Security Configuration Options

The HotDocs Hub can be used in different modes, each with different security configurations:

• User Management-enabled – HotDocs Hub with the User Hub component installed.
• User Management-enabled with Active Directory – User Hub component is installed, uses Active Directory for user authentication.
• Standalone – HotDocs Hub without the User Hub installed.

In User Management-enabled mode, the User Hub is used to authenticate and authorize users trying to access HotDocs resources.  When using the Standalone mode, Hub Interfaces and APIs are typically secured using IIS configuration settings. The two modes give organizations the option to implement their own security for controlling access to the Hub, instead of using the security features of the User Hub.

In this Topic ShowHide

User Management-Enabled Security Configuration

When using the User Management-enabled mode, HotDocs Hub is installed with the User Hub component. In this configuration, the User Hub is used to secure access to Hub resources. For example, templates and Interviews. Additionally, this configuration can use Active Directory for user authentication.

Connection Security

A TLS/SSL connection is required when using the User Hub.

Authentication and Authorization

Using the Hub User Interface

Users either access the Hub through standalone, Hub-only accounts or using their domain accounts, supplied by your own user management system. These accounts are then allocated to resources by Hub Administrators, through the Hub user interface. A user can only log in to the Hub user interface and see the resources they have been explicitly given access to by an Administrator. See Using the User Hub for more information.

Using the APIs

Users may make requests to the Hub APIs if they are signed using an OAuth2 token. See the following topics for more information: Using OAuth2 with HotDocs Hub.

Using Active Directory

HotDocs Hub can also be installed in a configuration that uses Active Directory for user authentication. In this configuration, user account details are read from Active Directory. Administrators can then use these existing user accounts to allocate user permissions in Hub, rather than creating individual user accounts in Hub itself.

Standalone Security Configuration

The Standalone HotDocs Hub is installed without the User Hub component. Instead, you must use another security system to control user access to HotDocs resources. For example, IIS configuration settings.

It is strongly recommended that this configuration of the HotDocs Hub is not deployed on an extranet or public-facing server.

Using IIS to grant access to Hub Components

When HotDocs Hub is installed, a system administrator will typically see multiple applications added to Internet Information Services (IIS).

Each application uses Windows Authentication. Access to the user interface application can be controlled by granting users permissions to individual applications in IIS. See Configuring HotDocs Hub User Access Permissions for more information.

Using IIS to grant access to APIs

There are several configuration steps that can be taken to restrict access to the HotDocs Hub APIs.  

Network Routing

It is possible to isolate the Hub APIs from the general network by restricting usage to known client network IP addresses. This can be configured through IIS or the Windows Firewall. For more information, see https://technet.microsoft.com/en-us/library/cc731598(v=ws.10).aspx.

Network Authentication

It is also possible to restrict access to the Hub APIs using standard network authentication, i.e. using application pools. The application pool under which the Hub API applications run should use a domain account. This domain account should only be used by the Hub APIs. By restricting the access permissions of this domain account,