Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

External user databases that already exist can be federated with Authority Service. By default, the Authority Service supports LDAP and Active Directory. When a user logs in, Authority Service looks up the person in its internal user database. If it is unable to identify it there, it will search across all User Storage providers configured for the realm until it finds one that matches. The Authority Service retrieves data from the external store and converts it to a internal common user model. It is possible to federate multiple different LDAP servers in the same Authority Service realm. You can map LDAP user attributes into the Authority Service common user model. By default, it maps username, email, first name, and last name, but you are free to configure additional mappings.

Authority Service imports users from LDAP into the local user database. Synchronization occurs on-demand or via a scheduled background job. There is an exception for password synchronization. Authority Service makes no attempt to import passwords. Password validation is performed on the LDAP server at all times.

Setting up Active Directory user federation

Given that:

  • Locator is avaible under https://locator.internal host name

  • AD domain name is COMPANY.INTERNAL

  • Domain controller is at ldap://DC.company.internal

  • AD Users distinguished name is OU=Users, DC=company, DC=internal

you should perform following steps to setup user federation.

Prerequisites

  1. Create the domain user

    1. In Active directory create user named svcKeycloak. The user should only need to be a Domain User.

    2. Once the user is made, run a dsquery command to get the Bind DN string (ie. CN=svcKeycloak,OU=ServiceAccounts,OU=Users,OU=VirtualWorks,DC=e1,DC=internal)

  2. Run the following command on domain controller to assign a SPN to the user and generate a keytab file:

    ktpass -out keycloak.keytab -princ HTTP/locator.internal@COMPANY.INTERNAL -mapUser Keycloak@COMPANY.INTERNAL -pass password! -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

Configuring Active Directory integration

  1. Go to User Storage Federation menu option

  2. On the right side, there is a list box labeled Add Provider. Select the LDAP provider type and you will be sent to the provider's settings page.

  3. Adjusts settings according to screen below:

    1. Enter the display name for the provider

    2. Choose Active Directory in Vendor field

    3. Set Import users to On. Authority Service will import users into local database.

    4. Set Edit Mode to Read Only. You will be unable to modify the username, email address, first and last names, or any other mapped attributes. Updates to passwords are not supported.

    5. Set Sync registrations to Off. Users created in Authority Service will not be synced back to LDAP.

    6. The remaining settings are dependent on particular Active Directory setup. You should adjusts example to your current configuration. To learn more about these settings, hover your mouse pointer over the tooltips in the Authority Service Admin Console.

Configuring Kerberos integration

  1. Copy keycloak.ktab file to <Saga Directory>\volumes\authority\docker-entrypoint.d

  2. In LDAP provider configuration, turn on Kerberos integration and fill in details according to screen below

    1. Set Allow Kerberos authentication to ON

    2. Set your Kerberos Realm (ie. COMPANY.INTERNAL)

    3. Set your Server principal according to spn set on domain user (ie. HTTP/locator.internal@COMPANY.INTERNAL)

    4. Point to keytabfile ie. c:\docker-entrypoint.d\keycloak.ktab if you have copied ktab to <Saga Directory>\volumes\authority\docker-entrypoint.d

    5. If you want to debug your configuration, set Debug to On.

    6. Set Use Kerberos For Password Authentication to On.

Configuring Active Directory group mappings

This feature enables you to configure group mappings from Active Directory to Authority Service. The group mapper may be used to convert Active Directory groups from a specific branch of an LDAP tree to Authority Service groups. Additionally, it will import user-group mappings from Active Directory to Authority Service user-group mappings.

  1. In LDAP provider configuration go to the Mappers tab

  2. Add new mapper of type group-ldap-mapper

  3. Configure as in example below

    1. Enter LDAP Groups DN specific for your AD setup

    2. Enter objectSid as Mapped Group Attributes to import group sids

Limitations

Active Directory user federation through LDAPS requires that the domain controller has a valid SSL certificate issued by a well-known authority.

  • No labels