SSO and Authentication

Overview

DnXT Suite supports multiple authentication methods to integrate with your organization’s identity infrastructure. Whether you use local accounts managed entirely within DnXT, an LDAP/Active Directory server, or a federated Single Sign-On (SSO) provider like Azure AD, Okta, or any SAML 2.0 compliant identity provider, DnXT can accommodate your security requirements.

This guide covers how to configure each authentication method in the SSO Configuration tab within DnXT Administrator’s Configurations module, as well as how authentication types interact with user creation and password management.

Authentication Methods at a Glance:

  • Local — Credentials stored and managed in DnXT. Best for small teams or standalone deployments.
  • LDAP — Credentials validated against an external LDAP/Active Directory server. Best for organizations with existing directory infrastructure.
  • SSO (SAML/OAuth) — Credentials managed by a federated identity provider. Best for enterprise environments with centralized identity management.

Accessing SSO Configuration

  1. Log in to DnXT Administrator.
  2. Click Configurations in the left sidebar.
  3. Select the SSO Configuration tab.

SSO Configuration Interface

The SSO Configuration tab displays a list of property name/value pairs. Each property controls a specific aspect of the authentication flow. Properties are organized by authentication protocol and provider type.

Configuration Properties

The configuration is structured as a key-value editor. Common properties include:

| Property Name | Description |
| --- | --- |
| sso.enabled | Enable or disable SSO authentication (true/false) |
| sso.protocol | The authentication protocol (SAML, OAuth2, OpenID Connect) |
| sso.provider.name | Display name of the identity provider |
| sso.idp.entity.id | The Identity Provider’s Entity ID / Issuer URL |
| sso.idp.sso.url | The SSO login endpoint URL provided by your IdP |
| sso.idp.slo.url | The Single Logout (SLO) endpoint URL (optional) |
| sso.idp.certificate | The IdP’s X.509 signing certificate (PEM format) |
| sso.sp.entity.id | The Service Provider Entity ID (DnXT’s identifier) |
| sso.sp.acs.url | The Assertion Consumer Service URL (DnXT’s callback URL) |
| sso.attribute.username | The SAML attribute name that contains the username |
| sso.attribute.email | The SAML attribute name that contains the email address |
| sso.attribute.federated.id | The SAML attribute name that contains the federated user ID |

Modifying Properties

  1. Locate the property you want to change in the list.
  2. Click the Value field to edit it.
  3. Enter the new value.
  4. Click Save to apply the changes.

Setting Up SAML-Based SSO

SAML (Security Assertion Markup Language) is the most common protocol for enterprise SSO. Follow these steps to configure SAML SSO with providers like Azure AD, Okta, ADFS, or OneLogin.

Step 1: Register DnXT in Your Identity Provider

  1. Log in to your identity provider’s administration console (e.g., Azure AD Portal, Okta Admin).
  2. Create a new Enterprise Application or SAML App Integration.
  3. Set the Entity ID (Identifier) to the value you will use in sso.sp.entity.id (e.g., https://yourcompany.dnxtsolutions.com).
  4. Set the ACS URL (Reply URL) to your DnXT SSO callback URL (e.g., https://yourcompany.dnxtsolutions.com/api/auth/sso/callback).
  5. Configure the SAML attributes/claims to include username, email, and a unique federated ID.
  6. Download the IdP metadata or note the Entity ID, SSO URL, and signing certificate.

Step 2: Configure DnXT SSO Properties

  1. Navigate to Configurations > SSO Configuration.
  2. Set sso.enabled to true.
  3. Set sso.protocol to SAML.
  4. Enter the IdP Entity ID in sso.idp.entity.id.
  5. Enter the SSO Login URL in sso.idp.sso.url.
  6. Paste the IdP signing certificate (PEM format) in sso.idp.certificate.
  7. Set sso.sp.entity.id to the Entity ID you registered in your IdP.
  8. Set sso.sp.acs.url to your DnXT callback URL.
  9. Map the SAML attribute names to DnXT fields using sso.attribute.username, sso.attribute.email, and sso.attribute.federated.id.
  10. Click Save.

Step 3: Create SSO User Accounts

  1. Navigate to User Management > Users.
  2. Click Add and select SSO as the user type.
  3. Enter the user’s details including the Federated ID that matches the claim value from the IdP.
  4. Assign a role and module access.
  5. Click Save.

Important: The Federated ID in the DnXT user record must exactly match the value sent by your identity provider in the SAML assertion. A mismatch (even differences in letter casing) will prevent the user from logging in via SSO.

Step 4: Test the SSO Flow

  1. Open a new browser window (or incognito/private window).
  2. Navigate to your DnXT login page.
  3. Click the SSO Login button (if available) or navigate directly to the SSO endpoint.
  4. You should be redirected to your identity provider’s login page.
  5. Authenticate with your IdP credentials.
  6. After successful authentication, you should be redirected back to DnXT and logged in automatically.

Setting Up LDAP Authentication

LDAP (Lightweight Directory Access Protocol) allows DnXT to validate user credentials against your organization’s Active Directory or LDAP server.

LDAP Configuration Properties

| Property | Description | Example |
| --- | --- | --- |
| ldap.enabled | Enable LDAP authentication | true |
| ldap.url | LDAP server URL | ldaps://ad.yourcompany.com:636 |
| ldap.base.dn | Base Distinguished Name for user searches | DC=yourcompany,DC=com |
| ldap.bind.dn | Service account DN for binding | CN=svc-dnxt,OU=ServiceAccounts,DC=yourcompany,DC=com |
| ldap.bind.password | Service account password | (masked) |
| ldap.user.filter | LDAP search filter for users | (sAMAccountName={0}) |
| ldap.domain | Active Directory domain name | YOURCOMPANY |

Configuring LDAP

  1. Navigate to Configurations > SSO Configuration.
  2. Set ldap.enabled to true.
  3. Enter your LDAP server URL in ldap.url. Use ldaps:// for secure connections.
  4. Set the ldap.base.dn to the root of your user tree.
  5. Provide the service account credentials in ldap.bind.dn and ldap.bind.password.
  6. Set the ldap.user.filter to match your directory structure.
  7. Click Save.

Tip: Always use LDAPS (LDAP over SSL, port 636) instead of plain LDAP (port 389) to ensure credentials are encrypted in transit. The service account used for binding should have read-only access to the directory — it only needs to search and authenticate users, not modify directory entries.

Creating LDAP User Accounts in DnXT

After configuring the LDAP connection, you must create user accounts in DnXT for each LDAP user who needs access:

  1. Navigate to User Management > Users.
  2. Click Add and select LDAP as the user type.
  3. Enter the Username (must match the LDAP username).
  4. Enter the user’s Distinguished Name (DN) from the directory.
  5. Enter the Domain name.
  6. Assign a role and module access.
  7. Click Save.

When the user logs in, DnXT will validate their credentials against the LDAP server rather than a local password store.

Local Authentication

Local authentication is the default method where user credentials are stored and managed entirely within DnXT. No external identity infrastructure is required.

How Local Authentication Works

  1. An administrator creates a user account with the Local user type in User Management.
  2. The user receives an invitation email (if SMTP is configured) or is given a temporary password.
  3. The user logs in at the DnXT login screen with their username and password.
  4. Passwords are validated against the configured Password Configuration policies.

When to Use Local Authentication

  • Small teams without existing LDAP or SSO infrastructure
  • External consultants or contractors who are not in your corporate directory
  • Development and testing environments
  • Fallback administrator accounts when SSO is the primary method

Best Practice: Even when using SSO as your primary authentication method, maintain at least one local administrator account as a fallback. If your identity provider experiences an outage, you will still be able to access DnXT Administrator to troubleshoot.

Mixed Authentication Environments

DnXT supports running multiple authentication methods simultaneously. For example, you can have SSO users, LDAP users, and local users all active in the same tenant. The user type is determined at the account level — each user account specifies whether it authenticates via Local, LDAP, or SSO.

Authentication Flow by User Type

| User Type | Login Method | Password Managed By | Password Policy Applies? |
| --- | --- | --- | --- |
| Local | Username + password on DnXT login screen | DnXT | Yes |
| LDAP | Username + password validated against LDAP | LDAP/Active Directory | No (LDAP policy applies) |
| SSO | Redirect to identity provider | Identity Provider | No (IdP policy applies) |

Two-Factor Authentication (2FA)

DnXT supports two-factor authentication for enhanced security. 2FA can be enabled on a per-user basis in the user’s Security settings (see User Management). When 2FA is enabled, the user must provide a second verification factor (typically a time-based one-time password from an authenticator app) after entering their primary credentials.

Troubleshooting Authentication Issues

SSO Login Redirects But Does Not Complete

  • Verify that the ACS URL in your IdP matches the value in sso.sp.acs.url exactly
  • Confirm the IdP signing certificate is current and correctly pasted in sso.idp.certificate
  • Check that the user’s Federated ID in DnXT matches the claim value from the IdP
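
The three checks above, scripted as an added example (not part of DnXT): it compares the values entered in DnXT with what the IdP has registered and sends. The idp dictionary key reply_url, the sample IDs and the placeholder certificate are constructed; only the PEM framing is checked, not the certificate's expiry date.

```python
import base64
import binascii

HEAD, TAIL = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def check_sso(dnxt, idp, dnxt_federated_id, idp_claim_value):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # 1. The ACS URL must equal the IdP's Reply URL character for character.
    acs, reply = dnxt.get("sso.sp.acs.url", ""), idp.get("reply_url", "")
    if acs != reply:
        near = acs.rstrip("/").lower() == reply.rstrip("/").lower()
        findings.append("ACS URL mismatch"
                        + (" (trailing slash or case only)" if near else ""))

    # 2. The certificate must be one intact PEM block that decodes to DER.
    pem = dnxt.get("sso.idp.certificate", "").strip()
    if not (pem.startswith(HEAD) and pem.endswith(TAIL)):
        findings.append("certificate is missing its BEGIN/END lines")
    else:
        body = "".join(pem[len(HEAD):-len(TAIL)].split())
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error:
            findings.append("certificate body is not valid base64")
        else:
            if der[:1] != b"\x30":  # a DER certificate starts with SEQUENCE
                findings.append("certificate body is not a DER structure")

    # 3. The Federated ID comparison is exact, including letter casing.
    if dnxt_federated_id != idp_claim_value:
        near = dnxt_federated_id.strip().lower() == idp_claim_value.strip().lower()
        findings.append("Federated ID mismatch"
                        + (" (case or whitespace only)" if near else ""))
    return findings

# Constructed sample input. The certificate is a placeholder, not a real one.
PEM = HEAD + "\n" + base64.encodebytes(b"\x30\x82" + bytes(58)).decode() + TAIL + "\n"
DNXT = {"sso.sp.acs.url": "https://yourcompany.dnxtsolutions.com/api/auth/sso/callback",
        "sso.idp.certificate": PEM}
IDP = {"reply_url": "https://yourcompany.dnxtsolutions.com/api/auth/sso/callback/"}

if __name__ == "__main__":
    for finding in check_sso(DNXT, IDP, "jdoe@yourcompany.com", "JDoe@yourcompany.com"):
        print("FAIL:", finding)
```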

LDAP Users Cannot Log In

  • Verify the ldap.url is reachable from the DnXT server
  • Confirm the service account (ldap.bind.dn) credentials are correct
  • Check that the ldap.user.filter matches your directory schema
  • Ensure the user’s DN in DnXT matches their actual DN in the directory
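
One way to exercise all four items above with a single directory query, as an added example (not DnXT code): the script builds an ldapsearch call from the ldap.* properties. It assumes the OpenLDAP ldapsearch client and that {0} in ldap.user.filter stands for the login username; the username jdoe is constructed.

```python
import shlex
from urllib.parse import urlsplit

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def render_filter(template, username):
    """Fill the {0} placeholder with the username as a literal filter value."""
    if "{0}" not in template:
        raise ValueError("ldap.user.filter has no {0} placeholder")
    return template.replace("{0}", "".join(_ESCAPES.get(c, c) for c in username))

def ldapsearch_argv(props, username):
    """Build the ldapsearch call that exercises URL, bind DN, base DN and filter."""
    if urlsplit(props["ldap.url"]).scheme != "ldaps":
        raise ValueError("ldap.url must use ldaps:// so the bind is encrypted")
    return ["ldapsearch", "-LLL",
            "-H", props["ldap.url"],
            "-D", props["ldap.bind.dn"], "-W",   # -W prompts for the password
            "-b", props["ldap.base.dn"],
            render_filter(props["ldap.user.filter"], username),
            "dn"]                                # only the entry's DN is needed

# Property values copied from the Example column of the LDAP properties table.
PROPS = {
    "ldap.url": "ldaps://ad.yourcompany.com:636",
    "ldap.base.dn": "DC=yourcompany,DC=com",
    "ldap.bind.dn": "CN=svc-dnxt,OU=ServiceAccounts,DC=yourcompany,DC=com",
    "ldap.user.filter": "(sAMAccountName={0})",
}

if __name__ == "__main__":
    # Print the command to run from the DnXT server; jdoe is a constructed username.
    print(shlex.join(ldapsearch_argv(PROPS, "jdoe")))
```

A connection or bind error points at ldap.url or the service account, an empty result at the filter or base DN, and the dn line that comes back is the value the user's DN in DnXT has to match.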

Local User Password Reset Not Working

  • Verify Mail Configuration SMTP settings are correct
  • Check that the user has a valid email address in their profile
  • Review the Audit Trail for failed email delivery events

FAQ

Can I switch a user from Local to SSO authentication?

You would need to create a new SSO user account and deactivate the old local account. The user type cannot be changed on an existing account because the authentication mechanism and required fields differ.

Does DnXT support OAuth 2.0?

Yes. DnXT supports OAuth 2.0 and OpenID Connect in addition to SAML 2.0. Set the sso.protocol property accordingly and configure the OAuth-specific properties (client ID, client secret, authorization endpoint, token endpoint).

Can SSO users still log in with a password?

SSO users authenticate exclusively through their identity provider. They do not have a local password in DnXT. If the identity provider is unavailable, SSO users cannot log in.

How do I set up SSO with Azure Active Directory?

Follow the SAML SSO setup steps in this guide. In Azure AD, create an Enterprise Application, configure SAML SSO with the DnXT Entity ID and ACS URL, and download the Federation Metadata XML or note the individual values. Then enter those values in the DnXT SSO Configuration.
