Identity providers
The system supports these identity provider types for user authentication:
- Active Directory (AD)
- OpenLDAP
- 389 Directory Server
- LDAP Compatible: Other LDAP-compatible identity providers not listed above.
To authenticate users against one of these systems, you first need to add the identity provider to the system.
Adding identity providers
Procedure
Select the Configuration window.
Click Security.
On the Identity Providers tab, click Create.
Select and configure an identity provider type.
Click Create.
Related CLI commands
createIdentityProvider
Related REST API methods
POST /security/identityProviders
You can get help on specific REST API methods for the Admin App at REST API - Admin.
User information caching
The system caches the following information from each of your identity providers:
- The names of users who access the system.
- The groups that each user belongs to.
As long as this information is in the system's cache, your users can perform any activities for which they have permissions, without the system needing to reconnect to the identity provider.
LDAP user information remains in the cache for four hours.
Any changes that you make on the identity provider are not reflected in the system until the information is removed from the cache. For example, if you add a user to an LDAP identity provider, that user cannot access the system for up to four hours, or until the cache is cleared. If you delete a user from an LDAP identity provider, that user will be able to access the system for up to four hours, or until the cache is cleared.
To ensure that a change is reflected immediately, use the clearCache command or API.
Related CLI commands
clearCache
Related REST API methods
POST /security/clearCache
You can get help on specific REST API methods for the Admin App at REST API - Admin.
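The cache lifetime described above determines how long a deleted or added user keeps the old answer. The following model is an added example, not the product's code; the four-hour lifetime comes from the text, while the cache structure and the assumption that lookups of unknown users are cached as well are this example's own.

```python
import time
from typing import Callable, Dict, Optional, Set, Tuple

FOUR_HOURS = 4 * 60 * 60  # cache lifetime stated in the documentation, in seconds


class FakeClock:
    """Controllable clock so the lag can be shown without waiting four hours."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class IdentityCache:
    """Model of the per-identity-provider user/group cache (assumed structure)."""

    def __init__(self, directory: Dict[str, Set[str]], ttl: float = FOUR_HOURS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.directory = directory   # stands in for the AD/LDAP server: user -> groups
        self.ttl = ttl
        self.clock = clock
        self._entries: Dict[str, Tuple[float, Optional[Set[str]]]] = {}

    def groups_for(self, user: str) -> Optional[Set[str]]:
        now = self.clock()
        hit = self._entries.get(user)
        if hit is not None and now - hit[0] < self.ttl:
            return hit[1]                       # served from cache, no IdP round trip
        groups = self.directory.get(user)       # None: user unknown on the IdP
        self._entries[user] = (now, groups)     # assumption: misses are cached too
        return groups

    def clear_cache(self) -> None:
        """Equivalent of the clearCache command/API: drop every cached entry."""
        self._entries.clear()


def revocation_lag():
    """A user deleted on the IdP keeps their cached groups until the entry ages out."""
    clock = FakeClock()
    directory = {"jdoe": {"admins"}}            # constructed directory contents
    cache = IdentityCache(directory, clock=clock)
    cache.groups_for("jdoe")                    # first login primes the cache
    del directory["jdoe"]                       # jdoe is deleted on the identity provider
    stale = cache.groups_for("jdoe")            # still {"admins"}: deletion not visible yet
    clock.advance(FOUR_HOURS - 1)
    still_stale = cache.groups_for("jdoe")      # one second short of expiry, still cached
    clock.advance(1)
    expired = cache.groups_for("jdoe")          # entry aged out: None
    return stale, still_stale, expired


def clear_cache_effect():
    """A user added on the IdP is invisible until expiry or clearCache."""
    clock = FakeClock()
    directory: Dict[str, Set[str]] = {}
    cache = IdentityCache(directory, clock=clock)
    before = cache.groups_for("newuser")        # None, and that miss is now cached
    directory["newuser"] = {"readers"}          # user added on the identity provider
    without_clear = cache.groups_for("newuser") # still None
    cache.clear_cache()
    after_clear = cache.groups_for("newuser")   # {"readers"}
    return before, without_clear, after_clear
```

The practical consequence is the one the text states: removing a user on the identity provider does not revoke their access until the cache entry expires, so an offboarding or compromise response should include clearCache rather than rely on the timeout.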
Identity provider configuration settings
These sections describe the configuration settings for each type of identity provider that your system supports.
TLS Security hostname verification (all types)
When Transport Security is set to TLS Security (Transport Layer Security), the following additional settings appear for every identity provider type:
- Use Suffix For Hostname Verification: When enabled, if the client hostname doesn't match the certificate hostname, hostname verification instead checks whether the ending of the client hostname matches the provided suffix. WARNING: This option could impact security and should be enabled only if the client hostname is expected to differ from the certificate hostname.
- Hostname Suffix: The suffix used for hostname checking if the default hostname verification check fails.
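The suffix fallback is worth seeing in code, because it changes what a server certificate proves. The following is an added example written for this page, not the product's code; the exact rule the product applies is not documented here, so the matching logic (equality or a single-label wildcard first, then a label-boundary suffix check on the connected hostname) is an assumption.

```python
from dataclasses import dataclass
from typing import List, Tuple


def _norm(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot denotes the root.
    return name.lower().rstrip(".")


def standard_match(cert_name: str, hostname: str) -> bool:
    """Default check: the certificate name must equal the connected hostname,
    or be a wildcard covering exactly its left-most label."""
    cert_name, hostname = _norm(cert_name), _norm(hostname)
    if cert_name.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == cert_name[2:]
    return cert_name == hostname


@dataclass
class HostnameVerifier:
    use_suffix: bool = False   # "Use Suffix For Hostname Verification"
    suffix: str = ""           # "Hostname Suffix"

    def verify(self, cert_names: List[str], hostname: str) -> bool:
        if any(standard_match(n, hostname) for n in cert_names):
            return True
        if self.use_suffix and self.suffix:
            # Fallback (assumed rule): only the ending of the client hostname is
            # inspected; the certificate's names no longer have to name that host.
            suffix = _norm(self.suffix)
            if not suffix.startswith("."):
                suffix = "." + suffix   # match on a label boundary only
            return _norm(hostname).endswith(suffix)
        return False


def compare_modes(cert_names: List[str], hostname: str, suffix: str) -> Tuple[bool, bool]:
    """(strict result, result with the suffix fallback enabled) for one connection."""
    strict = HostnameVerifier().verify(cert_names, hostname)
    relaxed = HostnameVerifier(use_suffix=True, suffix=suffix).verify(cert_names, hostname)
    return strict, relaxed
```

With the fallback enabled, a certificate issued for one directory server is accepted when connecting to any other host under the suffix, so the certificate no longer binds the connection to a particular server; only the trusted issuer does. Keep the suffix as narrow as the real hostnames require, and prefer fixing the certificate's names (or using a wildcard certificate) so the option can stay off.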
All types
Security Realm Name: The name by which to identify this identity provider in the system. This name appears as an option in the Security Realm menu on Admin App login pages.
Active directory
- Identity Provider Hostname: Hostname or IP address for the identity provider.
- Transport Security: The protocol to use for securing communications between the system and the identity provider. Options are:
- None
- TLS Security (Transport Layer Security)
- SSL (Secure Sockets Layer)
- Identity Provider Host Port: Network port used to communicate with the identity provider. The default value depends on the Transport Security setting:
- For None or TLS Security (Transport Layer Security), use 389.
- For SSL (Secure Sockets Layer), use 636.
- User Name: A user account on the identity provider. Your system uses this user account to read information from the identity provider.
- Password: The user account password.
- Domain: The AD domain in which the user account is defined. Note: Use the short name for the AD domain. For example, use MYACTIVEDIRECTORY instead of MYACTIVEDIRECTORY.local.
- Search Base DN: The distinguished name (DN) of the identity provider location where you want your system to begin its searches for users and groups.
For example, if you specify a value of OU=Users,DC=corp,DC=example,DC=com, the system searches for users and groups in the organization unit called Users in the corp.example.com domain.
- Default Domain Name: The default domain for users logging into the Admin App and Search App. For example, if you specify a default domain name of east.example.com, the user jdoe@east.example.com needs to specify only jdoe when logging into either app.
LDAP compatible
- Identity Provider Hostname: Hostname or IP address for the identity provider.
- Transport Security: The protocol to use for securing communications between the system and the identity provider. Options are:
- None
- TLS Security (Transport Layer Security)
- SSL (Secure Sockets Layer)
- Identity Provider Host Port: Network port used to communicate with the identity provider. The default value depends on the Transport Security setting:
- For None or TLS Security (Transport Layer Security), use 389.
- For SSL (Secure Sockets Layer), use 636.
- User Name: A user account on the identity provider. Your system uses this account to read information from the identity provider.
- Password: The user account password.
- User DN Template: A template on the LDAP server. When a user logs into their system, the provided username is inserted into this template to determine the user's LDAP distinguished name (DN).
- Unique ID: The unique identifier for the specified LDAP server.
- Member Name Attribute: The name of the attribute that each group on the identity provider uses to list its members.
- Search Base DN: The DN of the identity provider location where you want your system to begin searching for users and groups.
For example, if you specify a value of OU=Users,DC=corp,DC=example,DC=com, your system searches for users and groups in the organization unit called Users in the corp.example.com domain.
- Group Object Class: The objectClass value for groups on the LDAP server.
OpenLDAP and 389 Directory Server
- Identity Provider Hostname: Hostname or IP address for the identity provider.
- Transport Security: The protocol to use for securing communications between the system and the identity provider. Options are:
- None
- TLS Security (Transport Layer Security)
- SSL (Secure Sockets Layer)
- Identity Provider Host Port: Network port used to communicate with the identity provider. The default value depends on the Transport Security setting:
- For None or TLS Security (Transport Layer Security), use 389.
- For SSL (Secure Sockets Layer), use 636.
- User Name: A user account on the identity provider. Your system uses this account to read information from the identity provider.
- Password: The user account password.
- User DN Template: A template on the LDAP server. When a user logs into their system, the provided username is inserted into this template to determine the user's LDAP distinguished name (DN).
- Unique ID: The unique identifier for the specified LDAP server.
- Member Name Attribute: The name of the attribute that each group on the identity provider uses to list its members.
- Search Base DN: The DN of the identity provider location where you want your system to begin searching for users and groups.
For example, if you specify a value of OU=Users,DC=corp,DC=example,DC=com, your system searches for users and groups in the organization unit called Users in the corp.example.com domain.
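To show how the LDAP settings above combine when a user logs in, here is an added example (not the product's code) that fills the User DN Template and builds the group lookup from Search Base DN, Group Object Class and Member Name Attribute. The '{username}' placeholder is this example's convention, not a documented template syntax; the escaping follows RFC 4514 for DN values and RFC 4515 for filter values, which is what stops a typed-in username containing characters such as ',' or '*' from changing the structure of the DN or the filter.

```python
from typing import Tuple

# Characters that must be backslash-escaped anywhere inside a DN attribute value
# (RFC 4514 section 2.4); '#' and space need escaping only at the edges.
DN_SPECIALS = ',+"\\<>;'


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in DN_SPECIALS or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


# RFC 4515: these characters are written as \XX hex escapes inside a filter value.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_dn(user_dn_template: str, username: str) -> str:
    """Fill the User DN Template with the login name the user typed."""
    return user_dn_template.replace("{username}", escape_dn_value(username))


def group_search(search_base_dn: str, group_object_class: str,
                 member_name_attribute: str, member_dn: str) -> Tuple[str, str]:
    """Return (search base, filter) for the lookup that finds the user's groups:
    groups of the configured object class whose member attribute lists the user's DN."""
    flt = "(&(objectClass={})({}={}))".format(
        escape_filter_value(group_object_class),
        member_name_attribute,
        escape_filter_value(member_dn),
    )
    return search_base_dn, flt


# Constructed sample configuration, mirroring the settings described above.
TEMPLATE = "uid={username},ou=People,dc=corp,dc=example,dc=com"
SEARCH_BASE = "OU=Users,DC=corp,DC=example,DC=com"

if __name__ == "__main__":
    dn = user_dn(TEMPLATE, "jdoe")
    print(dn)
    print(group_search(SEARCH_BASE, "groupOfNames", "member", dn))
```

The escaping step is the part that matters for security: the template inserts untrusted input directly into a DN, and the group filter inserts that DN into a search filter, so both insertion points need their own escaping rules.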
Viewing identity providers
You can use the Admin App, REST API, and CLI to view the identity providers that have been added to your system.
Procedure
Select the Configuration window.
Click Security.
Select the Identity Providers tab.
Related CLI commands
getIdentityProvider
listIdentityProviders
Related REST API methods
GET /security/identityProviders/{uuid}
GET /security/identityProviders
You can get help on specific REST API methods for the Admin App at REST API - Admin.
Deleting identity providers
When you delete an identity provider from your system, all users from that provider lose access to the system.
Procedure
Select the Configuration window.
Click Security.
On the Identity Providers tab, click the delete icon for the server you want to remove.
Related CLI commands
deleteIdentityProvider
Related REST API methods
DELETE /security/identityProviders/{uuid}
You can get help on specific REST API methods for the Admin App at REST API - Admin.
Using the CLEAR CACHE button
The CLEAR CACHE button lets an administrative user refresh Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) privileges in real time, so that security changes take effect quickly for all users of all AD and LDAP identity providers configured in the system.
To clear the cache:
Procedure
Open the Admin App.
Click Configuration > Security > Identity Providers.
Click CLEAR CACHE.
The message “Successfully cleared the cache” appears and your identity provider cache is refreshed.