Lightweight Directory Access Protocol (LDAP) and external Single Sign-On (SSO) let users log in to Mavis with the credentials they already use in your organization. Once an administrator has configured one of these methods, personnel can log in without a separate set of Mavis credentials.
Important Notes Before Starting
Mavis only allows one external login authentication method at a time.
Once an external authentication method is enabled, users created locally in Mavis can no longer log in with their Mavis credentials (Mavis administrators can still log in with their Mavis credentials).
When SSO (Microsoft) is enabled, a user whose email from the SSO provider matches an existing Mavis account is linked to that account. If no match exists, a new user is created with the SSO email as the account name.
Configuration Overview
1. Configure LDAP Integration in Mavis
Version Differences: V1.16.2 & V1.15.3
----------------------------------------------------------------------------------------------------
For Version V1.16.2 and Later
Only users with the administrator role can manage users from the Management Interface.
1. Go to Management Interface
2. Select System Administration
3. Select Login Authentication
4. Click Edit
5. Under Source, check LDAP
Field Descriptions:
| Field | Description |
|---|---|
| Secure Connection (SSL) | Default: Disabled. Enable if the LDAP server accepts SSL/TLS-encrypted (LDAPS) connections. |
| LDAP Provider | Currently supports Windows AD only. |
| URL | LDAP server connection information (IP address or domain name). |
| Port | Default: 389 |
| Bind Account / DN | Provide an LDAP account with admin privileges that Mavis uses to search user information. Examples: cn=Administrator,cn=Users,dc=mavisdemo,dc=com or Administrator@mavisdemo.com |
| Bind Password | Password for the bind account. |
| Base DN | Example: DC=mavisdemo,DC=com |
| Auto-Sync | Default: Disabled. When enabled, Mavis synchronizes with the LDAP server every 2 minutes; accounts removed from LDAP are also removed from Mavis. |
| Group Preview | Displays all groups under the Base DN. Each group can be assigned as administrators or general users; for users not in any group, select No Group User. |
| Custom Filter | Optional advanced user filter. Only users matching both the Group Preview selection and the Custom Filter are synchronized. Example: (&(objectClass=user)(memberOf=CN=usinfra,OU=usoffice,DC=mavisdemo,DC=com)). To exclude disabled accounts: (!(useraccountcontrol:1.2.840.113556.1.4.803:=2)) |
| Admin Filter | Filter selecting the users to assign as administrators. Example: (memberOf=CN=Administrators,CN=Builtin,DC=mavisdemo,DC=com) |
| User Preview | Displays the list of users matching the current settings. |
Configuration Steps:
6. LDAP Provider: select Windows AD
7. URL: enter the LDAP server connection information
8. Port: default 389
9. Bind Account / DN: enter the bind account
10. Bind Password: enter the bind password
11. Base DN: e.g., DC=mavisdemo,DC=com
12. Auto-Sync: when enabled, Mavis synchronizes with the LDAP server every 2 minutes (enabled in this example)
13. Group Preview: click Refresh Preview to list the groups under the Base DN
14. Select the groups whose users to import and assign a role to each:
    Administrator: imported users become administrators
    User: imported users become general users
    Skip: do not import
    Note: Custom Filter can further refine the user selection; it is not configured in this example.
15. Preview Sync Result: run the test to preview the synchronization result
16. User Preview: displays the users matching the configuration
17. Click Save
18. Manual Sync: when executed, LDAP user data is immediately synchronized to Mavis
-----------------------------------------------------------------------------------
LDAP Integration (Versions Prior to V1.15.3)
Users must have the administrator role to manage users via the Management Interface.
Steps:
1. Select Management Interface
2. Select System Administration
3. Select Login Authentication
4. Click Edit
5. Under Source, check LDAP
Field Descriptions:
| Field | Description |
|---|---|
| Secure Connection (SSL) | Default: Disabled. Enable if the LDAP server accepts SSL/TLS-encrypted (LDAPS) connections. |
| LDAP Provider | Currently supports Windows AD only. |
| URL | LDAP server connection information (IP address or domain name). |
| Port | Default: 389 |
| Bind Account / DN | Provide an LDAP account with admin privileges that Mavis uses to search user identity information. Examples: cn=Administrator,cn=Users,dc=mavis-ldap,dc=com or Administrator@mavis-ldap.com |
| Bind Password | Password for the bind account. |
| Base DN | Example: dc=mavis-ldap,dc=com |
| Auto-Sync | Default: Disabled. When enabled, Mavis synchronizes with the LDAP server every 2 minutes. Accounts removed from LDAP are set to inactive in Mavis after the next sync. |
| User Filter | Advanced user filter. Example: (&(objectClass=user)(memberOf=CN=usinfra,OU=usoffice,DC=mavis,DC=ltd)). To exclude disabled accounts: (!(useraccountcontrol:1.2.840.113556.1.4.803:=2)) |
| Admin Filter | Filter selecting the users to be synced as administrators. Example: (memberOf=CN=Administrators,CN=Builtin,DC=mavis,DC=ltd) |
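Checking a filter before pasting it into Mavis: the following is an added example, not Mavis code, for the filter syntax used in the Custom Filter / User Filter and Admin Filter fields of both tables above. It parses the filters and evaluates them against constructed user entries, so you can see which accounts would be synchronized and with which role before running a sync against the real directory. The filter strings are the tables' own examples (joined with & because Mavis synchronizes only users matching every configured filter); the user entries are constructed.

```python
"""Evaluate the Active Directory LDAP filters shown in the Mavis field tables
against constructed user entries (added example, not Mavis code).

Supports RFC 4515 filters with &, |, ! and equality items, plus the AD
bitwise-AND matching rule 1.2.840.113556.1.4.803 used to exclude disabled
accounts (userAccountControl bit 0x2)."""

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND

# Examples from the field tables, joined with & (all filters must match).
USER_FILTER = ("(&(objectClass=user)"
               "(memberOf=CN=usinfra,OU=usoffice,DC=mavisdemo,DC=com)"
               "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
ADMIN_FILTER = "(memberOf=CN=Administrators,CN=Builtin,DC=mavisdemo,DC=com)"

# Constructed directory entries: lower-case attribute name -> list of values.
USINFRA = "CN=usinfra,OU=usoffice,DC=mavisdemo,DC=com"
ADMINS = "CN=Administrators,CN=Builtin,DC=mavisdemo,DC=com"
USERS = {
    "alice": {"objectclass": ["user"], "memberof": [USINFRA, ADMINS], "useraccountcontrol": ["512"]},
    "bob":   {"objectclass": ["user"], "memberof": [USINFRA], "useraccountcontrol": ["514"]},  # 512|0x2: disabled
    "carol": {"objectclass": ["user"], "memberof": [USINFRA], "useraccountcontrol": ["512"]},
    "dave":  {"objectclass": ["user"], "memberof": [ADMINS], "useraccountcontrol": ["512"]},   # not in usinfra
}


def parse_filter(text: str):
    """Parse a filter into ('&'|'|', [children]), ('!', child) or
    ('=', attr, rule_or_None, value). Raises ValueError on malformed input."""
    s = text.strip()
    node, pos = _parse_node(s, 0)
    if pos != len(s):
        raise ValueError(f"trailing characters at offset {pos}")
    return node


def _parse_node(s: str, i: int):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse_node(s, i)
            children.append(child)
        if not children:
            raise ValueError("empty compound filter")
        return _close((op, children), s, i)
    if s[i] == "!":
        child, i = _parse_node(s, i + 1)
        return _close(("!", child), s, i)
    end = s.find(")", i)                  # simple item runs up to the next ')'
    if end == -1:
        raise ValueError("missing ')'")
    item = s[i:end]
    if ":=" in item:                      # extensible match: attr:rule:=value
        lhs, value = item.split(":=", 1)
        attr, _, rule = lhs.partition(":")
        return ("=", attr.lower(), rule or None, value), end + 1
    if "=" not in item:
        raise ValueError(f"no '=' in item {item!r}")
    attr, value = item.split("=", 1)
    return ("=", attr.lower(), None, value), end + 1


def _close(node, s: str, i: int):
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, rule, value = node
    values = entry.get(attr, [])
    if rule == BIT_AND_RULE:              # true when every bit of the mask is set
        mask = int(value)
        return any(int(v) & mask == mask for v in values)
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    return any(v.lower() == value.lower() for v in values)  # AD DNs compare case-insensitively


def is_valid_filter(text: str) -> bool:
    """True if the filter parses; catches the usual unbalanced-parenthesis paste error."""
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def assign_roles(user_filter: str, admin_filter: str, users: dict) -> dict:
    """Return {name: 'Administrator'|'User'} for users passing user_filter;
    users failing it are skipped, mirroring the Administrator/User/Skip choice."""
    user_tree, admin_tree = parse_filter(user_filter), parse_filter(admin_filter)
    roles = {}
    for name, entry in users.items():
        if matches(user_tree, entry):
            roles[name] = "Administrator" if matches(admin_tree, entry) else "User"
    return roles


if __name__ == "__main__":
    for name, role in assign_roles(USER_FILTER, ADMIN_FILTER, USERS).items():
        print(f"{name}: {role}")  # alice: Administrator, carol: User; bob and dave skipped
```

With the constructed entries, alice is synchronized as an administrator, carol as a general user, bob is skipped because the disabled bit is set, and dave is skipped because he is not a member of the usinfra group. Note that the searches these filters drive need only read access to the Base DN subtree, so the bind account can be a dedicated read-only account rather than a domain administrator.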
18. System Sync: LDAP user accounts under the specified server path are synchronized to Mavis every 24 hours. The system log messages show the periodic sync and confirm that the accounts have been synchronized to Mavis.
Note: LDAP integration may take 2–3 minutes to take effect after configuration. Users can then choose LDAP authentication at the login page (the login page shows a button for each available option).
Troubleshooting
| Error Message | Explanation |
|---|---|
| Invalid Username or Password | LDAP login failed. Ensure credentials are correct. |
| Duplicate User Account | LDAP user account already exists in Mavis, violating the unique account policy. Options: remove the account in Mavis or modify the LDAP username. |
| Duplicate User Email | LDAP user email already exists in Mavis, violating unique email policy. Options: remove the email in Mavis or modify the LDAP email. |
| Missing Email | LDAP user email information is missing. Contact the LDAP administrator to ensure it is configured. |
2. Microsoft Authentication Integration
Log in to https://portal.azure.com/#home
1. Select Azure Active Directory
2. Select App Registrations
3. Click New Registration
4. Enter a custom name
5. Supported account types: select your organization's account type; this example uses Accounts in this organizational directory only (single tenant)
6. Click Register
7. Note the Application (client) ID
8. Note the Directory (tenant) ID
9. Go to Authentication
10. Click Add a Platform
11. Select Web
12. Redirect URI: enter https://<Mavis URL>/sso/microsoft (example: https://shun.mavisdemo.com/sso/microsoft)
13. Click Configure
Create a client secret; for security reasons, set an expiration time for the secret.
14. Click Certificates & Secrets
15. Select Client Secret
16. Click New Client Secret
17. Expiration: set a custom expiration date
18. Click Add
19. Secret Value: copy the secret value. Note: this field is hidden once the page is reloaded.
Required for Mavis configuration:
Tenant ID
Client ID
Secret Value
Mavis Configuration:
1. Select Management Interface
2. Select System Administration
3. Select Login Authentication
4. Click Edit
5. Source: select Microsoft
6. Enter Tenant ID
7. Enter Client ID
8. Enter Secret Value
9. Click Save
After saving, it may take 2–3 minutes for Mavis to complete the integration with Microsoft (Azure AD). Once the integration is complete, users can choose Microsoft authentication at the login page (the login page shows a button for each available option).
3. How to Integrate Login Authentication via Google SSO
Set up Workspace on Google
1. Create a Project (skip if you already have one)
Go to the following URL to create a new project and enter your project name:
https://console.cloud.google.com/projectcreate
1. Enter the project name
2. Select your organization
3. Click CREATE to create the new project
2. Set up OAuth consent
Go to the following URL to configure OAuth consent:
https://console.cloud.google.com/apis/credentials/consent
1. Enter the target audience
2. Set User Type to Internal
Note: In Internal mode, only users within your organization's Google Workspace can access the app. In External mode, users both inside your organization and general Gmail users can access the app.
3. Click Credentials
4. Click Create Credentials
5. Select Web Application
6. Enter a custom name
7. Authorized JavaScript origins: enter your Mavis URL (e.g., https://shun.mavisdemo.com)
8. Authorized redirect URIs: enter https://{Mavis URL}/sso/google (e.g., https://shun.mavisdemo.com/sso/google)
9. Click Create
10. Copy and save the Client ID
11. Copy and save the Client Secret
12. Click Done
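The redirect URI entered at the identity provider (step 12 of the Microsoft registration and step 8 above for Google) is matched literally by the provider, so a trailing slash, an http:// scheme or a different host is enough for the login callback to be rejected. The following added example, not Mavis code, derives the values to register from the Mavis base URL and checks a URI as typed against them. The callback paths /sso/microsoft and /sso/google and the sample base URL https://shun.mavisdemo.com are taken from the steps above.

```python
"""Derive and check the redirect URI / JavaScript origin registered at the
identity provider for a Mavis instance (added example, not Mavis code)."""
from urllib.parse import urlsplit

# Callback path Mavis exposes for each provider (from the configuration steps above).
CALLBACK_PATHS = {"microsoft": "/sso/microsoft", "google": "/sso/google"}


def expected_redirect_uri(mavis_base_url: str, provider: str) -> str:
    """Build the redirect URI to register for a provider from the Mavis base URL."""
    if provider not in CALLBACK_PATHS:
        raise ValueError(f"unknown provider {provider!r}")
    parts = urlsplit(mavis_base_url.rstrip("/"))
    return f"{parts.scheme}://{parts.netloc}{CALLBACK_PATHS[provider]}"


def expected_js_origin(mavis_base_url: str) -> str:
    """Google's Authorized JavaScript origins take scheme and host only, no path."""
    parts = urlsplit(mavis_base_url)
    return f"{parts.scheme}://{parts.netloc}"


def check_redirect_uri(configured: str, mavis_base_url: str, provider: str) -> list:
    """Return the problems found in a redirect URI as typed at the IdP; [] means it matches."""
    problems = []
    want = urlsplit(expected_redirect_uri(mavis_base_url, provider))
    got = urlsplit(configured.strip())
    if got.scheme != "https":
        problems.append(f"scheme is {got.scheme or 'missing'}, must be https")
    if got.netloc.lower() != want.netloc.lower():
        problems.append(f"host {got.netloc!r} does not match the Mavis host {want.netloc!r}")
    if got.path != want.path:
        # Compared exactly on purpose: providers match the registered path literally.
        problems.append(f"path {got.path!r} must be exactly {want.path!r}")
    if got.query or got.fragment:
        problems.append("redirect URI must not carry a query string or fragment")
    return problems


if __name__ == "__main__":
    base = "https://shun.mavisdemo.com"  # sample Mavis URL from the page
    for provider in CALLBACK_PATHS:
        print(provider, expected_redirect_uri(base, provider))
    print("js origin", expected_js_origin(base))
    for problem in check_redirect_uri("http://shun.mavisdemo.com/sso/microsoft/", base, "microsoft"):
        print("problem:", problem)
```

Run the check against the URI exactly as it appears in the provider's console; an empty result means it will match the callback Mavis issues.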
Once these steps are complete, you should have the following information:
Client ID
Client Secret
3. Configure Login Authentication on Mavis
Only users with the administrator role can manage users via the Management Interface.
1. Select Management Interface
2. Select System Administration
3. Select Login Authentication
4. Click Edit
5. Source: select Google
6. Enter Client ID
7. Enter Client Secret
8. Click Save
After the Google SSO integration is complete, users can choose to authenticate with their Google account when logging in. (Users will also see different login buttons on the login page.)