Hello there!

Need Help? We are right here!

Support Icon
miniOrange Email Support
success

Thanks for your Enquiry. Our team will soon reach out to you.

If you don't hear from us within 24 hours, please feel free to send a follow-up email to info@xecurify.com

Search Results:

×

Configure AD LDS as External Directories


With Active Directory Lightweight Domain Services (AD LDS), network administrators and users have access to directory data. In AD LDS, for instance, a user's name, password, phone number, and so on, is stored and enabled for other authorized users on the same network to access. AD LDS stores information about network objects and makes it easy to find and use this information for administrators and users. Based on a hierarchical, logical structure, Active Directory organizes directory information by using a structured data store.

miniOrange provides user authentication from various external sources, which can be Directories (like ADFS, Microsoft Active Directory, Azure AD, OpenLDAP, Google, AWS Cognito etc), Identity Providers (like Okta, Shibboleth, Ping, OneLogin, KeyCloak), Databases (like MySQL, Maria DB, PostgreSQL) and many more.

Given below are the steps to configure AD LDS as External Directories connect it with miniOrange broker to single sign-on into using SAML protocol.

1. Setup AD LDS as External Directories

  • Click on External Directories >> Add Directory in the left menu of the dashboard.
  • Configure AD as External Directory

  • Select Directory type as AD/LDAP.
  • Select Directory type as AD/LDAP

    • STORE LDAP CONFIGURATION IN MINIORANGE: Choose this option if you want to keep your configuration in miniOrange. If the active directory is behind a firewall, you will need to open the firewall to allow incoming requests to your AD.
    • STORE LDAP CONFIGURATION ON PREMISE: Choose this option if you want to keep your configuration in your premise and only allow access to AD inside premises. You will have to download and install miniOrange gateway on your premise.
    • Select ad/ldap user store type

  • Enter LDAP Display Name and LDAP Identifier name.
  • Select Directory Type as Active Directory.
  • Enter the LDAP Server URL or IP Address against the LDAP Server URL field.
  • Click on the Test Connection button to verify if you have made a successful connection with your LDAP server.
  • Configure LDAP server URL Connection

  • In Active Directory, go to the properties of user containers/OU's and search for the Distinguished Name attribute. The bind account should have minimum required read privileges in Active Directory to allow directory lookups. If the use case involves provisioning (such as creating, updating, or deleting users or groups), the account must also be granted appropriate write permissions.
  • Configure user bind account domain name

  • Enter the valid Bind account Password.
  • Click on the Test Bind Account Credentials button to verify your LDAP Bind credentials for LDAP connection.
  • Check bind account credentials

  • Search Base is the location in the directory where the search for a user begins. You will get this from the same place you got your Distinguished name.
  • Configure user search base

  • Select a suitable Search filter from the drop-down menu. If you use User in Single Group Filter or User in Multiple Group Filter, replace the <group-dn> in the search filter with the distinguished name of the group in which your users are present. To use custom Search Filter select "Write your Custom Filter" option and customize it accordingly.
  • Select user search filter

  • Click on the Next button, or go to the Authentication tab.
  • You can also configure following options while setting up AD. Enable Activate LDAP in order to authenticate users from AD/LDAP. Click on the Next button to add user store.
  • Activate LDAP options

    Here's the list of the attributes and what it does when we enable it. You can enable/disable accordingly.

    Attribute Description
    Activate LDAP All user authentications will be done with LDAP credentials if you Activate it
    Fallback Authentication If LDAP credentials fail then user will be authenticated through miniOrange
    Enable administrator login On enabling this, your miniOrange Administrator login authenticates using your LDAP server
    Show IdP to users If you enable this option, this IdP will be visible to users
    Sync users in miniOrange Users will be created in miniOrange after authentication with LDAP

  • Click on the Next button, or go to the Provisioning tab.

2. User Import and Provisioning from AD

  • If you want to set up provisioning, click here for detailed information. For now, we are skipping this step by clicking Skip on Provisioning.
  • Click on Skip Provisioning Button

3. Attributes Mapping from AD

  • By default userName, firstName, lastName, email are configured. Scroll down and click on Save Configurations. To fetch additional attributes from Active Directory, enable Send Configured Attributes. On the left side, enter the name that you wish to release to the applications. On the right side, enter the attribute name from Active Directory. E.g., if you wish to fetch company attribute from Active Directory, and send it as organization to configured applications, enter the following:

    Attribute Name sent to SP = organization
    Attribute Name from IDP = company

  • Attributes Mapping from AD

4. Test Connections

  • You will see a list of directories in External Directories. Go to the directory you have configured, click Select, then go to Test Connections and click on it.
  • Test AD/Ldap connection

  • Click on Test Connection to check whether you have enter valid details. For that, it will ask for username and password.
  • Enter username and password to test LDAP connection

  • On Successful connection with LDAP Server, a success message is shown.
  • Successful connection with LDAP Server

5. Test Attribute Mapping

  • You will see a list of directories in External Directories. Go to the directory you have configured, click Select, then go to Test Attribute Mapping and click on it.
  • In External Directories, click Select, and then Test Attribute Mapping

  • A pop-up will appear to add the username. After clicking Test, you will see the Test Attribute Mapping Result.
  • Enter username to test Attribute Mapping configuration

    Fetch mapped attributes for user

Set up AD as External Directory configuration is complete.


Note: Refer our guide to setup LDAP on windows server.



6. Configure your application in miniOrange


Note:

If you have already configured your application in miniOrange you can skip the following steps.





  • Click on Create App under SAML.
  • Click on Create SAML App

  • Search for your Application. In case you do not find your app, search for Custom SAML App.
  • Search for your SAML App

    Configure SAML Application

  • Get the ACS URL and SP Entity ID from your application.
  • Enter the following values OR click on Import SP Metadata:
  • Service Provider Name Choose appropriate name according to your choice
    SP Entity ID or Issuer Your Application Entity ID
    ACS URL X.509 Certificate (optional) Your Application Assertion Consumer Service URL
    NameID format  Select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    Response Signed Unchecked
    Assertion Signed Checked
    Encrypted Assertion Unchecked
    Group policy Default
    Login Method
  • Click on Save to configure your application.
  • Now to get the IDP metadata of the app configured, Go to apps >> your_app >> select >> metadata tab.
  • Go to the metadata section

  • Click on the Show Metadata details in the Information required to Authenticate via External IDPs section. Download the metadata XML file by clicking on Download Metadata button or copy the Metadata URL link.
  • Downlaod metadata - URL

  • You need to Upload this metadata in your application.
  • Click on Create App under OAuth/OIDC. Click on Open ID Connect App .
  •  Add OAuth openIDConnect app

  • You can add any OAuth Client app here to enable miniOrange as OAuth Server. Few popular OAuth client apps for single sign-on are Salesforce, WordPress, Joomla, Atlassian, etc.
  • Select your OAuth openIDConnect app

    Configure OAth AddopenIDConnect app

  • Enter following Values:
  • Client Name Add appropriate Name
    Redirect URL Get the Redirect-URL from your OAuth Client
    Description Add if required
    Group Name Default
    Policy Name
    Login Method
  • Click on Save
  • Now to provide the required data to OAuth client go to the app configured i.e apps >> your_app >> select >> edit.
  • Edit OAuth editOpenidConnect app

    OAuth openidConnect app endpoints

    Note: Choose the Authorization Endpoint according to the identity source you configure.

  • When you want to use you want to use miniOrange as OAuth identity server use this endpoint: https://{mycompany.domainname.com}/moas/idp/openidsso
  • If you are configuring any Identity Provider in Identity Providers Menu and not using miniOrange as IDP use this endpoint: https://{mycompany.domainname.com}/broker/login/oauth{customerid}
  • Click on Create App under JWT.
  • Click n External JWT app

  • Select JWT App.
  • SelectJWT app

  • Configure the name for your application and configure Redirect-URL which tells where to send JWT response. Redirect-URL should be an endpoint on your application where you want to achieve SSO.
  • Configure JWT App

    In case you are setting up SSO with Mobile Applications where you can't create an endpoint for Redirect or Callback URL, use below URL.

    https://login.xecurify.com/moas/jwt/mobile

  • Click Save
  • To get the SSO link for your application, Go to Apps >> your_app >> select >> Edit.
  • Get SSO Link

  • Then, copy the Single Sign On Url and verify SSO setup by browsing that url.
  •  SSO URL

  • On successful authentication, you will be redirected to configured Redirect or Callback URL with JWT token
  • You will need to download a certificate from App > Manage Apps, and click Certificate link against your configured application. This certificate will be used for signature validation of JWT response.
  • Download certificate to proceed with SSO

Want To Schedule A Demo?

Request a Demo
  



Our Other Identity & Access Management Products