• IAM
• Login with External IDP
• Configure AD LDS as External Directories

Configure AD LDS as External Directories

---

With Active Directory Lightweight Domain Services (AD LDS), network administrators and users have access to directory data. In AD LDS, for instance, a user's name, password, phone number, and so on, is stored and enabled for other authorized users on the same network to access. AD LDS stores information about network objects and makes it easy to find and use this information for administrators and users. Based on a hierarchical, logical structure, Active Directory organizes directory information by using a structured data store.

miniOrange provides user authentication from various external sources, which can be Directories (like ADFS, Microsoft Active Directory, Azure AD, OpenLDAP, Google, AWS Cognito etc), Identity Providers (like Okta, Shibboleth, Ping, OneLogin, KeyCloak), Databases (like MySQL, Maria DB, PostgreSQL) and many more.

Given below are the steps to configure AD LDS as External Directories connect it with miniOrange broker to single sign-on into using SAML protocol.

1. Setup AD LDS as External Directories

• Click on Identity Providers >> Add Identity Provider in the left menu of the dashboard.



• In Choose Identity Provider, select AD/LDAP Directories from the dropdown.



• Then search for AD/LDAP and click it.



• STORE LDAP CONFIGURATION IN MINIORANGE: Choose this option if you want to keep your configuration in miniOrange. If the active directory is behind a firewall, you will need to open the firewall to allow incoming requests to your AD.
• STORE LDAP CONFIGURATION ON PREMISE: Choose this option if you want to keep your configuration in your premise and only allow access to AD inside premises. You will have to download and install miniOrange gateway on your premise.




• Enter LDAP Display Name and LDAP Identifier name.
• Select Directory Type as Active Directory.
• Enter the LDAP Server URL or IP Address against the LDAP Server URL field.
• Click on the Test Connection button to verify if you have made a successful connection with your LDAP server.



• In Active Directory, go to the properties of user containers/OU's and search for the Distinguished Name attribute. The bind account should have minimum required read privileges in Active Directory to allow directory lookups. If the use case involves provisioning (such as creating, updating, or deleting users or groups), the account must also be granted appropriate write permissions.



• Enter the valid Bind account Password.
• Click on the Test Bind Account Credentials button to verify your LDAP Bind credentials for LDAP connection.



• Search Base is the location in the directory where the search for a user begins. You will get this from the same place you got your Distinguished name.



• Select a suitable Search filter from the drop-down menu. If you use User in Single Group Filter or User in Multiple Group Filter, replace the <group-dn> in the search filter with the distinguished name of the group in which your users are present. To use custom Search Filter select "Write your Custom Filter" option and customize it accordingly.



• Click on the Next button, or go to the Login Options tab.
• You can also configure following options while setting up AD. Enable Activate LDAP in order to authenticate users from AD/LDAP. Click on the Next button to add user store.




Here's the list of the attributes and what it does when we enable it. You can enable/disable accordingly.

Attribute	Description
Activate LDAP	All user authentications will be done with LDAP credentials if you Activate it
Fallback Authentication	If LDAP credentials fail then user will be authenticated through miniOrange
Enable administrator login	On enabling this, your miniOrange Administrator login authenticates using your LDAP server
Show IdP to users	If you enable this option, this IdP will be visible to users
Sync users in miniOrange	Users will be created in miniOrange after authentication with LDAP

• Click on the Next button, or go to the Attributes tab.

2. Attributes Mapping from AD

• By default userName, firstName, lastName, email are configured. Scroll down and click on Save button. To fetch additional attributes from Active Directory, enable Send Configured Attributes. On the left side, enter the name that you wish to release to the applications. On the right side, enter the attribute name from Active Directory. E.g., if you wish to fetch company attribute from Active Directory, and send it as organization to configured applications, enter the following:

  Attribute Name sent to SP = organization
  Attribute Name from IDP = company






• Click on the Next button, or go to the Provisioning tab.

3. User Import and Provisioning from AD

• If you want to set up provisioning, click here for detailed information. We will skip this step for now.

4. Test Connections

• You will see a list of directories under Identity Providers. From the dropdown, select AD/LDAP Directories, search for your configured directory, click the three dots next to it, and select Test Connection.



• A pop-up appears prompting you to enter a username and password to verify your LDAP configuration.



• On Successful connection with LDAP Server, a success message is shown.

5. Test Attribute Mapping

• You will see a list of directories under Identity Providers. From the dropdown, select AD/LDAP Directories, search for your configured directory, click the three dots next to it, and select Test Attribute Mapping.



• A pop‑up appears to enter a username and click Test.



• The Test Attribute Mapping Result will be displayed.

Set up AD as External Directory configuration is complete.

6. Configure your application in miniOrange

• Login to miniOrange Admin Console.
• Go to Apps >> Add Application.

• SAML Application
• OAuth Application
• JWT Application

• Under Choose Application, select SAML/WS-FED from the All Apps dropdown.



• In the next step, search for your application from the list. If your application is not found, search for custom and you can set up your app via Custom SAML App. Click on Submit New App Request if you want to submit a new SSO application request.



• Under the Basic tab, you can configure the following settings.

  Display Name (required)	Enter the Display name for your app as per your preference.
  SP Entity ID or Issuer (required)	Is used to identify your app against the SAML request received from SP. The SP Entity ID or Issuer can be in either URL or in String format.
  ACS URL or Assertion Consumer Service URL (required)	Defines where the SAML Assertion should be sent after authentication. Make sure the ACS URL is in the format: https://www.domain-name.com/a/[domain_name]/acs
  Audience URL	As the name suggests, specifies the valid audience for SAML Assertion. It is usually the same as SP Entity ID. If Audience URL is not specified separately by SP, leave it blank.
  Single Logout URL	The URL where you want the logout request to be consumed and where your users should be redirected after single logout from the applications.
  Upload App Logo	Upload a logo for your application.




• Click Next to go to the Advanced settings. Configure the following settings.

  Signed Request	Enable this to sign the saml request sent by SP. Provide the X509 certificate or upload the certificate.
  Sign Response	Enable this if you want the entire SAML response to be signed.
  Sign Assertion	Enable this if you want only the assertion within the SAML response should be signed.
  Signature Algorithm	Select the algorithm that will be used to sign the SAML request/response.
  Encrypt Assertion	Select this if you want to encrypt the assertion in SAML response and provide the algorithm and certificate for encryption.
  Relay State	Enter the URL where you want the user to redirect after sign in to the application.
  Override Relay state	Enable this to override the default relay state of the SP.
  Logout Response Binding	A Logout Response is sent in reply to a Logout Request from SP. It could be sent by an Identity Provider or Service Provider.
  IdP initiated Logout Request Binding:	A Logout Response is sent in reply to a Logout Request from the IdP dashboard. It could be sent by an Identity Provider or Service Provider. HTTP Redirect - A Logout Response with its Signature HTTP POST - A Logout Response with the signature embedded
  SAML Authentication Validity Period	The time for which the authentication should be considered valid and the user should be able to perform SSO. After that, the user will have to sign in again.
  Enable Shared Identity	This feature lets you control whether a specific application can be accessed by shared user or not.




• Click Next to go to the Login Options tab. Here, you can configure the following settings:

  Primary Identity Provider	Select the identity source from where you want the authentication to happen. You will see the list of all configured sources.
  Force Authentication	Enable this to enforce authentication on each request to access the application.
  Show On End User Dashboard	Disable this if you do not want the app to be visible for all users on end user dashboard.




• Click Next to go to the Attributes tab. Here you can add and configure the attributes to be sent to the app.

  NameID	NameID is the unique identifier for the authenticated user included in the SAML assertion. It allows the Service Provider to recognize and map the user to an account. Generally, NameID is a username or Email Address.
  NameID Format	Defines what type of identifier is used in the NameID (e.g., email, persistent, transient) so the SP can correctly map the user. If the SP does not request a specific format, the IdP can leave it unspecified and use a default.
  Add Name Format	Name Format defines how attribute names are represented in a SAML assertion (e.g., as simple strings or URIs). It helps the SP correctly interpret attribute naming and ensures consistency between IdP and SP.
  Enable Multi-Valued Attributes	Enabled:Commas (,) and semicolons (;) are treated as separators, so the attribute is split into a clean list. Example: roles = ['admin', 'editor', 'viewer']. Disabled:Commas and semicolons are not treated as separators, so the attribute stays as one combined string. Example: roles = "admin;editor;viewer".
  Attribute Mapping	You can Add Attributes to be sent in SAML Assertion to SP. The attributes include user’s profile attributes such as first name, last name, full name, username, email, custom profile attributes, and user groups, etc.




• Click Next to go to the Policies tab. You need to Save the Application first to configure the policy for the application.



• After the application is saved you can configure the policy for that application.



• Click on the Assign group button. A new Configure Group Assignment modal tab will open.
  • Assign Group: Select the groups you want to link with the application. You can select up to 20 groups at a time.
  
  
  
  • If you need to create new group. Click on Add New Group button.
  • Enter the Group Name and click on Create Group.
  
  
  
  • Click on Next.
  • Assign Policies: Add the required policies to the selected groups. Enter the following details:
  • First Factor: Select the login method from the dropdown.
  • If you select Password as the login method, you can enable 2-Factor Authentication (MFA) and Adaptive Authentication, if needed.
  • If you select Password-less as login method, you can enable 2-Factor Authentication (MFA) if needed.



• Click on Save. Policies will be created for all the selected groups.
• You will see the policy listed once it’s successfully added.



• In the Metadata tab, click on any of the two tabs:
• Click on miniOrange as Idp If you want to use miniOrange as a User-Store i.e., your user identities will be stored in miniOrange.
• Click on External source as IdP If you want to authenticate your users via any external Identity Provider like Active Directory, Okta, OneLogin, etc. or any other custom IDPs.





• You can Download Metadata, Download Certficate, copy Metadata URL or copy Certificate based on your requirements.
• Similarly, you can get the values of SAML Login URL, SAML Logout URL, IDP Entity ID or issuer, IDP Logout URL, Metadata URL from here according to your metadata requirements.

• Under Choose Application, select OAuth/OpenID from the All Apps dropdown.



• Search for your application from the list. If your application is not found, search for oauth and you can set up your app via OAuth2/OpenID Connect.



• In the Basic tab, enter the following details:

  Display Name	Enter the Display Name (i.e., the name for this application).
  Redirect URL	Enter the Redirect URL. Make sure it follows this format: https://<mycompany.domain-name.com>
  Client ID	Auto-generated. Click the copy icon to use it in your application.
  Client Secret	Client Secret is hidden by default. Click the eye icon to reveal it and use the clipboard icon to copy it.
  Subject (Optional)	Select an attribute from the dropdown list.
  Description (Optional)	Add a description if required.
  Upload App Logo (Optional)	Upload an app logo (Optional). The app will be shown in the end-user dashboard with the logo that you configure here.

• Click on Save.



• You will be redirected to the Policies section.



• Click on the Assign group button. A new Configure Group Assignment modal tab will open.
  • Assign Group: Select the groups you want to link with the application. You can select up to 20 groups at a time.
  
  
  
  • If you need to create new group. Click on Add New Group button.
  • Enter the Group Name and click on Create Group.
  
  
  
  • Click on Next.
• Assign Policies: Add the required policies to the selected groups. Enter the following details:
• First Factor: Select the login method from the dropdown.
• If you select Password as the login method, you can enable 2-Factor Authentication (MFA) and Adaptive Authentication, if needed.
• If you select Password-less as login method, you can enable 2-Factor Authentication (MFA) if needed.



• Click on Save. Policies will be created for all the selected groups.
• You will see the policy listed once it's successfully added.



• You can go to the Advanced tab to change other settings, such as the expiry time for Access, JWT, and Refresh tokens.
• Access Token Expiry: For how long the provided access token should be valid from creation. [In Hours] A new access token has to be generated after the expiry.
• JWT Token Expiry: For how long the generated JWT token should be valid. [ In Hours ]
• Refresh Token Expiry: For how long the generated refresh token should be valid. [In Days] You will have to generate a new refresh token after the mentioned no. of days.
• Enable Shared Identity: This feature lets you control whether a specific application can be accessed by shared user or not.



• Switch to the Login options tab.

  Primary Identity Provider	Select the default ID source from the dropdown for the application. If not selected, users will see the default login screen and can choose their own IDP. [Choose miniOrange in this case.]
  SSO FLows	Select the desired SSO flow from the dropdown, such as miniOrange as IDP, miniOrange as Broker, or miniOrange as Broker with Discovery Flow.
  Show on Enduser Dashboard	Enable this option if you want to show this app in the end-user dashboard.
  Force Authentication	If you enable this option, users will have to log in every time, even if their session already exists.
  Allowed Logout URIs	Click the Allowed Logout URIs link to add a list of post-logout redirect URIs. Users will be redirected to one of these URIs after a successful logout from miniOrange.
  Single Logout Enabled	Enable this option to send logout requests to other applications when logging out from this app.
  Sign in URL	You can include user attributes in the sign-in URL using placeholders like {{username}}, {{primaryEmail}}, {{customAttribute1}}, etc. These placeholders will be dynamically replaced with the actual user values during the IdP-initiated SSO flow. You can generate url using following attributes: username, primaryEmail, alternateEmail, fname, lname, primaryPhone and customAttribute1. The url could be like this login.com/{{username}}/?primaryEmail={{primaryEmail}} Query Parameter Format: https://<sso-url>>?username={{username}} https://<sso-url>>?username={{username}}&email={{primaryEmail}} Path Parameter Format: https://<sso-url>>/{{customAttribute1}}/{{customAttribute2}}/?username={{username}}




• Switch to the Attributes tab.
• Enable Multi-Valued Attributes Option:



• When this option is enabled, both commas (,) and semicolons (;) are treated as delimiters. Any attribute containing these characters will be automatically split and converted into a multi-valued attribute based on their positioning.
• This feature ensures that attributes with multiple values are delivered in a structured format instead of as a single concatenated string.
• For example: when this option is enabled, Attributes will be will appear as a list like roles = ['admin', 'editor', 'viewer'] instead of a single string like roles = "admin;editor;viewer".
• When this option is disabled, attributes stored as a single concatenated string with commas (,) and semicolons (;) are treated in the way they are stored instead of a structured list.
• In this case, commas (,) and semicolons (;) are not treated as separators, so the values remain combined in one string.
• Getting Required App Details / Updating App Information:
• Go to the Apps section from the side menu. From the list of configured apps, locate the app you created. Click the three-dot icon next to the app and select the Edit option.



• You can edit any of the above-mentioned details in case you want to change them.



• OAuth Endpoints:
• Authorization Endpoint [ https://<your-company-name>.xecurify.com/moas/idp/openidsso ]
• This endpoint is used to authenticate the end user with their miniOrange credentials. This authenticates the users and returns a response back to the redirect_url based on the parameters passed in the request. [Mainly the authorization code]
• This endpoint takes the following parameters:
• Client_id: client_id of the application as configured in the previous steps
• Redirect_uri: The callback URL where you want to return the response
• scope: scope of authorization or level of access, you can send a single or multiple scopes separated by ‘+’. e.g “email+openid”. We support the following scopes :
• Email: returns the email address of the user in the response
• Profile: returns user profile information in the response
• OpenID: returns the id_token containing user profile details.
• This returns the authorization code and the state parameters in the response.
• Token Endpoint [ https://<your-company-name>.xecurify.com/moas/rest/oauth/token ]
• This endpoint returns the following:
• Id_token ​Contains user attributes and signatures which you have to validate with provided public certificate.

iss	https URI that indicates the issuer
sub	identifier of the user at the issuer
aud	client_id of the requesting client
nonce	the nonce parameter value received from the client
exp	expiration time of this token
iat	time when this token was issued
auth_time	time the authentication happened
at_hash	the first half of a hash of the access token

• Access_token: Valid for 1 hour and can be used to access user info or other endpoints until it is expired.
• This endpoint takes the following parameters in the request:
• Client_id: client_id of the application as configured in the previous steps.
• Client_secret: client_secret of the application as configured in the previous step.
• Redirect_url: The callback url where the response should be posted.
• Code: The authorization code received from the authorization endpoint.
• Grant_type: The OAuth grant you want to use for the request.
• User Info Endpoint [ https://<your-domain>.xecurify.com/moas/api/oauth/getuserinfo ] Required in case of OAuth Only
• This API can be used to fetch user profile information with an access token that was assigned to the user. A GET request is sent to the user info endpoint.
• You need to send the access token in the authorization header to receive the user details.
• OpenID Single Logout Endpoint [ https://<your-domain>.xecurify.com/moas/idp/oidc/logout?post_logout_redirect_uri ] :
• This endpoint removes the active user session from the miniOrange IDP and redirects the user to the URL mentioned in the post_logout_url parameter.

• Under Choose Application, select JWT from the All Apps dropdown.



• Search for your application from the list. If your application is not found, search for jwt and you can set up your app via JWT App.



• You can configure the following details in the application:

  Display Name	Enter the Display Name (i.e. the name for this application)
  Redirect URL	Enter the Redirect URL (i.e. the endpoint where you want to send/post your JWT token). You can add multiple redirect URLs by separating them with a ‘;’.E.g. abc.com;xyz.com
  Client ID	The Client ID is shown in the field below. Click the clipboard icon to copy it.
  Client Secret	Client Secret is hidden by default. Click the eye icon to reveal it and use the clipboard icon to copy it. This is used in the HS256 signature algorithm for generating the signature.
  Description (Optional)	Add a description if required.
  Upload App Logo (Optional)	Upload an app logo (Optional). The app will be shown in the end-user dashboard with the logo that you configure here.




• Click Save.
• You will be redirected to the Policies section.



• Click on the Assign group button. A new Configure Group Assignment modal tab will open.
  • Assign Group: Select the groups you want to link with the application. You can select up to 20 groups at a time.
  
  
  
  • If you need to create new group. Click on Add New Group button.
  • Enter the Group name and click on Create Group.
  
  
  
  • Click on Next.
  • Assign Policies: Add the required policies to the selected groups. Enter the following details:
  • First Factor: Select the login method from the dropdown.
  • If you select Password as the login method, you can enable 2-Factor Authentication (MFA) and Adaptive Authentication, if needed.
  • If you select Password-less as login method, you can enable 2-Factor Authentication (MFA) if needed.



• Click on Save. Policies will be created for all the selected groups.
• You will see the policy listed once it's successfully added.



• Click on Advanced tab.
• Enter the following details as required:

  Access Token	Enter the access token that will be sent to your redirect URL after a user logs in. This token helps your app know the user is allowed to access certain features.
  ID Token Expiry (In Mins)	Set how long (in minutes) the ID token will be valid. After this time, the user will need to log in again to get a new token.
  Subject	Choose what information, like the user’s email address, will be used to identify them in the token. This helps your app know which user is logged in.
  Signature Algorithm	Select your signature algorithm from the dropdown.
  The Logout URL of your application	Enter the web address where users should be sent after they log out.
  Enable Shared Identity	This feature lets you control whether a specific application can be accessed by shared user or not.




• Signature Algorithms for JWT

RSA-SHA256

• Asymmetric, uses a set of private and public keys to generate and validate the signature which is included in the JWT token.
• The private key is used to generate the signature on the IDP side.
• The public key is used to verify the signature on the SP side.
• We provide the public key for this.



HS256

• Symmetric, uses the same secret key to generate and validate the signature
• The secret key in this case is configurable from the app configuration page.
• Switch to Login options tab.

  Primary Identity Provider	Select the default ID source from the dropdown for the application. If not selected, users will see the default login screen and can choose their own IDP. [Choose miniOrange in this case.]
  Force Authentication	If you enable this option, users will have to log in every time, even if their session already exists.
  Enable User Mapping	Enable this option, if you want the app to show which user is signed in when it responds.
  Show On End User Dashboard	Enable this option if you want to show this app in the end-user dashboard.




• Switch to Attributes tab.
• Enable Multi-Valued Attributes Option:



• When this option is enabled, both commas (,) and semicolons (;) are treated as delimiters. Any attribute containing these characters will be automatically split and converted into a multi-valued attribute based on their positioning.
• This feature ensures that attributes with multiple values are delivered in a structured format instead of as a single concatenated string.
• For example: when this option is enabled, Attributes will be will appear as a list like roles = ['admin', 'editor', 'viewer'] instead of a single string like roles = "admin;editor;viewer".
• When this option is disabled, attributes stored as a single concatenated string with commas (,) and semicolons (;) are treated in the way they are stored instead of a structured list.
• In this case, commas (,) and semicolons (;) are not treated as separators, so the values remain combined in one string.
• Navigate to Endpoints and copy the following details:



• Single Sign-On URL:
  • This URL is used to initiate user authentication to obtain the JWT token.
  • Take redirect_uri as one of the query parameters.
  • After successful authentication on the IDP end, an active user session is created in the IDP and the user is redirected to the redirect_uri with the JWT token.
• Single Logout URL:
  • This URL is used to log out the user from the IDP by removing the active user session.
  • Take redirect_uri as one of the query parameters.
  • After removing the active user session, the IDP redirects the user to the redirect_uri.
• Reply back URL for IdP initiated logout:
  • This URL is used to initiate the logout in case the JWT user login was IDP Initiated [User logged in to the dashboard
    first and then initiated the login for the app from the dashboard.]
  • After logging out the user from the IDP, the user is redirected to the IDP dashboard login page.