User Authentication

User Authentication is the second critical function performed by Eko AD Sync. It lets employees log into the cloud-hosted Eko application with the credentials held in your organization's internal directory (Active Directory or another LDAP-compatible directory), so no separate Eko password has to be issued or remembered.

This process is facilitated by the Eko Active Directory Connector (EkoADC), which acts as the localized agent that communicates with your Active Directory (AD).

1. The Standard Authentication Flow

When a user attempts to log in to the Eko Application, a defined sequence of actions takes place between the EkoADC, the Eko Identity Management API (EkoIDMAPI), and the on-premises Active Directory:

  1. Request Initiation: The user enters their directory username and password in the Eko Application.

  2. Credential Transmission: The EkoIDMAPI forwards the submitted username and password to the deployed EkoADC over HTTPS. Because this endpoint receives live credentials, it should accept connections from the EkoIDMAPI only.

  3. Local Verification: The EkoADC performs an LDAP bind against the customer's Active Directory using the submitted credentials. AD itself checks the password; the EkoADC does not store it.

  4. Result Reporting: The EkoADC reports the outcome of the bind back to the EkoIDMAPI. The login completes only if AD accepted the credentials; otherwise the user is rejected.
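The following is an added example of the EkoADC-side logic for steps 2 to 4 above; it is not Eko's code. The LDAP bind is injected as a callable so the module runs offline (a real connector would supply one backed by ldap3 or python-ldap), and the domain suffix, the fake directory contents and the function names are all assumptions. It also shows the one check an LDAP-bind authenticator must never omit: a bind with a username but an empty password is an "unauthenticated" bind (RFC 4513 section 5.1.2), which Active Directory answers with success, so an empty password must be rejected before the bind is even attempted.

```python
"""Sketch of the EkoADC verification step (added example, not Eko's code).

The LDAP bind is injected so the module runs offline; a real connector would
pass a callable backed by ldap3 or python-ldap. UPN_SUFFIX and the directory
contents below are hypothetical.
"""
import re
from typing import Callable, Dict, Tuple

UPN_SUFFIX = "corp.example.com"  # hypothetical AD domain this connector serves

# sAMAccountName rules: 1-20 characters, none of the characters AD forbids.
_SAM_RE = re.compile(r'^[^"/\\\[\]:;|=,+*?<>@\s]{1,20}$')

# (bind name, password) -> True if the directory accepted the bind
BindFn = Callable[[str, str], bool]


def verify_credentials(username: str, password: str, bind: BindFn) -> Tuple[bool, str]:
    """Step 3: authenticate the user by binding to AD as that user."""
    if not _SAM_RE.match(username or ""):
        return False, "malformed username"
    # RFC 4513 section 5.1.2: a bind that carries a name but an empty password
    # is an "unauthenticated" bind. AD answers it with success and an anonymous
    # session, so without this check any known username plus an empty password
    # would log the user in.
    if not password:
        return False, "empty password"
    # Binding with the UPN form avoids building (and escaping) a DN at all.
    upn = f"{username}@{UPN_SUFFIX}"
    try:
        accepted = bind(upn, password)
    except Exception:  # network or LDAP error: fail closed, never fall back
        return False, "directory unreachable"
    return (True, "ok") if accepted else (False, "invalid credentials")


def handle_auth_request(request: Dict[str, object], bind: BindFn) -> Dict[str, object]:
    """Steps 2 and 4: take the decoded JSON body the IDMAPI posts over HTTPS
    and return the reply body. Only the outcome goes back; the password stays here."""
    username, password = request.get("username"), request.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return {"authenticated": False, "reason": "bad request"}
    ok, reason = verify_credentials(username, password, bind)
    return {"authenticated": ok, "reason": reason}


# Constructed stand-in for the customer's AD so the example runs offline.
_FAKE_DIRECTORY = {"alice@corp.example.com": "S3cret!pass"}


def fake_bind(name: str, password: str) -> bool:
    """Behaves like an AD simple bind, including the empty-password quirk."""
    if password == "":
        return True  # unauthenticated bind: AD reports success (as anonymous)
    return _FAKE_DIRECTORY.get(name) == password


if __name__ == "__main__":
    for body in ({"username": "alice", "password": "S3cret!pass"},
                 {"username": "alice", "password": ""},
                 {"username": "alice", "password": "wrong"},
                 {"username": "alice@evil", "password": "x"}):
        print(body["username"], "->", handle_auth_request(body, fake_bind))
```

The fake directory deliberately reproduces AD's behaviour on an empty password so the example demonstrates why the check in `verify_credentials` exists: `fake_bind` alone would accept `alice` with no password, while the connector logic rejects it. The `except Exception` branch fails closed; a connector that cannot reach AD must report a failure, not fall back to a local answer.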

2. System Architecture and Redundancy

User authentication requires an EkoADC deployed on the customer side. Where high availability is needed, the EkoADC deployment can include redundant servers, for example two connectors (ADC01 and ADC02) in an Active/Active configuration with DNS round-robin distributing authentication requests across them. Note that round-robin DNS only spreads requests; it does not detect a failed connector, so the caller must still time out and retry against the other server for the redundancy to actually maintain availability.

3. Alternative Authentication Methods

While authentication against Active Directory is the primary use case, EkoADC/IDMAPI also supports alternative scenarios for user authentication:

  • Local Authentication (Stored Password): In some cases the user's password is held in the Eko Database (DB) rather than in the customer directory, and Eko verifies it locally. This occurs, for example, when users are provisioned from an HR system or a database file and the EkoADC is deployed in the cloud rather than on the customer's network.

  • External Authentication: EkoADC/IDMAPI supports other methods of external authentication.

  • Mixed Authentication: Architectures exist that support provisioning users from Active Directory while separating authentication by user type, allowing for both AD authentication and local authentication options.

Keep in mind that alternative methods require additional design and effort to deliver, depending on your specific requirements.
