Announcements

Shape the future of TeamViewer with our Product Team. Click here to join!

Posted by jfhallee
Digon

AD/LDAP SSO with TV

Hi, 

Has anyone been able to develop a SSO using enterprise AD/LDAP (or CAS) for TV12 using the API/REST?

Thanks!

11 Replies
Posted by mLipok
Heptagon

Re: AD/LDAP SSO with TV

"SSO" and "CAS"  
What you meant ?

 Please expand these shortcuts.

Regards,
mLipok , AutoIt MVP

Did my reply answer your question? Accept it as a solution to help others.
Find this helpful? Say thanks by clicking on the Thumbs Up button.

Posted by jfhallee
Digon

Re: AD/LDAP SSO with TV

SSO = Single Sign On

CAS = An authentification protocol commonly used (https://en.wikipedia.org/wiki/Central_Authentication_Service)

Posted by mLipok
Heptagon

Re: AD/LDAP SSO with TV

and CAS ?

 

Regards,
mLipok , AutoIt MVP

Did my reply answer your question? Accept it as a solution to help others.
Find this helpful? Say thanks by clicking on the Thumbs Up button.

Posted by mLipok
Heptagon

Re: AD/LDAP SSO with TV

As far as I know this is only to manage TV UsersAccounts with relation to LDAP/AD.

I understand that you was trying to make an commonly instaled TV APP on each AD station.

And in your case you need to make such follwowing thing happend:
UserX loging to StationA using AD/LDAP account, and he should be automaticaly loged in to they own account in TV APP. ?

Regards,
mLipok , AutoIt MVP

Did my reply answer your question? Accept it as a solution to help others.
Find this helpful? Say thanks by clicking on the Thumbs Up button.

Posted by fa9
Photon

Re: AD/LDAP SSO with TV

SSO can be accomplished with with ADFS (WS-Federated). or with CAS since CAS can be extended with Shibboleth (SAML)
Posted by jfhallee
Digon

Re: AD/LDAP SSO with TV

I understand that but I wanted to know if anyone had done it already and wanted to share his recipe to do it. We've been able to do the AD users synch into TV using the sample code here: https://integrate.teamviewer.com/en/integrate/activedirectory/index.aspx. We had to update it a tad cause it wasnt working with nested AD groups but its now working perfectly.

But now, we'd like the user created to be able to authenticate using their AD credentials instead of having to create another password into TV user management. So basically a trust in authentication between TV and our AD/LDAP.

Posted by DomLan
Heptagon

Re: AD/LDAP SSO with TV

Hi,

I try to answer you, even though you probably should apply directly to the TeamViewer support.
If I understand correctly, you want to run the SSO starting from authentication of your Windows client on their client TeamViewer: I think this is not possible, given that TeamViewer is an independent Service Provider for their credentials and provides a mechanism for OAuth for accessing user/groups/connections information and so on.

OAuth is the only way to access those services that offer their own authentication and authorization mechanism. (Facebook, Google, LinkedIn, Windows etc... do the same)

In any case, if TeamViewer offered a mechanism such as that required I would NOT use at all; If your business suffer an identity theft, even accounts of TeamViewer suffer the blow.

The same thing would occur with roles reversed: here and I think you'd be even less happy.

It 's my opinion... of course.

Regards

Domenico Langone
MCSD: App Builder
Posted by jfhallee
Digon

Re: AD/LDAP SSO with TV

Thanks DomLan for your reply!

From what I got by calling TV Support team is that the API actually allow such things as federating authentication but arent ready to put effort in documenting it and give code samples and the such but its there. They're really interrested in that feature and they already had it in their roadmap. 

Thanks also for your opinion about identity thief. Im not that good in identity security and that field, but in here we're seeing more and more authentication federations between apps and 3rd parties with however enforced password and security policies, etc. But yeah, I get your concern.

Posted by DomLan
Heptagon

Re: AD/LDAP SSO with TV

Hi,

I did not know that TeamViewer was moving in this direction regarding the federation between different services. But when talking about federated authentication I refer as a claims-based identity system: claims-based identity promotes separation of concerns at a level never archived before in the identity management world.

I'm covering the documentation to which you have reported in a previous post, and without going into details I would point out that in any case there is a separation that obviously concerns the credentials.

In your system you can give authenticate a user with "Alfred" or "Domain\Alfred"; TeamViewer in every case will keep the uniqueness of the user referring to the email address of your users who (hopefully) is unique in the world. There are certainly many items that TeamViewer will have to pay attention.

I therefore believe that the integration bid is given to relieve the transcription of a large number of master data, especially for large reality equipped with a corporate license.

In any case, without knowing exactly who will act as STS (Security Token Service) and who as RP (Relying Party), each additional answer would certainly be wrong.

@MAN: Very interesting topic!!!

Regards

Domenico Langone
MCSD: App Builder
Highlighted
Posted by DomLan
Heptagon

Re: AD/LDAP SSO with TV

Hi to all,

This is TeamViewer's most recent answer.

Regards

Domenico Langone
MCSD: App Builder
Posted by TeamViewer Staff
TeamViewer Staff

Re: AD/LDAP SSO with TV

Hi jfhallee,

currently it's not possible to use our REST API for authentication against an identity provider (IdP), but the good news are, that we are currently working on a Single Sign-On (SSO) solution.

In the meantime, you could test / use our feature "Identity Provider Connections" (IdPC) as additional security level for authentication against your IdP, as DomLan mentioned.

Team Lead Product Development (Enterprise)

Did my reply answer your question? To help others, please accept it as solution. Thanks!