External user databases that already exist can be federated with Authority Service. By default, the Authority Service supports LDAP and Active Directory. When a user logs in, Authority Service looks up the person in its internal user database. If it is unable to identify it there, it will search across all User Storage providers configured for the realm until it finds one that matches. The Authority Service retrieves data from the external store and converts it to a internal common user model. It is possible to federate multiple different LDAP servers in the same Authority Service realm. You can map LDAP user attributes into the Authority Service common user model. By default, it maps username, email, first name, and last name, but you are free to configure additional mappings.
Authority Service imports users from LDAP into the local user database. Synchronization occurs on-demand or via a scheduled background job. There is an exception for password synchronization. Authority Service makes no attempt to import passwords. Password validation is performed on the LDAP server at all times.
Setting up Active Directory user federation
Given that:
Locator is avaible under
https://locator.internalhost nameAD domain name is
COMPANY.INTERNALDomain controller is at
ldap://DC.company.internalAD Users distinguished name is
OU=Users, DC=company, DC=internal
you should perform following steps to setup user federation.
Prerequisites
Create the domain user
...
In Active directory create user named svcKeycloak. The user should only need to be a Domain User.
...
| Markdown |
|---|
- [Introduction](#introduction) - [Prerequisites](#prerequisites) - [Configure Active Directory User Federation](#configure-active-directory-user-federation) - [Configuring Single Sign-On](#configuring-single-sign-on) - [Private Certificate Authority](#private-certificate-authority) ## Introduction The Authority Service can be configured to sync up with external user databases to provide single-sign on in two ways: - Via User Federation (the method used to sync up with Active Directory) - Via Identity Brokering (the method used to sync up with Azure Active Directory) This documentation describes how to set the Authority Service up to do user federation with Active Directory. Once the Authority Service has been set up to sync with Active Directory, the Authority Service will upon a user login first try to find the user in its internal user database. If the user is not there, the Authority Service will then retrieve the user's data from Active Directory and store it internally. ## Prerequisites - The **LDAP connection URL** to the Active Directory domain, for instance *ldaps://dc01.company.internal* - The **Users DN**. That is, the full distinguished name (DN) of the LDAP tree where users are stored, for instance *OU=Users, DC=company, DC=internal* - Create an **Active Directory service account** with Domain User permissions (in the rest of this documentation we will assume that the user was given the name *svcSagaKeycloak*). - The **password** of service account *svcSagaKeycloak* - The **Bind DN** string of service account *svcSagaKeycloak*, for instance *CN=svcSagaKeycloak,OU=ServiceAccounts,OU=Users,DC=company,DC=internal |
...
Configuring Active Directory integration
| Info |
|---|
User Federation settings are dependent on particular Active Directory setup. You should adjusts following example to your current configuration. To learn more about federation settings, hover your mouse pointer over the tooltips in the Authority Service Admin Console. |
...
Go to User Storage Federation menu option
...
On the right side, there is a list box labeled Add Provider. Select the LDAP provider type and you will be sent to the provider's settings page.
Adjusts settings according to screen below:
...
Enter the display name for the provider
...
Choose Active Directory in Vendor field
...
Set Import users to On. Authority Service will import users into local database.
...
Set Edit Mode to Read Only. You will be unable to modify the username, email address, first and last names, or any other mapped attributes. Updates to passwords are not supported.
...
Set Sync registrations to Off. Users created in Authority Service will not be synced back to LDAP.
...
Set Username LDAP attribute to “sAMAccountName”. This will set username of imported user to it’s Active Directory user name.
...
* - Import the **Private Certificate Authority root certificate** if _ldaps_ connection is using a SSL certificate issued by a private Certificate Authority. See [Private Certificate Authority](#private-certificate-authority) for details. For Single Sign-On there are these additional prerequisites: - The output file **keycloak.keytab** from running the command below with a Domain Admin user ``` ktpass -out keycloak.keytab -princ HTTP/<GATEWAY_HOSTNAME>@<UPPER_CASE_AD_DOMAIN_NAME> -mapUser <USER_NAME>@<UPPER_CASE_AD_DOMAIN_NAME> -pass <USER_PASSWORD> -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto <CRYPTO> ``` - The Saga **\<GATEWAY_HOSTNAME\>**, for instance *search.company.com*. See Section *Gateway Hostname* of the [Ayfie Locator Installation Guide](#https://ayfie-dev.atlassian.net/wiki/spaces/SAGA/pages/2400714758/Ayfie+Locator+Installation+Guide) - The **\<UPPER_CASE_AD_DOMAIN_NAME\>**, for instance *COMPANY.INTERNAL* - The service user **\<USER_NAME\>**, for instance *svcSagaKeycloak* - The service user **\<USER_PASSWORD\>**, for instance *super_secret* - The encryption type to use **\<CRYPTO\>**, for instance *AES256-SHA1* - See [ktpass](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/ktpass) for the supported encryption types - One must make sure the chosen encryption type is allowed in the domain, see article [Network security: Configure encryption types allowed for Kerberos](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos) ## Configure Active Directory User Federation - Log in to the Authority Service Admin Console (section *Configuring the Authority Service* of the [Ayfie Locator Install Guide](#https://ayfie-dev.atlassian.net/wiki/spaces/SAGA/pages/2400714758/Ayfie+Locator+Installation+Guide) explains how) - Go to *User Federation* menu option - Click *Add new provider*. Select the *LDAP* provider type and the provider's settings page will appear - Adjust the settings to these values: - *UI Display Name*: **Active Directory** - *Connection URL*: **\<the LDAP connection URL from the prerequisite section above\>** - *Bind DN*: **\<the Bind DN from the prerequisite section above\>** - *Bind Credential*: **\<the Password from the prerequisite section above\>** - *Edit Mode*: **READ_ONLY** - *Users DN*: **\<the Users DN from the prerequisite section above\>** - *Username LDAP attribute*: **sAMAccountName** - *User LDAP Filter*: **(&(objectCategory=Person)(sAMAccountName=\*)) |
...
** - If one wants to filter users to be imported by a specific Active Directory Group, then extend the filter with a memberOf clause. For example, given that one wants to import users in the *SagaUsers* group only and the distinguished name of that group is *CN=SagaUsers,OU=Groups,DC=company,DC=internal*, then use following filter *(&(objectCategory=Person)(sAMAccountName=\*)(memberOf=CN=SagaUsers,OU=Groups,DC=company,DC=internal)) |
...
Set Search Scope to Subtree.
...
Set Bind DN and Bind Credential with the domain user created in prerequisites.
...
Go to Mappers tab and edit "username" mapper. Change LDAP Attribute to sAMAccountName
Configuring Single Sign On
| Info |
|---|
This configuration is optional. Perform following steps only if you want to enable Kerberos Signle Sign On. |
...
Run the following command on domain controller to assign a SPN to the user and generate a keytab file:
| Code Block |
|---|
ktpass -out keycloak.keytab -princ HTTP/locator.internal@COMPANY.INTERNAL -mapUser Keycloak@COMPANY.INTERNAL -pass password! -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT |
...
* . - *Search Scope*: **Subtree** - *Sync Registrations*: **OFF** - *Periodic Changed User Sync*: **ON** - Click the *Test connection* and *Test authentication* buttons to verify the configuration. - Click *Save* - Go back to the page that was just saved (select *User Federation* and then *Active Directory*) - Go to Mappers tab: - Click *username* mapper and verify the setting: - *LDAP Attribute*: **sAMAccountName** - Click *Save* and go back up a level - Click *Add Mapper* - *Name*: **user** - *Mapper Type*: **user-attribute-ldap-mapper** - *User Model Attribute*: **user** - *LDAP Attribute*: **sAMAccountName** - Click *Save* and go back up a level - Click *Add Mapper* - *Name*: **source** - *Mapper Type*: **hardcoded-attribute-mapper** - *User Model Attribute*: **source** - *Attribute Value*: **ad** - Click *Save* and go back up a level - Click *Add Mapper* - *Name*: **upn** - *Mapper Type*: **user-attribute-ldap-mapper** - *User Model Attribute*: **upn** - *LDAP Attribute*: **sAMAccountName** - Click *Save* and go back up a level - In the Actions drop-down, select *Sync all users*. - Click *Users* in section *Manage* in the left side menu - Perform a search and validate that users are imported to the internal database ## Configuring Single Sign-On This configuration is optional and only required if one wants to enable Single Sign-On, something that is done via Kerberos. - Copy the keycloak.keytab file from the prerequisite section above to *D:\Program Files\ayfie\saga\volumes\authority\docker-entrypoint.d |
...
In LDAP provider configuration, turn on Kerberos integration and fill in details according to screen below
...
Set Allow Kerberos authentication to ON
...
Set your Kerberos Realm (ie. COMPANY.INTERNAL)
...
Set your Server principal according to spn set on domain user (ie. HTTP/locator.internal@COMPANY.INTERNAL)
...
\* (the path assumes recommended install directory) - Go to User Federation menu option and choose *Active Directory*. - Go to Kerberos Integration section and adjust settings: - *Allow Kerberos Authentication*: **ON** - *Kerberos Realm*: **\<UPPER_CASE_AD_DOMAIN_NAME\>** - *Server Principal*: **HTTP/\<Gateway Hostname\>@\<UPPER_CASE_AD_DOMAIN_NAME\>**) - *Keytab*: **c:\docker-entrypoint.d\keycloak. |
...
If you want to debug your configuration, set Debug to On.
...
Set Use Kerberos For Password Authentication to On.
...
Limitations
...
keytab**
- *Use Kerberos For Password Authentication*: **ON**
- Click *Save*
- Go to *Authentication* menu option, click the *browser* flow and adjusts the settings to these values:
- *Kerberos*: **Alternative**
An additional requirement is that the FQDN used to access Saga applications, has to be added to the Local Intranet Zone on the client machines (unless this already happens automatically for all domain users) for Edge and Chrome browsers. For Firefox one must make sure the setting *network.negotiate-auth.trusted-uris* in *about:config* contains the *\<Gateway Hostname\>* from the prerequisites section.
## Private Certificate Authority
If the _ldaps_ connection is using a SSL certificate issued by a private Certificate Authority (CA), the private CA root certificate needs to be imported into the authority service Docker container. Such cases will produce an "unable to find valid certification path to requested target" error message in the logs (service.log). The most typical such use case is when the customer's own IT department operates as the CA. Consult the *Private Certificate Authority* section of the [Installation Guide](https://ayfie-dev.atlassian.net/wiki/spaces/SAGA/pages/2400714758/Ayfie+Locator+Installation+Guide) for how to import the private CA root certificate.
|