IVRDesigner Active Directory Authentication and Access Control
Active Directory based authentication can be configured for IVRDesigner with the steps described in this guide.
Configure Active Directory authentication during IVRDesigner install
When installing IVRDesigner for the first time, AD authentication can be configured in the installer with the following steps:
- On the Basic Configuration Settings dialog, select the 'I want to specify Active Directory settings' checkbox and click the Next button.
On the next dialog, Active Directory Settings, the following parameters need to be set:
LDAP Path (required):
It specifies the ADsPath to the LDAP provider. A standard LDAP binding string requires the following format:
LDAP://HostName[:PortNumber][/DistinguishedName]
The HostName can be a computer name, an IP address, a domain name or a server name, e.g. cedemodc.domain.com. The PortNumber specifies the port to be used for the connection. If no port number is specified, the LDAP provider uses the default port number. The DistinguishedName (DN) sequence contains the distinguished name of a specific object, which is a comma-separated list of relative distinguished names (RDN), e.g. /CN=DemoUser,OU=IVRDesignerAdmins,DC=domain,DC=com. Based on these, the full concatenated binding string will be the following:
LDAP://cedemodc.domain.com/CN=DemoUser,OU=IVRDesignerAdmins,DC=domain,DC=com
Note
For further information on distinguished names and RDN attribute types, see the following MSDN reference: HTTP://MSDN.MICROSOFT.COM/EN-US/LIBRARY/WINDOWS/DESKTOP/AA366101.ASPX.
Important
Follow the RFC 4514 standard when specifying the LDAP Path!
LDAP Additional Filter (optional):
Additional LDAP filters can be defined in this property. It narrows down the users who can log in to IVRDesigner. For example, a specific group filter can be defined in the following format:
(memberof=CN=[GroupName],[OrganizationUnitOfTheGroup],[DistinguishedNameOfTheGroup])
The GroupName is the name of the group in which the users are members. The OrganizationUnitOfTheGroup (OU) is the organization unit of the group. The DistinguishedNameOfTheGroup (DN) sequence contains the distinguished name of the specified group, which is a comma-separated list of relative distinguished names (RDN), e.g. (memberof=CN=MyGroup,OU=OrganizationUnitOfMyGroup,DC=domain,DC=com). Any additional LDAP search filter can be defined here.
Unlock Flow (optional):
It defines a role which controls access to unlocking flows. The property must contain the name of an Active Directory group. All domain users in the specified group have access to unlock flows in IVRDesigner. When the property is not defined, all users have access to unlock flows in IVRDesigner.
Edit Announcement (optional):
It defines a role which controls access to editing announcements. The property must contain the name of an Active Directory group. All domain users in the specified group have access to edit announcements in IVRDesigner. When the property is not defined, all users have access to edit announcements in IVRDesigner.
Important
All AD users need to have query permission for each object (organization units, groups, users) defined in the AD configuration properties.
Important
The Write Flow and Read Flow roles are not supported in IVRDesigner. They have been deprecated.
Configure Active Directory authentication after IVRDesigner install
Active Directory authentication can be configured at any time after IVRDesigner is installed. To configure AD authentication, look for the <appSettings> section in the Web.config configuration file of IVRDesigner. The LDAPPath, LDAPAdditionalFilter, UnlockFlow and EditAnnounce properties can be found there. Follow the instructions in the "Configure Active Directory authentication during IVRDesigner install" section above to set these values.
An example for the configuration:
<appSettings>
  <!-- The LDAP path needs to be defined only if the user wants to use AD authentication. Please follow the RFC 4514 standard! -->
  <add key="LDAPPath" value="LDAP://cedemodc.domain.com/CN=DemoUser,OU=IVRDesignerAdmins,DC=domain,DC=com" />
  <!-- Additional LDAP filters can be defined here. They are added with an AND condition to the user name (sAMAccountName) filter. -->
  <!-- E.g.: '(memberof=CN=MySecurityGroup,OU=TheOrganizationUnitOfMyGroup,DC=domain,DC=com)' -->
  <add key="LDAPAdditionalFilter" value="(memberof=CN=MyGroup,OU=OrganizationUnitOfMyGroup,DC=domain,DC=com)" />
  <!-- AD user group for controlling access to the UnlockFlow rule. Use an empty string value to disable access control. -->
  <add key="UnlockFlow" value="IVRDesignerUnlockFlowPermissionGroup" />
  <!-- AD user group for controlling access to the EditAnnounce rule. Use an empty string value to disable access control. -->
  <add key="EditAnnounce" value="IVRDesignerEditAnnouncePermissionGroup" />
</appSettings>
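The following check is an added example, not part of the IVRDesigner product or its documentation. It audits the four appSettings keys above for format errors and reports role keys left empty, which this guide says gives the permission to all users. The sample configuration is constructed from the page's example values with UnlockFlow emptied, and the function names and finding texts are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the page's example values, with UnlockFlow left empty.
SAMPLE = """<configuration><appSettings>
  <add key="LDAPPath" value="LDAP://cedemodc.domain.com/CN=DemoUser,OU=IVRDesignerAdmins,DC=domain,DC=com" />
  <add key="LDAPAdditionalFilter" value="(memberof=CN=MyGroup,OU=OrganizationUnitOfMyGroup,DC=domain,DC=com)" />
  <add key="UnlockFlow" value="" />
  <add key="EditAnnounce" value="IVRDesignerEditAnnouncePermissionGroup" />
</appSettings></configuration>"""

# LDAP://HostName[:PortNumber][/DistinguishedName], as the guide specifies it.
ADSPATH = re.compile(r"^LDAP://(?P<host>[^/:\s]+)(?::(?P<port>\d{1,5}))?(?:/(?P<dn>.+))?$")
# One RDN: attribute type (descriptor or numeric OID), '=', non-empty value.
RDN = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)=.+$")

def balanced(flt):
    """True when every '(' in the filter has a matching ')'."""
    depth = 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def audit(xml_text):
    """Return a list of findings for the AD-related appSettings keys."""
    adds = ET.fromstring(xml_text).findall(".//appSettings/add")
    settings = {a.get("key"): (a.get("value") or "").strip() for a in adds}
    findings = []
    m = ADSPATH.match(settings.get("LDAPPath", ""))
    if not m:
        findings.append("LDAPPath: missing or not in LDAP://HostName[:PortNumber][/DistinguishedName] form")
    elif m["dn"]:
        for rdn in re.split(r"(?<!\\),", m["dn"]):  # split on unescaped commas only
            if not RDN.match(rdn.strip()):
                findings.append(f"LDAPPath: malformed RDN {rdn!r}")
    flt = settings.get("LDAPAdditionalFilter", "")
    if flt and not (flt.startswith("(") and flt.endswith(")") and balanced(flt)):
        findings.append("LDAPAdditionalFilter: unbalanced or unparenthesised filter")
    for role in ("UnlockFlow", "EditAnnounce"):
        if not settings.get(role):  # absent or empty string: access control disabled
            findings.append(f"{role}: no group set, every user gets this permission")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```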