...
Create the domain user
In Active Directory create a user named svcKeycloak. The user should only need to be a Domain User. Once the user is made, run a dsquery command to get the Bind DN string (e.g. CN=svcKeycloak,OU=ServiceAccounts,OU=Users,OU=VirtualWorks,DC=e1,DC=internal).
Run the following command on the domain controller to assign an SPN to the user and generate a keytab file:
ktpass -out keycloak.keytab -princ HTTP/locator.internal@COMPANY.INTERNAL -mapUser Keycloak@COMPANY.INTERNAL -pass password! -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
Configuring Active Directory integration
Go to the User Storage Federation menu option.
On the right side, there is a list box labeled Add Provider. Select the LDAP provider type and you will be sent to the provider's settings page.
Adjust the settings according to the screen below:
Enter the display name for the provider
Choose Active Directory in the Vendor field
Set Import users to On. Authority Service will import users into its local database.
Set Edit Mode to Read Only. You will be unable to modify the username, email address, first and last names, or any other mapped attributes. Updates to passwords are not supported.
Set Sync registrations to Off. Users created in Authority Service will not be synced back to LDAP.
The remaining settings depend on your particular Active Directory setup; adjust the example to your current configuration. To learn more about these settings, hover your mouse pointer over the tooltips in the Authority Service Admin Console.
Configuring Single Sign On
Info: This configuration is optional. Perform the following steps only if you want to enable Kerberos Single Sign On.
Copy the keycloak.ktab file to <Saga Directory>\volumes\authority\docker-entrypoint.d
In the LDAP provider configuration, turn on Kerberos integration and fill in the details according to the screen below:
Set Allow Kerberos authentication to On
Set your Kerberos Realm (e.g. COMPANY.INTERNAL)
Set your Server principal according to the SPN set on the domain user (e.g. HTTP/locator.internal@COMPANY.INTERNAL)
Point to the keytab file, e.g. c:\docker-entrypoint.d\keycloak.ktab if you have copied the ktab to <Saga Directory>\volumes\authority\docker-entrypoint.d
If you want to debug your configuration, set Debug to On.
Set Use Kerberos For Password Authentication to On.
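Before copying the keytab into docker-entrypoint.d, it is worth verifying that it actually carries the Server principal and kvno entered above, since a mismatch only shows up later as failed ticket decryption. The following Python script is an added example, not part of this page or of the Authority Service product: it parses the MIT keytab format that ktpass writes, reports an SPN or kvno mismatch, and flags a keytab whose only key is RC4-HMAC (which is what the ktpass command above produces with -crypto RC4-HMAC-NT). The sample entry and its 16-byte key are constructed for illustration, not real secrets.

```python
import struct
def build_keytab(principal, realm, kvno, enctype, key):
    """Serialize one entry in MIT keytab v2 format (the layout ktpass writes); key is a dummy."""
    comps = principal.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                   # 32-bit kvno extension
    return b"\x05\x02" + struct.pack(">I", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for every live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size <= 0:                                 # negative size = deleted slot; 0 = end
            pos = pos - size if size else len(data)
            continue
        end = pos + size
        ncomp, rlen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _name_type, _ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        kvno32 = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else 0
        entries.append(("/".join(comps) + "@" + realm, kvno32 or vno8, enctype))
        pos = end
    return entries

def check_keytab(data, expected_spn, expected_kvno=0):
    """Return a list of problems; an empty list means the keytab matches the Keycloak settings."""
    entries = parse_keytab(data)
    matching = [e for e in entries if e[0] == expected_spn]
    problems = [] if matching else [f"no entry for {expected_spn}; found {[e[0] for e in entries]}"]
    for _, kvno, etype in matching:
        if kvno != expected_kvno:
            problems.append(f"kvno {kvno} != {expected_kvno} (ktpass -kvno mismatch breaks ticket decryption)")
        if etype == 23:                               # 23 = arcfour-hmac (RC4) in the IANA registry
            problems.append("RC4-HMAC key only; prefer -crypto AES256-SHA1 if the domain supports it")
    return problems
# Constructed sample: what the page's ktpass command would produce, with a dummy 16-byte key.
SAMPLE = build_keytab("HTTP/locator.internal", "COMPANY.INTERNAL", 0, 23, b"\x11" * 16)
```

Against the real file, call check_keytab(open("keycloak.keytab", "rb").read(), "HTTP/locator.internal@COMPANY.INTERNAL"); an empty list means the keytab matches the Server principal and kvno configured above.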
...
Configuring Active Directory group mappings
This feature enables you to configure group mappings from Active Directory to Authority Service. The group mapper may be used to convert Active Directory groups from a specific branch of an LDAP tree to Authority Service groups. Additionally, it will import user-group mappings from Active Directory to Authority Service user-group mappings.
...
In the LDAP provider configuration go to the Mappers tab
...
Add a new mapper of type group-ldap-mapper
...
Configure as in the example below:
Enter the LDAP Groups DN specific to your AD setup
Enter objectSid as Mapped Group Attributes to import group SIDs
...
Limitations
Active Directory user federation through LDAPS requires that the domain controller has a valid SSL certificate issued by a well-known certificate authority.