Security Configuration Options
You can use the HotDocs Hub in several different security configurations:
- HotDocs Hub with User Management – use the User Hub component for user account management and authentication.
- HotDocs Hub with User Management and Active Directory – use User Hub and Active Directory for user account management and user authentication.
- HotDocs Hub without User Management – the User Hub component is not installed; you must provide your own user authentication.
In this Topic Hide
HotDocs Hub with User Management
HotDocs Hub with User Management and Active Directory
HotDocs Hub without User Management
HotDocs Hub with User Management
The HotDocs Hub with User Management configuration uses the User Hub component to secure access to Hub resources. For example, templates and interviews. Users access the Hub using Hub-only user accounts.
Connection Security
TLS/SSL
You must enable a TLS/SSL connection in IIS when installing HotDocs Hub with User Management.
Signing Certificate
The Hub requires a certificate for signing access tokens, used for authenticating requests to Hub APIs. You must supply this certificate yourself. The certificate has the following configuration requirements:
- Must be exportable.
- Must be imported to the local machine Personal store.
- Must be imported to the local machine Trusted Root store.
- The identity for the application pool under which the HotDocs Hub applications run must have permissions to the private key of the certificate. You configure these permissions after you install Hub.
You must also add the certificate's thumbprint to the HotDocs Identity Server application settings SigningCertificateThumbprint key during the installation process.
HotDocs recommends that you use a separate security certificate as the signing certificate for HotDocs Hub. However, you can use the SSL certificate as the signing certificate if necessary.
Hub-only User Accounts
Once you install and configure Hub, tenancy administrators can create Hub-only user accounts and set access permissions through the Hub user interface. These accounts are then allocated to resources by Administrators, through the Hub user interface. A user can only log in to the Hub user interface and see the resources they have been explicitly given access to by an Administrator. See Using the User Hub for more information.
Using the APIs
You must sign requests to the Hub APIs with an OAuth2 token.
HotDocs Hub with User Management and Active Directory
You can also configure HotDocs Hub to use Active Directory for user account management and authentication. In this configuration, HotDocs Hub reads user account details from an Active Directory server. You use these existing user accounts to allocate user permissions in Hub, rather than creating new user accounts in Hub itself. The User Hub component is still used to allocate permissions to HotDocs resources. For example, templates and interviews.
Connection Security
You must enable a TLS/SSL connection in IIS when installing HotDocs Hub with User Management and Active Directory.
Signing Certificate
The Hub requires a certificate for signing access tokens, used for authenticating requests to Hub APIs. You must supply this certificate yourself. The certificate has the following configuration requirements:
- Must be exportable.
- Must be imported to the local machine Personal store.
- Must be imported to the local machine Trusted Root store.
- The identity for the application pool under which the HotDocs Hub applications run must have permissions to the private key of the certificate. You configure these permissions after you install Hub.
You must also add the certificate's thumbprint to the HotDocs Identity Server application settings SigningCertificateThumbprint key during the installation process.
HotDocs recommends that you use a separate security certificate as the signing certificate for HotDocs Hub. However, you can use the SSL certificate as the signing certificate if necessary.
Using the APIs
You must sign requests to the Hub APIs with an OAuth2 token. See Using OAuth2 with HotDocs Hub for more information.
HotDocs Hub without User Management
The HotDocs Hub with User Management configuration does not use the User Hub component. You must use another security system to control user access to HotDocs resources. For example, IIS configuration settings.
It is strongly recommended that this configuration of the HotDocs Hub is not deployed on an extranet or public-facing server.
Using IIS to grant access to Hub Components
The Hub installer adds multiple applications to Internet Information Services (IIS) when HotDocs Hub is installed. You can control access to the applications by granting users permissions on individual applications in IIS. See Configuring HotDocs Hub User Access Permissions for more information.
Using IIS to grant access to APIs
You can use IIS configuration settings to restrict access to the HotDocs Hub APIs.
Network Routing
You can isolate the Hub APIs from the general network by restricting usage to known client network IP addresses. This is configured using either IIS or the Windows Firewall. See Configure IPv4 Address and Domain Name Allow Rules for more information.
Network Authentication
You can also restrict access to the Hub applications using standard network authentication, i.e. through IIS application pools. The application pool under which the Hub API applications run should use a domain account. This domain account should only be used by the Hub APIs.