Identity providers
The system supports these identity provider types for user authentication:
• Active Directory
• OpenLDAP
• 389 Directory Server
• LDAP Compatible — Other LDAP-compatible identity providers not listed above.
To use one of these systems to authenticate users, you first need to add the identity provider to the system.
Trademarks, Legal disclaimer, Third-party software in this documentation
© 2017 Hitachi Vantara Corporation. All rights reserved.
Adding identity providers
For information on the types of identity providers you can add, see Identity provider configuration settings.
Administration App instructions
1. Click on System Configuration.
2. Click on Security.
3. On the Identity Providers tab, click on the Add Identity Provider button.
4. Select an identity provider type and configure it. For information, see Identity provider configuration settings.
5. Click on the Create button.
Related CLI command(s)
createIdentityProvider
For information on running CLI commands, see CLI reference.
Related REST API method(s)
POST /security/identityProviders
For information on specific REST API methods, in the Administration App, click on the help icon. Then:
• To view the administrative REST API methods, click on Admin API.
• To view the API methods used for performing searches, click on Search API.
For general information about the administrative REST API, see REST API reference.
Identity provider configuration settings
These sections describe the configuration settings for each type of identity provider that your system supports.
Security Realm Name — The name by which to identify this identity provider in the system. This name appears as an option in the Security Realm drop-down on Administration App login pages.
Tip: To ensure that your users can easily log into the system, pick security realm names that your users will recognize and understand.
Active Directory
• Identity Provider Hostname — Hostname or IP address for the identity provider.
• Transport Security — The protocol to use for securing communications between the system and the identity provider. Options are:
  o None
  o TLS Security (Transport Layer Security)
  o SSL (Secure Sockets Layer)
• Identity Provider Host Port — Network port used to communicate with the identity provider. The default value depends on the Transport Security setting:
  o For None or TLS Security (Transport Layer Security), 389
  o For SSL (Secure Sockets Layer), 636
• User Name — A user account on the identity provider. Your system uses this user account to read information from the identity provider.
• Password — The user account password.
• Domain — The AD domain in which the user account is defined.
Note: Use the short name for the AD domain. For example, use MYACTIVEDIRECTORY instead of MYACTIVEDIRECTORY.local.
• Search Base DN — The distinguished name (DN) of the identity provider location where you want your system to begin its searches for users and groups.
For example, if you specify a value of OU=Users,DC=corp,DC=example,DC=com, the system searches for users and groups in the organization unit called Users in the corp.example.com domain.
• Default Domain Name — The default domain for users logging into the Administration App and Search App. For example, if you specify a default domain name of east.example.com, the user jdoe@east.example.com needs to specify only jdoe when logging into either app.
LDAP server settings
• Identity Provider Hostname — Hostname or IP address for the identity provider.
• Transport Security — The protocol to use for securing communications between the system and the identity provider. Options are:
  o None
  o TLS Security (Transport Layer Security)
  o SSL (Secure Sockets Layer)
• Identity Provider Host Port — Network port used to communicate with the identity provider. The default value depends on the Transport Security setting:
  o For None or TLS Security (Transport Layer Security), 389
  o For SSL (Secure Sockets Layer), 636
• User Name — A user account on the identity provider. Your system uses this account to read information from the identity provider.
• Password — The user account password.
• User DN Template — A template on the LDAP server. When a user logs into the system, the provided username is inserted into this template to determine the user's LDAP distinguished name (DN).
• Unique ID — The unique identifier for the specified LDAP server.
• Member Name Attribute — The name of the attribute that each group on the identity provider uses to list its members.
• Search Base DN — The distinguished name (DN) of the identity provider location where you want your system to begin searching for users and groups.
For example, if you specify a value of OU=Users,DC=corp,DC=example,DC=com, your system searches for users and groups in the organization unit called Users in the corp.example.com domain.
• Group Object Class — The objectClass value for groups on the LDAP server.
LDAP server settings
• Identity Provider Hostname — Hostname or IP address for the identity provider.
• Transport Security — The protocol to use for securing communications between the system and the identity provider. Options are:
  o None
  o TLS Security (Transport Layer Security)
  o SSL (Secure Sockets Layer)
• Identity Provider Host Port — Network port used to communicate with the identity provider. The default value depends on the Transport Security setting:
  o For None or TLS Security (Transport Layer Security), 389
  o For SSL (Secure Sockets Layer), 636
• User Name — A user account on the identity provider. Your system uses this account to read information from the identity provider.
• Password — The user account password.
• User DN Template — A template on the LDAP server. When a user logs into the system, the provided username is inserted into this template to determine the user's LDAP distinguished name (DN).
• Unique ID — The unique identifier for the specified LDAP server.
• Member Name Attribute — The name of the attribute that each group on the identity provider uses to list its members.
• Search Base DN — The distinguished name (DN) of the identity provider location where you want your system to begin searching for users and groups.
For example, if you specify a value of OU=Users,DC=corp,DC=example,DC=com, your system searches for users and groups in the organization unit called Users in the corp.example.com domain.
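The settings above, turned into a small Python helper that derives the connection URL from Transport Security and the port defaults, fills the User DN Template with a login name, builds the group-membership search filter from Group Object Class and Member Name Attribute, applies Default Domain Name, and flags the choices a reviewer would question before saving. This is an added example and not code from the Administration App, CLI or REST API; the {username} placeholder syntax, the ldap:// versus ldaps:// mapping, and the sample hostnames, attribute and objectClass values are assumptions.

```python
"""Added example: derive the LDAP connection and search parameters from the
identity provider settings above and run pre-save checks. Not product code;
the {username} placeholder in the User DN Template and the ldap:// vs
ldaps:// mapping are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

# Transport Security options and their default ports, as listed on the page.
DEFAULT_PORTS = {"None": 389, "TLS Security": 389, "SSL": 636}

@dataclass
class IdpConfig:
    hostname: str
    transport_security: str                 # "None", "TLS Security" or "SSL"
    search_base_dn: str
    user_name: str                          # read-only bind account
    port: Optional[int] = None              # None -> default for the transport
    domain: Optional[str] = None            # Active Directory short domain name
    user_dn_template: Optional[str] = None  # assumed placeholder: {username}
    member_name_attribute: str = "member"   # sample values, not product defaults
    group_object_class: str = "groupOfNames"

def default_port(transport_security: str) -> int:
    """Default port for a Transport Security setting: 389, or 636 for SSL."""
    if transport_security not in DEFAULT_PORTS:
        raise ValueError(f"unknown Transport Security: {transport_security!r}")
    return DEFAULT_PORTS[transport_security]

def ldap_url(cfg: IdpConfig) -> str:
    """SSL on 636 is ldaps://; None and TLS Security share 389, so TLS Security
    is taken to mean TLS negotiated on the plain port (assumption)."""
    scheme = "ldaps" if cfg.transport_security == "SSL" else "ldap"
    port = cfg.port if cfg.port is not None else default_port(cfg.transport_security)
    return f"{scheme}://{cfg.hostname}:{port}"

def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter (RFC 4515)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)

def render_user_dn(template: str, username: str) -> str:
    """Fill the User DN Template with the escaped login name, so a login such
    as 'jdoe,ou=Admins' cannot add RDNs to the resulting DN."""
    return template.replace("{username}", escape_dn_value(username))

def group_search_filter(cfg: IdpConfig, user_dn: str) -> str:
    """Filter matching the groups whose Member Name Attribute lists user_dn."""
    if not cfg.member_name_attribute.replace("-", "").isalnum():
        raise ValueError("Member Name Attribute must be an LDAP attribute name")
    return (f"(&(objectClass={escape_filter_value(cfg.group_object_class)})"
            f"({cfg.member_name_attribute}={escape_filter_value(user_dn)}))")

def qualify_login(login: str, default_domain_name: str) -> str:
    """Apply Default Domain Name: 'jdoe' becomes 'jdoe@east.example.com'; a
    login that already names a domain is left unchanged."""
    return login if "@" in login else f"{login}@{default_domain_name}"

def config_warnings(cfg: IdpConfig) -> List[str]:
    """Problems to raise before saving the identity provider."""
    warnings = []
    if cfg.transport_security == "None":
        warnings.append("Transport Security is None: the bind password and user "
                        "passwords cross the network in cleartext")
    if cfg.domain and "." in cfg.domain:
        warnings.append("Domain should be the AD short name, e.g. MYACTIVEDIRECTORY "
                        "rather than MYACTIVEDIRECTORY.local")
    if cfg.user_dn_template and "{username}" not in cfg.user_dn_template:
        warnings.append("User DN Template has no {username} placeholder")
    return warnings

if __name__ == "__main__":
    # Constructed sample configuration, not a real deployment.
    cfg = IdpConfig(hostname="ldap.corp.example.com", transport_security="None",
                    search_base_dn="OU=Users,DC=corp,DC=example,DC=com",
                    user_name="svc-reader",
                    user_dn_template="uid={username},OU=Users,DC=corp,DC=example,DC=com")
    dn = render_user_dn(cfg.user_dn_template, "jdoe")
    print(ldap_url(cfg), dn, group_search_filter(cfg, dn), sep="\n")
    for warning in config_warnings(cfg):
        print("WARNING:", warning)
```

The login name a user types is untrusted input that ends up inside a DN (via the User DN Template) and inside a search filter (via the group lookup), which is why both substitutions escape it first. The warning for Transport Security None reflects that plain LDAP on port 389 carries the bind account's password and every user's login credentials unencrypted; TLS Security or SSL is the setting to choose whenever the identity provider supports it.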
User information caching
The system caches the following information from each of your identity providers:
• The names of users who access the system
• The groups that each user belongs to
As long as this information is in the system's cache, your users can perform any activities for which they have permissions, without the system needing to reconnect to the identity provider.
User information remains in the cache for four hours.
Clearing the cache
Any changes that you make on the identity provider are not reflected in the system until the information is removed from the cache. For example, if you delete a user from the identity provider, that user will be able to access the system for up to four hours, or until the cache is cleared.
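A constructed Python model of the caching behaviour described above, added here as an example rather than taken from the system's implementation: cached user information is served for four hours without contacting the identity provider, so a user deleted from the directory keeps access until the entry expires or the cache is cleared. The Directory stand-in, the injected clock and the refresh-on-miss behaviour are assumptions; the four-hour lifetime is the value stated on this page.

```python
"""Added example modelling the user-information cache described above.
Not the system's own code: the directory stand-in, the injected clock and the
refresh-on-miss behaviour are assumptions; the four-hour lifetime is the
value stated on the page."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CACHE_TTL_SECONDS = 4 * 60 * 60   # user information remains cached for four hours

@dataclass
class Directory:
    """Stand-in for the identity provider: user name -> group names."""
    users: Dict[str, List[str]] = field(default_factory=dict)

    def lookup(self, username: str) -> Optional[List[str]]:
        groups = self.users.get(username)
        return list(groups) if groups is not None else None

@dataclass
class UserCache:
    directory: Directory
    entries: Dict[str, Tuple[float, List[str]]] = field(default_factory=dict)
    directory_reads: int = 0   # how often the identity provider was contacted

    def groups_for(self, username: str, now: float) -> Optional[List[str]]:
        """Groups for a user, served from the cache while the entry is younger
        than the TTL; otherwise re-read from the directory."""
        entry = self.entries.get(username)
        if entry is not None and now - entry[0] < CACHE_TTL_SECONDS:
            return entry[1]
        self.directory_reads += 1
        groups = self.directory.lookup(username)
        if groups is None:                    # user no longer exists upstream
            self.entries.pop(username, None)
            return None
        self.entries[username] = (now, groups)
        return groups

    def clear(self) -> None:
        """Equivalent of POST /security/clearCache: drop every cached entry."""
        self.entries.clear()

def stale_access_window(deleted_at: float, cached_at: float) -> float:
    """Seconds a user deleted from the directory keeps access if nobody clears
    the cache: the remainder of the four-hour lifetime of the cached entry."""
    return max(0.0, cached_at + CACHE_TTL_SECONDS - deleted_at)

if __name__ == "__main__":
    # Constructed scenario: jdoe is cached at t=0 and deleted upstream at t=600.
    directory = Directory({"jdoe": ["readers"]})
    cache = UserCache(directory)
    print(cache.groups_for("jdoe", now=0.0))       # ['readers'], read from the directory
    del directory.users["jdoe"]
    print(cache.groups_for("jdoe", now=600.0))     # ['readers'], served from the cache
    print(stale_access_window(deleted_at=600.0, cached_at=0.0))  # 13800.0
    cache.clear()
    print(cache.groups_for("jdoe", now=601.0))     # None, the deletion is now visible
```

The practical consequence for deprovisioning is the one the text states: removing or disabling an account on the identity provider is not enough on its own, and calling POST /security/clearCache right after the directory change is what closes the window of up to four hours.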
Related REST API method(s)
POST /security/clearCache
For information on specific REST API methods, in the Administration App, click on the help icon. Then:
• To view the administrative REST API methods, click on Admin API.
• To view the API methods used for performing searches, click on Search API.
For general information about the administrative REST API, see REST API reference.
Viewing identity providers
You can use the Administration App, REST API, and CLI to view the identity providers that have been added to your system.
Administration App instructions
1. Click on System Configuration.
2. Click on Security.
3. Click on the Identity Providers tab.
Related CLI command(s)
getIdentityProvider
listIdentityProviders
For information on running CLI commands, see CLI reference.
Related REST API method(s)
GET /security/identityProviders/{uuid}
GET /security/identityProviders
For information on specific REST API methods, in the Administration App, click on the help icon. Then:
• To view the administrative REST API methods, click on Admin API.
• To view the API methods used for performing searches, click on Search API.
For general information about the administrative REST API, see REST API reference.
Deleting identity providers
When you delete an identity provider from your system, all users from that provider lose access to the system.
Administration App instructions
1. Click on System Configuration.
2. Click on Security.
3. On the Identity Providers tab, click on the delete icon for the server you want to remove.
Related CLI command(s)
deleteIdentityProvider
For information on running CLI commands, see CLI reference.
Related REST API method(s)
DELETE /security/identityProviders/{uuid}
For information on specific REST API methods, in the Administration App, click on the help icon. Then:
• To view the administrative REST API methods, click on Admin API.
• To view the API methods used for performing searches, click on Search API.
For general information about the administrative REST API, see REST API reference.