LDAP (UID/PWD) using MC

Scenario

In this scenario we will add a credential validator to log in using an Active Directory account and password.

Note. This use case uses Fortified ID Management Center to configure Fortified ID Access.

In this use case Fortified ID Portal will act as a SAML SP and Fortified ID Access as the SAML IdP.

Prerequisite

  • Fortified ID Management Center is already installed

    • To install Management Center, click following LINK

    • Fortified ID Portal acting as SAML SP and is added to Fortified ID Access as the SAML IdP

      • We use the products default configuration as base

      • To configure Portal (SAML SP) with Access (SAML IdP), click following LINK

      • We use Fortified ID Portal as a reference SAML SP in this use case; of course you can use any SAML SP

  • Active Directory (e.g. installed in the same machine)

    • Some users created with known passwords

    • Make sure all of them have a mail attribute populated with a mail address.

    • Have some of the users configured as manager for others

    • Some groups created with some user added

Note. All configuration and testing is done on the scenario server.

Overview

If you start this use case with a default installation of Access with Management Center, Access already has four credential validators added to the default selector. See image below.

We will add a fifth credential validator called My Active Directory

Overview of the components to add and configure

  1. Add LDAPClient to communicate with your Active Directory

  2. Use the Username & Password credential validator to prompt the user for username and password

    1. Add to default Selector object on the SAML default IdP

    2. Configure pipe to verify username and password with your LDAPClient

  3. Add EnrichIdentity to fetch user data about user

    1. Add to Default SAML IdP

  4. Configure the SAML SP assertion (Portal SP) object to return the correct data, using data from the EnrichIdentity authenticator

1. Add an LDAPClient module

  1. Login to Management Center for Access

  2. Click Configuration tab

  3. Expand Modules and click + to add new module

  4. Click add LDAPClient

    1. Click JSON button for the LDAPClient module

    2. Copy data below and overwrite all existing data

  5. Only change the three properties below to map your environment:

    1. host

    2. bind_dn

    3. bind_password

    We assume that your domain controller has a server certificate to use LDAPS.

  6. Click Update and Deploy

You have now added an LDAP module that can be used by one or several objects like valves. To address this LDAP module you use the value my_active_directory_module.

2. Add a "Username & password" credential validator

  1. Click Configuration tab

  2. Click + to the right of label Authentication Methods

  3. Expand Credential Validators

  4. Scroll down and click Add for validator Username & password

  5. Copy data below and overwrite all existing data

  6. Click on the associated Pipe and update the id to usernameandpassword_1_pipe before you click Update

  7. Click Update and Deploy

2.1 Add a Credential validator to the default Selector

  1. Expand SAML -> Default IdP -> Selector

  2. On selector object, click CREDENTIAL VALIDATOR tab

  3. Click ADD and select the validator you just added, e.g. My Active Directory (UID/PWD)(usernameandpassword_1)

    1. In Display Label type Active Directory (UID/PWD)

    2. In Logo URL, type assets/svg/microsoft.svg

  4. Click Update and Deploy changes

2.2 Update pipe for credential validator

  1. Click Configuration tab

  2. Expand SAML -> Default IdP -> Selector -> My Active Directory (UID/PWD)

  3. Click associated pipe, usernameandpassword_1_pipe

  4. Click the JSON button in upper right corner

    1. Copy and overwrite all existing data with the JSON data below.

  5. Click Update

  6. Deploy changes

3. Add an EnrichIdentity flow control

Add an EnrichIdentity to fetch user data from Active Directory for the user about to login

  1. Click Configuration tab

  2. Click + to the right of label Authentication Methods

  3. Expand Flow Control

  4. Scroll down and click Add for EnrichIdentity

  5. Change display_name to EnrichIdentity from Active Directory

  6. Click the Pipe object for the EnrichIdentity flow control

  7. Copy data below and overwrite all existing data in the pipe. Note! We assume that the pipe id is "enrichidentity_1_pipe"; if not, check the EnrichIdentity object and replace the id below.

  8. Note! All data received by the LDAP search will be added to Exports, which means it will be available to the SAML Assertion object.

  9. Click Update

3.1 Add EnrichIdentity to your SAML IdP

  1. Click Configuration tab

  2. Expand SAML and click Default IdP

  3. Click AUTHENTICATION

  4. Click ADD AUTHENTICATOR

  5. Select EnrichIdentity from Active Directory and click Add

  6. Click Update

  7. Deploy changes

4. Configure SAML SP assertion

The SAML SP object on the SAML IdP needs to be configured with which NameID and data to return. We use Fortified ID Portal, and in this scenario we will configure the NameID to be sAMAccountName and also return display_name, which is used for the avatar in Fortified ID Portal.

  1. Click Application tab

  2. Click to edit the Fortified ID Portal SAML SP object

  3. Click NAMEID SETTINGS tab and select

    1. NameID Format - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

    2. From parameter - sAMAccountName

  4. Click ATTRIBUTE SETTINGS tab

    1. Click Add attribute and type

    2. Name* - display_name

    3. Name Format - Unspecified

    4. Value* - displayName

  5. Click Update

  6. Deploy changes
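To confirm that the SP object is returning what step 4 configures, you can capture the assertion the Portal SP receives and check it. The following helper is an added example, not part of Fortified ID or this guide: it parses a SAML assertion and verifies that the NameID Format is the unspecified format, that the NameID carries a value (the sAMAccountName exported by EnrichIdentity), and that the display_name attribute is present, and it also reports any attributes beyond the configured one. The sample assertion embedded below is constructed and unsigned.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values chosen on the SP object in step 4 of this guide.
EXPECTED_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EXPECTED_ATTRIBUTES = {"display_name"}

# Constructed sample assertion (not captured from a real Access instance); signature omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_sample" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="display_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>John Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Extract NameID, its Format and all attributes from an Assertion (or a Response wrapping one)."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == "{%s}Assertion" % NS["saml"] else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element found")
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "nameid": nameid.text if nameid is not None else None,
        "nameid_format": nameid.get("Format") if nameid is not None else None,
        "attributes": attrs,
    }


def check_assertion(parsed):
    """Return a list of problems; an empty list means the assertion matches the step 4 configuration."""
    problems = []
    if parsed["nameid_format"] != EXPECTED_NAMEID_FORMAT:
        problems.append("NameID Format is %r, expected %r" % (parsed["nameid_format"], EXPECTED_NAMEID_FORMAT))
    if not parsed["nameid"]:
        problems.append("NameID is empty; check 'From parameter' is sAMAccountName and that EnrichIdentity exports it")
    for name in EXPECTED_ATTRIBUTES:
        if not any(parsed["attributes"].get(name, [])):
            problems.append("attribute %r missing or empty; check it maps to displayName" % name)
    extra = set(parsed["attributes"]) - EXPECTED_ATTRIBUTES
    if extra:  # more user data than the SP object was configured to release
        problems.append("unexpected attributes released to the SP: %s" % sorted(extra))
    return problems
```

Run it against an assertion captured from the browser after the test login; an empty list from check_assertion means the NameID and attribute settings took effect.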

Test the configuration

  1. If you browse to Fortified ID Portal you will be redirected to Fortified ID Access. It should look like the screenshot below.

  2. If you log in using one of your Active Directory test accounts it should look like the screenshot below.
