13.2. Overview

NextGIS ID on-premise (NGID on-premise) is an authorization and user management server for NextGIS software. For companies with local networks isolated from the Internet to a certain degree this offers a way to authorize users of desktop and mobile NextGIS software.

The functionality of NGID on-premise includes:

  • user sign-in with login and password;

  • modifying user credentials (login, password), deleting users;

  • adding users to a team that has extended access to software features, managing team members;

  • user sign-in via OAuth2 in various applications;

  • personal web pages for users where they can view their profile and change their password.

13.2.1. Authorization and profile

The home page of NGID on-premise opens on a sign-in dialog (see auth_window). Enter login and password for a user created in the Admin Console.

../../_images/auth_window_en.png

Pic. 13.1. User authorization window

After a successful sign-in you’ll see the user profile page (see profile_window). On this page the user can modify personal information and change password.

../../_images/profile_window_en.png

Pic. 13.2. User profile window

13.2.2. Team

To add a new team member, enter login and password for the user. You can also delete a user from the team. Team management is available in the Team section, add /users to the URL to view it (see ngidop_team). Each added user is displayed in the list. Users included in the team have access to extended functionality of the NextGIS software.

../../_images/ngidop_team_en.png

Pic. 13.3. Adding users to the Team

13.2.3. OAuth applications

You can permit this type of authorization for various NextGIS apps. Set it up in the OAuth Application section of the settings (see ngidop_apps_oauth):

Each of this apps must be configured to allow authorization via NextGIS ID on-premise. By default the apps use the cloud authorization service my.nextgis.com. For more details on setting up authorization in these apps see the corresponding documentation.

../../_images/ngidop_apps_oauth_en.png

Pic. 13.4. Setting up OAuth applications

Note

To access the extended functionality of the desktop and mobile software you need to enter the NextGIS ID server in the settings of the desktop application (see auth_server_settings). By default it uses the public authorization service https://my.nextgis.com.

For a service deployed in a local network the address follows the model of https://gis.mycompany.com/ngid. Enter this URL as the authorization server address. In a web browser use the link: * https://gis.mycompany.com/ngid/ - user profile will open.

../../_images/auth_server_settings_en.png

Pic. 13.5. Configuring authorization server in QGIS

13.2.4. Setting up LDAP

To open LDAP settings, add /ldapsettings to the URL (see ldap_settings). In the LDAP SERVER section enter the URL of the authorization server, user login and password to sign in on the server.

Integration with Microsoft Active Directory external server

During sign-in via the standard dialog in NextGIS Web the system checks if the user exists in the NextGIS Web software. If it is a Microsoft Active Directory account, the password is checked in the Microsoft Active Directory. If the user does not exist in NextGIS Web, the Microsoft Active Directory database is checked for the username. If the user is found in that database, the password is checked. If the Microsoft Active Directory signs in the user successfully, NextGIS Web will automatically create a user with the same login. The account type will be set to Microsoft Active Directory.

../../_images/ldap_settings_en.png

Pic. 13.6. LDAP settings page

In the User search section enter the data base to be used for user search and LDAP attributes for the search parameters (login, name, surname).

If a user is part of a group, you can add that information in the last section of the LDAP configuration section. This field is not required, but it allows to limit access for users outside a particular group. Users that are members of other groups won’t be able to sign in even if they enter a correct login/password combination.

13.2.5. NextGIS ID on-premise identificator

For integration with global NextGIS services (such as GeoServices) a unique GUID is used. You can view it in the NextGIS ID on-premise section (see ngidop_guid). To set it up open your profile on my.nextgis.com and enter the GUID in the NextGIS ID on-premise section (see GUID_on_my).

../../_images/ngidop_guid_en.png

Pic. 13.7. GUID in NextGIS ID on-premise settings

../../_images/GUID_on_my_en.png

Pic. 13.8. GUID in the NextGIS ID cloud account

For Collector and Tracker enter the hub parameters to the table in Settings using the addresses where they are deployed.