You can configure HotDocs Hub to use several different security options.
You can deploy Hub in the following security configurations:
HotDocs Hub with User Management
HotDocs Hub with User Management and Active Directory
HotDocs Hub without User Management
The HotDocs Hub with User Management configuration uses the User Hub component to secure access to Hub resources, such as templates and interviews. Users access the Hub using Hub-only user accounts.
You must enable a TLS/SSL connection in IIS when installing HotDocs Hub with User Management.
The Hub requires a certificate for signing access tokens, used for authenticating requests to Hub APIs. You must supply this certificate yourself. The certificate has the following configuration requirements:
During the installation process, you must also add the certificate's thumbprint to the SigningCertificateThumbprint key in the HotDocs Identity Server application settings.
HotDocs recommends that you use a separate security certificate as the signing certificate for HotDocs Hub. However, you can use the SSL certificate as the signing certificate if necessary.
Once you install and configure Hub, tenancy administrators can create Hub-only user accounts and set access permissions through the Hub user interface. These accounts are then allocated to resources by Administrators, through the Hub user interface. A user can only log in to the Hub user interface and see the resources they have been explicitly given access to by an Administrator. See Using the User Hub for more information.
You must sign requests to the Hub APIs with an OAuth2 token.
You can also configure HotDocs Hub to use Active Directory for user account management and authentication. In this configuration, HotDocs Hub reads user account details from an Active Directory server. You use these existing user accounts to allocate user permissions in Hub, rather than creating new user accounts in Hub itself. The User Hub component is still used to allocate permissions to HotDocs resources, such as templates and interviews.
You must enable a TLS/SSL connection in IIS when installing HotDocs Hub with User Management and Active Directory.
The Hub requires a certificate for signing access tokens, used for authenticating requests to Hub APIs. You must supply this certificate yourself. The certificate has the following configuration requirements:
During the installation process, you must also add the certificate's thumbprint to the SigningCertificateThumbprint key in the HotDocs Identity Server application settings.
HotDocs recommends that you use a separate security certificate as the signing certificate for HotDocs Hub. However, you can use the SSL certificate as the signing certificate if necessary.
You must sign requests to the Hub APIs with an OAuth2 token. See Using OAuth2 with HotDocs Hub for more information.
The HotDocs Hub without User Management configuration does not use the User Hub component. You must use another security system, such as IIS configuration settings, to control user access to HotDocs resources.
It is strongly recommended that this configuration of the HotDocs Hub is not deployed on an extranet or public-facing server.
The Hub installer adds multiple applications to Internet Information Services (IIS) when HotDocs Hub is installed. You can control access to the applications by granting users permissions on individual applications in IIS. See Configuring HotDocs Hub User Access Permissions for more information.
You can use IIS configuration settings to restrict access to the HotDocs Hub APIs.
You can isolate the Hub APIs from the general network by restricting usage to known client network IP addresses. This is configured using either IIS or the Windows Firewall. See Configure IPv4 Address and Domain Name Allow Rules for more information.
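One way to apply the allow rules described above in IIS, using the WebAdministration PowerShell module. This is an added example, not part of the HotDocs documentation. The site name, application name and client addresses are placeholders; substitute the applications the Hub installer created and your own client addresses.

```powershell
# Added example: deny-by-default IP allow list for the Hub API applications in IIS.
# Requires the "IP and Domain Restrictions" role service
# (Install-WindowsFeature Web-IP-Security) and an elevated PowerShell session.
Import-Module WebAdministration

# Assumptions (placeholders, not taken from the HotDocs documentation):
$site    = 'Default Web Site'
$apps    = @('HubApiPlaceholder')   # one entry per Hub API application in IIS
$clients = @(
    @{ ipAddress = '10.20.30.0';  subnetMask = '255.255.255.0'   },  # constructed: client subnet
    @{ ipAddress = '10.20.40.15'; subnetMask = '255.255.255.255' }   # constructed: single host
)

# ipSecurity is locked to applicationHost.config by default, so the rules are
# written there with a <location> entry per application, not to web.config.
$root   = 'MACHINE/WEBROOT/APPHOST'
$filter = 'system.webServer/security/ipSecurity'

foreach ($app in $apps) {
    $location = "$site/$app"

    # Read the current entries so that re-running the script adds no duplicates.
    $existing = @(Get-WebConfigurationProperty -PSPath $root -Location $location `
                    -Filter $filter -Name 'Collection')

    foreach ($c in $clients) {
        $present = $existing | Where-Object {
            $_.ipAddress -eq $c.ipAddress -and $_.subnetMask -eq $c.subnetMask
        }
        if (-not $present) {
            Add-WebConfigurationProperty -PSPath $root -Location $location `
                -Filter $filter -Name '.' `
                -Value @{ ipAddress = $c.ipAddress; subnetMask = $c.subnetMask; allowed = 'True' }
        }
    }

    # Turn on deny-by-default only after the allow entries are in place,
    # so known clients are not cut off halfway through the change.
    Set-WebConfigurationProperty -PSPath $root -Location $location `
        -Filter $filter -Name 'allowUnlisted' -Value 'False'

    # Print the effective rules for review.
    $unlisted = (Get-WebConfigurationProperty -PSPath $root -Location $location `
                    -Filter $filter -Name 'allowUnlisted').Value
    Write-Output "$location : allowUnlisted=$unlisted"
    Get-WebConfigurationProperty -PSPath $root -Location $location -Filter $filter `
        -Name 'Collection' | Select-Object ipAddress, subnetMask, allowed
}
```

After running it, request an API URL from an address outside the list and confirm that IIS refuses the request.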
You can also restrict access to the Hub applications using standard network authentication, i.e. through IIS application pools. The application pool under which the Hub API applications run should use a domain account. This domain account should only be used by the Hub APIs.