

Introduction and Overview

The purpose of VIDIZMO ID Connector is to sync Microsoft Active Directory users to a VIDIZMO portal/tenant account. This document introduces VIDIZMO ID Connector, explains its purpose, and describes its deployment in an on-premise or private cloud environment.


VIDIZMO Identity Sync Service

Identity Sync Service is a Win32 service configured on the main ID Connector server. The service is located in Server Manager > Tools > Services. It must be running at all times for uninterrupted synchronization, so its startup type should be set to Automatic.

The VIDIZMO Identity Sync Service is responsible for synchronizing active users found in all domains within the organization’s AD forest, by scanning all the domains which are part of the forest.


In addition to users, it also synchronizes the active groups and organizational units (OUs) available in each domain, which the VIDIZMO ID Connector admin later uses to define mappings with the VIDIZMO portal.


Note: Only AD users belonging to the Group(s), OU(s) or Domain(s) that have been mapped will be able to gain access to VIDIZMO portal. If the admin wants to remove an entire domain in the forest, it can be done by removing the mapping of the domain with VIDIZMO portal website.

This service uses rules in the main database to push synchronization, and can be configured to run at different time intervals. The time interval can be set in the ID Connector website under Settings > Application Configuration.


VIDIZMO ID Connector Website

The ID Connector acts as the gateway for users to gain access to VIDIZMO portal. It is used to authenticate and authorize users coming directly to VIDIZMO portal.


The ID Connector Website is configured under IIS (Internet Information Services) and uses the same database as the Identity Sync Service. It depends on AD for authenticating and authorizing users using mappings in the database and allows access to VIDIZMO portal. If a user belongs to a group that is added in the Application Configuration section of ID Connector website, the user would get access to configuration sections. These configuration options include:


Application Configuration

This is the main section within ID Connector website to configure the user account. You may configure time interval for the ID Connector synchronization service to synchronize all the users between AD and VIDIZMO.


Note: If a user is not synchronized by VIDIZMO Identity Sync Service, the website does a JIT (just in time) synchronization of that user to let the user have immediate access to VIDIZMO.


Database Configuration

This section allows administrators to configure the database and set up a new one if required. The synchronization service as well as the ID Connector website will use this database for regular operations.


Manage Channels

Manage Channels section allows administrators to view existing VIDIZMO portals that have been added and can be mapped to groups, OUs and domain(s). This also shows the total number of users who have been synchronized in VIDIZMO portal.


Channel Mapping

This is the section where portals can be mapped to OU, Groups, and/or Domains. Admins can search for the required OU, Group or Domain from the list to enable portal mapping.


Manage Users

The Manage Users section lists all the users synced from AD; the sync status is displayed with each user. It also provides search and filtering options that help find individual users.


Note: This page will only show users synced from AD. The sync process has filters configured such as Email Address, First Name, and Last Name, which may limit display of users and therefore the users may not appear in the list here.


Sync Log

The sync log is updated in ID Connector upon completion of a full synchronization process. Administrators can obtain information such as the number of users imported and synchronized with VIDIZMO etc.


Software Prerequisites

Here is the list of prerequisites needed for deploying VIDIZMO ID Connector:


Windows (OS) Requirements

  • Windows Server 2016, 2019 or later (Standard or Enterprise Edition)
  • .NET Framework 4.8
  • Web server Role (IIS), configured with following role services:
    • Common HTTP Features (Complete)
    • Application Development
      • ASP .NET
      • .NET Extensibility
    • Security
      • Basic Authentication
      • Windows Authentication
    • Management Tools (Complete)


Database Server Requirements

SQL Server 2016 Standard or Enterprise Edition with below features:

  • Database Engine
  • Client Tools Connectivity
  • Management Tools


Active Directory (AD) Requirements

VIDIZMO ID Connector acts as a bridge between MS Active Directory and VIDIZMO, running in cloud or on-premise. To do its tasks, VIDIZMO ID Connector needs to interact with AD so that it can read users' information and sync it to VIDIZMO. ID Connector needs the configuration and privileges described in detail below:


Active Directory User Account

A user created in an on-premise Active Directory who is a member of the Active Directory's User Group. This is required by the ID Connector to sync user information from the Active Directory to its database.


Note: VIDIZMO ID Connector must run under this AD user account. This AD user account must be part of the Administrators group on the machine where the ID Connector will be installed. It should also hold the sysadmin server role in SQL Server. Once the database has been set up, the minimum permission required in SQL Server for routine operations is db_owner.


Active Directory Group

A group within Active Directory with all ID Connector admins as members. Any AD users added to this group will gain access to configuration and administration sections of the ID Connector Website. Such users will be able to:

  • Add Channels to define Channel Mappings
  • Make modifications to application configuration
  • Modify database connections or create new databases
  • Check Synchronization logs
  • Check users that were synchronized with ID Connector

Only limited sections will be available for the users who do not belong to this group.


Note: All users who are members of this group will gain access to ID Connector configuration and administration sections. It is therefore recommended to create a separate group for ID Connector rather than using a built-in group provided in AD.


Access Rules for HTTP/HTTPS

To allow external access on ID Connector website, open ports 80 (HTTP) and 443 (HTTPS for secure access). This is an optional step and only applicable when external access is needed on ID Connector website.

Note: In case of external access, users accessing from the internet will still be authenticated and authorized from AD.


Domain Name

An "A" record in either a local DNS server or a public DNS Server is needed (public DNS is needed if external access is required).


ID Connector Installation and Configuration

This section provides detailed information about installation and configuration of ID Connector.


Create AD User and Group

The following sequence of steps will walk you through the process of setting up AD User and Group for managing ID Connector. Below is the step-by-step process:

  1. Create an AD group "ID Connector Admin" with scope set to "Universal" and group type set to "Security".
  2. Create a new AD user account "ID Connector Admin" and uncheck "User must change password at next logon" when creating the user account.
  3. Add group membership for this new user account to the group we created earlier.


Add the new group to local admins group on ID Connector server

The next step is to add this new group to Local Administrators Group on the server where ID Connector is installed. To do this, follow the steps below on the ID Connector server:


1. Open Command Prompt

2. Type/execute below command

NET LOCALGROUP ADMINISTRATORS /ADD [DOMAINNAME\GROUPNAME or groupname@domainname]

3. Press Enter and the command should return "The command completed successfully".

4. Log in to the ID Connector server with the new AD user account created in the previous step.


Install .NET Framework 4.8

Download and install .NET Framework 4.8 from https://dotnet.microsoft.com/download/dotnet-framework/thank-you/net48-web-installer


Install VIDIZMO Identity Sync Service

This section provides information about installing VIDIZMO Identity Sync Service.


1. Download ID Connector source files "VIDIZMO.zip" to deploy the web application.

2. In this example, we extract the source files in c:\VIDIZMO.

3. Open command-prompt (run as administrator).

4. Type/execute the following command:

sc create IdentitySynchService binPath= "C:\Vidizmo\IdConnector\Web\VIDIZMOSyncService\IdentitySynchService.exe" DisplayName= "VIDIZMO Identity Sync Service"

5. Once the service is installed, right click on it and go to properties.

6. In the Properties dialog, go to Log On tab and change the user account to use the AD user (created previously).

7. Start "VIDIZMO Identity Sync Service".
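
A post-install check for the service created above, as an added PowerShell example that is not part of VIDIZMO's documentation. It confirms the startup type, logon account and state, and lists principals outside a trusted set that can write to the folder holding the service binary, which matters because that binary runs under an account with local Administrators and SQL Server sysadmin rights. The service name comes from the sc create command above; the trusted-principal list is an assumption to adjust.

```powershell
# Added example: post-install check of the VIDIZMO Identity Sync Service.
$serviceName = 'IdentitySynchService'   # name used in the sc create command
# Assumption: principals that may legitimately write to the binary folder.
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
           'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { throw "Service $serviceName is not installed." }

$findings = @()
if ($svc.StartMode -ne 'Auto') { $findings += "Startup type is $($svc.StartMode), expected Auto" }
if ($svc.State -ne 'Running')  { $findings += "State is $($svc.State), expected Running" }
if ($svc.StartName -match '^(LocalSystem|NT AUTHORITY\\)') {
    $findings += "Logs on as $($svc.StartName), expected the dedicated AD user account"
}

# PathName may be quoted and may carry arguments; keep only the executable.
# (An unquoted path is split at the first space; the guide's path has none.)
if ($svc.PathName -match '^\s*"([^"]+)"') {
    $exe = $Matches[1]
} else {
    $exe = ($svc.PathName.Trim() -split '\s+')[0]
}
$dir = Split-Path -Path $exe -Parent

# Rights that allow replacing or re-permissioning files, plus the raw
# GENERIC_ALL / GENERIC_WRITE bits that inherited ACEs can carry.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership' -bor 0x50000000
foreach ($ace in (Get-Acl -Path $dir).Access) {
    $canWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
    if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
        $trusted -notcontains $ace.IdentityReference.Value) {
        $findings += "$($ace.IdentityReference.Value) can write to $dir ($($ace.FileSystemRights))"
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "${serviceName}: no findings"
}
```

A folder created at the root of a drive inherits that drive's ACL, so run the check after extracting the files and before starting the service.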


Install SQL Server and SQL Server Management Studio

Include below features:

  • Database Engine
  • Client Tools Connectivity
  • Management Tools

Note: Log in to Windows with the AD user that was created in the previous steps.

Note: Add the current logged in account to SQL administrators during installation.


Deploy ID Connector Web App

This section provides complete details and steps needed for deploying ID Connector web application.


Install IIS Web Server

IIS is needed to serve the ID Connector website. Please follow the steps below:


1. Go to Server Manager > Add Roles and Features
2. In Roles section, select Web Server and include features when prompted
3. In Features section, select ASP.NET 4.7

4. In Web Server roles, select below features:

  • Common HTTP Features (Complete)
  • Application Development
    • ASP .NET
    • .NET Extensibility
  • Security
    • Basic Authentication
    • Windows Authentication
  • Management Tools (Complete)

Create and Configure IIS Website

This section explains how to create the IIS website for ID Connector. Please follow the steps below:


1. Open IIS management snap-in

2. Expand server object > right click "Sites" > Add Website

3. Enter site name as "Id Connector"

4. Enter physical path as "[SYSTEM DRIVE]\VIDIZMO\IdConnector\Web"

5. In Binding section, create HTTP or HTTPS binding as needed


Launch ID Connector Web Application

This section explains the process of launching the ID Connector web application.


Note: Please make sure the VIDIZMO Identity Sync Service is in running state.


1. Log in to your VIDIZMO ID Connector server.

2. Open IIS > select your ID Connector website > Authentication

3. Disable Windows Authentication

4. Enable Basic Authentication

5. Restart ID Connector website

6. Open web browser

7. Navigate to "localhost" or "127.0.0.1" or the DNS name that points to the IP address of your VIDIZMO ID Connector server.

8. This will prompt for username and password

9. Log in to the VIDIZMO ID Connector website
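
A check of the IIS state these steps produce, as an added PowerShell example that is not part of VIDIZMO's documentation. It compares the site's authentication settings with steps 3 and 4 and flags Basic Authentication that is reachable over a non-loopback HTTP binding, where the AD username and password travel base64-encoded rather than encrypted. The site name "Id Connector" is the one entered when the website was created; the WebAdministration module ships with the IIS Management Tools role service.

```powershell
# Added example: compare the ID Connector IIS site with the state this guide
# configures, and flag Basic Authentication reachable over plain HTTP.
Import-Module WebAdministration

$siteName = 'Id Connector'   # site name from "Create and Configure IIS Website"

function Test-AuthEnabled {
    param([string]$Scheme)   # e.g. basicAuthentication, windowsAuthentication
    $attr = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
        -Filter "system.webServer/security/authentication/$Scheme" -Name 'enabled'
    # The cmdlet normally returns an attribute object; accept a bare boolean too.
    if ($attr -is [bool]) { return $attr }
    return [bool]$attr.Value
}

$basic   = Test-AuthEnabled 'basicAuthentication'
$windows = Test-AuthEnabled 'windowsAuthentication'

# bindingInformation has the form IP:port:hostname, e.g. "*:80:" or "127.0.0.1:80:".
# HTTP bindings limited to loopback are only usable from the server itself.
$exposedHttp = @(Get-WebBinding -Name $siteName | Where-Object {
    $_.protocol -eq 'http' -and
    $_.bindingInformation -notmatch '^(127\.0\.0\.1|\[::1\]):'
})

$findings = @()
if (-not $basic) { $findings += 'Basic Authentication is disabled; the guide enables it' }
if ($windows)    { $findings += 'Windows Authentication is enabled; the guide disables it' }
if ($basic -and $exposedHttp.Count -gt 0) {
    $list = ($exposedHttp | ForEach-Object { $_.bindingInformation }) -join ', '
    $findings += "Basic Authentication is served over HTTP binding(s) $list; " +
                 'AD credentials are only base64-encoded on these'
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "${siteName}: authentication and bindings match the guide"
}
```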


ID Connector Database Configuration

Once you're logged in VIDIZMO ID Connector website:


1. Go to Settings > Database Configuration > Edit

2. Select "Create New Database" to create the new ID Connector database

3. Click the Save button to save changes


ID Connector Application Configuration

In the ID Connector website:


1. Go to Settings > Application Configuration > Edit

2. Enter the Group Name. This is the group we created earlier (in previous steps where we added ID Connector admin users)

3. Create a sync schedule (as needed)

4. Change VIDIZMO Sync Service status to "Activate"

5. Click the update button to save changes


Add VIDIZMO Portal in ID Connector

Log in to your ID Connector website and follow the steps below:


1. Go to Portal > Manage Portals

2. Click Add to add new portal


Create Portal Mapping for VIDIZMO Portal Website

To sync users and groups, log in to your ID Connector website and follow the steps below:


1. Go to Portal > Portal Mapping

2. Select the VIDIZMO portal to create mapping

3. Click "Define" to define new mapping

4. Leave Keyword box blank, use All in domain and All in Group/OU's and click on the search button

5. This will display all AD users, groups, OUs and domains in your AD forest



6. Select users, groups, domains or OUs that you would want to sync and click Add button to create portal mapping

7. To start synchronization, go to Settings > Application Configuration > click Enforce Synchronization or wait for the sync interval before the system triggers sync process.

8. To view and manage synced users, go to Users > Manage Users in your ID Connector website


Troubleshoot ID Connector Issues

The ID Connector web app provides logging functionality for troubleshooting in case of issues:


- Log in to your ID Connector website

- Go to Settings > Service Activity Logs to review events related to VIDIZMO Identity Sync Service

- Go to Settings > Application Error Logs to review application related errors which may have occurred

- Make sure the VIDIZMO Identity Sync Service is in running state before you can launch the website

- ID Connector uses the first name, last name and email address AD attributes to sync users. Please make sure these are populated accordingly.

- The ID Connector service mode must be set to use "IMPORT_AD_AND_SYNC_DESTINATION". This allows ID Connector to import users from AD and sync them to the VIDIZMO channel.

- The ID Connector service mode can be modified in IdentitySynchService.exe.config file in the source location.
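
To find accounts affected by the attribute requirement above, the following added PowerShell example (not part of VIDIZMO's documentation) lists enabled users in every domain of the forest that lack one of the three attributes. It assumes that first name, last name and email address correspond to the AD attributes givenName, sn and mail, that "active" means the account is not disabled, and that the ActiveDirectory (RSAT) module is available.

```powershell
# Added example: list enabled AD users that lack an attribute the sync relies on.
Import-Module ActiveDirectory

# Assumption: first name, last name and email map to these AD attributes.
$required = 'givenName', 'sn', 'mail'

# LDAP filter: enabled user objects where at least one required attribute is unset.
# The userAccountControl bit test (value 2) excludes disabled accounts.
$missingAny = ($required | ForEach-Object { '(!({0}=*))' -f $_ }) -join ''
$ldapFilter = '(&(objectCategory=person)(objectClass=user)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
              "(|$missingAny))"

# The sync service scans every domain in the forest, so the check does the same.
$report = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADUser -Server $domain -LDAPFilter $ldapFilter -Properties $required |
        ForEach-Object {
            $user = $_
            [pscustomobject]@{
                Domain            = $domain
                SamAccountName    = $user.SamAccountName
                Missing           = ($required | Where-Object { -not $user.$_ }) -join ', '
                DistinguishedName = $user.DistinguishedName
            }
        }
}

$report | Sort-Object Domain, SamAccountName | Format-Table -AutoSize
Write-Output "$(@($report).Count) enabled user(s) lack at least one required attribute"
```

Compare the output with the Manage Users page; only accounts inside a mapped Group, OU or Domain are relevant to a given portal.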


