Integrating Active Directory with ThoughtFarmer via our Employee Directory Connector (EDC) is a critical step in enhancing user authentication and access control within your organization, as well as in syncing user data. The choice of network architecture plays a pivotal role in ensuring the security, accessibility, and manageability of this integration. The EDC has two main components that facilitate the integration:
- Login site: This is an IIS site that users will be redirected to in order to complete the authentication process. It will use your AD Domain to authenticate the user and send back a SAML response to your ThoughtFarmer cloud instance to verify the user's identity.
- EDC Windows Service: This service runs the process that queries your Domain Controller via LDAP to fetch information for automated user provisioning. It creates or deactivates ThoughtFarmer user accounts and syncs other user information such as profile fields, manager relationships, security group memberships, and so on.
We recommend one of two configurations, depending on your organization's requirements:
- DMZ: In a DMZ (Demilitarized Zone) configuration, the ThoughtFarmer EDC server is placed in a partially isolated network segment, allowing external access while maintaining security.
- Internal Network: In an internal network configuration, the ThoughtFarmer EDC server resides within your organization's internal network, providing security but limiting access to internal users or those on a VPN.
Before we delve into the details of the network architecture options, it is essential to understand your organization's specific requirements and constraints.
External Access
- Requirement: Do you need to provide access to ThoughtFarmer from outside your organization's network?
- Implication: If external access is required, a DMZ configuration is necessary. If not, an internal network configuration can be considered.
IT Resource Availability
- Requirement: What are your IT resource constraints? Consider factors like staffing, budget, and expertise.
- Implication: A DMZ configuration is more complex to set up and maintain, whereas an internal network configuration is easier to manage with limited IT resources.
Windows Single Sign-on
- Requirement: Do you want users to skip signing in to ThoughtFarmer and instead have their network domain credentials passed through via Windows SSO?
- Implication: Only a server on your internal network that is joined to your domain can facilitate Windows SSO.
Security
- Requirement: How critical is the security of your integration?
- Implication: A DMZ configuration provides access from the general internet but requires more rigorous security measures. An internal network configuration is inherently more secure but limits access to users within your network or on a VPN.
The DMZ configuration requires an additional server set up in a network segment that is separated from your internal network by a firewall. Specific ports are opened on that firewall to allow direct communication with a single Domain Controller. For details on the configuration, please contact us through our helpdesk.
- External access from the general internet.
- Segregation of internal and external network traffic.
- More complex to configure and maintain.
- Requires dedicated security measures (e.g., firewalls, intrusion detection, certificates).
- Connects to a single domain controller, so there is no redundancy for LDAP calls if that domain controller fails.
The internal network configuration has the ThoughtFarmer EDC on a server that is on your internal network and joined to your domain.
- Simpler setup and maintenance.
- Inherent security for internal users.
- Built-in redundancy for the domain connection, because a domain-joined server can use any of your available domain controllers.
- Allows for Windows Single Sign-on so network users do not have to re-enter their credentials.
- No direct external access, necessitating VPN for remote users.
- Limited accessibility for external parties.
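To make the redundancy difference between the two configurations concrete, the following PowerShell check is an added example; it is not part of ThoughtFarmer's documentation or of the EDC itself. On a domain-joined (internal) server it asks the Windows DC locator which domain controller it would use and lists all the others it could fall back to; on a non-joined (DMZ) server it only tests the one domain controller and port your firewall rule permits. The `$DmzDomainController` and `$DmzLdapPort` values are placeholders you replace with your own, and the port numbers assume the usual LDAP (389) and LDAPS (636) ports.

```powershell
# Added example (not ThoughtFarmer's code). Shows why the internal configuration has
# redundancy for LDAP queries while the DMZ configuration depends on a single DC.
# Placeholders: replace $DmzDomainController and $DmzLdapPort with your own values.
param(
    [string]$DmzDomainController = 'dc01.corp.example',  # placeholder: the single DC your DMZ firewall rule allows
    [int]$DmzLdapPort = 636                               # LDAPS; use 389 only if plain LDAP is what the rule permits
)

function Test-InternalLdapPath {
    # A domain-joined server lets the DC locator choose whichever DC is reachable now,
    # so one failed DC does not stop the EDC's LDAP lookups.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $chosen = $domain.FindDomainController()
    [pscustomobject]@{
        Mode         = 'Internal (domain-joined)'
        ChosenDC     = $chosen.Name
        AvailableDCs = ($domain.DomainControllers | ForEach-Object Name) -join ', '
    }
}

function Test-DmzLdapPath {
    param([string]$Server, [int]$Port)
    # From the DMZ only the one DC/port pair opened on the firewall is reachable; if this
    # check fails, automated user provisioning stops until that DC (or the rule) is restored.
    $tcp = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Mode      = 'DMZ (single DC)'
        ChosenDC  = $Server
        Port      = $Port
        Reachable = $tcp.TcpTestSucceeded
    }
}

# Pick the check that matches the server this script runs on.
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    Test-InternalLdapPath
} else {
    Test-DmzLdapPath -Server $DmzDomainController -Port $DmzLdapPort
}
```

Run it on the EDC server itself: on an internal, domain-joined server the `AvailableDCs` list is what gives you redundancy, while on a DMZ server a `Reachable` value of `False` means the EDC's LDAP sync has no alternative path and the firewall rule or that domain controller needs attention.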
Comparison of network architectures
| Criteria | DMZ Configuration | Internal Network Configuration |
| --- | --- | --- |
| | Potentially higher | Potentially lower |
| Windows Single Sign-on | | |