LDAP, ADFS Integration

LDAP Integration

Lightweight Directory Access Protocol (LDAP) serves as a “phone book” for networks: a centralized store for usernames, passwords, and user attributes. LDAP verification underpins user identity and permission management and provides the basic mechanism for logging in with credentials.

Accessing User Federation

The User Federation module in vuSmartMaps allows access to external databases and directories, including LDAP and Active Directory.

  1. The User Federation page can be accessed from the platform left navigation menu by navigating to Platform Settings > User Federation.


  2. Upon entering the User Federation module, the landing page, when no provider is added, appears as follows.


💡Note: Read and write permissions to the Preferences module are needed to access the user federation module.

Adding a New LDAP Provider

  1. To add a new LDAP provider, click the + New Provider button and select LDAP.


  2. Provide the necessary details for adding an LDAP provider.


    • General Options
      • Vendor: Select LDAP Vendor (provider) – options include Active Directory, Red Hat Directory Server, Tivoli, Novell eDirectory, and Other.
    • Connection and Authentication Settings
      • Connection URL: Connection URL to your LDAP Server
      • Enable StartTLS (Optional): Encrypts the connection to LDAP using StartTLS, which will disable connection pooling.
      • Connection Timeout (Optional): LDAP connection timeout in milliseconds.
        • Test Connection Button: Test if the connection is established.
      • Bind Domain Name: Provide the Distinguished Name (DN) of the LDAP admin. IDP will use this DN to access the LDAP server.
      • Bind Password: Password of the LDAP admin.
        • Test Authentication Button: Test authentication with the server.
    • LDAP Searching and Updating
      • Users Domain Name: Specify the full DN of the LDAP tree where user data is located.
      • Username LDAP Attribute: Define the LDAP attribute that is mapped as the IDP’s username.
      • User Object Classes: List all values of the LDAP object class attribute for users in LDAP, separated by commas.
    • Synchronization Settings
      • Periodic Full Sync (Optional): Enable to periodically perform a full synchronization of LDAP users to IDP.
      • Full Sync Period: Period for full synchronization in seconds.
      • Periodic changed users sync (Optional): Enable to periodically synchronize changed or newly created LDAP users to IDP.
      • Changed Sync Period: Period for synchronization of changed or newly created LDAP users in seconds.
  3. Clicking Save adds the LDAP provider to the user federation page.
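The settings above determine how the IDP binds to the directory and how it looks a user up at login. The following added example (not vuSmartMaps code; the `LdapProviderSettings` class and its field names are assumptions that mirror the form fields) builds the user search filter those fields imply, with RFC 4515 escaping of the typed login name, and flags settings that would send the bind password in cleartext:

```python
"""Added illustration (not vuSmartMaps code): build the user lookup filter the
LDAP provider settings imply, and flag settings that weaken the connection."""
from dataclasses import dataclass

# RFC 4515 escaping: characters in a typed login name must never change the
# structure of the search filter the IDP sends to the directory.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

@dataclass
class LdapProviderSettings:            # assumed model of the provider form
    connection_url: str                 # "Connection URL"
    bind_dn: str                        # "Bind Domain Name" (a DN)
    bind_password: str                  # "Bind Password"
    users_dn: str                       # "Users Domain Name"
    username_attribute: str             # "Username LDAP Attribute"
    user_object_classes: str            # "User Object Classes", comma separated
    start_tls: bool = False             # "Enable StartTLS"
    connection_timeout_ms: int = 0      # "Connection Timeout"

def user_search_filter(s: LdapProviderSettings, login_name: str) -> str:
    """Filter searched under users_dn: username attribute AND every object class."""
    classes = [c.strip() for c in s.user_object_classes.split(",") if c.strip()]
    clauses = [f"({s.username_attribute}={escape_filter_value(login_name)})"]
    clauses += [f"(objectClass={escape_filter_value(c)})" for c in classes]
    return "(&" + "".join(clauses) + ")"

def settings_warnings(s: LdapProviderSettings) -> list[str]:
    w = []
    scheme = s.connection_url.split("://", 1)[0].lower()
    if scheme == "ldap" and not s.start_tls:
        w.append("bind password and user credentials travel in cleartext: enable StartTLS or use ldaps://")
    if not s.bind_password:
        w.append("empty bind password: the directory may treat this as an anonymous bind")
    if s.connection_timeout_ms <= 0:
        w.append("no connection timeout: a hung LDAP server stalls every login")
    return w

if __name__ == "__main__":
    cfg = LdapProviderSettings(  # constructed sample values
        connection_url="ldap://ldap.example.internal:389",
        bind_dn="cn=svc-vusmartmaps,ou=service,dc=example,dc=internal",
        bind_password="", users_dn="ou=people,dc=example,dc=internal",
        username_attribute="uid", user_object_classes="inetOrgPerson, person")
    print(user_search_filter(cfg, "alice"))
    print(user_search_filter(cfg, "j.doe*"))    # wildcard in a login name is made literal
    for msg in settings_warnings(cfg):
        print("WARNING:", msg)
```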


💡Note: The current version of vuSmartMaps supports adding only one LDAP Provider.

Enabling/Disabling LDAP Provider

On the User Federation page, a radio button allows you to enable/disable the LDAP provider.

💡Note: The LDAP provider is enabled by default after the initial addition in the user federation module.

Viewing LDAP Configuration

  1. Clicking on the provider’s name navigates you to a page displaying all LDAP-related configuration settings in the Settings tab.




  2. Enable/Disable LDAP Server: Toggle using the radio button.


  3. Sync Users: Options include sync changed users, sync all users, and remove imported users.


Viewing Mapper

  1. Navigate to the Mapper tab to view all mappers associated with the LDAP provider.


  2. Click on a mapper’s name to view specific details.



Editing LDAP Configuration

  1. To edit the LDAP configuration, click the Edit icon on the user federation page.


  2. Make necessary edits in the LDAP Provider settings.


Adding a New Mapper

  1. To add a new mapper, navigate to the Mapper tab and click the + New Mapper button.


  2. Provide all the required information related to the mapper.
    • Name: Name of the mapper.
    • Mapper Type: Used to map a single attribute from the LDAP user to the attribute in the identity provider database.
      • User Attribute Mapper: Maps attributes from LDAP user to IDP user attributes.
      • Hardcoded Attribute Mapper: Hardcode a value to a user attribute.
      • Group LDAP Mapper: Maps LDAP groups to identity provider groups.

💡Note: For the Group LDAP Mapper, you can set an LDAP Filter to define the common name as “Vunet-*” to ensure that only roles with the “Vunet-” prefix are imported. This helps in filtering and importing only the relevant roles specific to vuSmartMaps.

Viewing Mapper

Click on a mapper’s name to view specific details.

Editing the Mapper

To edit an existing mapper, click the Edit icon next to that mapper and change the configuration as required.

Deleting the Mapper

To remove an existing mapper from the user federation page, click the Delete icon next to that mapper.

Confirm the warning by clicking the Delete button to remove the mapper.

Deleting LDAP Configuration

  1. To delete the existing LDAP configuration, click the Delete icon.


  2. Accept the warning message to remove the LDAP configuration.

Syncing Users with LDAP Server

Sync users with the LDAP server using whichever of the following options you need:

  1. Sync changed users
  2. Sync all users
  3. Remove Imported Users

To view the users added by the LDAP provider, navigate to the User Management module.

💡Note: When LDAP is configured and synchronization occurs, all LDAP users are imported into the system. However, by applying the Vunet-* filter to the group, only the groups with this prefix will be pulled. Additionally, in the user management module, all roles with the Vunet- prefix will be listed.
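The note above describes two searches with different scopes: the user search imports everyone, while the Group LDAP Mapper filter restricts which groups become roles. The following added simulation (not vuSmartMaps code; the `full_sync` function, the sample users and groups are constructed) runs a full sync over a small directory with the filter `(cn=Vunet-*)`, assuming the standard-schema behaviour that `cn` is compared case-insensitively:

```python
"""Added simulation (not vuSmartMaps code) of a full sync: every LDAP user is
imported, while the Group LDAP Mapper filter decides which groups become roles."""
import re

def compile_ldap_filter(filter_str: str):
    """Compile a single-attribute filter such as (cn=Vunet-*) into (attr, regex).
    Only '*' is a wildcard (RFC 4515 substring filter). cn uses caseIgnoreMatch in
    standard schemas, so the server compares it case-insensitively; we do the same."""
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", filter_str.strip())
    if not m:
        raise ValueError(f"unsupported filter: {filter_str}")
    attr, pattern = m.groups()
    regex = re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$",
                       re.IGNORECASE)
    return attr, regex

def full_sync(users, groups, group_filter):
    """Return (imported group names, roles per imported user)."""
    attr, regex = compile_ldap_filter(group_filter)
    imported_groups = [g for g in groups if regex.match(g.get(attr, ""))]
    roles = {u["uid"]: sorted(g["cn"] for g in imported_groups if u["dn"] in g["member"])
             for u in users}                       # every user is imported, filter or not
    return [g["cn"] for g in imported_groups], roles

# Constructed sample directory content.
SAMPLE_USERS = [
    {"uid": "alice", "dn": "uid=alice,ou=people,dc=example,dc=internal"},
    {"uid": "bob",   "dn": "uid=bob,ou=people,dc=example,dc=internal"},
    {"uid": "carol", "dn": "uid=carol,ou=people,dc=example,dc=internal"},
]
SAMPLE_GROUPS = [
    {"cn": "Vunet-Admins",  "member": [SAMPLE_USERS[0]["dn"]]},
    {"cn": "vunet-viewers", "member": [SAMPLE_USERS[1]["dn"]]},   # lower-case prefix still matches
    {"cn": "Finance-Staff", "member": [SAMPLE_USERS[0]["dn"], SAMPLE_USERS[1]["dn"]]},
]

if __name__ == "__main__":
    imported, roles = full_sync(SAMPLE_USERS, SAMPLE_GROUPS, "(cn=Vunet-*)")
    print("imported groups:", imported)          # Finance-Staff is skipped
    print("roles per user:", roles)              # carol is imported with no roles
```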

Signing in with LDAP Provider

Once successfully configured, logging in through the LDAP provider is as straightforward as a standard login, using default username/password forms for authentication.

ADFS Integration

Active Directory Federation Services (ADFS) is a Windows Server feature that extends single sign-on (SSO) access to applications and systems outside the corporate firewall. ADFS, provided by Microsoft, operates on a claims-based access-control authorization model.

ADFS enables SSO across secure boundaries like the internet, allowing users to utilize their local credentials for external systems. It establishes trust relationships between different systems, enabling users to present tokens for access.

Configure ADFS

ADFS configuration can be performed using either the identity provider or vuSmartMaps. The vuSmartMaps ADFS configuration API wraps around the identity provider’s API.

ADFS Configuration Guide

Follow these step-by-step instructions to configure OpenID Connect v1.0 using the Identity Providers section:

  1. Accessing the Configuration Page: Open the identity provider’s administration console and navigate to the “Identity Providers” section. Click on OpenID Connect v1.0 in the User-defined section to initiate the configuration process.



  2. Setting up the OpenID Provider: You’ll be presented with a form similar to the one shown below:




    • Alias: Choose a unique alias to identify your identity provider in the IDP.
    • Display Name: Define the name that will be displayed to users in the login form. For example, if you use “Azure AD” as the display name, a corresponding button “Sign in with Azure AD” will appear in the login form.
    • Display Order: If configuring multiple identity providers, set the display order to determine button rendering in the UI. Leave it blank for default ordering.
    • Discovery Endpoint: Provide the OpenID configuration URL for the app registered with your identity provider. This URL enables the IDP to fetch necessary URLs like token URL, authentication URL, user info endpoint, etc.
    • Client Authentication: Specify how the IDP will interact with the identity provider. Use the default value (“Client secret sent as post”) unless instructed otherwise.
    • Client ID and Client Secret: Obtain these values from the app registered with your identity provider.
  3. Complete the Configuration: Fill in the required fields based on your OpenID Connect setup. Once all the settings are configured, proceed to the next step.
  4. Save and Test Configuration: After entering the necessary information, save the configuration. The IDP will validate the setup by testing the connection to the OpenID provider.
  5. Verification and Activation: Once the configuration is saved and tested successfully, you can proceed to activate the OpenID Connect integration. This will enable users to log in using the configured OpenID provider.
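The Discovery Endpoint is the one value from which the IDP derives every other URL it will trust, so it is worth checking the document behind it before saving. The following added example (not vuSmartMaps or the identity provider's code; the discovery URL and document are constructed samples) applies the checks a practitioner would want: every derived endpoint is https, the issuer matches the URL the document was fetched from, and the provider advertises the authorization code flow and the client authentication method selected in the form:

```python
"""Added illustration (not vuSmartMaps or the identity provider's code): sanity checks
on an OpenID discovery document before its URL goes into the Discovery Endpoint field."""
import json
from urllib.parse import urlparse

# Endpoints the IDP derives from the discovery document (see the field description above).
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")

# Constructed sample; a real document is fetched from the identity provider over https.
SAMPLE_DISCOVERY_URL = "https://login.example.test/tenant-id/v2.0/.well-known/openid-configuration"
SAMPLE_DOCUMENT = json.dumps({
    "issuer": "https://login.example.test/tenant-id/v2.0",
    "authorization_endpoint": "https://login.example.test/tenant-id/oauth2/v2.0/authorize",
    "token_endpoint": "http://login.example.test/tenant-id/oauth2/v2.0/token",   # deliberate flaw
    "userinfo_endpoint": "https://graph.example.test/oidc/userinfo",
    "jwks_uri": "https://login.example.test/tenant-id/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt"],
})

def check_discovery(discovery_url: str, body: str, client_auth: str = "client_secret_post") -> list[str]:
    """Return a list of problems; an empty list means the document looks usable."""
    doc = json.loads(body)
    problems = []
    for key in REQUIRED:
        if key not in doc:
            problems.append(f"missing {key}")
        elif urlparse(doc[key]).scheme != "https":
            problems.append(f"{key} is not https: {doc[key]}")   # code, tokens or secrets would travel in clear
    issuer = doc.get("issuer", "")
    # OpenID Connect Discovery: the document lives at <issuer>/.well-known/openid-configuration
    # and the issuer inside it must equal the issuer it was fetched for.
    if issuer and discovery_url != issuer.rstrip("/") + "/.well-known/openid-configuration":
        problems.append("issuer does not match the discovery URL (possible wrong tenant or spoofed document)")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise the authorization code flow")
    if client_auth not in doc.get("token_endpoint_auth_methods_supported", []):
        problems.append(f"provider does not accept client authentication method {client_auth}")
    return problems

if __name__ == "__main__":
    for p in check_discovery(SAMPLE_DISCOVERY_URL, SAMPLE_DOCUMENT):
        print("PROBLEM:", p)
```

"client_secret_post" is the OpenID Connect name of the form's default "Client secret sent as post" option.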

Mappers

Besides configuration, clients often create mappers to synchronize user roles and memberships. Our API exposes three mapper types:

  1. Advanced Claim to Group: Assigns users to specific groups based on claims.
  2. Attribute Importer: Imports declared claims from tokens into user properties.
  3. Hardcoded Attribute: Sets a predefined value to a specific user attribute.

Signing in with ADFS Provider

Upon successful ADFS configuration, an additional login button appears for the configured identity provider. If the configuration is correct, clicking it redirects you to the provider’s authentication form. Once logged in, you are redirected back to the IDP. On your first login you must provide additional user information.

  1. Access the ADFS Login: Upon successful configuration, a new button will appear alongside the regular login options. Click on this button to initiate the ADFS login process.



  2. Authentication Form: If your configuration is correct, clicking the ADFS login button will take you to the authentication form of the configured identity provider. Below are screenshots illustrating this process using Azure AD as an example:



  3. Completing the Provider Login: Once redirected to the identity provider’s authentication form, follow the provided instructions to log in using your identity provider credentials. After successfully logging in through the identity provider, you will be redirected back to the identity provider platform.
  4. Additional User Information: If this is your first time signing in with the configured identity provider, you may be prompted to provide additional user information. This step ensures seamless integration for the identity provider.



  5. Logged in to External User Account: Once you’ve filled in the required information, you will be logged into vuSmartMaps as an external user. Enjoy a smooth login experience without the need for additional credentials.

💡Note: Depending on the mappers you’ve configured, users can be automatically assigned to groups based on the mapper logic. This streamlines access control and ensures that users are directed to the appropriate resources within the platform.

By successfully signing in with your ADFS provider, you enhance security and user experience by leveraging established authentication infrastructure and streamlined access to external systems.
