Add a directory service

This topic describes how to add a directory service (for example, LDAP) to the Idaptive Identity Service so you can continue using your existing directory without migrating users to another directory source.

After you add your existing directory service, users can access Idaptive Identity Service with their existing user accounts.

You can add the following as directory services in the Idaptive Admin Portal:

  • LDAP

  • Google

  • Azure Active Directory

  • Active Directory

If you have the same username in multiple directory services, you can set the lookup order so your preferred directory service is searched first.

Add LDAP as a directory service

LDAP communicates with the Idaptive Connector over TLS/SSL on port 636. As part of the client/server handshake between the connector and the LDAP server, the LDAP server must present the connector with an X.509 certificate. To establish a trust relationship between the connector and the LDAP server, you must install the CA certificate that issued the LDAP server’s Server Authentication certificate on the machine running the Idaptive Connector (specifically, the Local Computer Trusted Root Certification Authorities certificate store).

Your LDAP servers must meet the following minimum requirements before you add LDAP as a directory service.

  • The server must support reading of the server's Root DSE (RFC 4512, section 5.1), and the Root DSE attributes must indicate that the server supports the LDAPv3 protocol.

    As LDAPv2 was retired in 2003, most current servers will meet this requirement; however, any server that fails to meet these requirements is not supported.

  • A per-entry attribute that can be used as a server-scope unique identifier is required.

    This attribute should be invariant, i.e. it should never change for the lifetime of the entry. This will default to the DN, but if the DN is liable to change in your installation you can specify a different attribute. In this case an operational attribute such as entryUuid is preferred. If your LDAP server/schema lacks this operational attribute then you can try using a "unique" structural attribute as an alternative, but Idaptive does not recommend or support this.

    In either case, if the attribute ever changes then the user/group that it represents will be seen as a different user/group, resulting in orphaned users, "lost" OATH tokens, and deleted app settings and assignments. It is extremely important that care be taken to select an appropriate attribute. Information about best practices for selecting an attribute for this purpose can be found here.

    The selected attribute may not be changed after the configuration is created.

  • An attribute containing the user's login name must exist and must be able to be queried to obtain the entity's DN, and a simple bind using that DN and a provided credential must be able to be successfully completed.

  • The server must support the Modify Password Extended Operation for password reset/change to work as expected.

Idaptive's LDAP support is flexible enough that some servers not meeting the minimal requirements could be configured successfully, but Idaptive does not recommend or support servers that do not meet the minimal requirements.
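The requirements above can be verified before the directory is added. The following is an added example, not code from Idaptive or from this page: it encodes the checks as functions over the data any LDAP client returns (LDAPv3 advertised in the Root DSE, the Password Modify extended operation of RFC 3062 advertised, an invariant per-entry identifier with entryUUID preferred and the DN as fallback, and a login-name attribute that resolves to exactly one DN before a simple bind is attempted). The Root DSE and user entries are constructed sample data; `fetch_root_dse()` shows the live equivalent with the third-party ldap3 library over LDAPS with the server certificate validated against the issuing CA, which is an assumption about the client library rather than something the page prescribes.

```python
"""Pre-flight checks for an LDAP server before it is added as an Idaptive directory service.

Added example, not Idaptive's code. Sample data below is constructed.
"""
import ssl

LDAPV3 = "3"
PASSWORD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 Password Modify Extended Operation

# Constructed Root DSE, shaped as a client returns it: attribute name -> list of values.
SAMPLE_ROOT_DSE = {
    "supportedLDAPVersion": ["3"],
    "supportedExtension": ["1.3.6.1.4.1.1466.20037", PASSWORD_MODIFY_OID],  # StartTLS, PasswdModify
    "namingContexts": ["dc=example,dc=com"],
}

# Constructed user entries. Both share cn=Support to show an ambiguous login attribute.
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com",
     "attributes": {"uid": ["alice"], "cn": ["Support"],
                    "entryUUID": ["7f1c2b5e-0d3a-4c1e-9a7b-1f2e3d4c5b6a"]}},
    {"dn": "uid=bob,ou=people,dc=example,dc=com",
     "attributes": {"uid": ["bob"], "cn": ["Support"]}},  # no entryUUID on this entry
]


def check_root_dse(root_dse):
    """Return a list of problems; an empty list means the protocol requirements are met."""
    problems = []
    versions = {str(v) for v in root_dse.get("supportedLDAPVersion", [])}
    if LDAPV3 not in versions:
        problems.append("Root DSE does not advertise LDAPv3 in supportedLDAPVersion")
    if PASSWORD_MODIFY_OID not in root_dse.get("supportedExtension", []):
        problems.append("Password Modify extended operation not advertised; "
                        "password reset/change will not work")
    return problems


def unique_id(entry, attribute="entryUUID"):
    """Return the value the directory source would key this entry on, or None if absent.

    The DN is always present but changes when an entry is moved or renamed; an operational
    attribute such as entryUUID does not, which is why it is the preferred identifier.
    """
    if attribute.lower() == "dn":
        return entry["dn"]
    values = entry["attributes"].get(attribute, [])
    return values[0] if len(values) == 1 and values[0] else None


def find_bind_dn(entries, login_attribute, login_name):
    """Resolve a login name to the single DN a simple bind should use.

    Values are compared case-insensitively, as most servers do for directory strings.
    Zero or several matches return None: binding to "the first match" would let two
    accounts share a login name, so the ambiguity is surfaced instead of hidden.
    """
    wanted = login_name.lower()
    matches = [e["dn"] for e in entries
               if any(v.lower() == wanted for v in e["attributes"].get(login_attribute, []))]
    return matches[0] if len(matches) == 1 else None


def fetch_root_dse(host, ca_certs_file, port=636):
    """Read the Root DSE over LDAPS, validating the server certificate against ca_certs_file.

    Assumes the ldap3 library (pip install ldap3); not exercised by the offline sample data.
    """
    from ldap3 import Server, Connection, Tls, BASE  # imported lazily: optional dependency

    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_certs_file)
    server = Server(host, port=port, use_ssl=True, tls=tls)
    conn = Connection(server, auto_bind=True)  # anonymous bind is enough for the Root DSE
    conn.search("", "(objectClass=*)", search_scope=BASE,
                attributes=["supportedLDAPVersion", "supportedExtension", "namingContexts"])
    return conn.response[0]["attributes"]


if __name__ == "__main__":
    for line in check_root_dse(SAMPLE_ROOT_DSE) or ["Root DSE checks passed"]:
        print(line)
    for e in SAMPLE_ENTRIES:
        print(e["dn"], "->", unique_id(e) or "no entryUUID (would fall back to the DN)")
    print("bind DN for uid=alice:", find_bind_dn(SAMPLE_ENTRIES, "uid", "alice"))
    print("bind DN for cn=Support:", find_bind_dn(SAMPLE_ENTRIES, "cn", "Support"))
```

Run `check_root_dse(fetch_root_dse(host, ca_file))` against a real server to see the same report; a non-empty list means the server will not be supported as a directory source. The entry without entryUUID is the case to watch for: it falls back to the DN, and a later move or rename of that entry would turn it into a "new" user with orphaned settings.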

To add LDAP for the connector

  1. Log in to Admin Portal as a system administrator and go to Settings > Users > Directory Service > Add LDAP Directory.

  2. Provide the required information.

    To map your LDAP instance, click the Mappings tab and see Configure LDAP Directory Service for details on how to map your LDAP instance.

  3. Click Connectors and select the Idaptive Connector to use with this service or let the LDAP server find an available cloud connector.

  4. Click Save.

    LDAP users are now available in the Idaptive Identity Service. Add them to roles so you can grant permissions to applications, enforce authentication profiles, and more.

    For additional information on configuring an LDAP service, see Configure LDAP Directory Service for details.

Add Google as a directory service

If you are using G Suite to store and manage your user information, you can configure Idaptive Identity Service to recognize it as a directory service. Users can then use their Google account details to log in to User Portal.

To add G Suite as a directory service

  1. Log in to Admin Portal as a system administrator.

  2. Click Settings > Users > Directory Service > Add Google Directory.

  3. Click Authorize and enter your G Suite administrator credentials.

  4. (Optional) Click Add to enter a redirect URI if you want your users to use a more recognizable URI that is specific to your organization.

  5. Click Save.

    Google directory users are now available in the Idaptive Identity Service. Add them to roles so you can grant permissions to applications, enforce authentication profiles, and more.

    Repeat the above procedure to add another Google directory.

    If you use Google directory for managing your users, then do not deploy the G Suite SAML application to those same users. If you do, those users will not be able to authenticate into both Google and Idaptive Identity Service because they will be redirected back and forth between Google directory and Idaptive Identity Service.

Add Azure Active Directory as a directory service

If you are using Microsoft Azure Active Directory (AAD) to store and manage your user information, you can configure Idaptive Identity Service to recognize it as a directory service and see the users as managed domain users. You can then add your AAD users to roles and grant permissions to access applications. Your users can then log in to Idaptive Identity Service with their AAD accounts and launch assigned applications.

Idaptive Identity Service currently supports only managed domains for a single instance of Azure Active Directory. Adding multiple Azure Active Directories might have unpredictable results and is not supported.

To add AAD as a directory source, you need to register an application in your Azure account with appropriate access to the Microsoft Graph API. You can then authenticate using the Azure application's Application ID, Directory ID, and Client Secret.

We recommend registering a new Azure application that is specific to its intended purpose. For example, if you are adding Azure Active Directory as a directory source in Idaptive Identity Service in addition to integrating Office 365 for SSO and provisioning, you would register two Azure applications - one for each task. In addition, each registered application should have the minimum set of API permissions required to perform its function.

Step 1: Register an Azure application.

  1. Log in to your Azure account as an administrator.

    https://portal.azure.com

  2. Go to App registrations, then click New registration.

  3. Enter a name for your app.

  4. Select Accounts in this organizational directory only.

  5. Click Register.

    The overview page for your registered app appears.

    Once you register an app, Azure generates an Application (client) ID that is unique for your app. You will later use this ID to add AAD as a directory source in the Idaptive Admin Portal. If you remove the registered app in Azure, the Idaptive Admin Portal will lose AAD user information; AAD user objects already in the Admin Portal will be orphaned. This means you will have to:

    • remove AAD from the Admin Portal and re-add it using a new Application (client) ID
    • update the members list for any roles that included AAD users
    • update application permissions for any apps assigned to individual AAD users

Step 2: Add Certificates & secrets to allow access to the resource server.

  1. Go to Certificates & secrets, then click New client secret.

  2. Enter a description and select an expiration date option, then click Add.

  3. Copy the client secret value and paste it into a text editor for later use.

    The client secret value will be unavailable once you log out, so it's critical to capture the value now.

Step 3: Grant the necessary API permissions to your newly registered app.

  1. Go to API permissions, then click Add a permission.

  2. Click Microsoft Graph.

  3. Click Application permissions.

  4. Scroll down the permissions list and select the following permissions, then click Add permissions.

    • Domain.Read.All

    • Group.Read.All

    • User.Read.All

    Azure updates the permissions for your app; however, you still need to provide admin consent.

    Refer to Microsoft's documentation for more information on the difference between Delegated and Application permissions, as well as reference material for each permission.

  5. Click Grant admin consent for <your company>.

  6. Click Yes on the confirmation prompt.

    Since you are already logged in as an administrator, the notification "Successfully granted admin consent for the requested permissions." appears at the top of the page.

  7. Return to the overview page for the registered application; you will need the information there for the following steps.
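Before entering the values in the Admin Portal, it is worth confirming that the registration from Steps 1 to 3 actually yields what the directory source needs and nothing more. The following is an added example, not Idaptive or Microsoft code, using only the Python standard library: it exchanges the Directory (tenant) ID, Application (client) ID and client secret for a Microsoft Graph access token with the client-credentials grant, then audits the token's `roles` claim against the three application permissions listed in Step 3 and checks the tenant and audience. An empty `roles` claim is the usual symptom of admin consent not having been granted. The token used offline is a constructed, unsigned sample and the tenant ID is a placeholder; a real token is only inspected for what it grants and is never accepted as proof of anything without signature verification.

```python
"""Audit a registered Azure app's Graph token for least privilege.

Added example, not Idaptive or Microsoft code. Sample token and tenant ID are constructed.
"""
import base64
import json
import urllib.parse
import urllib.request

# Application permissions from Step 3; anything beyond these is excess privilege.
EXPECTED_ROLES = {"Domain.Read.All", "Group.Read.All", "User.Read.All"}
# Graph tokens carry one of these audiences (URL form or the Graph application ID).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def token_endpoint(tenant_id):
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def request_app_token(tenant_id, client_id, client_secret):
    """Client-credentials grant against the Microsoft identity platform (network call)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    req = urllib.request.Request(token_endpoint(tenant_id), data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_payload(token):
    """Decode the payload of a compact JWS without verifying it (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def audit_app_token(token, tenant_id, expected_roles=EXPECTED_ROLES):
    """Report missing/excess application permissions and tenant/audience mismatches."""
    claims = jwt_payload(token)
    granted = set(claims.get("roles", []))
    report = {
        "missing": sorted(expected_roles - granted),
        "excess": sorted(granted - expected_roles),
        "tenant_ok": claims.get("tid") == tenant_id,
        "audience_ok": claims.get("aud") in GRAPH_AUDIENCES,
        "consent_granted": bool(granted),  # no roles at all: admin consent not granted yet
    }
    report["ok"] = (not report["missing"] and not report["excess"]
                    and report["tenant_ok"] and report["audience_ok"])
    return report


def make_sample_token(claims):
    """Constructed unsigned token (alg=none) for offline use only; never accept one of these."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real tenant ID
SAMPLE_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "tid": SAMPLE_TENANT,
    # One permission too many: the registration was over-granted.
    "roles": ["Domain.Read.All", "Group.Read.All", "User.Read.All", "Directory.ReadWrite.All"],
})

if __name__ == "__main__":
    print(json.dumps(audit_app_token(SAMPLE_TOKEN, SAMPLE_TENANT), indent=2))
```

With real values, `audit_app_token(request_app_token(tenant, client_id, secret), tenant)` performs the same check; a non-empty `excess` list means the app was granted more than the directory source needs and the extra permission should be removed in the API permissions blade before proceeding.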

Step 4: Add the Azure Active Directory in the Idaptive Admin Portal.

  1. Open a new browser tab and log in to the Idaptive Admin Portal as a member of the system administrator role.

  2. Go to Settings > Users > Directory Services, then click Add Azure Active Directory.

    The Azure Active Directory Service window appears.

  3. Enter a name for the Azure Active Directory.

  4. Copy the following values from the overview page of your registered app in the Azure portal and paste them into the Azure Active Directory Service window in the Admin Portal.

    • Application (client) ID
    • Directory (tenant) ID

  5. Enter the client secret value you saved previously.

  6. Click Authorize.

    Your available domains appear in the table below the Authorize button. Domains not indicated as Federated are considered Managed domains.

    If you add additional custom domains in AAD, you have to re-authorize AAD in the Idaptive Admin Portal before you can query the users and groups.

  7. Below the list of domains, click Copy URL to copy the authenticated redirect URI.

  8. From the Overview page of your registered app in the Azure portal, click Add a redirect URI.

  9. Click Add a platform, then click Web.

  10. Paste the redirect URL you copied from the Idaptive Admin Portal into the Redirect URIs field.

  11. Select ID tokens in the Implicit grant section, then click Configure.

    Your Azure Active Directory users can now log in to Idaptive Identity Service using their Azure Active Directory credentials. Add them to roles so you can grant permissions to applications, enforce authentication profiles, and more.

    After entering a username, users are redirected to login.microsoftonline.com for authentication, then redirected back to the Idaptive User Portal after successfully completing the authentication mechanisms.

    Signing out from Idaptive results in managed domain users signing out from AAD as well; however, due to third-party limitations users are not signed out of the Azure Portal (portal.azure.com).

Add Active Directory as a directory service

To add Active Directory as a directory service you need to install the Idaptive Connector. Refer to Idaptive Connector for more information.

Order directory service lookup

If you have the same username in multiple directory services, you can set the lookup order so your preferred directory service is searched first. For example, you might want LDAP to be searched before AD. Directory services are listed in the order of lookup. You can change the list order to your preferred lookup order.

Idaptive Directory is always listed first, and Federated Directory is always listed last. You can only change the order of AD, LDAP, and Google.

To change the directory lookup order

  1. Click Change Lookup Order.

  2. Drag and drop the listed directory services until they are in the preferred order.

    Directories listed on top are searched first.

  3. Click Save Lookup Order.
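The effect of the lookup order is easiest to see on usernames that exist in more than one source, since the first directory in the order answers for the name and the others are never consulted. The following is an added example, not Idaptive code, that models the rules stated above (Idaptive Directory always first, Federated Directory always last, only Active Directory, LDAP and Google reorderable) and reports, for a given order, which directory wins for every duplicated username and which accounts are hidden behind it. The directory contents are constructed sample data.

```python
"""Model of the directory lookup order and the account shadowing it produces.

Added example, not Idaptive's code. Directory contents below are constructed.
"""
IDAPTIVE = "Idaptive Directory"
FEDERATED = "Federated Directory"
REORDERABLE = {"Active Directory", "LDAP", "Google"}  # the three the page says can be moved

# Constructed sample: directory -> usernames it holds. "alice" and "carol" are duplicated.
SAMPLE_DIRECTORIES = {
    IDAPTIVE: {"admin"},
    "Active Directory": {"alice", "bob"},
    "LDAP": {"alice", "carol"},
    "Google": {"dave", "carol"},
    FEDERATED: {"erin"},
}


def validate_lookup_order(order):
    """Raise ValueError if the order breaks the rules; otherwise return it unchanged."""
    if not order or order[0] != IDAPTIVE or order[-1] != FEDERATED:
        raise ValueError(f"{IDAPTIVE} must be first and {FEDERATED} last")
    middle = order[1:-1]
    if set(middle) - REORDERABLE or len(set(middle)) != len(middle):
        raise ValueError(f"only {sorted(REORDERABLE)} may appear between them, once each")
    return order


def resolve(username, order, directories):
    """Return the directory that answers for username under this order, or None."""
    for name in validate_lookup_order(order):
        if username in directories.get(name, ()):
            return name
    return None


def shadowed_accounts(order, directories):
    """Usernames held by several directories: which one wins and which are hidden."""
    holders = {}
    for name, users in directories.items():
        for user in users:
            holders.setdefault(user, set()).add(name)
    report = {}
    for user, names in holders.items():
        if len(names) > 1:
            winner = resolve(user, order, directories)
            report[user] = {"wins": winner, "hidden": sorted(names - {winner})}
    return report


if __name__ == "__main__":
    order = [IDAPTIVE, "LDAP", "Active Directory", "Google", FEDERATED]
    for user, info in sorted(shadowed_accounts(order, SAMPLE_DIRECTORIES).items()):
        print(f"{user}: {info['wins']} answers; hidden in {info['hidden']}")
```

A non-empty report is the list of accounts to reconcile before changing the order: moving Active Directory ahead of LDAP silently switches which of the two "alice" accounts, with its own password and group memberships, is the one that logs in.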