to access the remote apps.
Thinfinity® Workspace will validate end-users against their own AD and will map with a user account on the app-side AD to create the remote windows session.
Validation and encrypted data will be all still handled by the client’s AD and according to their environment’s policies. The primary broker exchanges information with the Remote AD service on-demand as shown in the following flow:
Login process:
Thinfinity® Workspace landing page requests your user’s login credentials and validates them against the clients’ AD. If validated correctly, the end-user will access the Thinfinity® Workspace main page, which will allow them to select the app they need to run. By using this method of authentication we can guarantee transparency for your users as well as a secure access method in line with your current security policies.
Validating user permissions:
Each app or desktop link to be presented to the end-user must be validated against the AD according to the configured permissions of the profile. Thinfinity® Workspace will validate the current logged on user against the users and groups associated to the profile. To do this it will query remotely to the clients’ AD to verify membership. Only true or false is returned on the query, thus no information can be cached.
Configuring Thinfinity® Workspace permissions:
Thinfinity® Workspace needs to access the remote AD to list users and groups (only IDs) to associate them to each profile that requires access permissions. Only IDs are retrieved and restricted to the groups that Thinfinity® Remote AD Services is allowed to based on the Windows Service user account configured.