
Authority Service imports users from LDAP into the local user database. Synchronization occurs on-demand or via a scheduled background job. There is an exception for password synchronization. Authority Service makes no attempt to import passwords. Password validation is performed on the LDAP server at all times.

Setting up Active Directory user federation

Given that:

  • Locator is available under the https://locator.internal host name

  • AD domain name is COMPANY.INTERNAL

  • Domain controller is at ldap://DC.company.internal

  • AD Users distinguished name is OU=Users, DC=company, DC=internal

you should perform the following steps to set up user federation.

Prerequisites

  1. Create the domain user

    1. In Active Directory, create a user named svcKeycloak. The user only needs to be a Domain User.

    2. Once the user is created, run a dsquery command to get the Bind DN string (e.g. CN=svcKeycloak,OU=ServiceAccounts,OU=Users,DC=company,DC=internal).

Configuring Active Directory integration

Info

User Federation settings depend on your particular Active Directory setup. Adjust the following example to your configuration. To learn more about federation settings, hover your mouse pointer over the tooltips in the Authority Service Admin Console.

  1. Go to the User Storage Federation menu option.

  2. On the right side, there is a list box labeled Add Provider. Select the LDAP provider type and you will be sent to the provider's settings page.

  3. Adjust the settings as follows:

    1. Enter the display name for the provider

    2. Choose Active Directory in Vendor field

    3. Set Import users to On. Authority Service will import users into local database.

    4. Set Edit Mode to Read Only. You will be unable to modify the username, email address, first and last names, or any other mapped attributes. Updates to passwords are not supported.

    5. Set Sync registrations to Off. Users created in Authority Service will not be synced back to LDAP.

    6. Set Username LDAP attribute to “sAMAccountName”. This sets the username of each imported user to its Active Directory user name.

    7. Set Custom User LDAP Filter to (&(objectCategory=Person)(sAMAccountName=*)) to import only users that have the sAMAccountName attribute set.

      1. If you want to restrict the imported users to an AD group, extend the filter with a memberOf clause. For example, to import only users in the SagaUsers group, whose distinguished name is CN=SagaUsers,OU=Groups,DC=company,DC=internal, use the following filter: (&(objectCategory=Person)(sAMAccountName=*)(memberOf=CN=SagaUsers,OU=Groups,DC=company,DC=internal)).

    8. Set Search Scope to Subtree.

    9. Set Bind DN and Bind Credential with the domain user created in prerequisites.

    10. Go to the Mappers tab and edit the "username" mapper. Change LDAP Attribute to sAMAccountName.
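Steps 7 and 7.1 above ask you to type the LDAP filter by hand; a group DN containing characters such as parentheses or an asterisk must be escaped per RFC 4515 or the filter silently changes meaning. The helper below is an added example, not part of the original page or the Authority Service: it builds the filter from the steps above, escapes group DNs, goes beyond the page by optionally matching nested group membership through Active Directory's LDAP_MATCHING_RULE_IN_CHAIN rule, and performs a minimal structural check before you paste the result into the provider settings. All function names and the sample DNs are my own.

```python
"""Build the Custom User LDAP Filter from step 7 / 7.1 above with RFC 4515
escaping and sanity-check it before pasting it into the provider settings."""

# RFC 4515 section 3: these characters must be escaped inside an assertion
# value, otherwise they change the structure of the filter itself.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
# AD's LDAP_MATCHING_RULE_IN_CHAIN OID: makes memberOf follow nested groups.
_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """Escape a DN or other value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(group_dns=(), nested=False):
    """Filter from step 7, optionally restricted to members of any of the
    given groups (step 7.1). nested=True also matches transitive members."""
    attr = f"memberOf:{_IN_CHAIN}:" if nested else "memberOf"
    items = ["(objectCategory=Person)", "(sAMAccountName=*)"]
    if group_dns:
        clauses = "".join(f"({attr}={escape_filter_value(dn)})" for dn in group_dns)
        items.append(clauses if len(group_dns) == 1 else f"(|{clauses})")
    return "(&" + "".join(items) + ")"


def is_well_formed(ldap_filter):
    """Minimal structural check (not a full RFC 4515 parser): parentheses
    balance and no unescaped '(' sits inside an assertion value, which is
    what an unescaped group DN such as 'CN=Saga (Admins),...' would cause."""
    depth, in_value, i = 0, False, 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":          # escaped byte such as \28: skip it whole
            i += 3
            continue
        if ch == "(":
            if in_value:
                return False
            depth += 1
        elif ch == ")":
            depth -= 1
            in_value = False
            if depth < 0:
                return False
        elif ch == "=" and not in_value:
            in_value = True
        i += 1
    return depth == 0
```

Calling build_user_filter() with no arguments returns exactly the filter from step 7, and passing the SagaUsers DN returns the filter from step 7.1.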

Configuring Single Sign On

Info

This configuration is optional. Perform the following steps only if you want to enable Kerberos Single Sign On.

  1. Run the following command on the domain controller to assign the SPN to the service user created in the prerequisites and generate the keytab file (the output file name matches the file copied in the next step):

    ktpass -out keycloak.ktab -princ HTTP/locator.internal@COMPANY.INTERNAL -mapUser svcKeycloak@COMPANY.INTERNAL -pass password! -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

  2. Copy the keycloak.ktab file to <Saga Directory>\volumes\authority\docker-entrypoint.d

  3. In the LDAP provider configuration, turn on Kerberos integration and fill in the details as follows:

    1. Set Allow Kerberos authentication to ON

    2. Set your Kerberos Realm (e.g. COMPANY.INTERNAL).

    3. Set your Server principal according to the SPN set on the domain user (e.g. HTTP/locator.internal@COMPANY.INTERNAL).

    4. Point Keytab to the keytab file, e.g. c:\docker-entrypoint.d\keycloak.ktab if you copied the file to <Saga Directory>\volumes\authority\docker-entrypoint.d.

    5. If you want to debug your configuration, set Debug to On.

    6. Set Use Kerberos For Password Authentication to On.


Limitations

Active Directory user federation through LDAPS requires that the domain controller has a valid SSL certificate issued by a well-known authority.