Login Services
This section enables the configuration of login services permitted for accessing the Emakin application. While Emakin provides its proprietary login service, it also supports integration with a variety of external authentication providers. Administrators can configure multiple login methods, customize their display names on the login page, and selectively enable or disable them as required.
"Emakin" and "Active Directory" login services are included by default. Additional OpenAuth-based login services can be integrated via the Integrated Services configuration.
Emakin currently supports the following OpenAuth services:
- Office 365
- Keycloak
- E-Devlet
Login Service Configuration
The following properties can be configured for each login service:
- Name: This is the user-facing identifier for the login service, displayed to end-users on the login page.
- Is Enabled?: A boolean setting that determines whether the login service is active. If disabled, the service will not be presented as an authentication option to users.
- Requires 2FA: A boolean setting indicating whether two-factor authentication (2FA) is mandatory for users authenticating via this service. If enabled, users are prompted to provide a second factor (e.g., an SMS code) following a successful initial login. Emakin automatically manages the 2FA provisioning process, such as registering the user's mobile number.
For OpenAuth-based login services, the following additional properties can be configured:
- UserId: This property specifies which user attribute from the OpenAuth service's response should be used as the unique user identifier within Emakin. OpenAuth services typically return a unique identifier, often a randomly generated number. However, under certain conditions, a different user property might be preferred as the unique identifier (e.g., using `sAMAccountName` instead of the numerical ID returned by Office 365).
- Scopes: This setting defines the OpenAuth scopes requested from the service. Scopes determine the specific permissions Emakin requests from the identity provider (e.g., access to email or profile information). This property is displayed only for integrated services and does not apply to built-in services.
Active Directory (AD) or LDAP Configuration
In addition to OpenAuth services, Emakin supports authentication against an Active Directory or LDAP server.
Once an Active Directory entry is added to the login service list, a dedicated AD configuration section becomes available. This configuration supports defining multiple Active Directory instances, allowing for dynamic selection of the appropriate AD server based on regular expressions evaluated against the logon ID or username provided by the user.
The following properties can be configured for each AD server:
- Is Enabled?: Specifies whether this particular AD Server configuration is active. If disabled, this AD Server will not be used for authentication.
- Host: The DNS name of the Active Directory or LDAP server. Example: `ldaps.mycorp.com`.
- Port: The port number used by the LDAP service. If set to `0`, the default port is chosen from the SSL setting: `636` for SSL or `389` for non-SSL.
- SSL: A boolean property indicating whether Secure Sockets Layer (SSL) encryption is enabled for the connection. Enabling SSL is highly recommended for modern LDAP servers. The LDAP server's SSL certificate is not verified, so self-signed certificates are supported.
- Root DN: The distinguished name (DN) that serves as the root for all LDAP searches performed during authentication. Authentication fails if the user is not found under this root DN, even if the user's credentials are correct.
- Default Domain: Specifies the default domain name of the Active Directory. By default, the target authentication domain is detected from the logon username when it is given in a format such as `MYDOMAIN\user` or `[email protected]`. The default domain name is used when the username is not specified in one of these explicit domain formats.
- User Name Field: Defines the LDAP attribute that stores the user's logon ID. By default, `sAMAccountName` is used, but some LDAP servers use `uid` or other attributes for this purpose.
- Search Field: Specifies the LDAP search expression used to locate user properties. The default expression is `(&(objectClass=user)({0}={1}))`. In this expression, `{0}` is a placeholder for the User Name Field defined above, and `{1}` is a placeholder for the username supplied by the user at login.
Rules
This section contains a list of regular expressions that are applied against the provided username. If any of these expressions match the logged-in username, the corresponding AD service configuration will be used for authentication. Multiple regular expressions can be specified to handle diverse username patterns.
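The following Python model is an added example, not Emakin's own code: it reproduces the AD configuration behaviour described above (default port from the SSL setting, domain detection from the logon ID, Rules-based server selection and Search Field expansion) against constructed server entries with hypothetical hosts and rules. Because `{1}` is filled from user input, the example escapes it per RFC 4515 before substitution so that a username cannot change the structure of the filter; the page does not say how Emakin itself handles this.

```python
import re
from dataclasses import dataclass, field

# RFC 4515 escaping for values placed in an LDAP filter: the {1} placeholder
# receives the username typed at the login page, so '*', '(' and ')' are encoded.
def escape_filter_value(value: str) -> str:
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

@dataclass
class AdServer:  # one entry of the AD server list, properties as named on the page
    name: str
    host: str
    port: int = 0                   # 0 = default: 636 with SSL, 389 without
    ssl: bool = True
    default_domain: str = ""
    user_name_field: str = "sAMAccountName"
    search_field: str = "(&(objectClass=user)({0}={1}))"
    rules: list = field(default_factory=list)   # regexes tried against the logon ID
    enabled: bool = True

def effective_port(server: AdServer) -> int:
    return server.port or (636 if server.ssl else 389)

# Domain detection: DOMAIN\user or user@domain, otherwise the Default Domain.
def split_logon_id(logon_id: str, default_domain: str) -> tuple:
    if "\\" in logon_id:
        domain, user = logon_id.split("\\", 1)
        return domain, user
    if "@" in logon_id:
        user, domain = logon_id.rsplit("@", 1)
        return domain, user
    return default_domain, logon_id

# Rules: the first enabled server with a regex matching the logon ID is used.
def select_server(servers: list, logon_id: str):
    for s in servers:
        if s.enabled and any(re.search(r, logon_id) for r in s.rules):
            return s
    return None

# Search Field: {0} is the User Name Field, {1} the (escaped) username.
def build_search_filter(server: AdServer, user: str) -> str:
    return server.search_field.format(server.user_name_field, escape_filter_value(user))

SERVERS = [  # constructed sample configuration (hypothetical hosts and rules)
    AdServer("corp", "ldaps.mycorp.com", default_domain="MYCORP",
             rules=[r"^MYCORP\\", r"@mycorp\.com$"]),
    AdServer("lab", "ldap.lab.example", ssl=False, user_name_field="uid",
             default_domain="LAB", rules=[r"^LAB\\"]),
]
```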