There are several operations related to user interaction with forms in the TransForm E-Forms Manager catalog for which you may want to involve end user authentication. Such operations may include:
Download of published forms from the form catalog;
Submission of forms by end users who have downloaded and filled them out;
Electronic signing of forms (or sections of forms) by end users;
Autofill calls to pre-populate forms with data from an external database, and
Workflow status checking.
In the case of electronic signing, end user authentication is always a requirement, since the act of signing itself requires the signer to identify themselves. When you configure the other types of operations, however, TransForm E-Forms Manager allows you to specify whether or not you want to involve authentication. Furthermore, the system allows you to customize the authentication rules for each type of operation on a form-by-form basis. This enables you to enforce policies regarding which users are allowed to perform certain operations on specific forms.
In any type of transaction where end user authentication is employed, TransForm E-Forms Manager needs access to a repository of user data so that it can:
Authenticate users based on the user ID and password they provide, and
Retrieve user information (such as first and last name) for use by the system to populate signature fields and/or display information on a signer or submitter.
TransForm E-Forms Manager gives you several options for connecting to and searching various types of authentication repositories by allowing you to create various types of Authentication Providers. Once you have defined one or more Authentication Providers, you can assign them (either by themselves or in ordered groups) to Authentication Schemes. Authentication Schemes are then assigned to operations for which you want to require authentication. At the time such an operation is called, TransForm E-Forms Manager handles the process of gathering the form user's authentication credentials (user ID and password), and uses them to search the provider or providers associated with the Scheme assigned to the operation. Authentication completes successfully and the operation continues once the authenticating user's information is found by one of the searches. This gives you a very flexible and easily configurable means of implementing rules and policies for end user interaction with your electronic forms.
The first step in configuring end user authentication for forms that reside in the form catalog consists of providing TransForm E-Forms Manager with the information it uses to query directory services, databases, or other authentication stores that contain user information. This information is supplied through the definition of one or more Authentication Providers. Authentication Providers are then assigned to one or more Authentication Schemes. Authentication Schemes can in turn be assigned to individual operations associated with form versions in the form catalog. What follows is a detailed description of each of the configuration items.
An Authentication Provider contains a group of settings that are used to connect to and query one of several types of supported authentication repositories with user credentials supplied from a form. Using these settings, TransForm E-Forms Manager can provide end user authentication functionality through:
Active Directory Integration: Connecting to and querying Active Directory servers to authenticate end users.
LDAP Integration: Connecting to and querying LDAP servers to authenticate end users.
SQL-compliant Database Integration: Connecting to and querying a database using an ODBC connection and custom SQL query.
E-Forms Manager Authentication: Using TransForm E-Forms Manager's built-in repository of End User data. A provider and a scheme for this type of authentication is included in the system, and in a new system it is set as the default. The repository for TransForm E-Forms Manager authentication is managed from the End Users area.
TransForm E-Forms Manager allows you to create as many authentication providers as may be needed by your system. This enables you to employ different repositories or even different searches within the same repository in your e-form processes.
Each type of provider requires different settings to designate how to connect to and how to search its authentication repository. For instance, an Active Directory provider requires information such as the LDAP URL for an Active Directory server and one or more DN strings that define the directory paths that will be searched. A Database provider requires an ODBC DSN to establish its connection to the database, along with a SQL query that will retrieve user information from a table in the database using the user ID and password supplied by the form user. The TransForm E-Forms Manager provider simply uses the system's built-in repository and requires no custom settings.
An authentication scheme is simply a named, ordered grouping of authentication providers. A scheme may contain one or more providers. Once defined, schemes may be assigned to various authentication-related form operations within the form catalog area. TransForm E-Forms Manager allows you to create as many authentication schemes as you need.
If your system has more than one authentication scheme defined, you will designate one scheme as the system's Default Authentication Scheme. The default scheme is automatically used by form operations that require authentication for which a particular scheme has not been assigned. This saves you the effort of assigning an authentication scheme to each and every form operation when most or all operations will use the same scheme anyway. In addition, by changing the default designation from one scheme to another, you can change the authentication policy for forms system-wide without having to edit the settings for each and every form in the catalog.
The following sections describe how to create and configure Authentication Providers and Schemes for use with your forms.
Select Authentication from the Administration tab. This opens a screen containing two tabs, labeled Providers and Schemes. The Providers tab allows you to view and edit Authentication Providers, and the Schemes tab lets you view and edit Authentication Schemes. The first step in configuring authentication for your system will be the definition of one or more Authentication providers.
The Authentication Providers tab shows a list of all of the providers that have been defined for your system. In a new system, a single provider will be shown, called "E-Forms Manager." This represents the built-in authentication repository that you can use as an alternative to external user data repositories. The TransForm E-Forms Manager provider cannot be edited or deleted. If you have upgraded from a previous version that had an Active Directory or LDAP connection defined, you will also see an additional provider listed, which contains the settings that were defined previously.
The provider list shows the following summary information about each provider:
Provider Name: The name assigned to the provider when it was created. This name should indicate the type of search performed by the provider.
Provider Type: Indicates the type of repository to which the provider connects. Available provider types include Active Directory, LDAP, Database, and E-Forms Manager.
Status: Whether or not the provider is enabled for use. As long as it is not the only provider assigned to a scheme, a provider may be disabled so that authentication processes ignore it when checking against the providers in a scheme.
Edit: Opens the provider create/edit window, described below.
Delete: Allows you to delete the provider. If the provider is enabled, this control is disabled. Also, if you attempt to delete a provider which is the only one assigned to a scheme, you will be asked to reassign the provider first.
Clicking on any row in this list will open a window that shows all of the available details about the provider selected.
To create or edit an authentication provider, click the New Authentication Provider link above the provider list, or click one of the Edit links within the list. This will open the Authentication Provider Setup wizard, which will step you through the process of configuring the provider. The first screen of the wizard gathers basic information about the provider, including the provider name, provider type, and whether or not the provider should be enabled.
Depending on the type of provider that you choose on this screen, the second screen of the wizard will vary in order to gather information specific to the type of provider you are defining. These settings will be used by TransForm E-Forms Manager whenever a transaction occurs that requires end user authentication, in order to contact the repository defined and search for the user based on credentials supplied by the user.
To configure Active Directory Authentication, you must enter data into all of the fields displayed. The table below describes the information you must provide:
Field Name | Description | Example
Active Directory Server URL | This is a URL that uses the LDAP protocol to locate and communicate with your Active Directory server. This URL should provide the protocol, the computer name or IP address of the server hosting the Active Directory service, followed by the port number. | ldap://myserver:389
Active Directory Domain | This is the name of the domain listed in your Active Directory server to which authenticating users belong. | mycompany.com
User Name Search Base | Directory root path in the distinguished name (DN) format. This uniquely identifies a directory root path in a networked environment, and the parameters you specify identify to TransForm E-Forms Manager the directory paths it will search in order to find and authenticate users. You may enter multiple paths, but if you enter more than one, separate the paths with a semicolon. | OU=Users,OU=MyBusiness,DC=MyCompany,DC=com; CN=Users,DC=MyCompany,DC=com
The table below describes the information you must provide in order to define an LDAP server connection and search:
Field Name | Description | Example
LDAP Server URL | This is a URL that uses the LDAP protocol to locate and communicate with your LDAP server. This URL should provide the protocol, the computer name or IP address of the server hosting the LDAP service, followed by the port number. | ldap://myserver:389
LDAP Admin Name (DN) | Enter the DN of an LDAP user who has privileges for searching data about other users. This may be left empty if your LDAP server allows anonymous searching. | uid=Admin
LDAP Admin Password | Enter the corresponding password for the DN of the LDAP user entered above. | ******
User Entries Filter | Enter the search filter string in LDAP format that describes the entries representing users. | (objectClass=person)
User Name Attribute | Authentication for submission and signing requires users to enter a user ID and a password. The user ID entered (such as "bobsmith") is used in a search filter that attempts to find the user with the ID specified. Within your LDAP server there should be an attribute that represents the unique login ID for each user. Usually this attribute is named "uid". Specify the name of your system's unique login ID attribute here. | uid
User Name Search Base | Directory root path in the distinguished name (DN) format. This uniquely identifies a directory root path in a networked environment, and the parameters you specify identify to TransForm E-Forms Manager the directory paths it will search in order to find and authenticate users. You may enter multiple paths, but if you enter more than one, separate the paths with a semicolon. | ou=users,dc=mycompany,dc=com; ou=Administrators,dc=mycompany,dc=com
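The LDAP settings above combine at authentication time into a directory search: the User Entries Filter is AND-ed with a match on the User Name Attribute for the ID the form user typed, and that search is run against each semicolon-separated User Name Search Base in turn. The following is an added example (not code from TransForm E-Forms Manager, whose internal implementation the page does not show) that builds those search parameters in Python. It assumes RFC 4515 escaping of the user-supplied ID so that the typed value can only ever match literally inside the filter; the function names and the escaping table are this example's own.

```python
# Added example: assemble the LDAP search an authentication provider performs
# from the wizard settings shown above. Assumption: the product's own filter
# construction is not documented on the page; this shows one correct way.

# RFC 4515 escape sequences for characters that are special inside a filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally in a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(user_entries_filter: str, user_name_attribute: str, user_id: str) -> str:
    """Combine the User Entries Filter with a match on the User Name Attribute.

    With the page's example settings and user ID "bobsmith" this yields
    (&(objectClass=person)(uid=bobsmith)).
    """
    if not (user_entries_filter.startswith("(") and user_entries_filter.endswith(")")):
        user_entries_filter = f"({user_entries_filter})"
    return f"(&{user_entries_filter}({user_name_attribute}={escape_filter_value(user_id)}))"


def split_search_bases(search_base_setting: str) -> list:
    """Split the semicolon-separated User Name Search Base into DNs, in order."""
    return [dn.strip() for dn in search_base_setting.split(";") if dn.strip()]


def plan_searches(search_base_setting: str, user_entries_filter: str,
                  user_name_attribute: str, user_id: str) -> list:
    """Return the (base DN, filter) pairs the provider would try, in order.

    The same filter is used under each base; the first base where exactly
    one entry is found identifies the user.
    """
    filt = build_user_filter(user_entries_filter, user_name_attribute, user_id)
    return [(base, filt) for base in split_search_bases(search_base_setting)]


if __name__ == "__main__":
    # Settings taken from the page's LDAP example table.
    for base, filt in plan_searches(
        "ou=users,dc=mycompany,dc=com; ou=Administrators,dc=mycompany,dc=com",
        "(objectClass=person)", "uid", "bobsmith",
    ):
        print(f"search base={base!r} filter={filt}")
```

The escaping step is what keeps a user ID containing `*`, parentheses or backslashes from changing the shape of the filter; everything the user types ends up as literal attribute-value text.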
Setup of a Database authentication provider requires that you give information that will allow the system to connect to a database and to query one or more tables in the database using the credentials supplied by the end user.
The database connection used by this type of provider is established by means of an ODBC Data Source which you should define prior to creating the authentication provider. For more information on Data Sources, see the help section on database integration and data sources.
On this screen, you will enter the following information to define the database connection and query that the provider will use:
Choose the Data Source that designates the database connection the provider will make.
Enter an SQL query that will be used to find information about the authenticating user. This query must consist of a SQL SELECT statement. It can select from a single table, or may contain one or more joins if it needs to use multiple tables. This query must follow the rules below:
Within the query, you may use the tokens $USER_ID and $PASSWORD. These tokens are replaced at the time of authentication with the actual User ID and password supplied by the authenticating user. This allows the query to look up information specific to the user who is attempting to authenticate. These tokens should be surrounded by single quotes (') if the database fields that they will check against contain character (non-numeric) data.
The query should be written so as to retrieve only one record that can be used to identify and provide information about the user. If more than one record is returned, the lookup will fail.
The SELECT portion of the query must retrieve table column values that represent the first and last name of the user. It can optionally retrieve the user's middle initial, middle name, or email address. These values are used by TransForm E-Forms Manager to supply signing information to a form when a user authenticates to sign, or to supply audit information about other authentication-based operations. (Note that if you include the user's entire middle name in your query, only the initial will be used in signing operations.)
The samples below provide some examples of how you might write an authentication query:
Example 1: (Collects first name, last name, email address, and middle initial from a single table called "employees")
SELECT first_name, middle_initial, last_name, email_address
FROM employees
WHERE user_id = '$USER_ID'
AND password = '$PASSWORD'
Example 2: (Collects first and last name from a single table called "employees")
SELECT first_name, last_name
FROM employees
WHERE user_id = '$USER_ID'
AND password = '$PASSWORD'
Example 3: (Collects information using a join between 2 tables called "user" and "user_login")
SELECT user.first_name, user.last_name, user.email
FROM user, user_login
WHERE user.user_id = user_login.user_id
AND user_login.login_id = '$USER_ID' AND user_login.password = '$PASSWORD'
You may optionally choose a hash algorithm for the password supplied by the user. If you select one of the standard hash algorithms listed, then at authentication time a hash value will be created using the password supplied by the user, which will be used in the query in place of the actual password. You should use this feature if your database stores hash values instead of passwords, and those hash values are created using one of the standard algorithms supported by TransForm E-Forms Manager.
Once you are done defining your query, click the Next button. On the next screen, you must identify values for the user's name and email address by mapping the column names you specified for retrieval in the SQL query to each of the data elements needed about the authenticating user.
On this screen, choose the columns from the SQL Select statement that will be used by TransForm E-Forms Manager as the authenticator's first and last name. You may optionally choose values for the middle initial and email address.
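The rules above (token substitution for $USER_ID and $PASSWORD, optional hashing of the supplied password, exactly one record or the lookup fails, and mapping of the selected columns to first name, last name, middle initial and email) can be exercised end to end against a small database. The following is an added example in Python, not TransForm E-Forms Manager's own code: it loads a constructed "employees" table into an in-memory SQLite database, converts the page's Example 1 query from token form into a bound-parameter statement, and applies the result-count and column-mapping rules. The `hash_alg` names accepted are whatever `hashlib` knows; the page does not list which algorithms the product offers, so that is an assumption, as is the way the middle initial is derived from a full middle name.

```python
import hashlib
import re
import sqlite3

# Added example (not the product's code). Constructed sample data shaped like
# the page's Example 1: an "employees" table whose password column holds
# SHA-256 hashes rather than passwords.
def make_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (user_id TEXT, password TEXT, first_name TEXT,"
        " middle_initial TEXT, last_name TEXT, email_address TEXT)"
    )
    h = lambda s: hashlib.sha256(s.encode()).hexdigest()
    rows = [
        ("bobsmith", h("correct horse"), "Bob", "Q", "Smith", "bob@example.com"),
        ("jane", h("battery staple"), "Jane", "Marie", "Doe", "jane@example.com"),
        # Two rows share a user_id: the page says such a lookup must fail.
        ("dup", h("x"), "Dup", None, "One", "d1@example.com"),
        ("dup", h("x"), "Dup", None, "Two", "d2@example.com"),
    ]
    conn.executemany("INSERT INTO employees VALUES (?,?,?,?,?,?)", rows)
    return conn


# The page's Example 1 query, written with the provider's tokens.
AUTH_QUERY = """
SELECT first_name, middle_initial, last_name, email_address
FROM employees
WHERE user_id = '$USER_ID'
AND password = '$PASSWORD'
"""

# The column mapping chosen on the wizard's final screen (assumed keys).
COLUMN_MAP = {"first_name": "first_name", "last_name": "last_name",
              "middle_initial": "middle_initial", "email": "email_address"}

# A token with or without its surrounding single quotes; the quotes are dropped
# because the driver binds the value with the right type itself.
_TOKEN_RE = re.compile(r"'?\$(USER_ID|PASSWORD)'?")


def to_parameterized(query: str):
    """Rewrite the token form into a ?-placeholder statement plus bind order."""
    order = []

    def repl(match):
        order.append(match.group(1))
        return "?"

    return _TOKEN_RE.sub(repl, query), order


def lookup_user(conn, query, column_map, user_id, password, hash_alg=None):
    """Run the provider query with bound parameters and apply the page's rules.

    Returns the mapped user record, or None when zero or several rows match.
    """
    secret = hashlib.new(hash_alg, password.encode()).hexdigest() if hash_alg else password
    sql, order = to_parameterized(query)
    params = [user_id if name == "USER_ID" else secret for name in order]
    cur = conn.execute(sql, params)
    rows = cur.fetchall()
    if len(rows) != 1:
        return None  # not exactly one identifying record: lookup fails
    record = dict(zip([d[0] for d in cur.description], rows[0]))
    middle = record.get(column_map.get("middle_initial") or "")
    return {
        "first_name": record[column_map["first_name"]],
        "last_name": record[column_map["last_name"]],
        # A full middle name is reduced to its initial, as the page notes.
        "middle_initial": (middle or "")[:1] or None,
        "email": record.get(column_map.get("email") or ""),
    }


if __name__ == "__main__":
    db = make_sample_db()
    print(lookup_user(db, AUTH_QUERY, COLUMN_MAP, "bobsmith", "correct horse", "sha256"))
    print(lookup_user(db, AUTH_QUERY, COLUMN_MAP, "dup", "x", "sha256"))  # None
```

Binding the two values as parameters rather than splicing them into the statement text preserves the query's meaning regardless of what the form user typed, while still honouring the single-quote convention the page describes for character columns.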
When you save the Authentication Provider settings, TransForm E-Forms Manager will not attempt to test your settings against the provider's target store, since no credentials are available. To test whether your settings are correct, configure a sample form for remote signing (or submission with required authentication) then try to sign or submit it.
The Authentication Schemes tab provides a list of all of the authentication schemes that have been defined for the system. In a new system, a single scheme named "Scheme 1" will be available, which contains the built-in TransForm E-Forms Manager provider.
The scheme list shows the following summary information about each scheme:
Scheme Name: The name assigned to the scheme when it was created.
Number of Providers: Indicates how many authentication providers are assigned to the scheme.
Default: One of the schemes in the list will have a checkmark in this column, indicating that it is designated as the Default Authentication Scheme. This scheme is the one used by authentication operations for which a scheme is not specifically assigned - those for which the Always Use Default option is set in a form's properties in the form catalog.
Edit: Opens the scheme create/edit window, described below.
Delete: Allows you to delete the scheme. If the scheme is assigned to one or more authentication operations in the form catalog, or if it is designated as the default scheme, the Delete control is disabled. Schemes explicitly assigned to authentication operations have an "In Use" indicator in this column. Clicking the "In Use" link opens a window that shows all of the forms and associated operations that reference the scheme.
Clicking on any row in this list will open a window that shows all of the available details about the scheme selected.
The left-most column of each row in the table contains a radio control that you can select, then click the Set as Default button to designate that scheme as the default scheme.
To create or edit an authentication scheme, click the New Authentication Scheme link above the list, or click one of the Edit links within the list. This will open the Authentication Scheme Setup window, in which you can configure the scheme.
The Authentication Scheme Setup window allows you to name the scheme and assign providers to it. In naming the scheme, you should provide a name that briefly and accurately describes what type of user the scheme is meant to authenticate. For example, if the scheme contains one or more providers that will only authenticate members of your organization who are in the Human Resources department, you might give it a name like "Human Resources." Using clear naming will make assignment of schemes to operations simpler within the form catalog.
Assign providers to the scheme by selecting them from the list on the left and moving them to the right.
You can control the order in which the providers are checked during authentication attempts by using the Up and Down buttons to the right of the Selected Providers list.
Once you have the necessary authentication schemes defined, they are made available for use within the TransForm E-Forms Manager catalog so that you can assign them to authentication-related operations of a form. Such operations include:
Form Download
Form Submission
Electronic Signing
Form Autofill
In the form catalog, wherever the option to require authentication may be chosen, there is also a list of available authentication schemes. This list contains all of the schemes defined, along with a default option labeled "Always Use Default." If you choose this option, then TransForm E-Forms Manager will always use the scheme designated as the Default Authentication Scheme. In this way, if you change the default scheme designation, you automatically affect the behavior of all form operations that are set to use the default scheme. This option also keeps you from having to explicitly select a scheme for each and every operation.
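The scheme mechanics described on this page (an ordered list of providers, disabled providers ignored, the search ending at the first provider that finds the user, and "Always Use Default" resolving to the Default Authentication Scheme) are modelled in the following added example. It is not TransForm E-Forms Manager code; the repositories behind the providers are constructed in-memory dictionaries standing in for a directory, a database and the built-in End Users store, and the class and function names are this example's own.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Added example (not the product's code): a model of scheme evaluation.
# A provider lookup takes (user_id, password) and returns a user record or None.
Lookup = Callable[[str, str], Optional[dict]]


@dataclass
class Provider:
    name: str
    provider_type: str      # "Active Directory", "LDAP", "Database" or "E-Forms Manager"
    enabled: bool           # the Status column on the Providers tab
    lookup: Lookup          # stands in for the real repository search


@dataclass
class Scheme:
    name: str
    providers: list = field(default_factory=list)   # checked in this order


def authenticate(scheme: Scheme, user_id: str, password: str):
    """Check the scheme's providers in order, skipping disabled ones.

    Returns (provider name, user record) for the first provider that finds
    the user, or None when no enabled provider does.
    """
    for provider in scheme.providers:
        if not provider.enabled:
            continue
        record = provider.lookup(user_id, password)
        if record is not None:
            return provider.name, record
    return None


def resolve_scheme(operation_scheme: Optional[Scheme], default_scheme: Scheme) -> Scheme:
    """'Always Use Default' is modelled as an operation with no scheme of its own."""
    return default_scheme if operation_scheme is None else operation_scheme


def _table_lookup(table: dict) -> Lookup:
    """Build a lookup over a constructed in-memory table (stand-in repository)."""
    def lookup(user_id, password):
        entry = table.get(user_id)
        if entry is not None and entry["password"] == password:
            return {k: v for k, v in entry.items() if k != "password"}
        return None
    return lookup


# Constructed sample repositories; values are illustrative only.
HR_DIRECTORY = {"alice": {"password": "hr-pass", "first_name": "Alice", "last_name": "Ng"}}
SALES_DB = {"bob": {"password": "sales-pass", "first_name": "Bob", "last_name": "Smith"}}
BUILTIN = {"carol": {"password": "builtin-pass", "first_name": "Carol", "last_name": "Diaz"}}

hr = Provider("HR Directory", "Active Directory", True, _table_lookup(HR_DIRECTORY))
sales = Provider("Sales DB", "Database", False, _table_lookup(SALES_DB))   # disabled
builtin = Provider("E-Forms Manager", "E-Forms Manager", True, _table_lookup(BUILTIN))

DEFAULT_SCHEME = Scheme("Scheme 1", [builtin])
MANAGERS_SCHEME = Scheme("Sales or HR Managers", [hr, sales, builtin])

if __name__ == "__main__":
    scheme = resolve_scheme(None, DEFAULT_SCHEME)      # operation set to Always Use Default
    print(scheme.name, authenticate(scheme, "carol", "builtin-pass"))
    print(MANAGERS_SCHEME.name, authenticate(MANAGERS_SCHEME, "bob", "sales-pass"))  # None
```

Because `sales` is disabled, a user who exists only in that repository is not authenticated even though the provider is still listed in the scheme; re-enabling it, or moving it with the Up and Down buttons, changes the outcome without touching any form in the catalog.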
In configuring electronic signing of forms with multiple signable field sets, you can utilize different authentication schemes to enforce policies on which users in your organization are allowed to sign which parts of the form. For example, in the picture below, the first field set in the form can be signed by all employees through the use of the "All Employees" scheme. The secondary signature (which may represent approval) may only be performed by members of the organization who can authenticate against the "Sales or HR Managers" scheme.