Anywhere Management Center
Configuration Sections
The MindLink Management Center will load with the Licence configuration as its default page. The user can navigate through different configuration settings by using the navigation tree on the left, which includes the following configuration sections:
Licence
The licence page ensures the products you are using are supported by MindLink and that only the correct products (as stated by contract) are in use. Once you install a product's management center the License tab will be the first tab you see. Each Management center requires a valid license file to be provided.
License File
The Browse for license file... button opens a file browser window, from which you select the licence file provided during your purchase of the MindLink Product(s); This will be the file you received within the correspondence with your account manager.
Once the file is selected the details will populate as long as the license is valid.
License errors
If the license is not accepted there will be an error message that indicates the cause of the issue.
Please contact your account manager to receive a current license within contract renewal.
License Details
Selecting a valid license file will populate the details section with the license information.
License holder: This field specifies the Company name the license is issued to and also the product owner at the time of purchase.
Expiry date: The date the product expires. At this time (grace period built in) the product will cease to function.
Details: This field contains the product/s that the license has been issued for. MindLink will not run with an incorrect product license (a single license can be issued for multiple products).
Enabled users
This capacity is based on the number of users who could log on, rather than the current number of users logged on.
The system periodically checks the number of users who could log on and starts rejecting new logins if it sees that the number of hypothetical users is larger than the licensed capacity.
Logging
The logging section enables the user to configure the logging level as well as the log file location for the Connector Service.
Please note that logging on the Connector Service is performed using the Microsoft Enterprise Library Logging Application Block.
MindLink Server
Logging Level
By default logging is configured as follows:
- Error level - Error class events
- Warning level - Warning class events (Recommended)
- Info level - Info class events
- Verbose level - All class events
Log file location can be set by Clicking on the Browse button, where an absolute path to a new log file location can be chosen, or you can manually edit the field to a path relative to the Connector Service install location.
The account used to run the Connector Service must have write access to the install location of the product in order to log to the rolling log file. By default, the file can be found at %ProgramFiles%\MindLink Software\MindLink Application\ConnectorService\Logs\Connector.log
Enable audit logging enables audit logs for every user interaction on the chat system.
Add advanced logging configuration to record user logins in a separate file
The Advanced tab allows key/value pairs to be used to configure additional logging functionality
See the Advanced section for details
General
The General section lets the user configure the general settings that will be applied to the Connector Service.
Information Service
Information service port: The port number used when behind a load-balancer to provide a service heart-beat. Port can be tested with http://{server}:9007/InfoService/Status
File Transfers
Maximum concurrent downloads: The maximum number of allowed concurrent file download requests.
If an attempt is made to download a file when the number of active file downloads to the server is equal to the number specified, the download will fail with an error indicating that the server limit is currently exceeded and to try again later.
Maximum concurrent uploads: The maximum number of allowed concurrent file upload requests.
If an attempt is made to upload a file when the number of active file uploads to the server is equal to the number specified, the upload will fail with an error indicating that the server limit is currently exceeded and to try again later.
Maximum file size for file uploads: If the configured connector supports file posting, the maximum size of files in kilobytes allowed to be uploaded.
If an attempt is made to upload a file that is larger than the specified size, the server will return an error indicating that the file is too large to upload.
Features
Enable instant messaging:
When set, allows connected clients to use one-to-one messaging.
When not checked, user presence will not be published, instant messaging will be disabled, and the client will be limited to group messaging functionality. Any client that exposes instant messaging functionality when instant messaging is disabled will receive failure notifications from the server when an attempt is made to use such functionality.
MindLink Requires at least one chat modality - instant messaging or group chat - to be enabled
Enable group chat:
When set, allows connected clients to use group chat.
When not checked, group chat preferences are not loaded and users will not see any groups or chat rooms to which they are subscribed in their contacts list nor will they be able to search for and add groups.
MindLink Requires at least one chat modality - instant messaging or group chat - to be enabled
Allow user to disable instant messaging
When set, allows users to specify whether they want to log on with or without the instant messaging capability enabled on their web or mobile client.
When not checked, users will not be able to choose to enable/disable instant messaging upon login and the setting will default to the configuration in the management center .
Allow user to disable group chat
When set, allows users to specify whether they want to log on with or without the group chat capability enabled on their web or mobile client.
When not checked, users will not be able to choose to enable/disable group chat upon login and the setting will default to the configuration in the management center .
Enable file transfers in 1-1 conversations
Allows users to upload files into IM conversations. This functions the same as file uploads into Group Chat conversations, supporting most file formats. Images, Text files, PowerPoint, videos, Excel files and .PDF files are all supported, among other file types. Any file upload must comply with the size restrictions configured in the File transfers section above.
Enable audio calls
Enables audio calls in MindLink. The call option will be available in IM conversations, as one-to-one calls, and in Multiparty conversations as a conference call. Both call types are cross-platform compatible with the native Skype for Business clients.
More information can be found on the Voice Troubleshooting page.
Enable setting profile pictures
Allows user to set profile pictures in the web client.
Users can add, change or remove profile pictures through the MindLink client itself. This functionality must be enabled in the management tool first and allows a user to make changes from their contact card. When configured, a 'Upload photo' button will be showing on the contact card.
When not check profile pictures can be view in the MindLink client, but users are not able to set a profile picture.
Message Constraints
Maximum message length: The number of characters that a single message can include.
If an attempt is made to send a message that is longer than the specified length, the server will automatically convert the message to a Story.
Maximum story length: The maximum number of characters that a single story can include.
If an attempt is made to send a story that is longer than the specified length the server will not send the message and will return an error indicating that the story exceeded the maximum allowed length.
Add-Ins
These are special panels that appear below the chat input in chat rooms. The system administrator configures which panel appears in which chat room using the Group Chat Administration Tool.
Add-ins are entirely optional and do not need to be configured to deploy MindLink Anywhere.
Client Add-Ins are web pages hosted inside the Group Chat Console client, which communicate with the parent window using JavaScript.
MindLink Anywhere hosts each Client Add-In inside a Html IFRAME element within the MindLink Anywhere page. The Client Add-In can communicate with MindLink Anywhere using the same JavaScript calls as in the Group Chat Console client.
However, to enable this communication to happen, both MindLink Anywhere and the Client Add-In page must be served from the same domain and port address. This is a standard security requirement enforced by all browsers.
For instance, if MindLink Anywhere is served from http://www.MindLink.net/MindLink Anywhere, then for any Client Add-In to be shown in MindLink Anywhere it must also be served from a relative path on http://www.MindLink.net e.g. http://www.MindLink.net/myclientaddin
In an enterprise environment, it is often not the case that MindLink Anywhere and any Client Add-Ins will be served from the same actual machine. Hence, they will be served from different domains/ports and so Client Add-In/MindLink Anywhere communication will be forbidden. The use of a reverse-proxy is therefore required to mux requests to MindLink Anywhere and to any configured Client Add-Ins to the same domain. See the Prerequisites page to Configure Add-in Proxies
Skype for Business
The Adaptor section manages the selection of the underlying chat system to which to connect and the infrastructure DNS servers that define the chosen platform.
Topology
Server Version: Select the chat platform from the dropdown : Skype 2015 or Skype 2019
Autoprovision server information: Enable the auto detection of the Front End Server. This will allow the server to detect any server changes within the Topology and auto configure the new servers.
Autoprovisioning application ID: Enter the Application ID of the trusted application on the Front End. Only required if 'Autoprovision server information' is enabled
Local Server Name: Manually enter the FQDN of the local machine, if autoprovisioning will not be utilised.
Next hop connection
Server Name: Manually enter the FQDN of the Skype for Business front end or pool server. Only required if autoprovisioning is not used.
Trusted Application Server
Server/Listen Ports: The default communication port for Skype used by the Front End Server to listen on when using trusted authentication.
- MindLink Anywhere => 4097
Platform Certificate: The certificate to use for establishing an MTLS connection with the Skype for Business server.
Persistent Chat
Explicit Explicit connections involve specifying specific chat pools in the management tool. Only users within those specified persistent chat pools can login. A single chat pool can be specified in the Default Persistent Chat pool endpoint address field. Multiple chat pools are specified by clicking the Connect to multiple Persistent Chat pools checkbox. Entries added in the table can be removed by pressing the Delete key.
Auto provision Auto provisioned connections allow users to login as any user located on the configured persistent chat pools on the server. The user does not need to specify any of the configured chat pools to login as users located on them.
Auto Provision Group Chat Information: Automatic discovery of the lookup address for querying Group Chat. Use this option to look at multiple chat pools.
Default Persistent Chat pool endpoint address: Manually enter the lookup address for querying Group Chat. This is the address created upon activation; use Get-csPersistentChatEndpoint to identify.
Connect to Multiple Persistent Chat pools
Users can connect to multiple persistent chat pools. This allows users to join chat rooms that are located on any of the specified persistent chat pools - within the limits of membership and permissions.
Troubleshooting
Use untrusted connection: To Debug the communication protocol and transport mechanism during debug mode.
Disable transport: The transport type between the Connector service and the SfB pool e.g. TLS or TCP during debug mode.
Authentication Protocol: Domain protocol set to either NTLM or Kerberos.
Conversation History
Conversation History: Enable conversation history saving and loading.
Preferences
Preferences: Sets the file repository for saving local preferences.
Private File Transfers
Private file transfer cache - Specified directory where private file transfers cache folders are kept
Sessions
Session timeout: This sets the timeout for MindLink Anywhere. The MindLink client will be set to an idle/away status after being disconnected from the network after the configured time has elapsed.
Active Directory
LDAP Connections
Autodiscover global catalogue: When enabled, the Active Directory configuration will be autodiscovered for the given forest
Skype for Business forest name: Select the relevant forest name in which platform is installed and base for AD operations for users.
Server name: Manually enter the FQDN of the LDAP server is Auto-Discover is not detecting correctly.
Use default port: Default port number of the Global Catalogue used to look-up user SIP addresses from Active Directory i.e. 3268.
Port number: To enter a custom port number to look-up user SIP addresses from Active Directory.
Timeout (seconds): Specify the time interval in seconds for Active Directory queries.
Use default naming context: Auto-discover the name of the root context of the directory. Use this is membership is not restricted.
Naming context: Manually enter full OU path if users are to be restricted to this AD OU object
Authentication
Search filter: Must be configured, responsible for retrieving a sip address for a user via Active Directory.
Default user domain: The default domain that will be used if a user does log specify a domain in their user name when logging on.
Restrict usage to members of a group. Restrict access to Members of this AD Group to be able to log in
Restricted group distinguished name: Select the Group from the dropdown (start typing the name to dynamically list) if users are to be restricted to this AD Group.
Exchange
Administrators can explicitly configure how the exchange server is resolved.
Exchange Web Services settings
Autodiscover Exchange Web Services Enable to automatically discover the exchange server for a user's email address.
Exchange Web Services URL: Manually provide the Exchange server URL.
Use default Exchange autodiscover URLs When enabled, the default Exchange autodiscover URLs will be used as recommended by the exchange installation.
Exchange autodiscover URLs Manually enter the Exchange autodiscover URLs. A list of well-known URLs can be added and the management center will look to resolve the exchange server name based on them.
Network
This section is for configuring network connections.
in most scenarios, the default values will suffice, though HTTP Proxy settings may be provided here if required.
Call routing
This section is for configuring connections to STUN/TURN servers for voice call routing.
A configuration here is only required if you enable Audio Calling, and require ICE Server infrastructure.
Group Aliases
When enabled, per-room aliases can be set in chat rooms.
Users will be able to set Alias display names in groups. This will replace the user display name with a custom name of up to 50 characters.
The user's actual name will still show below their alias name in smaller, grey text.
Enable group aliases This enables aliases in chat rooms.
Database connection string: Configure the connection string with the following syntax: Server=FQDN SQL server; Initial Catalogue=SQL catalogue; Integrated Security=SSPI
or if you wish to use a Failover SQL partner you could use the following syntax: Server=FQDN SQL server; Failover Partner=FQDN SQL partner; Initial Catalogue=SQL catalogue; Integrated Security=SSPI
Override credentials for this operation If the user running the management center does not have sufficient SQL permissions, then these can be overridden by a set of credentials that have sufficient permission by your SQL administrator.
After adding the credentials for the user, the connection to the database will need to be tested. The management center will display an error if the configuration is incorrect.
Test the connection To check the validity of a relevant SQL database connection string and the override credentials , select 'Test'. The following steps may differ and as such are outlined in the two scenarios listed below.
Once the database connection has been tested successfully, the MindLink service can be started.
Translation
Message translation is an optional feature that allows users to translate messages in a conversation from any foreign language into their target language, which they configure on the Logon page.
Enable translation will activate the translation configuration in the following section:
Translation service
Translation service-based URL: This is the URL of the translation service you are using.
API key: This is the key to your translation service used to provide the functionality.
API key HTTP header name: This is the HTTP header name for the API key.
Configuring message translation will show the language picker on the log in page. From here users can select their language preference from the languages provided by the translation service.
Custom Preferences
The administrator is able to keep a repository of user preferences. This enables the continuation of preferences across group chat sessions. This also allows for the ability to read preferences across nodes.
An example of such a deployment could be a file share across a network. This allows an administrator to store preferences across multiple machines within a network (if required) meaning that changes made on one machine persist across multiple nodes when the same file store is referenced. In this sense, preferences can be stored cross-site.
Custom preferences repository location: The pathway in which the preferences are written to, which can be anywhere that is capable of being read and written to; including across networks. If you don't know where to put it the MindLink install directory can be used, as shown in the screenshot.
The Test button will assess access to the provided pathway. In the event the file pathway referenced is not accessible it is possible to either A) change location (in the event it is invalid) OR B) Provision access rights to the service account running MindLink Anywhere, which is a prerequisite to utilising the custom preferences repository. If successful the message "Custom preferences repository location is available" will show.
Also worth noting is the possibility of having preferences persist during an outage such as in an active-passive disaster recovery scenario. If two machines are connected properly and preferences are shared it is possible that in the event machine 1 falls, machine 2 can pick the preferences up without any outage on the user side. Please note that a batch job would have to be setup to facilitate this transference of preferences across the machines
Content classification
Content classification settings
Enable conversation and message classification:
The master setting used to enable/disable classification functionality.
Scheme file path:
The path to the Classification schema .XAML file
Attribute mapping file path:
The path to the user attributes mapping .XML file
Enable global classification banner:
When enabled a banner is displayed at the top and bottom of the MLA client, displaying the users highest attribute clearance level.
Enable default classification:
A default classification pre-populates the classification builder with the configured attributes. Without a default classification set, users will need to select a classification from the picker before being able to send a message.
Default marking IDs:
ID(s) of attribute(s) are configured and will be used as the default classification for the picker when users have not already set their own classification.
Test Harness
The test harness allows a test file to be run, returning success and failure results of the configuration.
The XML you provide will be run against the classification system to return results.
Tests Source
Tests file location: the path to the test XML file the Browse button will allow a file to be selected
Execute tests button will run the XML and return the results
Test Results
Here, results from the XML are returned. A pass/fail result will be shown against each test.
Community of Interest
Enable communities of interest
This setting enables/disables communities of interest
Attribute name
This is where attributes are defined
Metadata configuration file path:
Path to the CommunitiesOfInterestConfig.xml file
IM Ethical Wall
Enable instant messaging ethical wall
The setting enables/disables the ethical wall feature.
Ruleset configuration file path
Path to the EthicalWallConfiguration.xml file.
User attributes provider
The User Attribute Provider page must be configured if any one or more of the following dependant features are enabled :
- Classification
- Communities of Interest
- IM Ethical Wall
- Attribute based Access Control
Server settings
- Pre-v23.2
- Server URL: The server url needs to follow the format of https://authorizationserver.net:8443/api/entity/{0}&issuerDN={1}&abbreviate=false&specification=Sept2020
v23.2+
Server URL:
When the "User attribute provider type" is set to HWAC, the server url needs to follow the format of:
https://attribute.service.com:8443/api/entity/{0}&issuerDN={1}&abbreviate=false&specification=Sept2020When set to SLAM, the server url needs to follow the format of:
https://attribute.service.com:8443/rest/v3/users/{dn}/infoplus
User attribute provider type: Determines the type of attribute service being used.
Client certificate: The client certificate required to authenticate against the Attribute Server.
Cache settings
Disable caching Disables Caching of user attributes
Cache timeout (minutes): If caching is enabled a timeout interval can be configured.
Attribute based access control
Enable attribute-based access control This setting enables/disables the ethical wall
Attribute name The name of the attribute(s) that will be utilised for ABAC functionality
Attribute value
The Attribute value(s) to assert access rights to the client. Multiple attribute values can be provided to further specify the requirements.
Advanced
Behind each UI configuration in the Management Center, a key-value pair is responsible for mapping configuration values to assigned functionality.
These key/value configurations are saved to C:\Program Files\MindLink Software\MindLink Anywhere\ManagementTool\staging.config
The Advanced page gives administrators an accessible interface to directly configure key/value pairs in the Management Center.
- This section is usually used to add new configuration keys for features that don't have an existing UI configuration available yet.
- In most cases, these take the form of debug keys - a key with debug. at the start.
- If advanced keys are required for a feature, the documentation will outline each key and the expectations for its value in the respective feature's documentation section.
- While the Advanced page can be used to configure keys for any of the functionality with a UI configuration, too, it is not recommended and is rarely beneficial.
Custom Settings
| Configuration Key | Configuration setting value |
|---|---|
| Key | Value |
| global.message.maxlength | 200 |
| Key | Value |
| debug.web.client.disclaimer.nocache | True |
Configurations are added to the Advanced page as table rows. Each row requires a key and a value, creating a key/value pair.
Some configuration changes require several dependant key/value pairs to complete the configuration, such as MCE or the "Add advanced logging configuration to record user logins in a separate file" scenario below.
Notes when using Advanced Keys
- Invalid keys will be ignored
- Invalid values for valid keys are likely to cause the MindLink service to crash on start-up
- Rows are mutually exclusive: while some features require multiple key/value pairs to set up, you can add other keys on rows between them
- For ease-of-use it is recommended to keep related keys grouped together.
- Rows cannot be reordered in the Management Center, but it is possible for advanced administrators to modify the order of advanced keys in the staging.config file directly.
- For maximum resiliency, creating a backup of the staging.config is recommended before attempting this.
- The Management center should be closed before modifying the Staging.config file.
- Advanced keys are saved at the bottom of the Staging.config file, with the format
<add key="advanced: " value=" " /> - Selecting an entire line and cut-pasting it above/below other advanced keys will re-order the Advanced table after changes to the config file are saved and the management center is re-opened.
- Advanced keys should not be moved out of the assigned advanced key section at the bottom of the config file; reordering advanced keys should remain localized to above/below the other advanced keys.
Advanced Keys and UI configurations - What takes priority?
In a scenario where you have Advanced keys that map to a feature also configured in the UI pages, only one of these can be applied to the final configuration.
There are several factors that determine the final configuration, with the specifics detailed in the dropdown below.
In short, advanced keys will be prioritized if the UI also configures the same underlying key.
- Manually adding a new key (without the
debug.prefix) will be prioritized. - Upgrading from a version without a UI configuration to a version with a UI, the key will still be prioritized if it doesn't include the
debug.prefix, though the upgrade process should also migrate key's values to the UI and remove the old keys. debug.keys are added to earlier release versions before a UI configuration is released.- A key with
debug.wont have a UI configuration yet, so it will always be applied. - When the UI configuration is added, we remove the
debug.prefix from the corresponding key(s). Each key's value will be migrated to the UI automatically and the olddebug.keys will be ignored.
- A key with
Full details for keys' application and upgrade scenarios:
Generally, Advanced keys take priority over UI configurations.
- This happens whenever a key added to the Advanced page is the same as the underlying key of the UI configuration.
- Advanced keys are applied after the UI configuration on start-up.
- Key/value migration will take place when upgrading from a version requiring Advanced configuration to a new version that adds a UI configuration (this applies to
debug.and Standard keys)- Values for old keys will be automatically migrated to the new UI configuration section
- The old key(s) should be removed from the Advanced page.
In the event you upgrade your MindLink version from a version requiring Advanced keys to configure functionality to a newer version that includes UI configuration for that functionality, the results will depend on the type of keys that were used:
- starts with
debug.- If the previous version configured the feature with debug keys, the debug key(s) will be ignored.- When adding the UI configuration, the
debug.prefix is removed from the underlying key(s). - Old debug keys that have been migrated no longer correspond to the feature and will be ignored.
- If, for whatever reason, a debug key is not removed in the migration (or is added back later) it will be ignored.
- When adding the UI configuration, the
- does not start with
debug.- If the previous version configured the feature with standard keys, the key(s) on the advanced page will take priority.- When adding the UI configuration, the same underlying key(s) will be used.
- Standard keys that have been migrated still correspond to the feature and their values will be applied if they remain in the Advanced configuration.
- If, for whatever reason, a key is not removed in the migration (or is added back later) it will be applied over the corresponding values in the UI.
- starts with
Add advanced logging configuration to record user logins in a separate file
Several debug keys can be applied that will make the authentication flow log with a context and report authentication success/failure :
- The identity that was authenticating
- The success/failure result
- The reason for the failure
Copy the Key / value pairings into the Advanced configuration table to set up your deployment to utilise a separate file that filters authentication requests. Your advanced tab should look like this:
After saving and starting the service, a log file that outputs authentication results is created and utilised in a default path (C:\Program Files\MindLink Software\MindLink Anywhere\logging.log).
MCE
The MindLink Chat Engine provides a secure engine capable of delivering group chat functionality as a Standalone deployment or in parallel with UCMA.
MCE delivers valuable enhancements to security and functionality beyond the capabilities of UCMA groups, while seamlessly integrating with an existing UCMA environment for IM, presence and UCMA group chat.
More information about MCE, including configuration details for each of the supported deployment scenarios, can be found on the MCE Introduction page.
The MCE section can also be accessed at any time from the header navigation menu at the top of the docs site.
Encryption
MCE Groups support end-to-end message encryption.
With the configuration of an encryption service, MCE groups can be created as encrypted groups by group administrators. Encryption of Security Contexts, and further administrative configuration options, provide flexible and secure options for encryption deployments to meet a variety of enforcement requirements.
More information about Encryption can be found on the End to End Message Encryption page.
Encryption configuration details can be found in the MCE Configuration section, which is versioned by release.
Email
MCE Email functionality provides opportunities to extend the reach of MindLink communication, notifying users of key events.
Users being added as members of new groups can benefit from a prompt notification that a new group has been created that they are a member of.
Email configuration details can be found in the MCE section, under the versioned configuration pages.
MindLink Anywhere
This section manages MindLink Anywhere settings that affect the way the web client is hosted and displayed to a user.
Server
Web client port number: The port number at which the web client will be available. For example, if the port number is 9080 and HTTPS is enabled, then navigating to "https://{fqdn}:9080/ will display the web client.
Use HTTPS: When set, hosts the web client over HTTPS. A valid certificate must be specified in order for the configuration to save successfully.
Certificate: A valid certificate must be specified in order for the configuration to save successfully.
Base Path: Appended text to the URL i.e. https://FQDN:port/yourbasepath .
Session Timeout: The session timeout period assigned to manage the session when long polling stops.
Long Polling Session Timeout: Defines when long polling will stop.
Disconnect grace period: Defines the duration of the grace period.
Disclaimer
Custom disclaimers can now be configured that will display when connecting to the web client.
Enable Disclaimers will enable the functionality.
Disclaimer: Set the default disclaimer in the text box. This disclaimer will show for all users connecting to the web client, unless a client connects with a discriminating request header
Enable different disclaimers based on request headers will allow Request Headers to be set up that show different disclaimer content.
Discriminating Header Name will be the universal header name applied. One value is set and all Discriminated Disclaimers are nested within.
Discriminated Disclaimers is where the different disclaimers are set up. The Discriminator is the request header value, while the Disclaimer is the message content to display. Multiple disclaimers can be configured at once, as long as the Discriminator is unique.
Custom Branding
Custom branding configurations allow administrators to configure custom application header and strap line strings to personalize their MindLink Anywhere deployment.
Brand Name
Configure the brand name for the MindLink Anywhere client
Brand strap line (optional)
Configure a strap line for the application, shown on the MLA home page (if a custom home page is not used)
Custom Header and Footer
A header and footer section can be configured in the MindLink Anywhere client. This banner shows at the top and bottom of the client respectively.
Custom Header: The header is shown at the top of the client
A URL will need to be set
The height of each region can be set separately.
An invalid URL format will display a warning message
Custom Footer: The footer shows at the bottom of the client.
A URL will need to be set
The height of each region can be set separately.
An invalid URL format will display a warning message
Custom URLs
The Homepage, In-app Help Link and Logon page Help Link can be configured with custom URL destinations.
Custom Homepage URL:
- When a custom Homepage URL is configured, the MindLink icon in the top-left will redirect to the configured URL instead of MindLink's default homepage.
- This new URL will be displayed within the MindLink client, in place of the default page, rather than a new tab.
Help link URL:
- Providing a valid URL will introduce a new icon in the header of the web app.
- Clicking the icon will open the URL in a new tab.
- If an invalid URL is used the icon will not show.
Logon Help link
- Providing a valid URL will introduce a new icon in the logon page.
- Clicking the icon will open the URL in a new tab.
- If an invalid URL is used the icon will not show.
SfB Group Administration
SfB Group administration allows users to manage Skype for Business groups from the MLA client. To manage groups a few prerequisites will need to be met.
The group administration is enabled on the MindLink Anywhere page in the management tool.
In the dropdown three options are available:
Disabled - Disables group administration
Integrated inside the application - This adds group management as an option in the users profile menu.
External website - This allows users to use an external website for SfB group management.
- Clicking the Manage Skype for Business groups externally option in the users profile will direct them to the website specified via the SfB Group Management URL option.
- The text on the Manage Skype for Business groups externally button can be modified by setting the SfB Group Management button description value. Leaving this value blank will mean the default value is used.
Authentication
Password authentication is the default mechanism, where users manually provide their usernames and password.
MindLink also supports Single Sign-On which allows a user to log onto related systems once and not have to re-enter their credentials for each system. Enabling SSO involves the configuring of the adaptor, and may involve extra configuration depending on the type of connector. For all connectors, the client must be told to connect via SSO by checking the Enable SSO box.
There are three protocols which support Single Sign-On:
- 1. Windows Authentication
- 2. HTTP Header Authentication
- 3. OpenID Connect Authentication
General
Token Issuing Certificate: Select the certificate to use for the Token Issuing Service. It is mandatory that you provide a token issuing certificate, as this is used to manage user authentication. Ensure that the certificate has a key length of 2048 bits and is set up for the digital signing.
Allow users to select the preferred authentication mechanism: Gives the user the ability to select their preferred authentication mechanism. This is only available when more than one mechanism is configured. If more than one authentication mechanism is enabled and the authentication fails then the mechanism will attempt to authenticate with the next mechanism, until all have been attempted.
Password Authentication
Enable password authentication: Enabled by default. When enabled, connecting to the MLA server simply presents a web version of the MindLink Anywhere username and password screen.
Windows authentication (NTLM/Kerberos)
MindLink Anywhere Single Sign-On supports both Windows Integrated Authentication and NTLM mechanisms.
Windows Integrated Auth is supported in all browsers except for Safari. If Kerberos is not available, Single Sign-On automatically resorts to NTLM.
For Kerberos to be supported, the MLA URL must be registered as a Service Principal Name.
These are windows authentication mechanisms to authenticate using SSO. SSO (Single Sign-on) allows users to sign in once with their details and be automatically authenticated each time they visit the MindLink site.
NTLM: For the SSO functionality of MindLink Anywhere to work correctly, the MindLink Address will need to be treated as a trusted site section of the End-Users Web Browser. This can be configured by Group Policy or manually. These Instructions are based on Manual configuration using Internet Explorer - other Browsers may vary.
From within Internet Explorer go to Tools > Internet Options
In the dialogue box that launches, select the Security tab
Select the Trusted Sites icon and click the Sites button
Insert the address of the MindLink Anywhere instance, and click Add.
Click Close, Click OK
Kerberos: operates using "principles" which are identifiers for users and services for which Kerberos tickets can be generated. So that a client can create a ticket readable by a service, it looks up the service principal name and asks the Kerberos server to produce a ticket that can be given to the service. If the service has no registered principal name, or an incorrect principal name is used (for instance falling back to a default service name) then the ticket will be incorrect and authentication will fail.
Windows Authentication: Windows authentication can be implemented by running the following command as a domain administrator:
setspn -U -A http://<server_fqdn> <server_fqdn>
e.g.
setspn -U -A http://machine.domain.com machine.domain.com
Note this only affects Windows Authentication, NTLM does not use SPNs.
Bypass SSO By appending a query string to the URL the SSO mechanism can be bypassed, allowing the client to automatically utilise the configured authentication mechanism to log on directly without prompting. Windows configuration needs to be configured to use the bypass feature. The query string to bypass SSO is below:
- ?bypassLogOnConfiguration=true#/ The first request will require the user to enter credentials, even when using the bypass query string. Every login after the initial will login automatically.
HTTP header authentication
- SfB deployments require the users full sip address. For example: sip:testuser@domain
This allows the client to be authenticated using a configured pre-authenticated header. Enabling this option allows HTTP headers to be passed to an external authentication module, for example a proxy server.
Example: User credentials can be read from the relevant attributes within the HTTP header of the user's security certificate. These attributes are then authenticated against an authentication module such as a proxy. Once authenticated successfully, a session is then established.
OpenID Connect authentication
This allows the user to be authenticated using an OpenID Connect identity provider.
Authority URL: Specify the URL where the OpenID connect identity provider is hosted.
Client ID: Specify the client or application ID of the registered MindLink application on the OpenID connect identity provider.
Identity claim type: Specify the name of the OpenID connect claim type that can be used to uniquely identity the user.
Identity Active Directory attribute: Specify the name of the Active Directory attribute which will match the value of the OpenID connect claim type.
OpenID Connect scopes: Specify the scopes of the request that will be made to the provider. The "openid" scope is required.
Example: The configured user claim is retrieved on successful authentication with the identity provider. The claim is checked against the configured AD domain with the given attribute to identify the user for authentication with MindLink. Once authenticated successfully, a session is then established.
This requires the MindLink application to be registered with the identity provider. The registered application must be configured with the following:
- A redirect URI matching the web client path, i.e. https://FQDN:port/yourbasepath
- Support the authorization code flow with PKCE
- Support the "openid" and any other configured scopes.
- Returns your claim type of choice in the ID token, within the configured scopes.
- Support CORS. For AzureAD identity providers, the V2.0 endpoint must be specified.
Note that OpenID Connect authentication is not supported on Internet Explorer. The mechanism will not be available to Internet Explorer users even if it is enabled in the management center.
When using Microsoft Azure Entra (Azure AD) as an OIDC provider, make sure that you use the v2.0 endpoint for the authority URL.
Also make sure to include the email scope if you are using email addresses to link user accounts.
Troubleshooting OpenID Connect authentication
See MLA Troubleshooting.
External URL Redirection
External URL redirection allows the MLA client to redirect to a specified URL in the event of authentication failure or the user logging out.
Authentication failure redirect URL will redirect the user to the configured URL if they fail to authenticate.
Log out redirect URL will redirect the user to the configured URL when they log out. If a user is unable to authenticate i.e. enters the wrong credentials, it is possible to have them redirected to an external URL i.e. www.google.com