Integrate Directories

User directories like Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) are centralized repositories for managing user information within an organization. They are essential parts of identity and access management (IAM) systems for storing user accounts, authentication credentials, access rights, and other identity details. Integrating these directories allows organizations to authenticate, query, and modify user and group information in a standardized way.

This page provides a concise overview of the following topics:

  • What is user federation?
  • Rationale for user federation with Unifyia
  • Typical LDAP/AD integration workflow
  • LDAP/AD mappers and their role in the Unifyia Platform
  • Common Configurations for integrating LDAP or AD directories
  • Add and manage directories

Understanding User Federation

User federation in identity and access management (IAM) allows users from different organizations or domains to access resources and applications seamlessly. According to NIST, it involves sharing identity and authentication information across interconnected systems. This process establishes trust relationships between different identity providers (IdPs), ensuring secure and efficient user authentication and authorization. These systems maintain a trusted relationship, enabling users to access various applications and domains without needing separate credentials for each one.

In the Unifyia platform, you can integrate a user federation provider to federate user accounts with an Active Directory or LDAP. Once integrated, this service becomes the primary source of user data.

User Federation with Unifyia Platform

As mentioned above, the platform supports integration with Active Directory and LDAP. Organizations can integrate directories to enable the following features:

  1. Allow user federation
  2. Enable automated access control decisions based on the defined mappers
  3. Automate user account creation by importing users
  4. Read and authenticate the primary credential issued by an organization
  5. Issue derived credentials to the federated users by verifying the HSPD12issuanceStatus from the directory.
  6. Read the UPN value from the user's parent directory and map it to the UPN attribute in the authentication certificate.
  7. Save the issuance status of the authentication certificate to the altSecurityIdentities attribute of the selected directories. (Optional)
    • Enable reverse certificate mapping as recommended by Microsoft
  8. Check the issuance status of the primary credential before renewing the derived credential.
  9. Place a derived credential on suspension status in response to a status change of the primary credential in the source directory after checking the HSPD12issuancestatus (TRM) attribute value.
  10. Suspend/revoke the derived credential if the primary credential certificate is revoked/suspended by checking the CRL (certificate revocation list).

Typical LDAP/AD Integration Workflow

A typical LDAP/AD integration involves configuring connection parameters, authentication bindings, search and update settings, and synchronization settings. The integration proceeds in the following sequence of steps:

  1. Getting started by selecting a provider
  2. Configure
    • connection and authentication settings to communicate to LDAP
    • LDAP/AD searching and updating settings
    • Synchronization Settings (Currently supports only IMPORT on demand)
  3. Configure LDAP/AD Attribute Settings (Mappers)

LDAP/AD Mappers

LDAP/AD mappers are essential components of directory services within an identity and access management (IAM) architecture; they facilitate the integration between directory services and other applications or systems. They ensure that user and group information is federated to the Unifyia platform, enabling seamless and secure access across systems, and that the user information stored in the LDAP directory can be used effectively by the connected applications.

Role of Mappers in the Unifyia Platform

When configured, the mappers:

  • map directory attributes, e.g., cn, sn, mail, to the corresponding attributes in the Unifyia platform, e.g., username, last name, email
  • import the user account details from the directory
  • authenticate users with password-based credentials against the LDAP directory from the Unifyia platform
  • map LDAP groups to the Unifyia platform's authorization framework
  • manage custom attributes in the LDAP directory and ensure they are correctly interpreted and used by the Unifyia platform

Read access to certain sensitive user attributes must be enabled in the directory so that they can be mapped in the Unifyia platform; the derived credentials are issued based on the primary credential verification carried in these attributes:
    • hspdIssuanceStatus
    • hspdUpn
    • others

When you create a user federation service provider (LDAP, AD), the Unifyia platform provides a set of predefined mappers for each configured provider. You can update or delete the existing ones and add custom mappers as required.

Common Configurations for LDAP/AD

Although each type of directory has its own configuration options, they share a common set of settings. The following describes the configuration options available for both LDAP and AD:

Connection URL: The connection URL of your directory.

Enable StartTLS: Encrypts the connection to LDAP/AD using STARTTLS. Enabling it disables connection pooling. Possible values are True and False.

Use Truststore SPI: Specifies whether the LDAP/AD connection uses the Truststore SPI (Service Provider Interface) with the truststore configured in standalone.xml/domain.xml. Possible values are True and False.

Connection Pooling: Maintains a pool of active connections that are reused for multiple requests instead of opening and closing a connection for each request. This improves the efficiency and performance of applications that frequently interact with LDAP servers. Possible values are True and False.

Connection Timeout: The maximum duration, in milliseconds, that the LDAP client waits to establish a connection with the LDAP server. The recommended minimum is 120000.

Bind Type: The method used for authentication when a client connects to an LDAP server. The bind operation lets the client establish a session and authenticate itself to the server, which in turn grants the client the appropriate access to the directory information.
  • None: No authentication.
  • Simple: The client sends a Distinguished Name (DN) and a password to the LDAP server during the bind operation. Both are transmitted in plain text unless the connection is secured by TLS/SSL.

Bind DN: The Distinguished Name (DN) of the user or service account that the identity provider uses to access the LDAP server.

Bind Credentials: The password of the user or service account specified in the Bind DN.

Edit Mode: Defines the LDAP update privileges and so whether user metadata can be modified. Users modify their own data through the Account console; admins modify user data through the Admin console. Choose one of the following options from the drop-down list:
  • Read Only: Choose this option if you do not want user metadata or other mapped attributes to be updated. The system throws an error if any change or update is attempted. Password updates are not supported.
  • Writable: Allows changing the username, email, first name, last name, and password, and automatically writes the attribute changes back to the LDAP store.
  • Unsynced: User data is imported but not synced back to LDAP. Not currently supported.

Users DN: The full DN of the LDAP subtree that contains your users; it is the parent of all user entries. For example, if a user's DN is uid=john.doe,ou=People,dc=example,dc=com, the Users DN is ou=People,dc=example,dc=com, meaning the user entries are located under ou=People in the example.com domain.

Username LDAP Attribute: The name of the LDAP attribute mapped to the Unifyia platform's username attribute. For many LDAP server vendors this is uid or cn.

RDN LDAP Attribute: An RDN (Relative Distinguished Name) is the component of an LDAP entry's Distinguished Name (DN) that is unique at a specific level of the directory hierarchy; the DN uniquely identifies the entry in the whole directory. An RDN is composed of one or more attribute-value pairs.
For example, in the DN cn=John Doe,ou=People,dc=example,dc=com, the RDN is cn=John Doe: at this level of the hierarchy (under ou=People), the entry is uniquely identified by the cn (Common Name) attribute with the value John Doe.

UUID LDAP Attribute: The UUID (Universally Unique Identifier) attribute is a unique identifier assigned to each entry in the directory. It ensures that an entry can still be identified even if other attributes, such as the name or email address, change. Different LDAP implementations use different attribute names for the UUID. For example:
  • OpenLDAP: entryUUID
  • Active Directory: objectGUID
If your LDAP server has no notion of a UUID, use any other attribute that is expected to be unique among the LDAP users in the tree, for example uid or entryDN.

User Object Classes: LDAP user object classes define the types of entries and the attributes that those entries must or can contain within the directory. They provide a flexible, structured way to represent users and their related information. Each object class includes specific attributes that describe various aspects of a user, from basic identification details to organizational and security information.
Examples of user object classes:
  • inetOrgPerson
  • organizationalPerson
  • person
  • top
  • user (specific to Microsoft Active Directory)

User LDAP Filter: An additional LDAP search filter that narrows which entries under the Users DN are treated as users, applied on top of the User Object Classes.
For example, to find users in the Engineering department with the last name Doe, provide the filter (&(ou=Engineering)(sn=Doe)). Make sure that the value starts with ( and ends with ). Leave this empty if you do not need any additional filters.
Common operators:
  • Equality: (attribute=value)
  • Presence: (attribute=*)
  • Substring: (attribute=val*)
  • Negation: (!(attribute=value))
  • AND: (&(...)(...))
  • OR: (|(...)(...))

Search Scope: Defines how deep the directory tree is searched when a query is executed. The search is limited to the entries under the Users DN. The scope controls whether the search covers only the immediate children of the Users DN or the entire subtree beneath it. Possible values are One Level and Subtree.
  • One Level: Select this option when you want to find entries directly under a specific organizational unit (OU).
  • Subtree: Select this option when you need a comprehensive search that includes all entries within the subtree.

Read Timeout: The maximum time the client waits for a response from the server after sending a request. This ensures that the application does not hang indefinitely if the server is slow to respond or there are network issues.

Import Users:
  • True: Users are imported into the identity provider database and synced according to the configured sync policies.
  • False: No users are imported.

Sync Registrations: Specifies whether newly created users are also created in the LDAP store. This setting takes effect only with the Writable edit mode. Synchronizing user registrations, updates, and deletions between LDAP directories and other identity management systems keeps user data consistent and up to date across all connected systems.

Periodic Full Sync: Regularly updates the LDAP directory data from an external authoritative source or another LDAP directory, so that the information in the LDAP directory remains current and accurate over time.

Periodic Updated Users Sync: When synchronizing, creates or updates only the users that were created or updated after the last sync.
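The following Python helpers are an added example, not Unifyia platform code, working through two of the settings above: deriving the RDN and the Users DN from a user's DN, and composing the user search filter from the Username LDAP Attribute, User Object Classes and User LDAP Filter with the username value escaped per RFC 4515, so that a crafted username cannot change the structure of the filter. Function names and sample values are constructed for illustration.

```python
import re


def split_dn(dn):
    # Split a DN into its RDNs on commas that are not backslash-escaped (RFC 4514).
    return re.split(r'(?<!\\),', dn)


def rdn_and_parent(user_dn):
    # The first RDN identifies the entry; the remainder is its parent, i.e. the Users DN.
    parts = split_dn(user_dn)
    return parts[0], ",".join(parts[1:])


def escape_filter_value(value):
    # RFC 4515 escaping: special characters become \xx, so a username such as
    # *)(uid=* is matched literally instead of widening the search.
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def is_balanced_filter(f):
    # The check the table asks for: starts with "(", ends with ")", parentheses balanced.
    if not (f.startswith("(") and f.endswith(")")):
        return False
    depth = 0
    for c in f:
        depth += 1 if c == "(" else -1 if c == ")" else 0
        if depth < 0:
            return False
    return depth == 0


def user_lookup_filter(username_attr, username, object_classes, user_ldap_filter=""):
    # AND together the username match, the User Object Classes and the optional
    # User LDAP Filter, the three settings a user search is built from.
    parts = ["(%s=%s)" % (username_attr, escape_filter_value(username))]
    parts += ["(objectClass=%s)" % oc for oc in object_classes]
    if user_ldap_filter:
        if not is_balanced_filter(user_ldap_filter):
            raise ValueError("User LDAP Filter must start with ( and end with )")
        parts.append(user_ldap_filter)
    return "(&" + "".join(parts) + ")"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    print(rdn_and_parent("uid=john.doe,ou=People,dc=example,dc=com"))
    print(user_lookup_filter("uid", "john.doe", ["inetOrgPerson"], "(&(ou=Engineering)(sn=Doe))"))
    print(user_lookup_filter("uid", "*)(uid=*", ["person"]))
```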

Add New Directory

Follow these steps to add a new directory:

  1. Log into the platform with administrator credentials.
  2. Navigate to Integrations > Datasources > Directory.
  3. Select + Add New Directory.
  4. Provide a name for the directory being added.
  5. Select a vendor.
  6. Configure directory settings. Refer to Integrate LDAP and Integrate Active Directory how-to guides to learn how to configure the required settings for integrating an LDAP or AD server with the Unifyia platform.
  7. Select Test Connection to check if you can connect to the directory.
  8. Select Test Authentication to check if you can authenticate to the directory.
  9. Select Save to save the directory configuration.
  10. Navigate to Mappers. A set of predefined mappers is displayed; edit or delete them as required. Refer to the respective Mappers section in the Integrate LDAP and Integrate Active Directory how-to guides to learn more about mappers.
  11. Once the mappers' configuration is complete, you are ready to manage user federation with the Unifyia platform.

Manage Directories

  1. Log into the platform with administrator credentials.
  2. Navigate to Integrations > Datasources > Directory.
  3. A list of configured directories is displayed.
  4. To edit a directory, select the Pencil icon at the end of the selected directory row and modify the configuration parameters as needed. Note that the name and vendor type cannot be edited. Select Update to save the changes.
  5. To delete a directory, select the Bin icon at the end of the selected directory row. Select Yes to confirm or No to exit the process.