LoginShare is the mechanism for authenticating your support desk users using an external database or authentication mechanism.
With LoginShare you can integrate your Kayako product with your existing Intranet, LDAP (Active Directory) or any third-party applications. Single sign-on enables centralized management of staff and user accounts from one single source. If you already have backend systems and user databases available, this lets your users log in without registering another account.
To configure LoginShare settings in the support desk, click on the Staff tab on the navigation menu bar, and then click LoginShare.
You will be presented with all the configurable settings specific to the LoginShare configuration.
| Setting | Description |
|---|---|
| Enable external authentication for staff | If this setting is set to Yes, all authentication requests for the staff will first be tried against the URL specified below in the "Staff LoginShare URL" field, that is, the LoginShare API. |
| Staff LoginShare API name | Specify a name that you wish to keep for this LoginShare. |
| Staff LoginShare API URL | Specify the LoginShare API URL here. This is a URL to the location of an authentication script. |
Click Update to upload and save the settings you have made. Once enabled, the system will dispatch each login by your staff to the authentication URL. It is important that your LoginShare script is properly tested or you could lock yourself out of the system.
The LoginShare script needs to be designed to receive the following data via POST:
- username: The username entered by the staff
- password: The password specified by the staff
- ipaddress: The IP address of the staff attempting to log in
- interface: The interface from which the staff is attempting to log in. For example: staff, admin, winapp, mobile
The LoginShare script needs to reply with XML that corresponds to one of the following formats:
It is important to add interface-related checks to your script, or you could end up allowing access to the Admin CP.
<?xml version="1.0" encoding="UTF-8"?>
<loginshare>
  <result>0</result>
  <message>Invalid Username or Password</message>
</loginshare>
All staff user accounts created by the LoginShare system will have a random password assigned to them.
<?xml version="1.0" encoding="UTF-8"?>
<loginshare>
  <result>1</result>
  <staff>
    <firstname>John</firstname>
    <lastname>Doe</lastname>
    <designation>CEO</designation>
    <email>firstname.lastname@example.org</email>
    <mobilenumber>123-456-789</mobilenumber>
    <signature>John Doe(email@example.com)</signature>
    <team>Staff</team>
  </staff>
</loginshare>
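The request and reply formats above, as an added Python example that is not Kayako's own code: a handler that checks the password, applies an interface check before granting access, and builds both XML replies. The user store, the per-account `interfaces` allowlist, the PBKDF2 parameters and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
from xml.sax.saxutils import escape

def pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample directory; a real script would query LDAP or an intranet database.
USERS = {
    "jdoe": {
        "salt": b"constructed-salt",
        "hash": pbkdf2("correct horse", b"constructed-salt"),
        # Hypothetical per-account allowlist: no "admin", so this login never reaches the Admin CP.
        "interfaces": {"staff", "mobile"},
        "profile": {
            "firstname": "John", "lastname": "Doe", "designation": "CEO",
            "email": "john.doe@example.org", "mobilenumber": "123-456-789",
            "signature": "John Doe <john.doe@example.org>", "team": "Staff",
        },
    },
}

def render(result, body):
    return ('<?xml version="1.0" encoding="UTF-8"?>\n<loginshare>\n'
            f"  <result>{result}</result>\n{body}</loginshare>\n")

def deny():
    # Same reply for every failure, so the response does not reveal which check failed.
    return render(0, "  <message>Invalid Username or Password</message>\n")

def loginshare(post):
    """Handle one request; post holds username, password, ipaddress, interface."""
    user = USERS.get(post.get("username", ""))
    # Hash even for unknown usernames so both paths do comparable work.
    salt = user["salt"] if user else b"\x00" * 16
    candidate = pbkdf2(post.get("password", ""), salt)
    if user is None or not hmac.compare_digest(candidate, user["hash"]):
        return deny()
    # Fail closed: a missing, unknown or non-allowlisted interface is denied.
    if post.get("interface") not in user["interfaces"]:
        return deny()
    # Escape directory values so characters like < and & cannot break the XML.
    fields = "".join(f"    <{k}>{escape(v)}</{k}>\n" for k, v in user["profile"].items())
    return render(1, f"  <staff>\n{fields}  </staff>\n")
```
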
How are staff identified?
Each staff account is identified based on the username of that account. The system expects each staff username to be unique; otherwise it will simply end up updating the staff record every time a new staff user attempts to log in.
How are authentication failures handled?
Staff control panel
The staff will be denied access to the staff control panel.
Administrator control panel
The system will attempt to authenticate the staff against the user account information in Kayako's default authentication system (stored in your helpdesk's database). This is to prevent any lockouts in case your LoginShare script fails or becomes unreachable.
All staff accounts created in Kayako's default authentication system as a result of LoginShare authentication will have secure random passwords assigned to them. This means that only the staff created prior to the implementation of LoginShare will be able to log in using this fallback method.