If you use Active Directory (AD) in your organisation, it is worthwhile integrating it with Contensis. Setting up this synchronisation service allows you to keep the same user credentials between AD and Contensis, so users do not need to remember an extra password and you do not need to set up new accounts separately for use within Contensis.
Please note, however, that if you use either ADFS or Azure AD as a federated identity provider, you should not use AD Synchronisation, as it is not supported for these scenarios.
With federated identity, user synchronisation is handled as the user logs in.
How the synchronisation works
All you need to do to synchronise with AD is provide the system with the relevant AD information and, most importantly, a synchronisation group. This group is used as a filter to bring across the users you want to have access to Contensis.
It is often easier just to bring across all users; if you have an intranet run by Contensis, it makes sense to give access to all users. Once the synchronisation group has been set, all users in this group will be moved into Contensis the next time the AD service is scheduled to run.
These users and groups are brought across merely as proxy users, meaning we don't move any password information into Contensis. Your users will still be able to log in using their AD password, and we always go to AD to check the password provided to the software.
When the users and groups are synchronised, their parent and child groups are maintained. For example, if a user is in a group called Editors, which is also in a group called Contensis, when they are added to the synchronisation group there would be two groups and a user created in Contensis.
Once the AD groups and users have been imported you can assign permissions to them within Contensis.
Where to manage the users and groups?
You can manage users and groups in Contensis and in AD. You can also run a system with two methods of authentication, running both AD users and Contensis users side by side. How you manage the users and groups effectively will largely depend on the organisation structure and how well defined your Active Directory is.
Currently the Contensis UI does not prevent you from changing group-in-group relationships for AD groups, but if you were to do this, they would simply be reset the next time the system runs the synchronisation.
What is synchronised by default
If you were to synchronise with an AD user Bob, who had his first name spelt incorrectly, and you corrected this in Contensis, the next time the synchronisation runs the first name will be replaced with the incorrect version. However, if the AD Update from the CMS to Active Directory is activated, then the AD user record would be updated with the correct version.
Depending on the AD integration settings, some fields in the User Profile screen and web control may be disabled, to prevent users making changes to fields which will be overwritten by values from AD when the AD Synchronisation next runs.
However, if additional fields are configured using the Custom Mappings, these fields will not be disabled in the User Profile control. Therefore, while it would be possible to edit these custom mapped fields in the Contensis UI, we would not recommend doing this, as any fields changed in the CMS would be replaced by the values from AD when the AD Synchronisation next runs.
Any changes made to users will be overwritten the next time the AD Synchronisation runs unless you enable AD Update. When you enable AD Update, user profile fields will become editable.
Individual properties that are synchronised by default:
- Account Disabled
- Account Locked
- Email Address
- First Name
- Last Name
- Telephone Number
- Job Title
- Division (mapped to Company name in Contensis)