Thanks to the advantages of today’s technology, you no longer have to make in-person meetings to get your group work done. Using the iManage Document Management System, you have real-time access to your work, from anywhere, at anytime. This does raises some questions, though. How secure is iManage Work? How could you prevent basically anyone from having access to your work? Of course imanage thought about that too.
iManage Work offers multiple authentication types for users connecting to the iManage Work Server. You have 5 choices, all of which are supported in the iManage Work Classic and iManage Work 10 clients.
- Explicit Login
This is a straightforward authentication method in which user credentials are authenticated against iManage libraries using the user ID and password stored in the iManage database. Explicit Login’s disadvantage is that anyone with a user ID who obtains or guesses that user’s password can gain access to the user’s account.
Due to this, the user would need to manage another set of credentials, while the administrator would need to manage users in the iManage control center by enabling, disabling and adding users in the active directory.
Explicit Login is primarily meant for virtual user accounts that are only iManage work users without a connection to the Active Directory (AD) or for a virtual admin account with a unique, secure password.
- Legacy Trusted Login
This is the most basic method of domain user authentication in the iManage DMS, which works on the Classic Client. It has limited use and requires both the user and server to be on the domain.
The majority of users use Legacy Trusted Login due to most customers’ use of iManage Work being limited to the company environment. With this authentication method, users cannot open their environment from external connections. Legacy Trusted Login also relies on a trusted pre-authentication realized by the login manager. Additionally, it is not compatible with iManage Work 10 and is not supported in the iManage Cloud.
Legacy Trusted Login is not recommended for use in high-security environments, though its security can be enhanced with Kerberos. For added security, we recommend that administrators at least move to Kerberos Trusted Login, which is discussed next.
- Legacy Kerberos Trusted Login
The iManage Data Management System offers a successor to the Legacy Trusted Login method mentioned above, with increased security. For this authentication method Kerberos must be configured for Work Server.
Legacy Kerberos Trusted Login works for the Classic and Work Desktop clients for Windows 10.x, although it is not available for the iManage Work Web client, which requires the use of the following two most secure authentication options.
- Network Login
Network Login is a more recent authentication method than Trusted Login, introduced in iManage Work 9.0 Update 6. It allows users to log in with domain credentials from any location and requires a Work Anywhere SSL connection. Network Login works with all current clients and is one of the available authentication methods compatible with iManage Cloud.
A disadvantage of Network Login is apparent whenever users arrive to a web interface: they will always be prompted to enter their corresponding credentials. On the iManage Desktop client the system saves users’ credentials (similar to Explicit Login), but on the Web interface users will always have to type in their Domain, User ID and their Network Login. In the Cloud, the downside of using Network Login is users’ need to connect to their LDAP/AD server.
- Claims-Based Authentication (SAML)
Claims-based authentication is the most secure and cloud-friendly security option the iManage DMS offers and therefore, it is the most recommended to use.
Claims-based authentication validates the login attempt against the desired authorization provider. This allows administrators to provide identification using multiple options, including Multi-Factor Authentication (MFA). One of the most significant benefits of using Claims-Based Authentication is that iManage Work clients and Work Server do not have to be on the domain; Work Server contains the necessary configurations to route users to the identification provider.
This method works with versions 9.3.1 and higher iManage Work Classic and all iManage Work 10 clients, although it is only supported by iManage Work Servers configured for the following HTTPS-based protocols:
- IManage Work Anywhere
A Bit More About SAML
Claims-based authentication is achieved using the Security Assertion Markup Language (SAML) protocol. But what is it? SAML is a new authentication standard which allows firms to incorporate iManage Work authentication to their current system, which also allows their login credentials to be managed at one place in their active directory. SAML-based claims authentication is accomplished with a back-end identity provider such as AD FS, Ping Identity, or Shibboleth.
A significant advantage of SAML is its agility and customization. It allows users to add and remove security policies available from their identification provider without any iManage configuration.
An added benefit is the user experience provided by SAML, which is deemed the user experience of choice for several reasons:
- Training required is reduced: If SAML is already being used, there will not be any additional login dialogue or forms. There is no need to teach a user’s credentials or how to type their domain backsplash ID to login to the iManage Work 10 Client. If iOS and mobile SAML is enabled, there is a very low level of training and entry required for users to start leveraging these applications without interfering with the Desktop client. It is an excellent first step moving forward to iManage Work 10 adoptions.
- Remote Access: After enabling SAML, a large number of firms will be more comfortable to turn to mobile or the use of external connections. Most identification providers will offer an authentication policy that is different within and outside the network, as this allows one to add additional scrutiny to external connections. For this matter, single sign-in is used when the user is within the company’s network, while if the user is outside of the firm’s network, they will be prompted for multi-factor authentication. With this, the firm can meet security standards and also provide access from anywhere to the Work 10 client.
- Administrative cost: Finally, if the firm is configured to use iManage directory Sync and SAML, there should be no reason for an administrator to reset the password, add users or disable users in the iManage Control Center, as iManage’s directory sync will synchronize all users’ credentials from the company’s active directory to iManage Work 10, therefore allowing the administrator to manage all users’ security in one place.
iManage SAML authentication is a secure and trustworthy choice with endless benefits for end users and security auditors.
We have provided five different ways to protect your work documents in iManage Work while you maximize efficiency. Now you know your work can be created and managed from anywhere to increase productivity, but you can also rest assured it will be safe. Depending on the version of the iManage DMS you decide to use you can tailor your security and productivity needs to those of your business, just as our clients can attest.
Here at MacroAgility Systems Inc. we are committed to provide our customers with an excellent service and the most reliable products currently on the market to bring you the most innovative solutions available. Let us connect your business to the product it needs to make it stronger.