Existing external user databases can be federated with the Authority Service. By default, the Authority Service supports LDAP and Active Directory. When a user logs in, the Authority Service first looks the user up in its internal user database. If the user is not found there, it searches all User Storage providers configured for the realm until one returns a match. The Authority Service then retrieves the user's data from the external store and converts it into its internal common user model. Multiple different LDAP servers can be federated in the same Authority Service realm. LDAP user attributes are mapped into the Authority Service common user model; by default username, email, first name and last name are mapped, and additional mappings can be configured.
The Authority Service imports users from LDAP into its local user database. Synchronization happens on demand (at login) or through a scheduled background job. Passwords are the exception: the Authority Service never imports them, and password validation is always performed by the LDAP server.
# Setting up Active Directory user federation

- [Introduction](#introduction)
- [Prerequisites](#prerequisites)
- [Configure Active Directory User Federation](#configure-active-directory-user-federation)
- [Configuring Active Directory With LDAPS](#configuring-active-directory-with-ldaps)
- [Exporting Certificate Authority From The Domain Controller](#exporting-certificate-authority-from-the-domain-controller)
- [Configuring Single Sign-On](#configuring-single-sign-on)
- [Limitations](#limitations)

## Introduction

The Authority Service can be configured to sync with external user databases to provide single sign-on in two ways:

- via User Federation (the method used to sync with Active Directory)
- via Identity Brokering (the method used to sync with Azure Active Directory)

This page describes how to set up the Authority Service for user federation with Active Directory. The examples on this page assume that:

- Locator is available under the host name https://locator.internal
- the AD domain name is COMPANY.INTERNAL
- the domain controller is at ldap://DC.company.internal
- the distinguished name of the AD users container is OU=Users, DC=company, DC=internal

Adjust these values to your own environment when performing the steps below.

## Prerequisites

- The LDAP connection URL to the Active Directory domain, for example *ldaps://dc01.company.internal* or *ldap://dc01.company.internal*.
- The full distinguished name (DN) of the LDAP tree where users are stored. The DN is the parent of the LDAP users, for instance *OU=Users, DC=company, DC=internal*.
- An Active Directory service account that the Authority Service will use to access Active Directory:
  - In Active Directory, create a user named *svcSagaKeycloak*. The user only requires Domain User permissions.
  - Once the user is created, run a *dsquery* command to get its Bind DN string (e.g. *CN=svcSagaKeycloak,OU=ServiceAccounts,OU=Users,DC=company,DC=internal*).

## Configure Active Directory User Federation

**_NOTE:_** User Federation settings depend on the particular Active Directory setup. Adjust the following example to your own configuration. To learn more about a federation setting, hover the mouse pointer over its tooltip in the Authority Service Admin Console.

- Go to the Authority Service Admin Console; see *Configuring the Authority Service* in the [Install Guide](https://ayfie-dev.atlassian.net/wiki/spaces/SAGA/pages/2400714758/Ayfie+Locator+Installation+Guide).
- In the upper left corner, make sure the Saga realm is the one being displayed.
- Go to the User Federation menu option.
- On the right side there is a list box labeled Add Provider. Select the LDAP provider type; you will be taken to the provider's settings page.
- Adjust the settings:
  - In Console Display Name, enter the display name *Active Directory*.
  - In Vendor, choose *Active Directory*.
  - In Import Users, set to *On*. The Authority Service will import users into its internal database.
  - In Edit Mode, set to *Read Only*. You will be unable to modify the username, email address, first and last names, or any other mapped attributes. Updates to passwords are not supported.
  - In Sync registrations, set to *Off*. Users created in the Authority Service will not be synced back to Active Directory.
  - In Username LDAP attribute, set to *sAMAccountName*. This sets the username of an imported user to its Active Directory user name.
  - In Custom User LDAP Filter, set to `(&(objectCategory=Person)(sAMAccountName=*))`. This only imports users that have the sAMAccountName attribute set. To restrict the import to the members of a specific Active Directory group, extend the filter with a memberOf clause. For example, to import only users in the *SagaUsers* group, whose distinguished name is *CN=SagaUsers,OU=Groups,DC=company,DC=internal*, use the filter `(&(objectCategory=Person)(sAMAccountName=*)(memberOf=CN=SagaUsers,OU=Groups,DC=company,DC=internal))`.
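The Custom User LDAP Filter is usually typed by hand, but the group DN it embeds comes from the directory and may contain characters that are special in LDAP filter syntax. The following is an added example, not part of the Authority Service or of this page's procedure: it assembles the filter from a list of group DNs with RFC 4515 escaping, generalising the single-group case above to several groups, and adds a structural sanity check. The default filter and the *SagaUsers* DN are the page's values; the other group names are constructed, and the nested-group option uses Active Directory's LDAP_MATCHING_RULE_IN_CHAIN matching rule.

```python
"""Build and sanity-check a Custom User LDAP Filter for the Active Directory provider.

Added example; it is not part of the Authority Service or of this page's procedure.
The default filter and the SagaUsers group DN are the page's values, the other group
DNs used in the demo are constructed for illustration.
"""

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN OID; makes memberOf walk nested groups.
_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot alter the filter structure (prevents LDAP filter injection)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(group_dns=(), require_all=False, nested=False) -> str:
    """Return the provider's Custom User LDAP Filter.

    With no groups this is the page's default filter. Each group DN adds a memberOf clause;
    with several groups the user must be in any of them (or all, if require_all is set).
    nested=True uses the in-chain matching rule so members of sub-groups also match.
    """
    attr = f"memberOf:{_IN_CHAIN}:" if nested else "memberOf"
    clauses = [f"({attr}={escape_filter_value(dn)})" for dn in group_dns]
    if len(clauses) > 1:
        group_part = "(" + ("&" if require_all else "|") + "".join(clauses) + ")"
    else:
        group_part = "".join(clauses)
    # (sAMAccountName=*) is a presence test, so its asterisk is deliberately not escaped.
    return f"(&(objectCategory=Person)(sAMAccountName=*){group_part})"


def filter_is_well_formed(ldap_filter: str) -> bool:
    """Structural check: one outer group, balanced parentheses, no text outside parentheses."""
    if not ldap_filter.startswith("(") or not ldap_filter.endswith(")"):
        return False
    depth = 0
    for i, ch in enumerate(ldap_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            # Depth may only return to zero at the very last character.
            if depth < 0 or (depth == 0 and i != len(ldap_filter) - 1):
                return False
    return depth == 0


if __name__ == "__main__":
    print(build_user_filter())
    print(build_user_filter(["CN=SagaUsers,OU=Groups,DC=company,DC=internal"]))
    # Constructed second group with characters that need escaping, matched through nesting.
    print(build_user_filter(["CN=SagaUsers,OU=Groups,DC=company,DC=internal",
                             "CN=Ops (Tier 1),OU=Groups,DC=company,DC=internal"], nested=True))
```

Plain `memberOf` only matches direct members of the group; if SagaUsers contains other groups whose members should also be imported, use the nested variant or add those groups explicitly.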
Then set the connection and bind settings and verify them:

- In Connection URL, set the LDAP connection URL.
- In Search Scope, set to *Subtree*.
- In Bind DN and Bind Credential, set the Active Directory service user created in [Prerequisites](#prerequisites).
- Click *Test connection* and *Test authentication* and validate success.
- Click *Save*.

Next, configure the attribute mappers:

- Go to the User Federation menu option and choose *Active Directory*.
- Go to the Mappers tab.
- Click the *username* mapper to edit it:
  - In LDAP Attribute, set to *sAMAccountName*.
  - Click Save.
- Click Create:
  - In Name, set *user*.
  - In Mapper Type, set *user-attribute-ldap-mapper*.
  - In User Model Attribute, set *user*.
  - In LDAP Attribute, set *sAMAccountName*.
  - Click Save.
- Click Create:
  - In Name, set *source*.
  - In Mapper Type, set *hardcoded-attribute-mapper*.
  - In User Model Attribute Name, set *source*.
  - In Attribute Value, set *ad*.
  - Click Save.
- Click Create:
  - In Name, set *upn*.
  - In Mapper Type, set *user-attribute-ldap-mapper*.
  - In User Model Attribute, set *upn*.
  - In LDAP Attribute, set *sAMAccountName*.
  - Click Save.

Finally, synchronize the users:

- Go to the Settings tab and click *Synchronize all users*.
- Go to the Sync Settings section and configure the synchronization method. The recommended method is *Periodic Changed User Sync*.
- Click Save.
- Go to the Users menu option, click *View all users* and validate that the users have been imported into the internal database.

## Configuring Active Directory With LDAPS

Active Directory user federation through LDAPS requires that the domain controller has a valid SSL certificate issued by a well-known authority. Otherwise the Certificate Authority has to be imported manually into the Authority Service. To import the certificate, copy the certificate file to *D:\Program Files\ayfie\saga\volumes\authority\docker-entrypoint.d* (the path assumes the recommended install directory) and then restart the Authority Service.

### Exporting Certificate Authority From The Domain Controller

To export the Certificate Authority from the domain controller, do the following:

- Open the Control Panel.
- Open *Manage Computer Certificates*.
- Go to *Trusted Root Certification* and find the Root CA.
- Open the certificate and go to Details.
- Select *Copy To File...* and then the *DER encoded binary X.509 (.CER)* option in the export wizard.

## Configuring Single Sign-On

**_NOTE:_** This configuration is optional. Perform the following steps only if you want to enable Kerberos Single Sign-On.

Run the following command on the domain controller to assign a SPN to the service user and generate a keytab file:

```
ktpass -out keycloak.keytab -princ HTTP/GatewayHostName@COMPANY.INTERNAL -mapUser svcSagaKeycloak@COMPANY.INTERNAL -pass password! -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
```

- Replace *GatewayHostName* with the Gateway Hostname set in Saga, see the [Install Guide](https://ayfie-dev.atlassian.net/wiki/spaces/SAGA/pages/2400714758/Ayfie+Locator+Installation+Guide).
- Replace *COMPANY.INTERNAL* with the Active Directory domain name.
- Replace *svcSagaKeycloak@COMPANY.INTERNAL* with the service user created in [Prerequisites](#prerequisites).
- Copy the generated *keycloak.keytab* file to *D:\Program Files\ayfie\saga\volumes\authority\docker-entrypoint.d* (the path assumes the recommended install directory).
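Before the keytab is copied into the Authority Service volume it is worth checking what ktpass actually wrote: that the entry carries the expected HTTP/host@REALM principal and the KRB5_NT_PRINCIPAL name type, which kvno it has, and which encryption type it uses. The following is an added example, not part of the Authority Service or of this page's procedure: a parser for the MIT keytab format (version 0x0502) that ktpass produces, plus a writer used only to construct a sample keytab inline so the check runs offline. The principal is the SPN implied by this page's scenario (HTTP/locator.internal@COMPANY.INTERNAL); the 16-byte key is a constructed placeholder, not derived from any password. The check flags RC4-HMAC, the type the ktpass command above requests, as deprecated (RFC 8429), so that you can decide whether an AES type is usable with your Authority Service version.

```python
"""Inspect a Kerberos keytab before handing it to the Authority Service.

Added example; it is not part of the Authority Service or of this page's procedure.
Parses the MIT keytab format (version 0x0502) as written by ktpass and reports the
principal, name type, kvno and encryption type of each entry. Key bytes are never shown.
"""
import struct
import time

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "rc4-hmac",
}
DEPRECATED_ENCTYPES = {1, 3, 16, 23}  # DES, 3DES (RFC 6649) and RC4 (RFC 8429)
KRB5_NT_PRINCIPAL = 1                 # the -ptype the ktpass command on this page uses


def parse_keytab(data: bytes):
    """Return a list of dicts, one per entry, in keytab order."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                       # negative length marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", data[pos:pos + 2])
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        name_type, timestamp, vno8, enctype, klen = struct.unpack(">IIBHH", data[pos:pos + 13])
        pos += 13 + klen                   # skip the key itself; secrets are never reported
        kvno = vno8
        if end - pos >= 4:                 # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack(">I", data[pos:pos + 4])
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "timestamp": timestamp, "kvno": kvno, "enctype": enctype, "key_len": klen})
    return entries


def check_keytab(data: bytes, expected_principal: str, expected_kvno=None):
    """Return {"found": bool, "entries": [...], "warnings": [...]} for the expected principal."""
    matches = [e for e in parse_keytab(data) if e["principal"] == expected_principal]
    warnings = []
    for e in matches:
        name = ENCTYPE_NAMES.get(e["enctype"], f"enctype {e['enctype']}")
        if e["name_type"] != KRB5_NT_PRINCIPAL:
            warnings.append(f"name type {e['name_type']} is not KRB5_NT_PRINCIPAL")
        if expected_kvno is not None and e["kvno"] != expected_kvno:
            warnings.append(f"kvno {e['kvno']} differs from expected {expected_kvno}")
        if e["enctype"] in DEPRECATED_ENCTYPES:
            warnings.append(f"{name} is deprecated; prefer aes256-cts-hmac-sha1-96 where supported")
    return {"found": bool(matches), "entries": matches, "warnings": warnings}


def make_keytab(principal: str, key: bytes, enctype: int, kvno: int = 0,
                name_type: int = KRB5_NT_PRINCIPAL) -> bytes:
    """Write a single-entry keytab; used here only to construct sample input offline."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", name_type, int(time.time()), kvno & 0xFF, enctype, len(key)) + key
    body += struct.pack(">I", kvno)        # 32-bit kvno extension, as current tools write it
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


# Constructed sample: the SPN from this page's scenario with a placeholder key (not a real one).
SAMPLE_PRINCIPAL = "HTTP/locator.internal@COMPANY.INTERNAL"
SAMPLE_KEYTAB = make_keytab(SAMPLE_PRINCIPAL, bytes(range(16)), enctype=23, kvno=0)

if __name__ == "__main__":
    # To check a real file: check_keytab(open("keycloak.keytab", "rb").read(), SAMPLE_PRINCIPAL, 0)
    report = check_keytab(SAMPLE_KEYTAB, SAMPLE_PRINCIPAL, expected_kvno=0)
    for e in report["entries"]:
        print(e["principal"], "kvno", e["kvno"], ENCTYPE_NAMES.get(e["enctype"]))
    for w in report["warnings"]:
        print("warning:", w)
```

A keytab is a credential: treat the copied file like a password, restrict its permissions on the volume, and remove any stray copies left on the domain controller after the transfer.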
Then enable Kerberos integration in the LDAP provider configuration:

- Go to the User Federation menu option and choose *Active Directory*.
- Go to the Kerberos Integration section and adjust the settings:
  - In Allow Kerberos Authentication, set to *On*.
  - In Kerberos Realm, set the domain name, e.g. *COMPANY.INTERNAL*.
  - In Server Principal, set the SPN assigned to the service user (e.g. *HTTP/locator.internal@COMPANY.INTERNAL*).
  - In Keytab, set *c:\docker-entrypoint.d\keycloak.keytab*.
  - In Debug, set to *On* if you want to debug the configuration.
  - In Use Kerberos For Password Authentication, set to *On*.
- Click Save.

## Limitations

An additional requirement is that the FQDN used to access the Saga applications has to be added to the Local Intranet Zone on the client machines (unless this already happens automatically for all domain users).