
Enabling External Authentication

External authentication works with Configuration Server. If you are installing Genesys software for the first time, you must first set up the Configuration Layer following the instructions in the Framework Deployment Guide.

By default, Configuration Server does not communicate with an external authentication server.

The following table summarizes how to enable external authentication.

Enabling External Authentication

Objective: Set up the external authentication system.
Related Procedures and Information: Refer to the system documentation for your RADIUS or LDAP system.

Objective: Deploy the external authentication module during the installation of Configuration Server.
Related Procedures and Information: Do one of the following, as appropriate:
- To deploy RADIUS, follow the instructions in Deploying RADIUS Authentication.
- To deploy LDAP, follow the instructions in Deploying LDAP.

Objective: Configure Configuration Server to run the selected external authentication systems.
Related Procedures and Information: Do one of the following, as appropriate:
- For RADIUS, follow the instructions in Modifying the RADIUS Configuration Files.
- For LDAP, follow the instructions in Configuring LDAP Servers.

Objective: Start Configuration Server.
Related Procedures and Information: Refer to the Framework Deployment Guide for information about starting Configuration Server.

At startup, when external authentication is activated, Configuration Server verifies the presence of both the configuration option that points to the pluggable module, and the pluggable module itself. If either one of these is not found, Configuration Server considers external authentication to be disabled.

Configuring the Master Configuration Server

A new installation of the Master Configuration Server at its first startup reads values from its configuration file and saves those values in the Configuration Database. On all subsequent starts, it reads all values from the database and ignores those in its configuration file. (The backup Master Configuration Server, if configured, saves the information when the first switchover is completed.) As a result, you must make any changes to server-level external authentication parameters in the Options tab of the Configuration Server and Configuration Server Proxies. Any changes you make in the configuration file are ignored.

The only exception to this is the option enforce-external-auth (see enforce-external-auth). If this option is set to true in the database, but a newly installed Configuration Server reads its configuration file and finds the option set to false, Configuration Server sets it to false in the database. This ensures that all users are authenticated internally, including those without an External ID.

Synchronizing User Accounts

For Configuration Server to verify user permissions in the Configuration Database, you must synchronize the user accounts in the Configuration Database with the accounts in the external authentication system. In other words, you must create a Person object in the Configuration Database for each user who will operate in the Genesys environment. The properties of that object must correspond to the user’s parameters in the external authentication system.

To simplify the synchronization of user accounts, use the Genesys Configuration Import Wizard. For information about the wizard, refer to the Framework 8.0 Imported Configuration Data Formats Reference Manual.


Person Objects and External IDs

To be considered for external authentication, a Person must be configured with an External ID. In the simplest case, the External ID could be equal to the person's account name.
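The following is an added example, not part of the Genesys documentation: a small Python audit of the synchronization described above. It flags Person records without an External ID (not considered for external authentication), External IDs with no matching external account, External IDs shared by several Persons, and external accounts with no Person object. The CSV column names, the sample records, and the exact-match comparison are assumptions; adapt them to however you export Person objects and external accounts.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of Person objects (column names are assumptions,
# not a Genesys export format).
PERSONS_CSV = """user_name,external_id
asmith,asmith
bjones,
cwu,cwu-old
dlee,asmith
evargas,evargas
"""

# Constructed set of account names in the external (RADIUS or LDAP) system.
EXTERNAL_ACCOUNTS = {"asmith", "evargas", "fkhan"}


def audit_sync(persons_csv, external_accounts):
    """Return the mismatches between Person records and external accounts."""
    by_external_id = defaultdict(list)
    no_external_id = []
    for row in csv.DictReader(io.StringIO(persons_csv)):
        user = row["user_name"].strip()
        ext_id = (row["external_id"] or "").strip()
        if ext_id:
            by_external_id[ext_id].append(user)
        else:
            # No External ID: this Person is not considered for external auth.
            no_external_id.append(user)
    return {
        "no_external_id": sorted(no_external_id),
        # External ID set, but nothing in the external system answers to it.
        "unmatched_external_id": sorted(
            u for eid, users in by_external_id.items()
            if eid not in external_accounts for u in users),
        # One external account mapped to several Persons.
        "shared_external_id": {
            eid: sorted(users) for eid, users in by_external_id.items()
            if len(users) > 1},
        # External account exists but has no Person object to hold permissions.
        "no_person_object": sorted(external_accounts - set(by_external_id)),
    }


if __name__ == "__main__":
    for finding, items in audit_sync(PERSONS_CSV, EXTERNAL_ACCOUNTS).items():
        print(f"{finding}: {items}")
```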


High-Availability External Authentication Configurations

You can configure multiple external authentication servers to add to the reliability and efficiency of your system, as follows:

For LDAP, redundant configurations are supported, with each additional server configured in a [gauth_ldap_n] section. This can be done at all levels: server, tenant, and user.

For RADIUS, redundant authentication servers are configured in the radiusclient.conf configuration file of Configuration Server. This can be done only at the server level.

For Kerberos, redundant configurations are not supported; each configuration applies only to the server for which it is configured.

Disabling External Authentication

To disable external authentication at the Tenant or Person level, set the library option in the authentication section to internal in the object. For Configuration Server or Configuration Server Proxy, set the option to an empty value, and then restart the server to unload the authentication module and stop the authentication.

Refer to library (for RADIUS) or library (for LDAP) for information about the library option.

This page was last edited on August 1, 2014, at 14:21.