Identity as a Service:Bind IDaaS to AD

Last Updated:Jul 26, 2024

This topic describes how to configure and use Active Directory (AD) to interact with IDaaS.

About AD

Overview

AD is a directory service that runs on Microsoft Windows Server. AD allows administrators to centrally manage computers, user services, network resources, and permissions within domains in medium and large network environments.

Note

The network endpoint feature allows you to synchronize data from AD and delegate authentication to AD without the need to open public ports.

Bind IDaaS to AD

Log on to the IDaaS console. In the left-side navigation pane, click Quick Start or IdPs. On the page that appears, click Bind AD.

Step 1: Connect to AD

Configure the AD information in IDaaS.


  • Nickname: the name that is displayed to a user when the user logs on to and uses IDaaS.

  • Network Access Endpoint: the network endpoint of the IDaaS instance. If you want to allow only IDaaS to access the AD server, add the network endpoint to the IP address whitelist on the AD server. If an IDaaS instance uses a shared endpoint, the IDaaS instance is provided with a shared and fixed public outbound IP address. If an IDaaS instance uses a dedicated endpoint, the IDaaS instance is provided with a dedicated and custom private outbound IP address and a public outbound IP address. An IDaaS instance with a dedicated endpoint can access your Alibaba Cloud Virtual Private Cloud (VPC) over a private network. This way, you can allow the IDaaS instance to access your AD without the need to open public ports. For more information, see Endpoints.

  • Server Address: the address of the AD server, such as 127.0.0.1:389. By default, port 389 is used for AD. Port 636 is used if LDAPS or StartTLS is enabled.

  • Enable StartTLS: specifies whether to enable StartTLS. We recommend that you enable LDAPS or StartTLS to improve the security of the connection. For more information about how to enable LDAPS or StartTLS, see the AD security configuration section of this topic.

  • Administrator Account: the AD administrator account used by IDaaS to read AD information for data synchronization or delegated authentication. The account must have read permissions at a minimum. Enter the value in the User Principal Name (UPN) format such as example@example.com or Distinguished Name (DN) format such as cn=admin, ou=technical department, dc=example, dc=com.

  • Administrator Password: the logon password of the administrator account.

Step 2: Select features based on your scenario

Select the features that you want to use when IDaaS interacts with AD.


Features

  • Synchronization Direction: The data of the AD user or organization selected as the source node is imported to the IDaaS destination node. Enter the DN of the AD node as the source node. In normal cases, the DN of the AD root node is dc=example, dc=com (your domain).

Note

Only synchronization from AD to IDaaS is supported. Synchronization from IDaaS to AD is not supported.

  • Incremental Synchronization: IDaaS listens to the data of AD users or organizations, and synchronizes the changed data from AD to IDaaS every 10 minutes. If a large amount of data is involved in a single synchronization, latency may occur. We recommend that you perform full data synchronization on a regular basis to ensure data consistency between AD and IDaaS.

    • You can set mapping identifiers in the Field Mapping step. The system matches a field of the IDaaS account, such as Mobile Phone Number, to the same field of the AD user. If the matching is successful, the existing IDaaS account is bound to the AD user and updated. Otherwise, an IDaaS account is created.

    • When incremental synchronization is performed for the first time, full data synchronization is automatically performed.

    • Failure to import a single data entry does not affect the import of other data entries.

    • You can view the failure information in synchronization logs.

    • You must enable AD Recycle Bin to receive messages about deletion events in AD. For more information about how to enable this feature, see the Incremental synchronization section of this topic.

  • Delegated Authentication: If this feature is enabled, a user can log on to IDaaS by using an AD username and password.

  • Automatic Password Update: When a user attempts to log on to IDaaS by using AD delegated authentication, if the password of the IDaaS account is empty, the password is automatically updated to the password of the AD user. The AD password must meet the requirements specified in the password policies of IDaaS. Otherwise, the IDaaS password cannot be automatically updated to the AD password.

Advanced Settings

  • User/Organization ObjectClass: You can use ObjectClass to define a type of object as a user or organization. For example, the object whose ObjectClass is user in the query result is considered a user. In most cases, no modification is required.

  • User Sign-in ID: When a user attempts to log on to IDaaS by using AD delegated authentication, IDaaS uses the specified attributes to look up the user in AD and then verifies the password. If the password is correct, the user is allowed to log on to IDaaS. You can separate multiple attributes with commas (,). In this case, the attributes are in the OR relationship, which means that a user can log on to IDaaS with any one of them. Make sure that all of the attributes resolve to the same AD user. Otherwise, the user cannot log on to IDaaS.

  • FILTER Statement for Filtering Users: If you want to synchronize specific users from different organizations to IDaaS, you can use a custom filter statement to filter users. Only users that meet the filter conditions can be synchronized to IDaaS. By default, the filter statement contains ObjectClass conditions in the AND relationship. You can click View Details to view the complete statement. For more information, see the Filter section of this topic.

Step 3: Configure field mapping

If you already have data in IDaaS and need to bind an AD user or organization to an IDaaS account or organization, or if you want to use the data of some fields of the AD user as the data of the IDaaS account, you must configure field mapping in this step. For example, you must configure the field mapping if you want to use the mobile phone number of an AD user as the name of an IDaaS account.


For more information, see the Field mapping section of this topic.

AD security configuration

By default, data is transmitted in plaintext without encryption or protection in AD. This may cause data theft. You can use LDAPS or StartTLS to improve the security of data transmission. After you configure a certificate in AD, you can use LDAPS or StartTLS in IDaaS. We recommend that you enable LDAPS or StartTLS.

In Server Manager, install the required roles, promote the server to a domain controller, add the certificate (use SHA256 as the signature algorithm), and then configure the certificate.

After you configure the certificate, you can obtain the certificate fingerprint in IDaaS so that IDaaS trusts the AD certificate. This reduces the risk of forged certificates.


Note

To quickly check whether the certificate fingerprint displayed in AD matches the one obtained from IDaaS, run the following command. Replace server_host:port with the address of your AD server. If the server uses StartTLS on port 389 instead of LDAPS, add -starttls ldap to the openssl s_client command.

openssl s_client -connect server_host:port </dev/null 2>/dev/null | openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256

The command connects to the server, extracts the public key from the certificate that the server presents, and prints the SHA-256 digest of that key. The </dev/null redirect makes openssl s_client exit after the handshake instead of waiting for input.

AD custom configuration

ObjectClass

ObjectClass in AD is a set of attributes. Each object must have an ObjectClass. You can use ObjectClass to define an object as a user, organization, or computer. For example, as shown in the following figure, the system can find the user by using the objectclass=person or objectclass=user statement. You can view ObjectClass in the attributes of the AD object.


User Sign-in ID

When a user attempts to log on to IDaaS by using AD delegated authentication, IDaaS uses the specified attributes to look up the user in AD and then verifies the password. If the password is correct, the user is allowed to log on to IDaaS.

You can use one of the attributes such as userPrincipalName, sAMAccountName, mobile phone number, email address, and employee number to log on to IDaaS. You can define the attributes when you create the identity provider or on the Delegated Authentication page based on your business requirements. If you use multiple attributes, make sure that the attributes are unique and correspond to the same AD user. Otherwise, the user cannot use delegated authentication.

Filter

Important

Modifying the ObjectClass conditions or the filter statement changes the filter conditions of the AD node. During full data synchronization, IDaaS accounts and organizations that do not meet the filter conditions are deleted. Before you modify the ObjectClass conditions or the filter statement, we recommend that you adjust the synchronization protection settings and fully test whether the filtered results meet your expectations. For example, you can use another IDaaS instance to perform the test.

Overview

If you want to synchronize specific users from different organizations to IDaaS, you can use a custom filter statement to filter users. Only users that meet the filter conditions can be synchronized to IDaaS. By default, the filter statement contains ObjectClass conditions in the AND relationship. You can click View Details to view the complete statement.

The following sections describe the common operators and filter statements for AD.

Common operators

Operator | Description                                                          | Example
-------- | -------------------------------------------------------------------- | ---------------------------------------------------
=        | Equal to                                                             | (cn=Alice)
>=       | Greater than or equal to                                             | (pwdLastSet>=1319563845000000000)
<=       | Less than or equal to                                                | (sAMAccountName<=a)
&        | AND relationship, which indicates that all conditions must be met    | (&(cn=CN*)(memberOf=cn=Test,ou=HQ,dc=Domain,dc=com))
|        | OR relationship, which indicates that at least one condition must be met | (|(cn=Test*)(cn=Admin*))
!        | NOT relationship, which indicates that the condition must not be met | (!(memberOf=cn=Test,ou=HQ,dc=Domain,dc=com))

Common statements

Scenario                                     | Example
-------------------------------------------- | -----------------------------------------------------------------
Select users whose usernames start with CN   | (cn=CN*)
Select the user with the specified email address | (|(proxyAddresses=*:alice@example.com)(mail=alice@example.com))
Select users in the specified group          | (memberOf=cn=Test,ou=HQ,dc=Domain,dc=com)
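As an added illustration that is not part of the IDaaS documentation, the following Python snippet parses the filter syntax from the tables above and evaluates it against constructed sample entries. It shows how a custom filter is combined with the default ObjectClass condition in the AND relationship, and how a comma-separated User Sign-in ID setting (see the User Sign-in ID section) becomes an OR lookup. The sample entries, the (objectClass=user) default condition and the function names are assumptions made for this example.

```python
# Added example, not from the IDaaS docs: evaluate the LDAP filter syntax above.
import re
DEFAULT_USER_CLASS = "(objectClass=user)"  # assumed default condition IDaaS AND-s in

def parse(f, i=0):                            # RFC 4515-style filter -> nested tuple
    op = f[i + 1]
    if op in "&|!":                           # composite: (&...), (|...), (!...)
        kids, i = [], i + 2
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        return (op, kids), i + 1              # skip the closing ')'
    end = f.index(")", i)                     # simple: (attr op value)
    m = re.fullmatch(r"([\w.-]+)(>=|<=|=)(.*)", f[i + 1:end])
    return ("cmp", m.group(1), m.group(2), m.group(3)), end + 1

def matches(node, entry):                     # entry keys must be lower-case
    if node[0] in "&|!":
        hits = [matches(k, entry) for k in node[1]]
        return all(hits) if node[0] == "&" else any(hits) if node[0] == "|" else not any(hits)
    _, attr, op, val = node
    values = entry.get(attr.lower(), [])      # AD attribute names are case-insensitive
    for s in map(str, values if isinstance(values, list) else [values]):
        if op == "=":                         # '*' is a wildcard; compare case-insensitively
            if re.fullmatch(".*".join(map(re.escape, val.split("*"))), s, re.IGNORECASE):
                return True
        else:                                 # >= / <=: numeric when both sides are digits
            a, b = (int(s), int(val)) if s.isdigit() and val.isdigit() else (s.lower(), val.lower())
            if (op == ">=" and a >= b) or (op == "<=" and a <= b):
                return True
    return False

def sync_filter(custom):                      # custom filter AND-ed with the ObjectClass condition
    return f"(&{DEFAULT_USER_CLASS}{custom})"

def signin_filter(attrs, login):              # comma-separated sign-in attributes -> OR lookup
    ors = "".join(f"({a.strip()}={login})" for a in attrs.split(","))
    return f"(&{DEFAULT_USER_CLASS}(|{ors}))"

def select(filter_str, entries):              # sAMAccountName of every matching entry
    node, _ = parse(filter_str)
    lowered = [{k.lower(): v for k, v in e.items()} for e in entries]
    return [e["samaccountname"] for e in lowered if matches(node, e)]

ENTRIES = [  # constructed sample entries (not real directory data): two users and one group
    {"objectClass": ["top", "person", "user"], "cn": "CN Alice", "sAMAccountName": "alice",
     "userPrincipalName": "alice@example.com", "mail": "alice@example.com",
     "memberOf": ["cn=Test,ou=HQ,dc=Domain,dc=com"], "pwdLastSet": "1319563845000000000"},
    {"objectClass": ["top", "person", "user"], "cn": "Bob", "sAMAccountName": "bob",
     "userPrincipalName": "bob@example.com", "memberOf": [], "pwdLastSet": "1000000000000000000"},
    {"objectClass": ["top", "group"], "cn": "CN Admins", "sAMAccountName": "cn-admins"},
]
```

Compare select("(cn=CN*)", ENTRIES) with select(sync_filter("(cn=CN*)"), ENTRIES): the bare filter also returns the group, the ObjectClass condition restricts the result to users.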

AD synchronization configuration

Obtain Base DN

Base DN is the path identifier of a node in AD. IDaaS performs operations such as queries and data synchronization only within this node. You can set the Base DN of the source node in Synchronization Direction.

The format of DN is ou=organization, dc=example, dc=com. The DN of the root node is dc=example, dc=com (your domain). You can also view the DN of the node in AD Administrative Center.

If the path of a node changes, the Base DN of the node also changes. To prevent AD data synchronization errors caused by node path changes, IDaaS uses the ObjectGuid of the node as the node fingerprint when you configure the Base DN of the source node in IDaaS. If the changed Base DN of the node does not match the node fingerprint, data synchronization is stopped. You can synchronize data after you reconfigure the source node.

Incremental synchronization

IDaaS listens to the data of AD users or organizations, and synchronizes the changed data from AD to IDaaS every 10 minutes. If a large amount of data is involved in a single synchronization, latency may occur. We recommend that you perform full data synchronization on a regular basis to ensure data consistency between AD and IDaaS.

Because of the limits of AD incremental synchronization, IDaaS must use AD Recycle Bin to obtain messages about deletion events. Enable the Recycle Bin feature in AD Administrative Center. This feature is supported on Windows Server 2012 and later.