Configuring How Users Authenticate to Laserfiche Forms
Laserfiche Forms retrieves user information from either the Laserfiche Server or Laserfiche Directory Server. Configure user authentication options in the User Authentication tab on the Laserfiche Forms Configuration page.
Note: When you save changes to the settings in the User Authentication tab, Forms resynchronizes its list of accounts.
Laserfiche Server Authentication
Configuring Laserfiche Server authentication
- Open the User Authentication tab.
- Select the Use Laserfiche Server authentication option, because you will be using the Laserfiche Server instead of the Laserfiche Directory Server.
- Under Laserfiche Server, enter the name of your Laserfiche Server.
- To configure the Forms Server to secure network communications when connecting to Laserfiche, select the Use TLS connection checkbox.
- In the Repository field, enter the name of the repository the Forms Server will use for its list of named users. Click the down arrow on the field to choose from a list of available repositories.
- Type the credentials that you want Laserfiche Forms to use to access the Laserfiche Server. Please note the following:
  - The account must be a named user with the Manage Trustees privilege for the specified repository.
  - The first time you sign into Laserfiche Forms, you will need to use this account as it will be the only user with the System Administrator role. Once you sign in, you can go to the System Security page to give security roles to other users.
  - This account will be used by Forms the first time it logs in to the server. When Laserfiche Forms successfully connects to the Laserfiche Server, it will activate the special FormsUser$ account, which it will use when connecting to the Laserfiche Server in the future. Once this occurs, Forms will no longer use the account you specified to connect to the Laserfiche Server.
Allowing domain users to sign in to Laserfiche Forms
Laserfiche Forms uses Laserfiche authentication, meaning that each user that logs in to Laserfiche Forms must have a named user license associated with their user name. In order for users to be able to sign in using their domain credentials, those accounts must be associated with a named user license for the repository that Laserfiche Forms is connected to. Once you have associated domain accounts with named user licenses, those users will be able to sign in to Laserfiche Forms.
For Laserfiche Forms to know the display name or email for these domain users, Forms must get this information from the Active Directory server. To allow Laserfiche Forms to email these domain users, or to allow those users to sign in without entering their domain, additional configuration is required on the Forms Configuration page.
Additional domain user configuration
- Open the Laserfiche Forms Configuration page to the Forms Server tab.
- Fill in the Active Directory domain controller field to allow Forms to access Active Directory to find the email address and display name associated with each domain user. Enter the domain controller (DC) name for the Active Directory server. For example, if your Active Directory domain controller name is "LASERFICHE," you would enter LASERFICHE in this field. If this field is left blank, Forms will use the domain where the server is located.
- To allow domain users to sign in without specifying a domain with their user names, enter the domain name in the Windows domain field. For example, if the domain is "Laserfiche," you would enter Laserfiche.
Finding your Active Directory domain controller
- On a machine within the domain, from the Start menu, open a Command Prompt.
- Type nltest /dsgetdc:domain, replacing domain with the Active Directory domain name, and press ENTER.
- The domain controller name will be shown next to DC. This is the name you'll use in the Active Directory domain controller field. The preceding "\\" is not part of the name.
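The lookup above can also be scripted. The following PowerShell is an added example, not part of the Laserfiche documentation: it pulls the name out of the "DC:" line of nltest output and drops the leading "\\". The function name Get-DcNameFromNltest, the domain example.test and the sample output are constructed for illustration.

```powershell
# Added example: extract the domain controller name from nltest /dsgetdc output.
function Get-DcNameFromNltest {
    param(
        [Parameter(Mandatory)]
        [string[]]$NltestOutput
    )
    foreach ($line in $NltestOutput) {
        # The DC line looks like "           DC: \\DC01.example.test".
        # The leading "\\" is matched but left out of the captured name.
        if ($line -match '^\s*DC:\s*\\\\(?<name>\S+)\s*$') {
            return $Matches['name']
        }
    }
    throw 'No "DC:" line found; nltest did not report a domain controller.'
}

# Constructed sample output (host name and address are placeholders).
$sample = @'
           DC: \\DC01.example.test
      Address: \\192.0.2.10
     Dom Name: example.test
  Forest Name: example.test
The command completed successfully
'@ -split "`r?`n"

# Value to enter in the Active Directory domain controller field.
Get-DcNameFromNltest -NltestOutput $sample

# On a machine within the domain, parse the live command instead:
# Get-DcNameFromNltest -NltestOutput (nltest /dsgetdc:example.test)
```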
Laserfiche Directory Server Authentication
Laserfiche Directory Server provides a central location to manage users and groups across multiple Laserfiche products.
One of the benefits of using Laserfiche Directory Server is single sign-on across Laserfiche web products. Users sign in to one Laserfiche web product and will be automatically signed in to all other Laserfiche web products they are licensed for.
Important: Switching your user authentication to Laserfiche Directory Server cannot be undone and will remove all Laserfiche users and groups from Forms. The option for Laserfiche Server Authentication will be removed from the User Authentication page. Please consider the following:
- Ensure you have created and configured all your users and groups in Laserfiche Directory Server.
- If you had been using Laserfiche users and groups in Forms:
  - Note the Forms security settings and access rights for each user and group. You will need to apply all security to your Laserfiche Directory Server users and groups manually.
  - Note each place a form is routed to a Laserfiche user in all your processes. You will need to add the equivalent Laserfiche Directory Server user to each User Task as your existing Laserfiche users will be automatically removed.
- Active Directory users and groups will be automatically converted to Laserfiche Directory Server users and groups, so you will not need to reapply security or reconfigure User Tasks for these users.
- Forms Participant Users will be migrated to Laserfiche Directory Server when you run the migration utility, so you will not need to manually update these users.
To configure Laserfiche Directory Server authentication
- Open the User Authentication tab.
- If you will be giving Laserfiche Directory Server users access to Forms, select the Use a Laserfiche Directory Server for Single Sign-On authentication option.
- Under Laserfiche Forms Host URL, type the fully qualified domain name of your Laserfiche Forms Server, in the format //ServerName:port/Forms. This is the URL that the Directory Server STS will redirect users to after they successfully authenticate.
  - If the Use TLS Connection checkbox is not selected in the Forms Server tab under Primary Forms Server URL, "http" is automatically prepended to the URL. If it is selected, "https" is prepended to the URL.
- Under Directory Server STS URL, type the fully qualified domain name of your Laserfiche Directory Server STS, in the format //DirectoryServer/LFDSSTS.
- Under Licensing Site, type the name of your Laserfiche Directory Server licensing site, in the format SiteDisplayName.
- Directory Server groups enable you to license many members at once. Specify a list of Directory Server groups that will be allowed to sign in to Laserfiche Forms, or choose "Allow everyone to sign into Laserfiche Forms" to allow access to all the licensed users. When you specify groups, any licensed Directory Server user account that is a member of a selected group can sign in to Laserfiche Forms. When you allow everyone, any licensed Directory Server user account in an organization for which the Laserfiche Forms service user has view rights can sign in to Laserfiche Forms.
Note: If you change the Laserfiche Forms license to use a different organization, you must re-validate any groups added to the list of groups who can sign in to Laserfiche Forms.
- Under Laserfiche Forms System Administrator specify a Directory Server account that you want to grant the System Administrator role in Laserfiche Forms.
- Optional: Under Active Directory domain controller specify an Active Directory domain controller to let Forms retrieve user information directly from Active Directory. Multiple controllers may be selected.
- Specify the Account synchronization interval in hours.
- Specify the Synchronized account expiration in hours.
- Optional: For additional security, you can specify a Session Timeout which will terminate a user session after a period of inactivity. To enable session timeouts:
  - Check the box for Time out users after period of inactivity.
  - Set the number of minutes before expiration.
  - Select the Auto-save work in progress option to enable auto-save.
Note: These settings affect current sessions and should be performed at a time of limited activity.
Note: If a session timeout is specified, after the period of inactivity in Forms, the user will be signed out of all LFDS products.
- Optional: Select Enable public draft lockout to secure public drafts by preventing repeated attempts to guess the email address and/or password associated with a draft.
  - Under Number of attempts allowed before lock, set the number of attempts allowed before the draft is locked.
  - Under Minutes to keep locked, specify the amount of time before the user can retry.
- Click Save.
Synchronizing Forms Accounts
Laserfiche Forms gets its list of users from the Laserfiche repository or Laserfiche Directory Server, depending on how you authenticate users, and gets information about domain users from the Active Directory or LDAP servers. Periodically, Forms synchronizes with the Laserfiche Server, Active Directory, LDAP server, or Laserfiche Directory Server to ensure its information is current.
Important: Laserfiche Forms uses the Laserfiche Forms Routing Service for user synchronization. To synchronize Windows users, the system account that the Laserfiche Forms Routing Service runs under must be assigned the "ReadMemberOf" right for User objects, so that it can get group information for the Windows users in the Active Directory domain.
Configure the following fields to specify how often you want to synchronize users:
- Specify the time interval (in hours) between each auto-synchronization attempt (when Forms checks for new users) under Account synchronization interval. After initial synchronization, Forms will check for new users at this interval.
- After an account has been synchronized with Forms, the Forms Server checks for updates to that account based on the time interval (in hours) under Synchronized account expiration. After initial synchronization, Forms checks for updates to existing users at this interval.
Configuring Session Timeouts
The session timeout allows you to time out users automatically after a set period of inactivity. This ensures that Forms is secure over an extended period of time. Users get a pop-up notification before timeout alerting them that their sessions are near expiration. A user can select an action item in the pop-up notification to proceed without timing out. For systems using LFDS with SSO, timing out of Forms automatically signs out users from all Laserfiche products.
To configure the session timeout
- Select Time out users after period of inactivity under Session Timeout in User Authentication.
- Type the number of minutes of inactivity before the session expires.
- Optional: Select Auto-save work in progress to automatically save drafts of user work before the session expires. This option only applies to forms for which the Save as Draft option is enabled.
Important: If a user decides to fill out multiple drafts at the same time, and the timeout period is met, some of the multiple drafts may not be saved.
- Click Save.